
What must a HIPAA business associate agreement include?

A HIPAA BAA is not just a signature on a template — 45 CFR § 164.504(e) specifies the exact provisions it must contain. Here is every required element, the common drafting gaps OCR finds, and what to verify before you sign one.

By CoreFolio

A HIPAA business associate agreement (BAA) is a legal contract that allocates privacy and security responsibilities between a covered entity (or a business associate) and a business associate. It is also a compliance document — 45 CFR § 164.504(e) specifies what it must contain, and a BAA that omits required provisions may not satisfy the HIPAA requirement even if it is signed.

Covered entities that accept vendor-supplied BAA templates without reviewing them may find, in an OCR investigation, that their agreement is deficient. Understanding the required elements — and knowing what to look for before signing — is practical risk management.

Required provisions under 45 CFR § 164.504(e)(2)

The following provisions are required in every BAA between a covered entity and a business associate. An agreement that omits any of these is deficient under HIPAA.


1. Permitted uses and disclosures

The BAA must establish the permitted uses and disclosures of PHI by the business associate — specifying the functions, services, or activities that are authorized.

What to look for: The permitted uses and disclosures should be specific to the services the business associate is providing. A billing company’s BAA should describe billing and related revenue cycle functions. It should not include broad general permissions that allow the BA to use PHI for unrelated purposes.

Common gap: Overly broad permissive language (“all purposes necessary for business operations”) that does not accurately limit the BA’s use of PHI.


2. Prohibition on unauthorized use or disclosure

The BAA must provide that the business associate will not use or further disclose PHI other than as permitted or required by the contract or as required by law.

What to look for: This provision should be affirmative — the BA commits that PHI will not be used or disclosed beyond the scope of the agreement. It should reference the Privacy Rule standards that apply to covered entity uses and disclosures.


3. Appropriate safeguards

The BAA must require the business associate to use appropriate safeguards to prevent unauthorized use or disclosure of PHI, and to comply with the HIPAA Security Rule (45 CFR §§ 164.308, 164.310, 164.312) with respect to ePHI.

What to look for: The Security Rule compliance obligation must be explicit — not just general “appropriate measures.” The agreement should specifically reference the business associate’s obligation to implement administrative, physical, and technical safeguards for ePHI in accordance with the Security Rule.

Common gap: BAAs that require “reasonable security measures” without specifically requiring Security Rule compliance. This language may not satisfy the regulatory requirement.


4. Reporting of security incidents and breaches

The BAA must require the business associate to:

  • Report to the covered entity any use or disclosure of PHI not provided for by the contract of which it becomes aware, including breaches of unsecured PHI as required by the Breach Notification Rule
  • Report any security incidents of which it becomes aware

What to look for: The breach notification provision should specify a reporting timeline. The Breach Notification Rule requires BA notification to the covered entity within 60 calendar days of the BA discovering the breach. The BAA should reflect this — and many covered entities negotiate for a shorter window (30 days or less) so they have adequate time to meet their own 60-day patient notification deadline.

Common gap: BAAs that omit a reporting timeline, leaving the BA to report “promptly” or “as soon as reasonably practicable” without a defined window. Given that the covered entity’s patient notification clock runs from the BA’s discovery date, an undefined timeline creates genuine exposure.


5. Subcontractor requirements

The BAA must require the business associate to ensure that any subcontractors who create, receive, maintain, or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate under the BAA.

What to look for: The provision should require the BA to execute a BAA with each subcontractor before sharing PHI, and to ensure subcontractor BAAs include the same required provisions.

Practical note: You may also ask the BA to confirm the existence and coverage of its subcontractor BAAs as part of the vendor due diligence process. A BA that cannot identify its subcontractors or cannot confirm BAA status represents uncharted compliance exposure.


6. Access to PHI for individual rights

The BAA must require the business associate to make available PHI in accordance with:

  • The patient right of access under 45 CFR § 164.524 (copies of records)
  • The right to amendment under § 164.526
  • The accounting of disclosures under § 164.528

What to look for: The BA must cooperate with the covered entity when a patient requests records, requests amendments, or asks for an accounting of disclosures. The BAA should describe how the BA will respond to such requests from the covered entity.


7. HHS access for compliance review

The BAA must require the business associate to make its internal practices, books, and records — including policies, procedures, and PHI — available to HHS for purposes of determining compliance with HIPAA.

What to look for: This is a standard provision and most BAA templates include it. Verify it is present and not qualified in ways that would effectively prevent OCR access.


8. Return or destruction of PHI at termination

The BAA must provide that upon termination of the contract, the business associate will, if feasible, return or destroy all PHI received from or created on behalf of the covered entity, and retain no copies.

If return or destruction is not feasible — for example, because PHI is embedded in a system the BA cannot practically purge — the BAA must extend the protections of the agreement to that PHI indefinitely.

What to look for: This provision is frequently missing from vendor-supplied BAA templates, particularly for cloud services. The vendor may prefer language that permits indefinite retention. A compliant BAA must address the endpoint of the PHI relationship.

Practical note: Confirm what happens to PHI in the vendor’s system when you terminate the service agreement. Does the vendor delete it? When? How? Getting specific answers here — and confirming they are reflected in the BAA — prevents a vendor from retaining patient data indefinitely after you end the relationship.


Additional provisions that covered entities commonly include

Beyond the required elements, covered entities frequently negotiate for:

Shorter breach notification timeline: Require the BA to notify within 10, 15, or 30 days of discovering a breach, rather than the 60-day regulatory maximum. This gives the covered entity adequate time to meet its own patient notification deadline.

Right to audit: The right to audit the BA’s Security Rule compliance, or to request a current risk analysis summary.

Amendment provisions: Agreement to amend the BAA as required by changes in HIPAA regulations without requiring renegotiation of the full agreement.

Indemnification: The BA’s obligation to indemnify the covered entity for losses resulting from the BA’s HIPAA violations. This is a business negotiation point, not a HIPAA requirement.


The HHS sample BAA provisions

HHS publishes sample business associate agreement provisions at hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions. These provisions reflect the minimum required elements and are useful as a checklist when reviewing vendor-supplied BAAs. They are not a complete agreement — they must be combined with standard contract terms (scope of services, term, termination, payment, and governing law).


Before you sign a vendor BAA: a review checklist

  • Does it specify the permitted uses and disclosures accurately?
  • Does it prohibit unauthorized use and disclosure?
  • Does it require Security Rule compliance (not just “appropriate safeguards”)?
  • Does it require breach reporting with a defined timeline?
  • Does it require subcontractor BAAs?
  • Does it address patient right of access, amendment, and accounting?
  • Does it permit HHS access for compliance review?
  • Does it address return or destruction of PHI at termination?
  • Is the termination/disposal provision specific enough to be enforceable?
  • Does the breach reporting timeline give you adequate time to meet your 60-day patient notification deadline?

Sources: 45 CFR § 164.504(e) (BAA required provisions); 45 CFR § 164.308(b) (administrative safeguard BAA requirements); 45 CFR §§ 164.524, 164.526, 164.528 (patient rights); 45 CFR §§ 164.308, 164.310, 164.312 (Security Rule safeguards); HHS Sample Business Associate Agreement Provisions, hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions; HHS Business Associates guidance, hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates. Last verified May 20, 2026.