Does your vendor ever come into contact with protected health information (PHI), even indirectly through a tool, inbox, or system they support?
A business associate agreement (BAA) is the contract that sets the rules when a covered entity works with a vendor who will handle PHI.
It lays out what the vendor can do with that data, the protections they’re expected to maintain, how incident reporting works, and what happens to the information when the relationship ends.
In this guide, you’ll see what a strong BAA should include before you sign. It covers the situations that typically trigger a BAA, what counts as PHI in real workflows, and the requirements that tend to matter most.
It also points out the clauses worth a closer look, common red flags, and a practical template you can use as a reference while you review agreements.
A business associate agreement is a contract a covered entity uses when hiring a vendor that will handle protected health information. It sets the rules for how that vendor can use and share PHI, plus the security and reporting responsibilities that come with it.
In many cases, you’ll request business associate terms before any PHI is shared, so expectations are clear from day one.
A typical BAA requires appropriate safeguards, limits PHI use to the services being provided, and spells out what happens if there’s a security incident or breach. It also covers subcontractors, so downstream access to PHI stays controlled. More on this later.
In short, the BAA is one of the main documents the U.S. Department of Health and Human Services expects to see when a third party works with PHI on your behalf.
You need a business associate agreement when a vendor will create, receive, maintain, or transmit protected health information for you as part of a paid service.
This comes up most often with a provider, a health plan, or a health care clearinghouse working with third parties tied to treatment, billing, or health care operations.
If you’ll disclose protected health information to the vendor, or the vendor can access PHI inside your systems, get the BAA signed before any work starts.
If a vendor claims they don’t need one, pause and sort it out first. Even with an existing master agreement, you may still need to notify the internal stakeholders responsible for business associate relationships and attach the BAA as an addendum.
Common situations:
PHI, for BAA purposes, is health information tied to an identifiable person that a covered entity or business associate creates, receives, maintains, or transmits. It can show up in paper files, an electronic form, recordings, screenshots, support tickets, exports, and backups.
It’s easy to focus on diagnoses and medical charts, but PHI often hides in the identifiers and context around care or payment.
Common PHI examples include:
A business associate contract usually sits alongside an underlying service agreement, and both should apply the same restrictions on PHI use and disclosure. When PHI gets misclassified as “just data,” teams open themselves up to avoidable risk and potential HIPAA violations.
Essentially, a solid BAA sets clear rules for PHI and keeps responsibilities easy to enforce. Here are the requirements that usually matter most:
Before you sign a BAA, focus on the clauses that set the real boundaries and the real consequences. These might include:
This section tells you what the BAA covers and what it doesn’t. Start by checking how it defines PHI, what systems or data types fall under the agreement, and which party roles apply.
If you’re working with certain services that touch patient data indirectly, make sure the scope still captures that access.
Pay close attention to how the contract describes unsecured PHI, since that language often connects to incident response and reporting.
If definitions feel broad or fuzzy, ask for changes early, since unclear scope tends to create messy legal responsibilities later.
This is where the agreement draws the boundaries around the disclosure of PHI and how the business associate can use it. HIPAA requires limits tied to the underlying services, so the allowed uses should track closely to what the vendor actually does.
Watch for open-ended language that allows “any business purpose” or “product improvement” without guardrails. Covered entities and business associates share real legal responsibilities here, so keep the permissions narrow and easy to defend as meeting HIPAA requirements.
This section should spell out the protection standards the vendor must follow. HIPAA requirements point to administrative, physical, and technical safeguards, and the agreement should reflect that in practical terms.
Look for commitments that match the risk of the data, especially if the vendor stores PHI in multiple systems or relies on subcontractors.
If you see vague promises with no specifics, request changes so the contract clearly sets the same requirements you expect from any party handling PHI.
You’re looking for clear triggers, timelines, and a practical notification process. The clause should explain what the vendor must report, how fast they must report it, and what details you’ll get (what happened, what data was involved, who was affected, and what they’re doing next).
Strong language also accounts for other applicable law, since reporting duties can extend beyond HIPAA depending on the situation. If the timing is vague or the notice goes to the wrong contact, fix it before signing.
Vendors often rely on sub-processors for hosting, support, or analytics, so this section matters more than people think.
It should require the vendor to contractually bind subcontractors to the same privacy and security obligations, and to keep oversight through audits, security reviews, or documented internal practices.
