HIPAA Business Associate Agreement

HIPAA business associate agreement template and HIPAA BAA checklist

Quick answer

A HIPAA Business Associate Agreement (BAA) is a legally required written contract, mandated under 45 CFR 164.504(e), [4] between a covered entity and any vendor, contractor, or service provider that creates, receives, maintains, or transmits Protected Health Information (PHI) on the covered entity’s behalf.

A compliant BAA defines how PHI may be used, requires appropriate safeguards, mandates breach notification within 60 days, [3] and extends HIPAA obligations to the BA’s own sub-contractors under HITECH. [5] No PHI handling begins before a BAA is signed. The BAA is the legal foundation of HIPAA third-party vendor risk management, but executing it is the start of the compliance obligation, not the end.

Key takeaways

  • A HIPAA BAA is required before any vendor, contractor, or service provider handles PHI. Cloud providers, SaaS platforms, and email systems are included. There are no category exemptions when PHI access exists.
  • HITECH extended HIPAA obligations to Business Associates’ sub-contractors. [5] A BAA must require the BA to impose equivalent safeguards on its own sub-contractors, making fourth-party risk a mandatory HIPAA compliance consideration.
  • 90% of serious healthcare data breaches involve a third-party Business Associate. [2] A signed BAA does not prevent breaches. Continuous vendor monitoring is what reduces breach probability.
  • The Change Healthcare breach of February 2024 exposed one in three Americans’ health data [6] through a known Business Associate relationship. Affected organisations all had BAAs in place. Most lacked continuous monitoring.
  • HIPAA penalties for wilful neglect reach $1.9 million per violation category per year. [1] OCR investigates BAA programme gaps as separate violations from any breach that triggered the investigation.
  • A BAA template satisfies the documentation requirement under 45 CFR 164.504(e). [4] The ongoing due diligence requirement under 45 CFR 164.308(a)(1) [7] requires independent verification that the safeguards the BAA mandates actually exist.

What Is a HIPAA Business Associate Agreement?

A HIPAA Business Associate Agreement is a written contract required under 45 CFR 164.504(e) of the HIPAA Privacy Rule. [4] It must be in place before any Business Associate creates, receives, maintains, or transmits Protected Health Information on behalf of a covered entity. The agreement defines the permitted uses and disclosures of PHI, requires the BA to apply appropriate safeguards, and establishes the terms under which the covered entity can terminate the relationship if the BA violates the agreement.

The HITECH Act of 2009 significantly expanded BAA obligations. [5] It made Business Associates directly liable for HIPAA compliance, not just contractually liable to the covered entity, and extended the BAA requirement to Business Associates’ own sub-contractors.

A BAA is not a vendor security questionnaire, a privacy policy, or a generic data processing agreement. It is a HIPAA-specific legal instrument with specific required provisions defined by federal regulation. Missing any one of those provisions makes the BAA non-compliant, which means the covered entity may be operating without a valid BAA regardless of whether a breach has occurred.

The HIPAA BAA fits within a broader healthcare TPRM programme. Neotas covers how BAA execution connects to the full 7-stage vendor lifecycle from onboarding through to offboarding and PHI destruction confirmation.

Who Needs a HIPAA Business Associate Agreement?

A BAA is required between a covered entity and any Business Associate. The breadth of who qualifies as a Business Associate surprises most compliance teams when they first audit their vendor portfolio.

Who is a covered entity?

Covered entities include healthcare providers who transmit health information electronically (hospitals, physician practices, pharmacies, labs), health plans (insurance companies, HMOs, Medicare, Medicaid), and healthcare clearinghouses. If your organisation creates, stores, or transmits PHI electronically and falls into one of these categories, HIPAA applies.

Who is a Business Associate?

