The Contractual Agreement Between Covered Entities and Business Associates (HIPAA BAA): What You Need to Include
A HIPAA Business Associate Agreement (BAA) is the contractual backbone that makes it lawful for a covered entity to share Protected Health Information (PHI) with a vendor. It spells out what the business associate may do with PHI, the safeguards it must maintain, and what happens if something goes wrong. Use the following sections to ensure your BAA reflects the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule while staying practical for everyday operations.
Permitted Uses and Disclosures of PHI
Define the scope of use
State clearly that the business associate may use and disclose PHI only to perform contracted services, to meet legal obligations, and for its own management and administration when disclosures are either required by law or made with reasonable assurances of confidentiality. Tie each permitted use to a concrete purpose to avoid ambiguity.
Apply the minimum necessary standard
Require the business associate to access, use, and disclose only the minimum necessary PHI to accomplish the task. Incorporate role-based access and documented criteria so workforce members and systems limit PHI exposure by default.
Prohibit unauthorized marketing and sale of PHI
Bar uses and disclosures not allowed under the HIPAA Privacy Rule—such as marketing, sale of PHI, and most communications that generate financial remuneration—unless a valid individual authorization explicitly permits them.
Allow de-identification and aggregation where appropriate
Permit creation of de-identified data and limited data sets for approved analytics and operations, provided the business associate follows recognized de-identification methods and signs any required data use agreements.
Implementing Safeguards for PHI Protection
Administrative Safeguards
Mandate a documented risk analysis and risk management plan, workforce training, sanctions for violations, vendor risk management, and incident response procedures. These Administrative Safeguards align with the HIPAA Security Rule and should be reviewed at least annually or upon major changes.
Physical Safeguards
Require facility access controls, media controls for devices that store PHI, secure disposal, and protections for offsite work. Spell out expectations for data centers, offices, and portable media to prevent loss or theft of PHI.
Technical Safeguards
Call for strong authentication, unique user IDs, role-based access, encryption of PHI in transit and at rest, audit logging, integrity controls, and secure transmission protocols. Specify log retention, monitoring, and alerting so anomalies are detected and investigated promptly.
Policies, documentation, and verification
Oblige the business associate to maintain written policies and procedures, retain documentation for six years, and cooperate with reasonable assessments. Include a right to request evidence of compliance without granting unfettered access to proprietary information.
Breach Notification Requirements
Trigger and timing
Require prompt written notice to the covered entity of any breach of unsecured PHI, without unreasonable delay and no later than 60 calendar days after discovery. Make clear that “discovery” occurs when the breach is known or should reasonably have been known to the business associate or its subcontractor.
Content of the notice
Specify that notifications must describe what happened, the date of the breach and discovery, the categories of PHI involved, the number of affected individuals, mitigation steps taken, and a primary contact for follow‑up. If a subcontractor is involved, the notice should identify the entity and relevant details.
Risk assessment and incident handling
Direct the business associate to perform and document a four‑factor risk assessment to determine whether an impermissible use or disclosure rises to a reportable breach. Require containment, forensic investigation, remediation, and preservation of logs and evidence.
Allocation of notification duties
Clarify who drafts and sends individual notices, media notices, and reports to regulators. Many covered entities prefer to control outward communications, while the business associate supports data validation, call center readiness, and credit monitoring if needed.
Supporting Individual PHI Rights
Access and copies
Require the business associate to make PHI available to the covered entity—or directly to the individual if so directed—for access requests within HIPAA deadlines. For ePHI, ensure the ability to provide an electronic copy in the form and format requested, where readily producible.
Amendments
Oblige the business associate to accommodate approved amendment requests by appending or linking corrections to the designated record set and propagating updates to relevant systems and subcontractors as appropriate.
Accounting of disclosures
Ensure the business associate records and, upon request, provides an accounting of non‑routine disclosures so the covered entity can respond within required timelines. Maintain records long enough to meet regulatory retention rules.
Restrictions and confidential communications
Support reasonable restrictions and confidential communication preferences that the covered entity has agreed to honor. This operationalizes Individual Rights Under HIPAA across all systems handling PHI.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Ensuring Subcontractor Compliance
Flow‑down of obligations
Require the business associate to execute written agreements with any subcontractors that create, receive, maintain, or transmit PHI, imposing the same restrictions, conditions, and safeguards—these are your Subcontractor Compliance Requirements.
Due diligence and oversight
Expect pre‑contract security due diligence, least‑privilege access, ongoing monitoring, and timely breach reporting by subcontractors to the primary business associate. Include audit and remediation rights to verify performance.
Data handling expectations
Address cross‑border data transfers, encryption key management, backup protections, and termination procedures for subcontractors so PHI remains protected throughout the data lifecycle.
Procedures for Return or Destruction of PHI
At contract end
Direct the business associate, upon termination or completion, to return or securely destroy all PHI, including backups and derivative files, within a defined timeframe. Require written certification describing what was returned or destroyed and how.
If destruction is infeasible
When legal, archival, or technical limitations make destruction infeasible, require the business associate to document the reason, continue to safeguard the PHI, limit further use or disclosure to the reason retention is required, and destroy the PHI when the impediment ends.
Transition support
Include a short, clearly scoped transition assistance clause so services can wind down without compromising privacy or security. Specify secure transfer methods and chain‑of‑custody expectations.
Termination Rights of Covered Entities
Termination for cause
Grant the covered entity the right to terminate the BAA and related services if the business associate materially breaches the agreement or repeatedly fails to comply with HIPAA requirements. For curable breaches, provide a defined cure period; for non‑curable events or serious risk, allow immediate termination.
Escalation and regulatory reporting
If termination is not feasible, require the covered entity to report the violation to regulators and to document the rationale. Preserve rights to suspend data exchange, seek injunctive relief, and require corrective action plans to mitigate ongoing risk.
Survival of obligations
State that privacy and security obligations—especially those governing retained PHI—survive termination until all PHI is returned or destroyed. This ensures continuity of protections after services end.
Conclusion
A well‑crafted HIPAA BAA defines permissible PHI use, embeds robust safeguards, operationalizes breach response, supports individual rights, binds subcontractors, and controls exit procedures. By aligning each clause with the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule, you reduce compliance risk while enabling secure, efficient collaboration.
FAQs
What is the purpose of a HIPAA Business Associate Agreement?
A HIPAA BAA authorizes a business associate to handle PHI for a covered entity and contractually requires compliance with the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. It defines permitted uses, required safeguards, breach reporting, subcontractor flow‑downs, and end‑of‑contract PHI handling.
What are the required safeguards for PHI under HIPAA?
HIPAA requires Administrative Safeguards (risk analysis, training, policies), Physical Safeguards (facility and device protections), and Technical Safeguards (access controls, encryption, audit logs, transmission security). Together, these controls protect PHI in paper and electronic forms across its lifecycle.
How must a business associate report a breach of PHI?
The business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery. The notice should describe what happened, the PHI involved, affected individuals, mitigation steps, and a contact for questions, and it must support the covered entity’s regulatory notifications.
What rights must business associates support for individuals under HIPAA?
Business associates must help the covered entity honor Individual Rights Under HIPAA: access to PHI (including electronic copies), amendments to records, and an accounting of disclosures, as well as implementing agreed restrictions and confidential communications across systems that handle PHI.