What must be included in a HIPAA BAA?

A HIPAA BAA must include under 45 CFR § 164.504(e): (1) permitted uses and disclosures of PHI; (2) prohibition on uses not permitted or required; (3) appropriate safeguards; (4) breach/security incident reporting; (5) subcontractor obligations; (6) access to PHI for individuals; (7) amendment of PHI on request; (8) accounting of disclosures; (9) compliance with covered entity's HIPAA obligations; (10) return or destruction of PHI at termination; (11) covered entity's right to terminate for non-compliance.

Can I use an email agreement as a BAA?

No — a BAA must be a formal written agreement (or electronic equivalent) that contains all mandatory provisions under 45 CFR § 164.504(e). An informal email acknowledging HIPAA compliance does not constitute a BAA. The agreement must be signed by both parties and must include the specific required provisions.

Do I need a lawyer to create a HIPAA BAA?

Not necessarily. Many healthcare organizations use standardized BAA templates — including the model BAA language published by HHS — without attorney involvement for routine vendor relationships. Legal review is advisable for complex arrangements (e.g., large enterprise vendors, data use agreements, cloud computing services with novel terms). For standard vendor BAAs with EHRs, billing companies, or cloud storage, a well-drafted template is sufficient.

How long must you keep a signed BAA?

HIPAA requires covered entities and business associates to retain BAA documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later. This means you must retain BAAs even after a vendor relationship ends, for up to 6 years from the termination date.

Step-by-Step Guide

How to Create a HIPAA Business Associate Agreement (Step by Step)

By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 6 min read

Key Takeaways

✓ Creating a BAA is a 5-step process: identify BAs → confirm clauses → draft → execute → store
✓ A BAA must contain 11 mandatory provisions under 45 CFR § 164.504(e)
✓ No PHI may be shared with a vendor before the BAA is signed by both parties
✓ Electronic signatures are valid — you don't need wet ink or notarization
✓ BAAs must be retained for 6 years after termination

Direct answer: Creating a HIPAA BAA involves 5 steps: (1) identify which vendors are business associates, (2) confirm the agreement includes all required clauses, (3) draft the BAA using a compliant template, (4) execute it with the counterparty's signature before sharing any PHI, and (5) store the executed agreement for at least 6 years. You do not need a lawyer for routine vendor BAAs.

Most HIPAA violations involving BAAs aren't about complex legal disputes — they're about organizations that simply never executed the agreement at all, or used a template missing required provisions. This guide walks through exactly what a BAA must contain and how to get one signed correctly.

Identify Your Business Associates

Map every vendor, contractor, or service provider who creates, receives, maintains, or transmits PHI on your behalf. A business associate is any person or entity — other than a member of your workforce — who performs services for you that involve accessing PHI.

Common business associates that require BAAs:

EHR and practice management software vendors
Medical billing companies and clearinghouses
Cloud storage and backup services
IT support companies and managed service providers
Transcription and documentation services
Telehealth video platforms
Email service providers used for clinical communication
Legal counsel who reviews patient records
Accountants and auditors who access financial records containing PHI
Document shredding companies (they physically access records)

Conduct this mapping annually and whenever you add a new vendor. A spreadsheet with vendor name, service description, PHI accessed, and BAA status is sufficient for most practices.

Confirm All Required BAA Clauses

A BAA is only valid under HIPAA if it includes the mandatory provisions specified in 45 CFR § 164.504(e). Missing any of these provisions means the BAA is non-compliant, even if both parties signed it.

The 11 mandatory provisions a BAA must include:

Permitted uses and disclosures — what the business associate may do with the PHI
Prohibition on non-permitted uses — the BA may not use or disclose PHI other than as permitted
Appropriate safeguards — BA must implement reasonable safeguards to prevent unauthorized use
Reporting of breaches and security incidents — BA must report to covered entity within 60 days
Subcontractor requirements — BA must ensure subcontractors who access PHI have equivalent obligations
PHI access for individuals — BA must provide covered entity access to PHI for individual access requests
Amendment of PHI — BA must amend PHI per covered entity's direction
Accounting of disclosures — BA must make its accounting available to covered entity
Internal practices available to HHS — BA must make books and records available to HHS for compliance review
PHI at termination — BA must return or destroy all PHI upon termination of the agreement
Authorization for termination — covered entity may terminate if BA materially breaches the agreement

Draft the BAA

Use a compliant BAA template that includes all required provisions. Customize the description of services, permitted uses of PHI, and party-specific terms. Do not strip out mandatory provisions to shorten the document.

You have several options for drafting:

HHS model BAA language — HHS publishes model contract provisions on its website. They're accurate but generic.
BAA generator tool — produces a fully drafted, customized BAA in minutes based on your vendor relationship and services.
Attorney-drafted template — appropriate for complex or high-value vendor relationships; expect $500–$2,500 in attorney fees.
Vendor's standard BAA — most large vendors have their own. Review against the mandatory clause list before signing.

Key customization fields: covered entity name and contact, business associate name and contact, effective date, description of services, permitted uses of PHI, and specific breach notification contact information.

Execute the BAA with the Counterparty

Send the BAA to the vendor for review and signature. Both parties must sign before any PHI is shared. Electronic signatures (DocuSign, Adobe Sign, HelloSign) are legally valid for BAA execution.

Execution process in practice:

Send the draft BAA by email (PDF or shared document link) with a cover note explaining what it is and asking for countersignature
Allow the vendor a reasonable review period (typically 5–10 business days for standard terms)
If the vendor proposes changes (redlines), review against the mandatory clause list — required provisions cannot be deleted, but negotiable provisions include breach notification timelines, indemnification, and liability caps
Once both parties agree, obtain electronic or wet-ink signatures from authorized signatories
Confirm the effective date — the BAA should be backdated if any PHI was already shared (note: sharing PHI before executing a BAA is itself a violation; don't compound it by leaving the BAA undated)

Store and Track Your BAAs

Retain a fully executed copy of every BAA in your compliance records. HIPAA requires retention for 6 years from the date of creation or last effective date, whichever is later.

Practical storage and tracking recommendations:

Store executed BAAs in a dedicated compliance folder in HIPAA-compliant cloud storage (Google Drive Workspace, Dropbox Business, OneDrive Business — all with their own BAAs)
Maintain a master tracking spreadsheet: vendor, service, PHI type, BAA date, renewal/review date
Set calendar reminders to review BAAs every 2–3 years or whenever a vendor's services change materially
When a vendor relationship ends, note the termination date — the BAA must be retained for 6 more years
Confirm the vendor has returned or destroyed your PHI per the BAA termination clause

Skip the drafting — generate your BAA now

Create a fully drafted, HIPAA-compliant Business Associate Agreement in under 5 minutes. Covers all mandatory provisions under 45 CFR § 164.504(e). Free to start.

Generate BAA for Free →