A Business Associate is any person or entity that performs functions or activities on behalf of a covered entity involving the use or disclosure of PHI, or provides services to a covered entity where PHI access is involved. The six most commonly missed categories are:

Technology and software vendors

EHR vendors, cloud storage, SaaS platforms, data analytics firms, AI tools that access patient data, email providers used for PHI communications

Administrative and billing services

Medical billing companies, revenue cycle management firms, healthcare clearinghouses, coding services, claims processing vendors

Professional service providers

Healthcare attorneys, consultants, accountants, and auditors who access PHI in the course of providing services

Clinical and diagnostic vendors

Transcription services, lab testing companies, pharmacy benefit managers, telehealth platforms, medical device companies whose devices transmit PHI

Physical record vendors

Medical record storage and destruction companies, document shredding services, couriers that transport PHI-containing materials

Sub-contractors (HITECH created this)

Any sub-contractor of a Business Associate who creates, receives, maintains, or transmits PHI. HITECH created direct HIPAA liability for these entities. BAA obligations must flow through from the covered entity to the BA to the sub-contractor. [5]

Who does not need a BAA?

A BAA is not required for treatment relationships between providers where PHI is shared for care coordination (the treatment exception), entities receiving PHI as required by law (public health authorities, law enforcement), employers receiving employee health information for employment purposes, or conduits that transport PHI without accessing it (postal services, telephone carriers that do not store the PHI in transit).

The most common BAA gap: cloud and SaaS vendors

Healthcare organisations frequently overlook cloud storage providers, SaaS productivity tools, and email platforms as Business Associates. Google Workspace, Microsoft 365, Dropbox, Slack, and similar tools require a HIPAA BAA if staff use them to store or transmit PHI. Most major cloud providers offer HIPAA BAAs on request. The compliance failure is typically not that the BAA is unavailable. It is that the covered entity never confirmed it was in place before enabling PHI use on the platform.

Related: Enhanced due diligence checklist for healthcare vendors covers the verification steps that go beyond BAA execution to confirm a vendor is genuinely HIPAA-compliant.

  • $1.9M: maximum HIPAA penalty per violation category per year for wilful neglect [1]
  • 90%: share of serious healthcare data breaches that involve a third-party Business Associate [2]
  • 1,000+: vendors the average hospital works with simultaneously, each a potential HIPAA BA [2]
  • 60 days: maximum time a Business Associate has to notify a covered entity after discovering a PHI breach [3]

What a HIPAA Business Associate Agreement Must Contain: 8 Required Provisions

HHS defines the required contents of a HIPAA BAA at 45 CFR 164.504(e). [4] A BAA that omits any of the eight provisions below is non-compliant regardless of whether a breach has occurred. OCR audits check for each provision specifically, and an organisation with a non-compliant BAA faces the same penalty exposure as one with no BAA at all.

1. Permitted uses and disclosures of PHI

The BAA must clearly define the specific purposes for which the BA may use or disclose PHI. Uses and disclosures must be limited to what is necessary for the BA to perform its services. An open-ended clause permitting any use the BA deems appropriate is non-compliant. The HIPAA minimum necessary standard applies: the BA may access only the PHI required for the contracted function.

2. Prohibition on unauthorised use or disclosure

The BAA must explicitly prohibit the BA from using or disclosing PHI for any purpose beyond those specifically permitted. This prohibition must be enforceable through the agreement’s termination provisions. An implied prohibition is not sufficient.

3. Appropriate safeguards requirement

The BAA must require the BA to implement appropriate administrative, physical, and technical safeguards, including the safeguards required under the HIPAA Security Rule for electronic PHI. This provision is the contractual basis for requiring SOC 2 Type II audits, ISO 27001 certification, penetration testing, MFA enforcement, and data residency controls from vendor relationships.

4. Breach notification timeline

The BA must notify the covered entity of any breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery, per 45 CFR 164.410. [9] Most organisations negotiate shorter timelines contractually: 24 to 72 hours is common for material incidents. The 60-day statutory limit is a ceiling, not a target. Notifications must include the nature of the breach, the types of PHI involved, the individuals affected, steps taken to investigate, and steps taken to mitigate harm.

