What a Business Associate Contract Must Specify: The Complete Guide
Maybe you just found out your healthcare software vendor needs access to patient records. Or maybe you're a SaaS company that handles billing for a hospital network. Either way, someone just told you that you need a Business Associate Agreement, and now you're staring at a blank document wondering what you're supposed to put in it.
Here's the thing: this isn't optional paperwork you can half-read and sign. Get it wrong, and you're looking at federal civil penalties that can reach $1.5 million per year for each category of violation (the caps are adjusted for inflation, so the current figures are higher). That's not a typo.
So let's talk about what a business associate contract actually needs to say.
What Is a Business Associate Contract?
A Business Associate Agreement (BAA) is a legally binding contract required under HIPAA (the Health Insurance Portability and Accountability Act) whenever a "covered entity" shares protected health information (PHI) with a third party that will use or handle it on the covered entity's behalf. Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically for standard transactions; the third parties that do work for them involving PHI are "business associates."
Think of it this way: HIPAA creates a chain of responsibility for patient data. Covered entities can't just hand your medical records to anyone without safeguards in place. The business associate contract is the document that makes those safeguards official.
But here's what trips people up: it's not enough to have a contract. It has to be the right contract, one that covers all the bases. And the Department of Health and Human Services (HHS) isn't vague about what those bases are; the required elements are spelled out in the Privacy Rule at 45 CFR 164.504(e) and the Security Rule at 45 CFR 164.314(a).
Who Needs One?
If you run a company that handles PHI in any capacity — whether you're storing it, processing it, transmitting it, or just viewing it — you probably need a BAA. Common examples include:
- Cloud hosting providers
- IT managed service providers
- Medical billing companies
- EHR software vendors
- Data analytics firms
- Shredding and disposal services
- Consultant agencies
If you're unsure whether you need one, the safe answer is: when in doubt, get one. The cost of a properly drafted BAA is nothing compared to a HIPAA audit.
Why This Matters More Than You Think
Let me paint a picture. You're a growing health tech startup. You signed a "standard" BAA your legal team pulled from a template online. Two years later, a breach happens. Maybe it's a ransomware attack. Maybe an employee left a laptop in a coffee shop. Either way, 50,000 patient records are compromised.
You file your breach report. HHS shows up. They ask to see your business associate contract.
And that's when they notice your BAA doesn't include language about subcontractor obligations. Or it doesn't specify breach notification timelines. Or it lacks provisions for PHI return or destruction.
Suddenly, what seemed like a minor oversight becomes a $100,000 fine. Maybe more.
This happens, and more often than you'd think. BAAs get signed without being read, and template contracts don't always include every required element. The government doesn't care that you "didn't know." It cares about whether the contract actually protects patient data.
That's why understanding what must be specified isn't just legal trivia — it's business survival.
What a Business Associate Contract Must Specify
Here's the meat of it. Under HIPAA's Privacy Rule and Security Rule, your business associate contract needs to cover specific elements. Skip these, and your contract doesn't actually fulfill its purpose.
Permitted Uses and Disclosures
The contract must explicitly state what the business associate is allowed to do with the PHI it receives.
This isn't the place to be vague. You need to spell out the specific functions or activities the business associate performs on behalf of the covered entity, and permit PHI use only for those. The contract should prohibit any use or disclosure that isn't expressly permitted, and it can't authorize anything the covered entity itself couldn't do under the Privacy Rule.
It should also address whether the business associate can combine PHI with data from other sources for its own purposes. Usually, the answer should be no — or at least, not without explicit written authorization.
Obligations and Responsibilities of the Business Associate
This section is where you lay out what the business associate must actually do to protect the data. It typically includes:
- Complying with the HIPAA Privacy Rule and Security Rule requirements that apply to the business associate
- Implementing appropriate safeguards to ensure PHI confidentiality, integrity, and availability
- Reporting any security incidents or breaches to the covered entity
- Ensuring that any subcontractors or agents agree to the same restrictions
- Making PHI available for access requests from patients
- Allowing HHS to audit compliance
The key here is specificity. Don't just say "comply with HIPAA." Say what compliance looks like for this particular relationship.
Safeguards Requirement
Your contract must require the business associate to implement administrative, physical, and technical safeguards that reasonably and appropriately protect PHI.
What does that mean in practice? It means the contract should reference the Security Rule's requirements for:
- Access controls and authentication
- Encryption for data at rest and in transit
- Audit logging and monitoring
- Physical security measures
- Workforce training and security awareness
You can reference the Security Rule directly, but it's better practice to at least summarize the expectations so there's no ambiguity about what's required.
Breach Notification
This is one of the most critical sections, and it's where many template contracts fall short.
The contract must require the business associate to notify the covered entity of any breach of unsecured PHI, of any suspected breach, and of any security incident, without unreasonable delay. It should specify:
- The timeframe for notification. The Breach Notification Rule gives a business associate at most 60 days after discovery to notify the covered entity, but that is a ceiling, not a target; most contracts require notice within 24-72 hours of discovering a confirmed breach, with suspected breaches and other security incidents reported within a reasonable time
- How notification must be delivered (written, with specific content requirements)
- What information must be included (description of the breach, types of information involved, individuals affected, corrective actions)
Here's what most people miss: the contract should also address breaches involving the business associate's subcontractors. The obligation flows all the way down the chain.
Subcontractor Requirements
Speaking of the chain — if your business associate hires other companies to help handle PHI, those subcontractors are also "business associates" under HIPAA. Your contract must require the business associate to:
- Obtain written agreements from subcontractors that include the same BAA requirements
- Ensure subcontractors comply with all applicable HIPAA provisions
- Be responsible for any violations by subcontractors
These are called "flow-down" requirements, and they're non-negotiable. You can't contract out of accountability.
