How to Amend a HIPAA Business Associate Agreement
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026
Key Takeaways
- ✓ BAA amendments must be in writing and signed by both parties — verbal changes are not enforceable
- ✓ A valid amendment references the original BAA, states the exact change, and preserves all other terms
- ✓ Retain the amendment with the original BAA for 6 years per 45 CFR § 164.530(j)
- ✓ HIPAA regulatory updates can create a required amendment obligation for existing BAAs
A BAA amendment is a written modification to an existing Business Associate Agreement that changes one or more of its provisions without replacing the entire document. Understanding when and how to amend — rather than replace — a BAA saves time and preserves the history of your vendor relationship.
When an Amendment Is Required vs. Optional
Some circumstances create a mandatory obligation to amend an existing BAA; others make amendment advisable but not strictly required.
Amendment is required when:
- HIPAA regulations change in a way that makes existing BAA provisions non-compliant (e.g., after the HITECH Act expanded BA obligations, all pre-2009 BAAs required updating)
- The services performed by the business associate expand to include new PHI categories or new activities not permitted in the original agreement
- Permitted uses or disclosures change due to a new arrangement between the covered entity and the BA
- The BA adds subcontractors that must be disclosed and approved under the BAA's terms
Amendment is advisable but not strictly required when:
- You want to shorten the breach notification timeline (e.g., from 60 days to 15 days)
- You want to add or remove specific approved subcontractors from a schedule
- Contact information or authorized representative titles change
- You want to add stronger PHI return/destruction specifications upon termination
How to Write a BAA Amendment: 3-Step Process
An amendment to a BAA is a short, formal document. It does not need to be lengthy — a single page is typical. Here is the three-step process:
Step 1: Identify what needs to change. Document the specific provision(s) that need updating. Note the original agreement's full title, execution date, and both parties' legal names. Pull the exact language from the section being modified so you can reference it precisely in the amendment.
Step 2: Draft the amendment document. The amendment should include:
- A heading identifying it as "Amendment to Business Associate Agreement"
- A recitals paragraph identifying the original agreement by name, date, and parties ("that certain Business Associate Agreement dated [date] between [CE name] and [BA name]")
- A provision for each change, using the construction: "Section [X] of the Agreement is hereby amended to read as follows: [new text]" — or "Section [X] is hereby deleted in its entirety and replaced with: [new text]"
- A savings clause: "All other terms and conditions of the Agreement remain in full force and effect"
- An effective date for the amendment
- Signature blocks for authorized representatives of both parties
Step 3: Execute and file. Both parties' authorized representatives sign. Retain the signed amendment with the original BAA in your compliance records. Update your BAA tracking log to note the amendment date and the nature of the change.
What Must Be in a BAA Amendment
HIPAA does not prescribe a specific format for BAA amendments. The key legal requirements are:
- Written form — amendments cannot be verbal
- Mutual agreement — both parties must consent; one party cannot unilaterally amend a signed BAA
- Specificity — the amendment must be clear about which terms it modifies and what the new terms are
- Authority — signatures must be from individuals authorized to bind each organization
If the BAA contains a specific amendment clause (e.g., requiring amendments to be in writing and signed, or requiring notice within a certain period), those procedural requirements must be followed.
Amending a Vendor's BAA vs. Amending Your Own
When the vendor provided the original BAA, you can still propose a written amendment. Draft the amendment document yourself, reference the vendor's original by title and date, and send it for review and signature. The vendor may propose different language, which typically requires a negotiation round.
Some large vendors (Google, Microsoft, Salesforce) do not accept custom amendments to their standard BAAs. In those cases, your options are to accept the vendor's updated BAA when they release a new version, or to evaluate whether the existing terms are sufficient for your use case. See our guide on BAA negotiation tactics for approaches to this situation.
When you drafted the original BAA, you retain more control over the amendment process. You can prepare the amendment internally and present it to the vendor for signature.
Retention Requirements for Amended BAAs
Under 45 CFR § 164.530(j), covered entities must retain policies, procedures, and documentation related to HIPAA compliance for 6 years from the date of creation or the date it was last in effect — whichever is later.
For BAAs and their amendments, this means:
- The original executed BAA must be retained for 6 years from its termination or the date of the last amendment, whichever is later
- Each amendment must be retained for 6 years from its effective date or from the termination of the overall BAA, whichever is later
- If an amendment modifies a provision and is later itself amended, retain all versions of the provision
Store amendments in the same location as the original BAA — whether that is a contract management system, a secure shared drive, or a physical file — so the complete history of the agreement is accessible together.
Frequently Asked Questions
Can a BAA be amended verbally?
No. BAA amendments must be in writing and signed by authorized representatives of both parties. Verbal agreements to change BAA terms are not enforceable under HIPAA and create compliance risk if OCR later reviews your documentation.
How do you amend a BAA when the vendor provided the original?
Draft the amendment yourself, referencing the vendor's original agreement by title and date. Specify the exact provision being changed. Send it to the vendor for review and signature. The vendor may propose counter-language. If the vendor won't accept any amendment, you must decide whether their standard terms are sufficient or whether you need a different vendor.
Does amending a BAA restart the 6-year retention clock?
No. Amending a BAA does not restart the retention clock on the original agreement. The original must be kept for 6 years from when it was last in effect (i.e., from when the entire BAA relationship terminated). Each amendment must also be kept for 6 years from its effective date or from the BAA's termination, whichever is later.