5. Sub-contractor obligations (the HITECH requirement most templates miss)

HITECH requires the BA to enter into a BAA with its own sub-contractors who access PHI and to impose equivalent HIPAA safeguards on those sub-contractors. [5] This provision must be explicit and enforceable, with specific language requiring the BA to “enter into” a BAA with sub-contractors, not merely to “endeavour to” or “consider” doing so. Most generic BAA templates use aspirational language that is legally unenforceable. This is the exact fourth-party risk gap the Change Healthcare breach exploited. [6]

6. Individual rights support

If the BA maintains PHI in a designated record set, the BAA must require the BA to make that PHI available to the covered entity so patients can exercise HIPAA rights of access, amendment, and accounting of disclosures. The BA must also accommodate requests to provide PHI in electronic format when patients request it.

7. HHS audit cooperation

The BAA must require the BA to make its internal practices, books, and records relating to PHI available to HHS for determining the covered entity’s compliance with HIPAA. This provision must be explicit. When HHS requests access and the BA refuses, the covered entity’s contractual right to require cooperation does not shield it from liability if the right was never exercised.

8. PHI return or destruction at termination

At the end of the relationship, the BAA must require the BA to return or securely destroy all PHI. A one-line email from the BA stating data was deleted is not compliant. The documented confirmation must specify: the method of destruction, confirmation that all copies and backups were addressed, the date of destruction, and the name of the individual at the BA who confirmed it. Residual PHI access left active with a former BA is a HIPAA violation regardless of whether a subsequent breach occurs.

The practical gap between provisions 3, 4, and 5

Provisions 3 (safeguards), 4 (breach notification), and 5 (sub-contractor obligations) are where most organisations have the deepest gap between what the BAA says and what they actually verify. A BAA that requires safeguards but never checks them is documentation, not compliance. A BAA that requires sub-contractor BAAs but never confirms those BAAs exist leaves fourth-party risk entirely unmanaged. The Neotas vendor due diligence methodology closes exactly these three gaps.

HIPAA Business Associate Agreement Template: 6 Sections Every BAA Needs

HHS publishes model BAA language at its official guidance page. [8] That model is a starting point. A production-ready BAA for high-risk Business Associates requires additional provisions beyond the HHS model: stronger breach notification timelines, specific sub-contractor obligation language, and amendment mechanisms for when regulations change.

Each section below lists what it must cover and the most common gap found in generic templates.

Definitions
  • What it must cover: PHI, ePHI, covered entity, Business Associate, sub-contractor, designated record set, breach. All terms must track to 45 CFR definitions.
  • Most common gap in generic templates: Definitions that diverge from regulatory text, creating enforceability gaps when an incident occurs.

Obligations of the BA
  • What it must cover: All 8 required provisions: permitted uses, prohibition, safeguards, breach notification, sub-contractor obligations, individual rights, HHS access, PHI return and destruction.
  • Most common gap in generic templates: Sub-contractor clause using “endeavour to” language rather than “shall require”: aspirational, not enforceable.

Obligations of the covered entity
  • What it must cover: Notice of privacy practices, notification of PHI use restrictions, notification of revocation of authorisations.
  • Most common gap in generic templates: Absent entirely, creating an asymmetric agreement that may not constitute a valid contract.

Permitted uses and disclosures
  • What it must cover: Specific uses for the BA’s services; management and administration; required by law; data aggregation if permitted; de-identification. Must be exhaustive.
  • Most common gap in generic templates: Blanket permission for “operational purposes” or “as necessary to provide services”: too broad to be enforceable.

Term and termination
  • What it must cover: Effective date, duration, termination for cause (material breach with cure period), termination for convenience, effect of termination, survival clause for audit rights.
  • Most common gap in generic templates: No cure period defined; no survival clause for post-termination obligations including HHS audit rights.

Miscellaneous provisions
  • What it must cover: Governing law, amendment procedure, interpretation clause (HIPAA regulations prevail in conflicts), entire agreement, severability.
  • Most common gap in generic templates: No amendment mechanism, meaning the BAA cannot be updated when HHS changes regulations without executing a completely new agreement.

