10 Common HIPAA BAA Mistakes (and How to Avoid Them)
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 6 min read
Key Takeaways
- ✓ Missing BAA = automatic HIPAA violation, regardless of whether a breach occurs
- ✓ Outdated BAAs (pre-2013 HITECH Final Rule) may lack required elements
- ✓ Subcontractor BAAs are legally required under the HITECH Act — not optional
- ✓ Vendor-provided BAAs often have terms favorable to the vendor — review before signing
The 10 Most Common HIPAA BAA Mistakes
Mistake 1: Not Having a BAA with Every Business Associate
The most fundamental mistake — and the most common one OCR identifies in investigations — is sharing PHI with a vendor without a signed BAA in place. A BAA is required before any PHI is disclosed to a business associate. Sharing PHI without a BAA is an automatic HIPAA violation regardless of whether a breach, misuse, or harm occurs. If you discover this situation, see what to do when you discover a missing BAA.
Mistake 2: Using a Pre-2013 BAA Template
The 2013 HIPAA Omnibus/HITECH Final Rule significantly expanded BAA requirements, including: direct BA liability for Security Rule compliance, subcontractor BAA requirements, and expanded breach notification obligations. BAAs executed before 2013 may be missing these elements entirely. Every BAA in your portfolio should be reviewed against the post-2013 requirements.
Mistake 3: No Breach Notification Timeline Specified
A BAA that simply says the BA will notify the CE "as required by applicable law" without specifying a contractual timeline leaves the covered entity at risk. The statutory 60-day maximum is inadequate for most organizations' actual breach response needs. Best practice is to specify a 5–15 day contractual notification window in every BAA.
Mistake 4: Not Requiring Subcontractor BAAs
Under the HITECH Act, business associates must obtain BAAs from their own subcontractors who handle PHI. Many organizations verify that their direct vendors have signed BAAs but fail to confirm that those vendors have BAAs with their own subprocessors (cloud hosts, analytics tools, support platforms). Your BAA should explicitly require the BA to obtain subcontractor BAAs and to notify you before adding new subcontractors with PHI access.
Mistake 5: Accepting Vendor BAAs Without Reading Them
Many covered entities simply click through or sign vendor-provided BAAs without reviewing the terms. Vendor BAAs are drafted to protect the vendor — they commonly include: overly broad permitted uses, caps on liability at minimal contract amounts, one-sided indemnification, and broad rights to use PHI for product improvement. Always review against the required elements and your organization's risk tolerance before signing.
Mistake 6: Not Tracking BAA Expiration and Renewal
BAAs that expire without renewal leave the covered entity with no contractual protection for ongoing PHI sharing. Maintaining a BAA compliance log with expiration dates and 90-day renewal reminders is a HIPAA compliance best practice and should be standard in any compliance program.
Mistake 7: Not Updating BAAs When Vendor Services Change
If a vendor expands their services — adding new features, integrating new subprocessors, or handling new categories of PHI — the existing BAA's permitted uses clause may no longer accurately describe what the vendor is doing with PHI. Material service changes should trigger a BAA review and amendment. See what to do when a vendor requires BAA changes for related guidance.
Mistake 8: Assuming SOC 2 Replaces a BAA
SOC 2 and HIPAA BAAs are completely separate. A SOC 2 Type II report demonstrates that a vendor's security controls were audited and found to be operating effectively. A BAA is a legal contract establishing HIPAA compliance obligations. A vendor can have exemplary SOC 2 results and still decline to sign a HIPAA BAA. SOC 2 does not substitute for a BAA and should not be accepted as a replacement.
Mistake 9: No Data Return or Destruction Provision
A HIPAA BAA must include provisions for return or destruction of PHI at termination — this is a required element under 45 CFR § 164.504(e)(2)(ii)(J). BAAs that omit this provision are non-compliant, and covered entities who terminate a vendor relationship without retrieving or confirming destruction of their PHI face ongoing risk. Verify this clause is present and specific about procedures and timelines.
Mistake 10: Sharing PHI Before a BAA Is Signed
This is closely related to Mistake 1 but distinct: some organizations begin onboarding a vendor — configuring access, running test data, or piloting the service — before the BAA is executed. Even a trial or pilot involving real PHI requires a signed BAA. The BAA must be in place before any PHI is shared, full stop. Use de-identified or synthetic data for pre-BAA testing where possible.
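As an added illustration (not part of the original article or of the BAA Generator service), the following Python checks a BAA register against Mistakes 2, 3, 4, 6 and 9 above and reports each gap by mistake number; the record fields, thresholds and sample vendors are constructed assumptions, not a standard schema.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class BAARecord:
    # Constructed register schema (an assumption, not a standard format)
    vendor: str
    executed: date
    expires: Optional[date]            # None when the BAA has no fixed term
    breach_notice_days: Optional[int]  # None means only "as required by applicable law"
    subcontractor_clause: bool         # BA must obtain subcontractor BAAs
    return_destroy_clause: bool        # return/destruction of PHI at termination

PRE_2013 = date(2013, 1, 1)           # article's threshold for an outdated template
RENEWAL_REMINDER = timedelta(days=90) # article's renewal reminder window
MAX_NOTICE_DAYS = 15                  # upper end of the recommended 5-15 day window

def audit_baa(rec: BAARecord, today: date) -> List[str]:
    """Return the gaps found in one BAA, labelled by the article's mistake numbers."""
    findings: List[str] = []
    if rec.executed < PRE_2013:
        findings.append("Mistake 2: executed pre-2013; review against Omnibus Rule elements")
    if rec.breach_notice_days is None:
        findings.append("Mistake 3: no contractual breach notification timeline")
    elif rec.breach_notice_days > MAX_NOTICE_DAYS:
        findings.append(f"Mistake 3: {rec.breach_notice_days}-day notice exceeds {MAX_NOTICE_DAYS}")
    if not rec.subcontractor_clause:
        findings.append("Mistake 4: no subcontractor BAA requirement")
    if rec.expires is not None:
        if rec.expires < today:
            findings.append("Mistake 6: BAA expired; no contractual protection")
        elif rec.expires - today <= RENEWAL_REMINDER:
            findings.append(f"Mistake 6: expires in {(rec.expires - today).days} days; start renewal")
    if not rec.return_destroy_clause:
        findings.append("Mistake 9: missing return/destruction of PHI provision")
    return findings

def audit_portfolio(records: List[BAARecord], today: date) -> Dict[str, List[str]]:
    return {r.vendor: audit_baa(r, today) for r in records}

def run_sample() -> Dict[str, List[str]]:
    # Constructed sample vendors; dates chosen to trigger each check
    today = date(2026, 4, 20)
    register = [
        BAARecord("cloud-host", date(2012, 6, 1), None, 60, False, True),
        BAARecord("billing-saas", date(2023, 3, 15), date(2026, 6, 4), 10, True, True),
        BAARecord("analytics", date(2021, 1, 10), date(2025, 12, 31), None, True, False),
    ]
    return audit_portfolio(register, today)
```

A vendor with no findings returns an empty list, so the output doubles as the compliance log entry described under Mistake 6.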
Frequently Asked Questions
What is the most common HIPAA BAA mistake?
The most common HIPAA BAA mistake is simply not having a BAA in place with every vendor that accesses PHI. This is also the most serious mistake — sharing PHI with a business associate without a signed BAA is an automatic HIPAA violation that creates direct OCR enforcement exposure regardless of whether a breach occurs. OCR routinely identifies missing BAAs as a primary violation in healthcare data breach investigations.
Does a SOC 2 report replace the need for a BAA?
No. A SOC 2 report is an independent security audit that evaluates a vendor's controls against the AICPA Trust Service Criteria. A BAA is a HIPAA legal contract establishing specific compliance obligations. They are completely separate instruments serving different purposes. A vendor can have excellent SOC 2 results and still not be willing to sign a HIPAA BAA. Always obtain a BAA regardless of the vendor's SOC 2, ISO 27001, or other security certification status.
Do I need to update my BAA when a vendor changes their services?
Yes, if the service change materially affects the scope of PHI the vendor accesses or the purposes for which they use it. A vendor adding new features, expanding integrations with third-party tools, or changing their data processing architecture may require a BAA amendment to ensure the permitted uses clause accurately reflects the current arrangement. Conduct a BAA review whenever a vendor notifies you of material service changes.
What happens if I discover I've been missing a BAA?
Stop sharing PHI with that vendor until a BAA is executed. Document the gap discovery and remediation efforts in writing as part of your compliance record. Assess whether any breaches or impermissible disclosures occurred during the period without a BAA. If a breach occurred, follow the HIPAA Breach Notification Rule timelines. Conduct a broader BAA audit to identify whether other vendor relationships are also missing agreements.
Fix BAA Gaps Before OCR Finds Them
Generate a HIPAA-compliant BAA for any missing vendor relationship in minutes — free, no account required.