PHI Access, Amendment, and Accounting
Patients have rights under HIPAA. Your contract needs to address how the business associate supports those rights:
- Access: The business associate must make PHI available to the covered entity so they can fulfill patient access requests
- Amendment: The business associate must accommodate requests to amend PHI within the required timeframe
- Accounting: The business associate must maintain disclosure logs and provide information needed for the covered entity to respond to patient accounting requests
These aren't optional. If your contract doesn't address them, you're leaving patients without their legally guaranteed rights.
Return or Destruction of PHI
When the relationship ends, what happens to the data?
Your contract must specify what the business associate does with PHI once it's no longer needed. The standard requirement is that the business associate returns or destroys all PHI — and certifies in writing that this has been done.
There are some nuances here. Some contracts require destruction within a specific timeframe (30, 60, or 90 days is common). Some allow retention where return or destruction is infeasible, for example for legal or regulatory reasons; in that case HIPAA requires the business associate to keep extending the contract's protections to the retained PHI and to limit further use and disclosure to the purposes that make return infeasible. Whatever you decide, put it in writing.
This is also where you address the tricky question of PHI stored in backup systems, which can be harder to fully destroy. Spell out whether backups must be purged, or retained under the infeasibility provision with protections extended until they age out.
Term, Termination, and Survival
The contract needs clear language about:
- When it becomes effective
- How long it lasts (auto-renewal terms, if any)
- How either party can terminate it
- What happens upon termination (return/destruction of PHI, survival of certain provisions)
The termination provisions should address what happens if either party materially breaches the agreement. HIPAA actually requires the contract to authorize the covered entity to terminate it if the business associate violates a material term; in practice, either party can usually terminate for cause.
Audits and Inspections
Your contract should give the covered entity (or HHS) the right to audit the business associate's compliance. This typically includes:
- The right to inspect facilities, systems, and records
- Requirements for the business associate to provide compliance documentation
- Cooperation with HHS audits or investigations
Some contracts also require the business associate to obtain annual third-party audits (like SOC 2 or HITRUST certifications) and share the results.
Governing Law and Enforcement
The contract should specify which state's law governs it and where disputes will be resolved. More importantly, it should make clear that HHS has the right to enforce HIPAA requirements directly against business associates.
Since the 2009 HITECH Act (implemented in the 2013 Omnibus Rule), business associates are directly liable for HIPAA violations and can be penalized by HHS regardless of what the covered entity did. Your contract should acknowledge this.
Common Mistakes People Make With Business Associate Contracts
After seeing hundreds of these contracts, certain mistakes come up over and over:
Using outdated templates. HIPAA regulations have evolved. What was compliant in 2015 might have gaps today. Review your contracts regularly.
Assuming one-size-fits-all. A cloud hosting company needs different provisions than a medical billing service. Customize your BAA to the relationship.
Ignoring state laws. Some states have additional requirements beyond HIPAA. California, Texas, and others have their own data breach notification laws, and some impose stricter medical privacy requirements that apply alongside the federal rules.
Not addressing mobile devices and remote work. If your business associate's employees access PHI from laptops and phones, your contract should specifically address endpoint security and remote access controls.
Forgetting about business continuity. What happens if the business associate goes out of business or is acquired? Your contract should address how PHI is protected, returned, or destroyed in that scenario.
Vague breach notification language. "Promptly" isn't specific enough. Define timelines. Define what constitutes a reportable event.
Practical Tips for Getting This Right
Here's what actually works:
Start with a strong template, then customize. Don't write from scratch. Use a reputable template as your base (HHS publishes sample business associate agreement provisions), but review it with a lawyer who understands your specific situation.
Map your data flow. Before you draft or sign anything, understand exactly what PHI you're sharing, how it flows through the business associate's systems, and where it might go after that.
Get it signed before any PHI changes hands. This seems obvious, but people rush to get vendors onboarded and skip this step. Don't.
Keep records. Maintain signed BAAs, any amendments, and documentation of compliance audits. If HHS comes calling, you want a paper trail.
Review annually. Relationships change. Services change. Your contract should evolve with them.
Train your team. Everyone who handles PHI, including at your business associates, should understand what's in the contract and why it matters.
FAQ
Does a BAA need to be notarized?
No, notarization isn't required. A valid signature (electronic signatures are fine) is sufficient.
What happens if we don't have a BAA but we've been sharing PHI?
You're in violation of HIPAA. The covered entity is on the hook, but so are you as a business associate. Stop sharing PHI until a proper BAA is in place.
Can a business associate use PHI for its own marketing?
Generally no — not without explicit patient authorization. The BAA should prohibit this.
How long should we keep BAAs after the relationship ends?
At least six years from the date it was created or the date it was last in effect, whichever is later. HIPAA requires that policies, procedures, and related documentation, including BAAs, be retained for that period.
Do we need a separate BAA for each covered entity we work with?
Yes, typically. Each covered entity (hospital, health plan, etc.) needs its own agreement because each has its own PHI and its own requirements.
The Bottom Line
A business associate contract isn't just a formality. It's the document that defines how patient data gets protected throughout its journey outside your direct control. Get it right, and you've got a clear framework for accountability. Get it wrong, and you're playing roulette with your organization's reputation and finances.
The requirements aren't secret. They're written into HIPAA. But knowing what belongs in a BAA and actually putting it there are two different things. Take the time to do this properly; your future self will thank you.