Before using a generic BAA template from the internet

Most generic BAA templates circulating online are missing enforceable sub-contractor obligations, have vague breach notification timelines, and lack covered entity obligations entirely. OCR has cited organisations for BAAs that technically existed but were legally insufficient. Have your BAA template reviewed by healthcare counsel familiar with current HHS guidance before executing it with Critical-tier Business Associates.

When Is a Business Associate Agreement Required?

A BAA is required whenever a covered entity shares PHI with a Business Associate to perform services on its behalf. The triggering condition is the sharing of PHI for service purposes, not the creation of a formal vendor contract, not the passage of time, and not the nature of the services. If PHI is being shared for a service relationship, a BAA must be in place before that sharing begins.

BAA is required when:

  • A cloud provider stores electronic health records containing PHI
  • A billing company accesses patient data to process claims
  • An IT support vendor has remote access to systems containing PHI
  • An email provider delivers PHI-containing communications on behalf of the covered entity
  • A telehealth platform hosts virtual appointments involving PHI
  • A shredding company destroys paper records containing PHI
  • A data analytics firm processes records that include PHI
  • A BA’s sub-contractor accesses PHI on the BA’s behalf (HITECH) [5]

BAA is NOT required when:

  • Providers share PHI with other providers for treatment purposes (treatment exception)
  • Disclosures are required by law (public health authorities, law enforcement)
  • Conduit carriers transport PHI without storing it (postal services, telephone carriers)
  • Employers receive employee health information for employment purposes
  • Researchers receive a limited data set under a data use agreement
  • Financial institutions process payment transactions under the specific HIPAA exception

What happens when a BAA gap is discovered after PHI has already been shared

If PHI has been shared with a Business Associate without a signed BAA, the covered entity is already in violation of the HIPAA Privacy Rule. The violation exists independently of any breach. OCR’s response to discovered BAA gaps depends on the covered entity’s response: prompt identification, execution of a retroactive BAA where legally permissible, documentation of the gap, and corrective action can reduce but cannot eliminate penalty exposure. Voluntary disclosure through the OCR self-reporting mechanism typically results in lower penalties than discovery during an OCR-initiated investigation.


A signed BAA is the start of your HIPAA vendor obligation, not the end

Most covered entities execute BAAs and assume compliance is satisfied. The HIPAA obligation is ongoing due diligence: verifying that safeguards actually exist, that sub-contractor obligations have been passed through, and that continuous monitoring is in place. Neotas provides the intelligence-led vendor assessment that connects your BAA programme to real risk management.


HIPAA BAA and Third-Party Vendor Risk Management

A HIPAA Business Associate Agreement and a vendor risk management programme are not the same thing. Executing one does not substitute for the other. This is the most consequential misunderstanding in healthcare compliance, and OCR enforcement history confirms the cost of that misunderstanding.

The BAA is a legal instrument. It creates obligations and defines what should happen. A vendor risk programme is the operational infrastructure that verifies those obligations are being met continuously, not just at the point of signature.

What the BAA does

  • Creates a legal obligation for the BA to implement safeguards
  • Defines the permitted uses and disclosures of PHI
  • Establishes breach notification timelines
  • Creates the legal basis for termination if the BA violates the agreement
  • Passes HIPAA obligations through to the BA’s sub-contractors

What the vendor risk programme does

  • Verifies the safeguards actually exist through independent assessment
  • Monitors the BA continuously for adverse media, financial distress, and security incidents
  • Confirms sub-contractor BAAs have actually been executed and maintained
  • Provides the evidence trail OCR examines when a breach occurs
  • Identifies risks that the BA would not voluntarily disclose on a questionnaire

The February 2024 Change Healthcare breach makes this distinction concrete. The ransomware attack exposed one in three Americans’ health data [6] and caused hospitals to report revenue declines of up to 17% in the weeks following the attack. [10] The organisations affected all had BAAs with Change Healthcare. Security researchers had flagged vulnerabilities in Change Healthcare’s infrastructure publicly in the months before the attack. Annual questionnaire-based reviews would not have surfaced those warnings. Continuous monitoring would have.

