What must be included in a HIPAA BAA?

Under 45 CFR § 164.504(e), a compliant HIPAA BAA must include: (1) a description of permitted uses and disclosures of PHI; (2) a prohibition on uses beyond what is permitted; (3) safeguard obligations under the Security Rule; (4) breach and security-incident reporting to the covered entity; (5) subcontractor flow-down requirements; (6) provisions for individual rights access if applicable; (7) return or destruction of PHI upon termination; and (8) the covered entity's right to terminate for material breach.

What are the breach notification requirements under a HIPAA BAA?

Under 45 CFR § 164.410 and the BAA's breach notification clause, a business associate must report a discovered breach of unsecured PHI to the covered entity without unreasonable delay and no later than 60 days after discovery. The notification must include the identities of individuals affected, a description of the PHI involved, who impermissibly accessed it, and steps the business associate is taking to mitigate harm.

Can a business associate use subcontractors to handle PHI?

Yes, but the business associate must first execute a BAA with the subcontractor before sharing any PHI. This is known as the subcontractor flow-down requirement under 45 CFR § 164.308(b)(2). The subcontractor takes on the same obligations as the business associate, and the covered entity's original business associate remains liable if the subcontractor fails to comply.

What happens if a business associate violates HIPAA?

Business associates are directly subject to HIPAA enforcement since the HITECH Act (2009). The HHS Office for Civil Rights can impose civil monetary penalties on business associates ranging from $137 to $68,928 per violation (2024 adjusted amounts), up to approximately $2 million per category per year. Willful neglect can result in criminal penalties. The covered entity must also terminate the BAA if the breach is not cured.

Requirements

HIPAA BAA Requirements: What Must Be Included

By BAA Generator Research Team · Published Mar 12, 2026 · Last reviewed Apr 17, 2026 · 4 min read

Need a BAA right now?

Generate my BAA → See pricing →

Family resources. For HIPAA fundamentals (the three rules, covered entities, business associates), see ComplyCreate's guide to business associates. Covered entities also need a Notice of Privacy Practices — generate yours at NPP Generator.

Key Takeaways

✓ A HIPAA BAA must contain 7 mandatory provisions under 45 CFR § 164.504(e)
✓ Permitted uses of PHI must be explicitly listed — anything not listed is prohibited
✓ Breach notification must be addressed — business associates must report within 60 days
✓ Subcontractors must also sign BAAs before receiving any PHI
✓ PHI must be returned or destroyed at termination — or the BA must explain why it cannot be

Quick answer: Under 45 CFR § 164.504(e), a compliant HIPAA BAA must include seven mandatory provisions: (1) permitted uses and disclosures of PHI, (2) a prohibition on any use beyond what is permitted, (3) safeguard obligations, (4) breach and security-incident reporting, (5) subcontractor flow-down requirements, (6) return or destruction of PHI at termination, and (7) the covered entity's right to terminate for material breach. Missing any one of these is a HIPAA violation.

Not all Business Associate Agreements are created equal. A BAA that's missing required provisions isn't just a legal technicality — it's a HIPAA violation waiting to happen. Here's a clause-by-clause breakdown of everything your BAA must include under 45 CFR § 164.504(e).

1. Description of Permitted Uses and Disclosures

The BAA must clearly specify what the business associate is permitted to do with protected health information. This includes:

The specific services being performed (e.g., billing, data storage, IT support)
Whether the BA may use PHI for its own management and administration
Whether data aggregation for health care operations is permitted
Any disclosures required by law

The agreement must also prohibit all uses and disclosures not explicitly permitted — this is a common drafting mistake that creates compliance gaps.

2. Prohibition on Unauthorized Use or Disclosure

The BA must agree not to use or disclose PHI in any manner not permitted by the BAA or required by law. This seems obvious, but the specific language matters: regulators look for affirmative prohibitions, not just silence on a topic.

3. Safeguard Obligations

The business associate must agree to implement appropriate safeguards to prevent unauthorized use or disclosure, including compliance with the HIPAA Security Rule (Subpart C of 45 CFR Part 164) for electronic PHI. The BAA should reference:

Administrative safeguards (security officer designation, workforce training, access controls)
Physical safeguards (facility access, workstation policies)
Technical safeguards (encryption, audit controls, automatic logoff)

4. Breach and Security Incident Reporting

One of the most litigated provisions. The BAA must require the business associate to report to the covered entity:

Any breach of unsecured PHI under 45 CFR § 164.410 — within a specific timeframe (the HIPAA minimum is 60 calendar days after discovery, though many BAAs require faster notification)
Any security incident (including "unsuccessful" incidents like port scans and failed login attempts — these can be reported on a standing basis rather than individually)

5. Subcontractor Assurances

Under HITECH amendments, if the business associate uses subcontractors who access PHI, the BAA must require the BA to obtain written assurances — i.e., a sub-BAA — from those subcontractors that they will protect PHI to the same standards. The chain of liability extends downward.

6. Individual Rights Provisions

The BAA must include provisions ensuring the business associate will support the covered entity's obligations to patients:

Right of access (45 CFR § 164.524): The BA must make PHI in a designated record set available so patients can request their own records
Right to amendment (45 CFR § 164.526): The BA must make PHI available for amendment when requested
Accounting of disclosures (45 CFR § 164.528): The BA must track and report disclosures as required

7. Government Access

The business associate must make its internal practices, books, and records relating to PHI available to the HHS Secretary upon request for compliance investigations. This cannot be waived.

8. Term and Termination

The BAA must specify:

When the agreement takes effect and when it terminates (typically tied to the underlying services agreement)
The covered entity's right to terminate if the BA materially breaches the BAA — after notice and a reasonable cure period (typically 30 days)
What happens to PHI upon termination: the BA must return or destroy all PHI, or if that's infeasible, document why and continue to protect the data

Common Mistakes to Avoid

Using a template that doesn't reference the current HIPAA Rules (including HITECH amendments)
Failing to include breach notification timeframes — leaving them open-ended creates ambiguity
Not requiring subcontractor BAAs in the agreement language
Treating the BAA as a one-time formality rather than a living document that should be updated when HIPAA regulations change

For context on why these requirements exist, see our overview of what a Business Associate Agreement is. And if you're unsure whether your particular vendor relationship requires one, read when you need a HIPAA BAA.

Generate a compliant BAA in 5 minutes

HHS model BAA provisions · 45 CFR § 164.504(e) compliant · clean PDF + editable Word