How to Draft a HIPAA-Compliant Business Associate Agreement: Guide and Examples
Definition of Business Associate Agreement
A Business Associate Agreement (BAA) is a contract that spells out how a vendor or partner will create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a HIPAA covered entity. It binds the business associate to the Privacy Rule and Security Rule obligations HIPAA requires of it and sets clear rules for using and safeguarding PHI.
A “business associate” includes organizations such as billing companies, cloud or data-hosting providers, analytics vendors, e-fax and e-prescribing tools, and consultants who handle PHI. If a service touches PHI beyond incidental exposure, you should assume a BAA is required and draft accordingly.
Quick examples
- Business associate: a cloud platform that stores ePHI for a clinic, or a revenue cycle vendor accessing claims data.
- Not a business associate under the conduit exception: a telecom carrier that merely transmits PHI without persistent storage or routine access.
Purpose of a BAA
A BAA operationalizes HIPAA by defining permitted uses and disclosures, mandating PHI safeguards, and establishing accountability. It protects patients, reduces organizational risk, and aligns day-to-day operations with the Privacy Rule and, for electronic PHI (ePHI), the Security Rule.
The agreement also creates clear processes for reporting unauthorized disclosures and responding to breaches, flows the same obligations down to subcontractors, and authorizes oversight such as access to records so that HHS audit requirements can be met.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Required Elements of a BAA
Core privacy and security terms
- Permitted and required uses/disclosures: precisely describe what the business associate may do with PHI and prohibit any other use unless required by law.
- Minimum necessary: limit PHI uses and disclosures to the minimum necessary to accomplish the intended purpose.
- PHI safeguards: implement administrative, physical, and technical controls consistent with the HIPAA Security Rule for ePHI, including risk analysis, access controls, audit logging, and encryption where feasible.
Reporting, access, and accountability
- Unauthorized disclosure reporting: require prompt notice of any use or disclosure not provided for by the BAA, including breaches of unsecured PHI and security incidents. For breaches of unsecured PHI, HIPAA's outer limit is notice without unreasonable delay and no later than 60 calendar days after discovery; the report must carry enough detail for the covered entity to make its own notifications.
- Individual rights support: provide timely access to PHI, make amendments, and supply an accounting of disclosures when requested by the covered entity.
- HHS audit requirements: make internal practices, books, and records relating to PHI available to the Secretary of HHS for compliance review.
Flow-down and lifecycle controls
- Subcontractor obligations: require subcontractors that create, receive, maintain, or transmit PHI to agree in writing to the same restrictions and safeguards.
- Return or destruction: upon termination, return or securely destroy PHI; if infeasible, extend the agreement's protections and limit further uses and disclosures to the purposes that make return or destruction infeasible.
- Termination clauses: authorize termination for a material breach, specify cure periods, and outline termination assistance and data transition steps.
When a BAA is Not Required
- Workforce members: employees of the covered entity are not business associates.
- Treatment by another covered entity: disclosures for treatment do not require a BAA between the providers, though other HIPAA rules still apply.
- Conduits: services that only transmit PHI without persistent storage (for example, certain telecom carriers) generally do not require a BAA.
- De-identified data: if information is de-identified under HIPAA standards, it is not PHI and a BAA is not required.
- Limited data set for specific purposes: a Data Use Agreement may suffice for a limited data set used for research, public health, or health care operations; if the party performs business associate functions, a BAA is still needed.
Drafting Best Practices
- Map data flows: list systems, integrations, and personnel that touch PHI so that the BAA's scope and PHI safeguards match reality.
- Be precise: define PHI, ePHI, and permitted use cases; include data aggregation or de-identification only if needed.
- Right-size reporting: set a breach/security incident notice deadline well inside HIPAA's 60-day outer limit (for example, 5 to 10 business days for incidents and confirmed breaches) and specify the required content. HIPAA treats a breach as discovered by the covered entity when a business associate acting as its agent discovers it, so the covered entity's own 60-day window for notifying individuals may already be running.
- Flow obligations downstream: require subcontractor obligations, periodic attestations, and the covered entity's right to request evidence of controls.
- Security alignment: reference risk management, encryption in transit and at rest, access governance, vendor access reviews, and disposal standards.
- Strong termination clauses: include cure periods, immediate termination for impermissible disclosures, and transition assistance to return or destroy PHI.
- Audit readiness: address HHS audit requirements by keeping policies, training, risk analyses, and incident logs organized and retrievable.
- State law overlay: incorporate compliance with more stringent state privacy or security requirements where applicable.
Sample BAA Template
The following template is a starting point. Tailor it to your operations and consult counsel before use.
Business Associate Agreement
Effective Date: [Month Day, Year]
Parties: [Covered Entity Name], a covered entity under HIPAA (Covered Entity), and [Business Associate Name] (Business Associate).