HIPAA’s ongoing due diligence requirement at 45 CFR 164.308(a)(1) [7] is not satisfied by executing a BAA. OCR’s guidance is clear that covered entities must periodically assess and manage the risks to PHI created by their Business Associates throughout the relationship. A mature HIPAA healthcare vendor risk programme integrates the BAA lifecycle with continuous third-party monitoring.

HITECH and Sub-contractor Obligations: The Fourth-Party Risk Gap

Direct answer

HITECH (2009) [5] made Business Associates directly liable under HIPAA and extended BAA obligations to their sub-contractors. When a BA shares PHI with a sub-contractor, that sub-contractor must have its own BAA with the BA and must comply with HIPAA’s Security Rule safeguards. The covered entity’s BAA must require this. Most covered entities never verify whether their BAs have actually executed sub-contractor BAAs.

Before HITECH, Business Associates were only contractually liable to covered entities through the BAA. After HITECH, BAs are directly liable to HHS under HIPAA, and their sub-contractors who handle PHI are also Business Associates with direct regulatory obligations.

The sub-contractor chain obligation in practice

When your BA shares PHI with a sub-contractor, the BA must enter into a BAA with that sub-contractor. The sub-contractor must comply with the HIPAA Security Rule. If the sub-contractor breaches PHI, the BA faces direct OCR liability, and the covered entity faces OCR scrutiny over whether it verified that its BA had the required sub-contractor BAA obligations actually in place. Having the clause in your BAA is not the same as verifying it was acted on.

What this means for your BAA programme

Your BAA with the BA must contain an explicit, enforceable requirement that the BA enter into equivalent BAAs with its own sub-contractors. But executing that BAA clause does not verify that the BA has actually done so. Most covered entities never confirm whether their BAs’ sub-contractors have BAAs in place. For Critical-tier BAs (EHR vendors, cloud platforms, revenue cycle companies), your due diligence programme should include requesting the BA’s sub-contractor BAA inventory as part of onboarding and annual review.

The Change Healthcare parallel

Change Healthcare relied on cloud infrastructure and sub-contractors that created additional PHI exposure points invisible to covered entities. [6] HITECH required Change Healthcare to impose equivalent safeguards on those sub-contractors. Most BAAs between covered entities and Change Healthcare did not contain sufficiently specific sub-contractor verification requirements. The covered entities had no visibility into whether that obligation had been met.

The Neotas OSINT investigation methodology specifically addresses fourth-party visibility: mapping a BA’s sub-contractor structure to surface undisclosed cloud dependencies, beneficial ownership connections, and sub-contractors that may be handling PHI without adequate safeguards or BAA coverage.

BAA Requirements vs HIPAA Compliance Reality: Where Programmes Fail

OCR enforcement data shows a consistent pattern in how HIPAA BAA-related violations arise. The gap is rarely a missing BAA. The gap is almost always between what the BAA says and what the covered entity has actually verified, monitored, or enforced.

For each BAA provision below: what the BAA says, what most covered entities actually do, and the resulting compliance gap.

Appropriate safeguards
  • What the BAA says: BA shall implement appropriate administrative, physical, and technical safeguards.
  • What most covered entities actually do: Accept the BA’s self-certified security questionnaire response.
  • The compliance gap: The questionnaire captures what the BA discloses. Independent assessment verifies whether safeguards actually exist.

Sub-contractor obligations
  • What the BAA says: BA shall enter into BAAs with sub-contractors who access PHI.
  • What most covered entities actually do: Execute the BA BAA and take no further action regarding sub-contractors.
  • The compliance gap: Most covered entities have no visibility into whether the BA has executed BAAs with its own sub-contractors.

Ongoing monitoring
  • What the BAA says: HIPAA requires ongoing due diligence per 45 CFR 164.308(a)(1). [7]
  • What most covered entities actually do: Annual questionnaire review cycle treated as satisfying the ongoing standard.
  • The compliance gap: Most incidents occur between annual reviews. Annual cycles do not satisfy the HIPAA ongoing standard.