You also want clarity on who is responsible if a subcontractor causes an incident, since finger-pointing burns time during a response.
This section defines how long the BAA stays in effect, what events trigger termination, and what happens once the relationship ends.
Look for a right to exit if the business associate violates key obligations, and confirm the agreement lets you terminate without jumping through unnecessary hoops.
It’s also smart to confirm how the termination date is defined, since return or destruction obligations usually start counting from that point.
This clause covers what happens to PHI when the relationship ends. Ideally, the vendor returns or securely destroys such information, including copies in backups or archived systems, and confirms completion in writing.
If destruction isn’t feasible, the agreement should require continued protections and clear limits on use and disclosure.
It also helps to see language confirming controls apply to the vendor’s workforce members, since offboarding and access removal are common weak points after termination.
Remember: Tight drafting here supports the covered entity’s obligation to protect PHI and reduces follow-on risk after a data breach.
This section decides which terms win if the BAA conflicts with the underlying service agreement, a master agreement, or a security addendum. You want the BAA to control when privacy or security terms clash, since it carries the contractual obligations the HIPAA Privacy Rule requires.
Look for wording that gives you reasonable assurance the vendor will follow the stricter standard when documents disagree, so a broader commercial clause doesn’t quietly override privacy protections.
When you review a BAA, red flags usually show up as vague language, missing timelines, or loopholes that weaken HIPAA compliance. If the work will involve access to PHI, it’s worth slowing down and scanning for these issues:
This template is a general guide and a quick preview of common BAA terms. It’s not legal advice. Talk with a qualified professional before you use it for a real deal, since the right language depends on the services, the data, and your risk profile.
Business Associate Agreement
This Business Associate Agreement (“Agreement”) is entered into as of [Effective Date] (“Effective Date”) between:
Covered Entity: [Legal Name], located at [Address] (“Covered Entity”)
and
Business Associate: [Legal Name], located at [Address] (“Business Associate”)
This Agreement is part of, and relates to, the [Underlying Service Agreement Name] dated [Date] (the “Service Agreement”). Business Associate performs functions or services for Covered Entity that involve access to, use of, disclosure of, creation of, receipt of, maintenance of, or transmission of Protected Health Information.
1. Definitions
Terms not defined here have the meaning given under HIPAA, the HIPAA Privacy Rule, the HIPAA Security Rule, and the HITECH Act.
1.1 “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended.
1.2 “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act and its implementing regulations, as amended.
1.3 “PHI” means Protected Health Information, including PHI in electronic form (“ePHI”).
1.4 “Breach” has the meaning set forth in 45 C.F.R. § 164.402.
1.5 “Security Incident” has the meaning set forth in 45 C.F.R. § 164.304.
1.6 “Unsecured PHI” has the meaning set forth in 45 C.F.R. § 164.402.
1.7 “Designated Record Set” has the meaning set forth in 45 C.F.R. § 164.501.
2. Permitted Uses and Disclosures
2.1 Service-related use and disclosure. Business Associate may use and disclose PHI only as necessary to perform services described in the Service Agreement, subject to this Agreement.
2.2 Minimum necessary. Business Associate will limit use, disclosure, and requests for PHI to the minimum necessary for the permitted purpose, as applicable under HIPAA.
2.3 Management and administration. Business Associate may use PHI for its proper management and administration, or to carry out its legal responsibilities, if such use is permitted under HIPAA.
2.4 Disclosures for management and administration. Business Associate may disclose PHI for proper management and administration, or to carry out legal responsibilities, if:
2.5 Data aggregation. Business Associate may perform data aggregation services (as defined in 45 C.F.R. § 164.501) only if expressly authorized in the Service Agreement or this Agreement: [Yes/No]. If yes, permitted scope: [Describe].
3. Prohibited Uses and Disclosures
3.1 Business Associate will not use or disclose PHI other than as permitted under this Agreement, the Service Agreement, or as required by law.
3.2 Business Associate will not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity, where applicable to Business Associate’s activities.
4. Safeguards
4.1 General safeguards. Business Associate will implement appropriate safeguards to prevent unauthorized use or disclosure of PHI.
4.2 Security Rule safeguards for ePHI. Business Associate will comply with the HIPAA Security Rule requirements applicable to Business Associate and will implement administrative, physical, and technical safeguards to protect ePHI.