1. Definitions
Protected Health Information (PHI) has the meaning set forth in 45 CFR §160.103. Electronic PHI (ePHI) is PHI transmitted by or maintained in electronic media.
2. Permitted Uses and Disclosures
- Business Associate may use and disclose PHI solely to perform the services described in Exhibit A and as required by law.
- Business Associate may use PHI for proper management and administration and to carry out its legal responsibilities, provided disclosures are subject to confidentiality obligations and incident reporting.
3. Privacy Rule Compliance and Minimum Necessary
Business Associate will comply with applicable provisions of the HIPAA Privacy Rule and limit PHI to the minimum necessary to accomplish permitted purposes.
4. PHI Safeguards and Security Rule
Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, including risk analysis, access controls, audit logging, and encryption where feasible.
5. Unauthorized Disclosure Reporting and Security Incidents
- Business Associate will report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, any security incident involving ePHI, and any breach of unsecured PHI, without unreasonable delay and no later than [X] days after discovery (and in no event later than 60 calendar days after discovery, as HIPAA requires). A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to Business Associate or to any of its workforce members or agents other than the person committing the breach.
- Reports will include known details: incident description, date of discovery, types of PHI involved, individuals affected (if known), mitigation steps, and corrective actions.
6. Subcontractor Obligations
Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to the same restrictions, conditions, and safeguards set forth herein.
7. Individual Rights
- Access: Business Associate will make PHI available to Covered Entity to satisfy individual access requests.
- Amendment: Business Associate will incorporate amendments to PHI as directed by Covered Entity.
- Accounting: Business Associate will document and provide information required for an accounting of disclosures.
8. HHS Audit Requirements
Business Associate will make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance.
9. Return or Destruction of PHI
Upon termination, Business Associate will return or securely destroy all PHI. If return or destruction is infeasible, Business Associate will extend the protections of this Agreement and limit uses to those purposes that make return or destruction infeasible.
10. Term and Termination Clauses
- Term: This Agreement begins on the Effective Date and remains in effect until all PHI is returned or destroyed.
- Termination for cause: Covered Entity may terminate upon material breach if not cured within [X] days after notice, or immediately if cure is not feasible.
- Transition assistance: The parties will cooperate to facilitate secure transfer or destruction of PHI at termination.
11. Miscellaneous
- Conflicts: In case of conflict between this Agreement and the underlying services agreement, this Agreement controls with respect to PHI, and any ambiguity will be resolved to permit compliance with HIPAA.
- Notices: Send notices to the addresses in Exhibit B.
- Survival: Obligations regarding PHI survive termination as required.
Signatures: [Covered Entity Authorized Signatory, Title, Date] / [Business Associate Authorized Signatory, Title, Date]
Additional Resources for Compliance
- BAA intake checklist: services scope, data elements, systems touched, third-party subcontractor obligations, and cross-border transfers.
- Security evidence pack: most recent risk analysis, vulnerability management summary, encryption standards, access control policy, incident response plan, and workforce training records.
- Operational playbooks: PHI minimization and retention schedules; return/destruction procedures; standardized unauthorized disclosure reporting templates.
- Audit readiness kit: inventory of BAAs, amendment tracker, and a repository of artifacts to satisfy HHS audit requirements.
- Governance cadence: quarterly vendor reviews, tabletop exercises for breach response, and periodic verification of downstream compliance.
Conclusion
A HIPAA-compliant Business Associate Agreement translates legal requirements into daily practice. By defining permitted uses, enforcing PHI safeguards, flowing obligations to subcontractors, setting firm reporting and termination clauses, and preparing for audits, you reduce risk while enabling trusted data sharing.
FAQs
What is a Business Associate Agreement under HIPAA?
A BAA is a contract between a HIPAA covered entity and a vendor or partner that handles Protected Health Information. It defines allowable uses and disclosures, mandates compliance with the Privacy Rule and the Security Rule's safeguards, and creates enforcement and oversight mechanisms.
When is a BAA required?
You need a BAA before a vendor will create, receive, maintain, or transmit PHI on your behalf. Typical examples include hosting ePHI, billing and collections, analytics, or support services that access PHI. A BAA is generally not needed for workforce members, de-identified data, certain conduit services, or disclosures for treatment between covered entities.
What are the essential elements of a HIPAA-compliant BAA?
Key elements include permitted uses/disclosures, minimum necessary, PHI safeguards aligned to the Security Rule, unauthorized disclosure reporting with deadlines, individual rights support, subcontractor obligations, HHS audit requirements, return or destruction of PHI, and clear termination clauses for breach.
How should breaches be reported under a BAA?
The BAA should require prompt notice of any impermissible use or disclosure and any security incident, without unreasonable delay and no later than 60 days after discovery for breaches of unsecured PHI. The report should describe what happened, the PHI involved, affected individuals if known, mitigation taken, and corrective actions.