Breach notification
  • What the BAA says: BA shall notify within 60 days (or contractual timeline) of discovering a breach. [9]
  • What most covered entities actually do: Execute the clause but never test whether the BA’s incident response process would trigger notification within the contractual timeline.
  • The compliance gap: Untested notification procedures fail in practice. BAs without pre-defined internal escalation paths miss the 60-day window.

PHI return on termination
  • What the BAA says: BA shall return or destroy all PHI at termination with documented confirmation.
  • What most covered entities actually do: Accept a one-line email from the BA stating data was deleted.
  • The compliance gap: Documented destruction confirmation with method, scope, date, and responsible individual is required. A deletion email is not compliant.

HIPAA penalties for BAA failures: current OCR tiers

For each violation category: the penalty per violation, the annual cap per category, and its relevance to BAA failures.

Unknowing violation
  • Per violation: $100 to $50,000
  • Annual cap per category: $25,000
  • BAA relevance: Rare for BAA failures: BAAs are a well-known HIPAA requirement.

Reasonable cause
  • Per violation: $1,000 to $50,000
  • Annual cap per category: $100,000
  • BAA relevance: Missing BAA for a known vendor, or BAA with insufficient provisions discovered after a breach.

Wilful neglect, corrected
  • Per violation: $10,000 to $50,000
  • Annual cap per category: $250,000
  • BAA relevance: Repeated failure to execute BAAs despite knowing the requirement, corrected after OCR investigation.

Wilful neglect, not corrected
  • Per violation: $50,000
  • Annual cap per category: $1,900,000
  • BAA relevance: Systemic failure across multiple vendor relationships with no corrective action. [1]

OCR investigates BAA programmes during breach investigations, not just the breach itself

When a breach involving a Business Associate triggers an OCR investigation, OCR does not limit its investigation to the breach. It examines whether a BAA was in place, whether the BAA contained all required provisions, whether the covered entity conducted ongoing due diligence of the BA’s safeguards, and whether there was a documented incident response process. Organisations with a breach and an inadequate BAA programme face compounded penalty exposure: the breach violation and the BAA programme violation are assessed separately.

5 HIPAA BAA Mistakes That Create Regulatory Exposure

These are the patterns OCR finds most frequently during HIPAA investigations. They appear across all organisation sizes and all vendor types, from small practices to large health systems.

Mistake 1: Missing BAAs for cloud and SaaS vendors

The most common OCR finding is BAAs that exist for traditional healthcare vendors (billing companies, EHR vendors) but are missing for cloud storage providers, email platforms, collaboration tools, and SaaS applications that employees use to store or process PHI. If Google Workspace, Microsoft 365, Dropbox, Slack, or any other cloud tool is used to handle PHI and no HIPAA BAA is in place, the covered entity is in violation. Most major cloud providers offer HIPAA BAAs on request. The compliance failure is typically not that the BAA is unavailable. It is that the covered entity never requested or confirmed it before enabling PHI use on the platform.

Mistake 2: Generic BAA templates without healthcare counsel review

Many organisations use BAA templates from online repositories, legal form websites, or template libraries. Most of these templates are legally insufficient for HIPAA purposes. They typically miss enforceable sub-contractor obligations, have vague breach notification timelines, lack the covered entity’s own obligations, and contain no amendment mechanism for when HHS updates HIPAA regulations. OCR has cited organisations for BAAs that technically existed but were legally insufficient. The BAA’s existence provides no compliance protection if its provisions are inadequate.

Mistake 3: Treating BAA execution as the end of the compliance obligation

HIPAA’s risk management standard at 45 CFR 164.308(a)(1) [7] requires covered entities to implement ongoing security risk management. This means regularly reviewing BA safeguards throughout the relationship. Organisations that execute BAAs and conduct no subsequent verification of their BAs’ security posture are non-compliant with the HIPAA ongoing due diligence requirement regardless of whether the original BAA was fully compliant. Annual questionnaires are not equivalent to ongoing due diligence.

