HIPAA Business Associate Agreements: the 12-part checklist every healthcare SMB vendor must cover
Under 45 CFR 164.502(e)(1), a covered entity may let a business associate create, receive, maintain, or transmit protected health information (PHI) on its behalf only after obtaining satisfactory assurances that the associate will appropriately safeguard that information. Those assurances must be documented in a written contract: the Business Associate Agreement (BAA). The required contents of that contract are enumerated in 45 CFR 164.504(e)(2), as amended by the HIPAA Omnibus Final Rule published on January 25, 2013 (78 FR 5566) to implement the HITECH Act; HHS released sample BAA provisions the same month. The checklist below groups those requirements into twelve items, all of which must be in place before any PHI changes hands.
Small healthcare practices often treat the BAA as a checkbox exercise. You email a vendor, they return a two-page PDF, you countersign. But business associates are involved in a large share of the breaches OCR investigates, and OCR resolution agreements regularly cite BAAs that omit required provisions or were never executed at all. Each item below maps to the regulatory text, and the BAA is one of the documents OCR requests in an audit or compliance review.
1. Permitted and required uses and disclosures
The agreement must establish the permitted and required uses and disclosures of PHI by the business associate (45 CFR 164.504(e)(2)(i)), and it may not authorize the associate to use or disclose PHI in a way that would violate the Privacy Rule if the covered entity did it. This isn't a blanket authorization. If your billing vendor needs access to patient names, dates of service, and procedure codes but not clinical notes, the BAA should say exactly that. Catch-all language ("BA may use PHI as necessary to perform services") creates compliance risk because it does nothing to hold the associate's access to the minimum-necessary standard at 164.502(b), which OCR's cloud computing guidance reminds covered entities applies to cloud vendors as much as to any other business associate.
Required disclosures also need specification. These are disclosures the associate must make, not merely may make: producing records to the individual under 164.524 at your direction, or to the Secretary of HHS when required under 164.502(a)(2)(ii). Spell out who at the associate handles them and how fast. (Reporting a suspected breach is a separate obligation; its timeline belongs under item 9 below, and in the contract rather than buried in an email thread.)
2. Prohibition on unauthorized use or disclosure
Per 164.504(e)(2)(ii)(A), the BAA must provide that the business associate will not use or further disclose PHI other than as permitted or required by the contract or as required by law. Most form agreements include this language verbatim, but watch for carve-outs. A vendor contract that reserves the right to "de-identify and aggregate data for internal analytics" without confirming that the de-identification will meet the standard at 164.514(a)-(b) leaves the prohibition with a hole in it: data that does not meet that standard is still PHI, and the "analytics" use is then an unauthorized use.
The fix is to name the method. Section 164.514(b) recognizes only two: expert determination under 164.514(b)(1), or the safe-harbor method under 164.514(b)(2), which strips the 18 listed identifiers and requires that the associate has no actual knowledge the remaining data could identify an individual. Data aggregation is a separate matter: the contract may permit the associate to provide data aggregation services relating to your health care operations (164.504(e)(2)(i)(B)), but that permission must be written in, not implied.
3. Appropriate safeguards
The associate must agree to use appropriate safeguards (and to comply, where applicable, with Subpart C of 45 CFR Part 164, the Security Rule, with respect to electronic PHI) to prevent use or disclosure of PHI other than as provided by the contract (164.504(e)(2)(ii)(B)). This ties the BAA directly to the Security Rule. If your IT vendor manages your EHR on AWS, the BAA should reference the controls you expect: risk analysis (164.308(a)(1)(ii)(A)), information system activity review (164.308(a)(1)(ii)(D)), audit controls (164.312(b)), and encryption and decryption of electronic PHI (164.312(a)(2)(iv)).
Many vendor-supplied BAAs state only that the associate "will implement reasonable safeguards." That's not sufficient. The Security Rule's own contract requirement at 164.314(a)(2)(i) says the agreement must provide that the associate will comply with the applicable requirements of Subpart C, flow them down to subcontractors, and report security incidents, including breaches of unsecured PHI. The contract should acknowledge that those obligations apply in full, even if the technical specifics live in a separate addendum.
