HIPAA BAA Requirements: What Must Be Included
Not all Business Associate Agreements are created equal. A BAA that's missing required provisions isn't just a legal technicality — it's a HIPAA violation waiting to happen. Here's a clause-by-clause breakdown of everything your BAA must include under 45 CFR § 164.504(e).
1. Description of Permitted Uses and Disclosures
The BAA must clearly specify what the business associate is permitted to do with protected health information. This includes:
- The specific services being performed (e.g., billing, data storage, IT support)
- Whether the BA may use PHI for its own management and administration
- Whether data aggregation for health care operations is permitted
- Any disclosures required by law
The agreement must also prohibit all uses and disclosures that are not explicitly permitted. Omitting this catch-all prohibition is a common drafting mistake that creates compliance gaps.
2. Prohibition on Unauthorized Use or Disclosure
The BA must agree not to use or disclose PHI in any manner not permitted by the BAA or required by law. This seems obvious, but the specific language matters: regulators look for affirmative prohibitions, not just silence on a topic.
3. Safeguard Obligations
The business associate must agree to implement appropriate safeguards to prevent unauthorized use or disclosure, including compliance with the HIPAA Security Rule (Subpart C of 45 CFR Part 164) for electronic PHI. The BAA should reference:
- Administrative safeguards (security officer designation, workforce training, information access management policies)
- Physical safeguards (facility access, workstation policies)
- Technical safeguards (encryption, audit controls, automatic logoff)
4. Breach and Security Incident Reporting
One of the most litigated provisions. The BAA must require the business associate to report to the covered entity:
- Any breach of unsecured PHI under 45 CFR § 164.410, within a specific timeframe (the outer limit under the Rule is 60 calendar days after discovery, though many BAAs require faster notification)
- Any security incident (including "unsuccessful" incidents like port scans and failed login attempts — these can be reported on a standing basis rather than individually)
5. Subcontractor Assurances
Under HITECH amendments, if the business associate uses subcontractors who access PHI, the BAA must require the BA to obtain written assurances — i.e., a sub-BAA — from those subcontractors that they will protect PHI to the same standards. The chain of liability extends downward.
6. Individual Rights Provisions
The BAA must include provisions ensuring the business associate will support the covered entity's obligations to patients:
- Right of access (45 CFR § 164.524): The BA must make PHI in a designated record set available so the covered entity can fulfil patients' requests for their own records
- Right to amendment (45 CFR § 164.526): The BA must make PHI available for amendment when requested
- Accounting of disclosures (45 CFR § 164.528): The BA must track and report disclosures as required
7. Government Access
The business associate must make its internal practices, books, and records relating to PHI available to the HHS Secretary upon request for compliance investigations. This cannot be waived.
8. Term and Termination
The BAA must specify:
- When the agreement takes effect and when it terminates (typically tied to the underlying services agreement)
- The covered entity's right to terminate if the BA materially breaches the BAA — after notice and a reasonable cure period (typically 30 days)
- What happens to PHI upon termination: the BA must return or destroy all PHI, or if that's infeasible, document why and continue to protect the data
Common Mistakes to Avoid
- Using a template that doesn't reference the current HIPAA Rules (including HITECH amendments)
- Failing to include breach notification timeframes — leaving them open-ended creates ambiguity
- Not requiring subcontractor BAAs in the agreement language
- Treating the BAA as a one-time formality rather than a living document that should be updated when HIPAA regulations change
For context on why these requirements exist, see our overview of what a Business Associate Agreement is. And if you're unsure whether your particular vendor relationship requires one, read when you need a HIPAA BAA.