Mistake 4: No BAA inventory or register

Many healthcare organisations cannot produce a complete list of which vendors have BAAs in place when OCR requests it during an investigation. Without a maintained BAA register covering vendor name, execution date, expiry or renewal date, services covered, and PHI access scope, demonstrating programmatic compliance is not possible. Individual BAAs may exist in separate files across departments, but without an inventory, each vendor relationship is a separate compliance risk that cannot be systematically managed or reported to the board.

Mistake 5: No offboarding process for terminating BA relationships

When a BA relationship ends, the BAA requires return or destruction of PHI with documented confirmation. Most organisations accept a one-line email from the former BA stating data was deleted. That does not satisfy the HIPAA documentation requirement. The return or destruction must be documented with: the method used, confirmation that all copies and backups were addressed, the date of destruction, and the name of the individual at the BA who confirmed it. Residual PHI access left active with a former BA after contract termination is a HIPAA violation OCR regularly finds during breach investigations involving former vendors.

The Neotas enhanced due diligence checklist covers the independent verification steps that go beyond BAA execution, the checks that confirm safeguards exist and sub-contractor obligations have been met.

Free HIPAA BAA checklist

Download the Neotas HIPAA BAA Compliance Checklist

Covers all 8 required BAA provisions, sub-contractor obligation verification steps, ongoing monitoring requirements, and the offboarding checklist for terminating Business Associate relationships. Used by compliance teams and privacy officers across health systems and pharmaceutical companies. No credit card required.


How to Audit Your HIPAA BAA Programme: 5 Steps

A HIPAA BAA programme audit verifies that your organisation has executed compliant BAAs with all required Business Associates, that those BAAs contain all required provisions, and that ongoing due diligence has been conducted. OCR conducts this audit during breach investigations. Running it proactively avoids compounded penalty exposure when a breach occurs.

1. Build a complete Business Associate inventory

Map every vendor, contractor, and service provider relationship that involves PHI access. Use procurement records, accounts payable data, IT system access logs, cloud software inventories, and department interviews. Include cloud services, SaaS applications, email providers, and any tool employees use to store or transmit PHI. Expect to find 20 to 40% more BA relationships than your current records reflect. This is normal for health systems of any size.

2. Confirm BAA execution for every Business Associate

Cross-reference the BA inventory against executed BAA documents. Document: BA name, execution date, services covered, PHI access scope, and storage location. Flag any BA relationship without an executed BAA as an immediate compliance gap requiring remediation before the next working day. Operating without a BAA is a HIPAA Privacy Rule violation from the first day PHI was shared.

3. Review each BAA against all 8 required provisions

Review each executed BAA against the 8 required provisions from 45 CFR 164.504(e). [4] Flag BAAs missing any provision as requiring amendment. Scrutinise sub-contractor obligation language specifically: “shall require” is enforceable, “endeavours to” is not. Review breach notification timelines and confirm they are contractually binding with specific day counts.

4. Verify sub-contractor BAA compliance for Critical-tier BAs

Request from your highest-risk BAs (EHR vendors, cloud platforms, billing companies, revenue cycle managers) their sub-contractor BAA inventory. Confirm they have executed BAAs with sub-contractors who access PHI. This verification step is what most covered entities skip, and it is the gap HITECH’s sub-contractor provisions were specifically designed to address. Intelligence-led vendor due diligence can surface sub-contractor relationships the BA has not voluntarily disclosed.

5. Implement ongoing monitoring and a centralised BAA register

Maintain a centralised BAA register with: BA name, execution date, services covered, PHI access scope, next review date, sub-contractor verification status, and current risk tier. Implement continuous monitoring for Critical-tier BAs covering adverse media, sanctions designations, regulatory enforcement actions, and financial distress signals. Annual questionnaires alone do not satisfy the HIPAA ongoing due diligence standard per 45 CFR 164.308(a)(1). [7]

What HIPAA BAA Compliance Means for Your Role

Chief Privacy Officer / Privacy Officer

OCR asks for three things when it opens a breach investigation: your BA inventory, the executed BAA documents, and evidence of ongoing monitoring between the execution date and the incident date. Most programmes cannot produce all three for the full vendor population on demand. The 5-step audit in this guide produces exactly what OCR will request. Running it proactively is the difference between a managed investigation and an unmanaged one.