4. Subcontractor flow-down
If the business associate engages a subcontractor that will create, receive, maintain, or transmit PHI on its behalf, the BAA must require the associate to ensure that each such subcontractor agrees to the same restrictions and conditions that apply to the business associate (164.504(e)(2)(ii)(D), cross-referencing 164.502(e)(1)(ii)). The subcontractor is itself a business associate under 160.103, so the associate must obtain a written BAA from it before any PHI moves downstream. You do not sign that downstream contract; your associate does, and your BAA must oblige it to.
Example: your medical-records scanning vendor uses a third-party cloud storage provider. The scanning vendor's BAA with you must commit the vendor to executing its own BAA with the cloud provider and to holding the provider to the same safeguards. Ask for a list of subcontractors that touch your PHI and a right to be notified when it changes; a subcontractor you have never heard of, with no BAA in the chain, is exactly the gap that turns a vendor's incident into your reportable breach.
5. Individual access rights
The associate must agree to make PHI in a designated record set available, at the direction of the covered entity, to the individual (or the individual's personal representative) so that you can meet your obligations under 164.524 (164.504(e)(2)(ii)(E)). The timeline matters. Under 164.524(b)(2), you must act on an access request no later than 30 calendar days after receiving it, with a single 30-day extension available if you give the individual written notice of the reason for the delay. Your BAA should specify how quickly the business associate must respond to your access request so that you can stay within that window with time to spare for review and delivery.
If your EHR vendor maintains the only electronic copy of a patient's records, and the contract allows them 45 days to produce the file, you cannot meet the 30-day deadline without invoking the extension every time, and you will miss even the extended deadline if the vendor is late.
6. Amendment rights
Similar to access, the BAA must require the associate to make PHI in a designated record set available for amendment and to incorporate any amendments the covered entity directs, so that you can meet your obligations under 164.526 (164.504(e)(2)(ii)(F)). This becomes relevant when a patient disputes information in a lab report or radiology result that your third-party provider generated and maintains. Whether to accept or deny the amendment is your decision under 164.526; once you accept it, the associate can't refuse to incorporate it.
In practice, many vendor contracts are silent on amendments. That silence doesn't relieve you of your 164.526 obligations, including the 60-day deadline at 164.526(b)(2).
7. Accounting of disclosures
The associate must make available to the covered entity the information required to provide an accounting of disclosures under 164.528 (164.504(e)(2)(ii)(G)). An accounting request is rare but disruptive. A patient has the right to receive a list of the disclosures you (or your business associates) made in the six years preceding the request, subject to the exceptions in 164.528(a)(1) (notably disclosures for treatment, payment, and health care operations, and disclosures to the individual), and you must respond within 60 days, with one 30-day extension (164.528(c)(1)).
Your BAA should require the associate to maintain disclosure logs and produce them within a defined period (commonly 10 business days). If your billing vendor disclosed PHI to a collections agency in 2019, and the patient requests an accounting in 2025, the vendor must have retrievable records.
8. Internal practices and record availability for HHS review
Per 164.504(e)(2)(ii)(I), the associate must make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining the covered entity's compliance with the Privacy Rule. This means that if OCR audits you, it can require your business associate to open its systems and documentation. The BAA should acknowledge this explicitly.
Vendors occasionally push back, citing proprietary concerns. Push back harder. Under 45 CFR 160.310, covered entities and business associates must keep the records the Secretary requires, cooperate with complaint investigations and compliance reviews, and permit access to facilities, books, records, and other information pertinent to compliance. Refusing to cooperate is itself a violation, independent of whatever the investigation was about.
9. Breach notification
The associate must report to the covered entity any use or disclosure of PHI not provided for by the contract of which it becomes aware, including breaches of unsecured PHI as required by 164.410 (164.504(e)(2)(ii)(C)). The timeline is critical: business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 calendar days after discovery (164.410(b)), and the breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any employee or agent of the associate (164.410(a)(2)).