4.3 Policies and workforce. Business Associate will maintain internal practices, policies, and procedures and will apply them to its workforce members who have access to PHI.
5. Reporting Security Incidents and Breaches
5.1 Security incidents. Business Associate will report Security Incidents to Covered Entity without unreasonable delay and no later than [X] days after discovery. Business Associate will document Security Incidents and, upon request, provide a summary of incidents and responses.
5.2 Breach of Unsecured PHI. Business Associate will notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and no later than [X] days after discovery.
5.3 Notice contents. The notice will include, to the extent known:
5.4 Mitigation. Business Associate will take reasonable steps to mitigate harmful effects of any unauthorized use or disclosure of PHI.
6. Subcontractors
6.1 Flow-down. Business Associate will require any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate to agree in writing to restrictions and conditions at least as protective as this Agreement.
6.2 Responsibility. Business Associate remains responsible for acts and omissions of its subcontractors relating to PHI.
7. Individual Rights and Covered Entity Support
7.1 Access. Business Associate will make PHI in a Designated Record Set available as needed for Covered Entity to meet access obligations under 45 C.F.R. § 164.524 within [X] days of request.
7.2 Amendment. Business Associate will incorporate amendments to PHI in a Designated Record Set as directed by Covered Entity under 45 C.F.R. § 164.526 within [X] days.
7.3 Accounting of disclosures. Business Associate will document disclosures and provide information required for Covered Entity to respond to accounting requests under 45 C.F.R. § 164.528 within [X] days.
7.4 Records relating to compliance. Business Associate will make records relating to its use and disclosure of PHI available to Covered Entity as reasonably necessary for Covered Entity’s HIPAA compliance obligations.
8. Access for Oversight
8.1 Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance, as required by law.
9. Term and Termination
9.1 Term. This Agreement begins on the Effective Date and continues until PHI obligations end under this Agreement, unless terminated earlier under this Section.
9.2 Termination for cause. If Covered Entity determines Business Associate has violated a material term of this Agreement, Covered Entity may:
9.3 Effect of termination. The termination date is [Date] or, if not specified, the date the termination notice becomes effective under this Section.
10. Return or Destruction of PHI
10.1 Upon termination or expiration, Business Associate will return to Covered Entity or destroy all PHI received from, or created or received on behalf of, Covered Entity.
10.2 If return or destruction is not feasible, Business Associate will notify Covered Entity in writing and will extend protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
11. Order of Precedence
11.1 If this Agreement conflicts with the Service Agreement or any other agreement between the parties, this Agreement controls for PHI privacy and security obligations, unless a stricter requirement is stated in writing and signed by both parties.
12. Miscellaneous
12.1 Amendment. The parties will amend this Agreement as needed to comply with changes in HIPAA requirements or applicable law.
12.2 Survival. Sections relating to safeguards, reporting, return or destruction, and permitted uses and disclosures survive termination as required for compliance.
12.3 No third-party beneficiaries. This Agreement creates no rights for third parties.
12.4 Governing law. Governing law is [State], subject to federal HIPAA requirements.
Signatures
Covered Entity
Name: [Name]
Title: [Title]
Signature: _________________________
Date: [Date]
Business Associate
Name: [Name]
Title: [Title]
Signature: _________________________
Date: [Date]
A BAA can look fine on the surface, then cause headaches later because one section is too vague or a deadline is missing. So, before you sign, do one last scan with fresh eyes.
Make sure the scope matches what the vendor will actually do, the permitted uses don’t wander beyond the service, and the incident notice language gives you real timelines and a real contact path.
If subcontractors are involved, confirm the same protections apply downstream and not only on paper.
Once those pieces line up, the agreement becomes a lot easier to live with day to day, and a lot easier to defend if questions come up later.
A covered entity typically needs a BAA before sharing patient data with a vendor that will create, receive, maintain, or transmit PHI as part of the service. The goal is to set clear rules before any PHI changes hands.
Watch for a vague “permitted uses” section. A strong BAA puts clear restrictions on how PHI can be used and disclosed, tied to the specific services in the contract.
Consequences can affect business associates in real ways, including investigation and enforcement exposure. Depending on the facts, outcomes can include civil penalties and, in extreme cases, criminal penalties.
Enforcement often involves the HHS Office for Civil Rights. Many BAAs also require the vendor to support individuals' requests, like access or amendment, so you can respond on time and keep your process clean.