HIPAA BAA Permitted Uses and Disclosures: What the Clause Must Say
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ The permitted uses clause is a required BAA element under 45 CFR § 164.504(e)(2)(i)
- ✓ The clause must list what the BA may do with PHI — any use not listed is prohibited
- ✓ BAs may use PHI for their own management/administration only if the BAA permits it
- ✓ De-identified data is not PHI and is not restricted by the permitted uses clause
What Must Be Listed in Permitted Uses
The permitted uses and disclosures clause is the heart of any BAA. It defines the scope of what the business associate is authorized to do with the PHI it receives. Under 45 CFR § 164.504(e)(2)(i), the BAA must describe the permitted uses and disclosures sufficiently to establish what the BA is and is not allowed to do. For a full overview of what a BAA must contain, see what is a business associate agreement.
Standard permitted use categories that appear in virtually all BAAs include:
- Performing services for the covered entity — The BA may use and disclose PHI as necessary to perform the specific functions described in the service agreement (e.g., medical billing, IT support, EHR hosting).
- Management and administration of the BA — The BA may use PHI for its own internal management and administration, and to carry out its legal responsibilities, but only if those uses are necessary and the BAA expressly permits them.
- Reporting violations of law — The BA may disclose PHI to report violations of law to appropriate government authorities when required.
- As required by law — The BA may use or disclose PHI when required to do so by applicable law (e.g., law enforcement requests, public health reporting).
Prohibited Uses and the Closed-List Principle
The fundamental principle of the permitted uses clause is that it operates as a closed list: if a use is not listed, it is prohibited. This is the HIPAA minimum necessary standard in contractual form — the BA receives authorization only for specific, defined purposes.
Uses that should never appear in a permitted uses clause, and that should be explicitly excluded if a vendor tries to include them, are:
- Using PHI to market the BA's own products or services to patients
- Selling PHI to third parties for any purpose
- Using PHI for the BA's own research without separate authorization
- Using PHI to train AI or machine learning models without explicit permission
- Disclosing PHI to the BA's corporate affiliates beyond what is necessary for service delivery
The Minimum Necessary Principle and Permitted Uses
The HIPAA minimum necessary standard (45 CFR § 164.502(b)) requires that disclosures of PHI — including disclosures to business associates — be limited to the minimum amount necessary to accomplish the purpose. The permitted uses clause operationalizes this requirement by defining the scope of permissible use narrowly. For a deeper dive into how this standard applies, see HIPAA minimum necessary standard and BAAs.
In practice, this means that a cloud storage vendor's BAA should authorize using PHI for storage, backup, and retrieval — not for analytics, product testing, or any other purpose. A billing company's BAA should authorize using PHI to submit and follow up on claims — not to build patient profiles for marketing.
Specific vs. Broad Permitted Uses Language
Vendor-provided BAAs frequently include broad permitted uses language — phrases like "any purpose necessary to perform services" or "uses consistent with the vendor's standard operating procedures." This language is too vague to satisfy HIPAA's requirement that permitted uses be described in the BAA, and it gives the vendor unlimited discretion over PHI use.
A well-drafted permitted uses clause is specific. It names the services being performed, the types of PHI involved, and the exact purposes for which the BA may use that PHI. Specificity protects the covered entity and gives patients meaningful assurance about how their information is being used.
When reviewing a vendor-provided BAA, the permitted uses clause is one of the first provisions to scrutinize. Overly broad language is a red flag that warrants negotiation before signing.
De-Identified Data Is Not PHI
Once PHI has been properly de-identified under 45 CFR § 164.514 (either via safe harbor or expert determination), it is no longer PHI and is not subject to HIPAA restrictions — including the permitted uses clause of a BAA. Vendors who de-identify data before using it for analytics or product improvement are not violating the permitted uses clause — but the de-identification process itself must be properly executed and documented, and the BAA may need to address how and when de-identification occurs.
Frequently Asked Questions
What must a HIPAA BAA permitted uses clause include?
A HIPAA BAA permitted uses clause must specify the purposes for which the business associate may use and disclose PHI. At minimum it should include: using PHI to perform services for the covered entity; using PHI for BA management and administration (if the BAA permits); using PHI to carry out legal responsibilities; and any additional specific uses the parties agree to. Any use not expressly listed is prohibited under HIPAA's closed-list principle.
Can a business associate use PHI for its own purposes?
A business associate may use PHI for its own management, administration, and legal responsibilities only if the BAA expressly permits it and only as necessary for those purposes. A BA cannot use PHI for marketing, product development, or training AI models without explicit authorization from the covered entity — and in many cases, authorization from affected patients would also be required. Covered entities should review vendor BAAs carefully for any broad language that could permit unauthorized secondary uses.
What is the minimum necessary standard in a BAA context?
The HIPAA minimum necessary standard (45 CFR § 164.502(b)) requires that PHI shared with a BA be limited to the minimum amount needed to accomplish the purpose of the disclosure. The permitted uses clause should reflect this by describing uses that are specifically tailored to the services being performed, rather than broad authorizations to use PHI for any purpose the vendor deems consistent with service delivery.
Can a BAA allow a vendor to use PHI for product improvement?
Not without careful structure. A vendor using PHI to improve its own product is using PHI for the vendor's own benefit, not for the covered entity's operations. Such a use requires explicit permission in the BAA, must comply with the minimum necessary standard, and in many cases would require patient authorization under the Privacy Rule before proceeding. Covered entities should be skeptical of BAA language that broadly permits PHI use for "service improvement" or "product development."