Your BAA should tighten that standard. Many covered entities require notice within 24 or 48 hours, and the reason is arithmetic. Your own deadline to notify affected individuals is 60 calendar days from discovery (164.404(b)), and if the associate is acting as your agent under federal common-law agency principles, its discovery is imputed to you (164.404(a)(2)): an agent that uses its full 60 days hands you a breach that is already overdue. Even when the associate is not your agent, so that your clock starts when it tells you, you still need time for forensic review, risk assessment under 164.402, and drafting notices, and a vendor that takes most of its 60 days consumes the margin you would otherwise have.
10. Return or destruction of PHI at contract termination
At termination of the contract, the business associate must, if feasible, return or destroy all PHI received from, or created or received by the associate on behalf of, the covered entity that it still maintains in any form, and retain no copies (164.504(e)(2)(ii)(J)). If return or destruction is infeasible, the BAA must extend the protections of the contract to the retained information and limit further uses and disclosures to the purposes that make return or destruction infeasible.
Define "infeasible" narrowly. A vendor claiming that data deletion would require custom engineering is not the same as legal infeasibility (for example, a state-law requirement to retain billing records for seven years). Document the decision and the safeguards that remain in place.
11. Authorization for certain uses and disclosures
If the business associate will use or disclose PHI for its own proper management and administration or to carry out its legal responsibilities, the contract must authorize those uses (164.504(e)(4)(i)). Disclosures for those purposes are permitted only if they are required by law, or if the associate obtains reasonable assurances from the recipient that the information will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed, and that the recipient will notify the associate of any breach of that confidentiality (164.504(e)(4)(ii)).
This typically covers the associate's own lawyers, accountants, auditors, and insurers. If your practice-management software vendor's auditor needs to inspect records that contain your patients' PHI, the BAA should permit that disclosure and require a confidentiality agreement with the auditor. (If the vendor shares only properly de-identified usage metrics, no PHI is involved and this provision is not triggered.)
12. HITECH Act updates and direct liability
Since the HITECH Act, business associates are directly liable under the Security Rule (HITECH Section 13401, 42 USC 17931) and the Privacy Rule (HITECH Section 13404, 42 USC 17934) for their own violations, a change the Omnibus Rule carried into the regulations at 45 CFR 164.104(b) and 164.502(a)(3)-(4). Many legacy agreements drafted before 2013 lack any acknowledgment of this. A current BAA should state that the associate will comply with the Security Rule in its own capacity (164.504(e)(2)(ii)(B)) and, to the extent it carries out any of your Privacy Rule obligations, with the Privacy Rule provisions that would apply to you in performing them (164.504(e)(2)(ii)(H)), not merely as your agent.
This matters for insurance and indemnification. If your associate causes a breach through inadequate encryption, OCR can fine them directly, and your contract should allocate liability accordingly.
Operational notes
The twelve elements above are regulatory minimums. The rule adds one more contractual term that is easy to forget: the agreement must authorize you to terminate it if you determine the associate has violated a material term (164.504(e)(2)(iii)). Your BAA may (and often should) include additional provisions: indemnification, insurance requirements, audit rights, data-location restrictions, and breach-remediation protocols. But every agreement must cover the required elements before any PHI moves.
OCR's published resolution agreements show that a missing or unsigned BAA is a recurring, stand-alone finding; in 2016, for example, Raleigh Orthopaedic Clinic paid $750,000 after handing X-ray films containing PHI to a vendor without any BAA in place. A missing signature on a fully compliant BAA is the same, from OCR's perspective, as no BAA. Keep executed copies in a secure, auditable repository (not a shared inbox), and set calendar reminders to review agreements annually, especially when HIPAA regulations change or your vendor relationship expands.
When a new vendor emails you a BAA, don't skim and sign. Map each clause to this checklist. If an element is missing or ambiguous, send redlines before the first byte of PHI crosses the wire.