Chief Information Security Officer

The BAA’s safeguards provision is the contractual basis for your security requirements of Business Associates. The gap is that most CISOs accept security questionnaires as proof of safeguards. Independent security assessment of Critical-tier BAs, combined with continuous monitoring for security incidents, is what the HIPAA Security Rule’s ongoing risk management standard at 45 CFR 164.308(a)(1) [7] actually requires. After Change Healthcare, [6] regulators now ask whether your monitoring would have caught what security researchers flagged publicly months before the breach.

General Counsel / Legal

Your BAA-related liability has two distinct components: the legal sufficiency of the BAA itself (does it contain all 8 required provisions and is it enforceable?) and the covered entity’s operational compliance (was ongoing due diligence actually conducted?). OCR examines both. A legally perfect BAA executed with an organisation that was never subsequently monitored creates the same compounded exposure as a missing BAA. The BAA programme must integrate legal sufficiency with operational compliance, and both must be documented.

Chief Compliance Officer

Board-level reporting on HIPAA BAA programme status requires more than a count of executed BAAs. Boards and audit committees now expect: coverage rate (what percentage of BA relationships have compliant BAAs), gap identification (which BAs are missing BAAs or have insufficient provisions), ongoing monitoring status (what percentage of Critical-tier BAs are on continuous monitoring), and sub-contractor verification status. Without this dashboard view, you cannot demonstrate to the board that the programme is operating as designed.

How Neotas Supports HIPAA BAA Compliance and Vendor Risk Management

Neotas is an intelligence-led third-party risk management provider, rated in the Chartis FCC50 as a leading financial crime compliance technology provider. For healthcare organisations, Neotas specifically closes the gap between what a HIPAA BAA requires and what most vendor risk programmes actually verify.

BA safeguard verification

Independent assessment of whether BA safeguards exist and function: SOC 2 Type II verification, adverse media screening, security researcher disclosure monitoring, and financial distress signals for Critical-tier Business Associates. Goes beyond self-reported questionnaire responses.

Sub-contractor visibility

OSINT investigation of BA sub-contractor structures to surface undisclosed fourth-party dependencies, cloud infrastructure concentration risk, and sub-contractors handling PHI without adequate safeguards or BAA coverage.

Continuous monitoring

Automated real-time monitoring of Business Associates for adverse media, sanctions designations, regulatory enforcement actions, and financial distress signals. The continuous monitoring gap exposed by Change Healthcare is precisely what this addresses: risks that develop between annual review cycles.

Beneficial ownership and reputational intelligence

Multi-language OSINT investigation of BA ownership structures to identify sanctions exposure, PEP connections, and reputational risks in non-English language press that structured database checks do not surface. Particularly relevant for pharmaceutical supply chains and medical device distributors with complex international structures.

Ready to build a HIPAA BAA programme that holds up under OCR examination?

Talk to a Neotas specialist about your HIPAA vendor risk programme

Whether you need a BAA programme audit, ongoing monitoring for Critical-tier Business Associates, or OSINT-enhanced due diligence for high-risk vendors, a 30-minute conversation will tell you exactly where your programme stands.

No commitment required. Assessment findings within 5 working days.

HIPAA business associate agreement template and compliance checklist

Covers all 8 required BAA provisions, sub-contractor obligation verification steps, ongoing monitoring requirements, and the offboarding checklist for terminating BA relationships. Used by compliance teams and privacy officers across health systems.

Related reading

Healthcare Vendor Risk Management: TPRM Complete Guide

The complete healthcare TPRM guide: 7-stage vendor lifecycle, 7 healthcare vendor categories, 6 risk domains, HIPAA and BAA requirements in context, Change Healthcare breach analysis, and the 8-step programme build guide.

Vendor Due Diligence Services

How Neotas conducts vendor due diligence beyond questionnaires and BAA execution: OSINT-enhanced assessment covering financial health, adverse media in 200+ languages, regulatory standing, and beneficial ownership investigation for Critical-tier Business Associates.

Enhanced Due Diligence: Platform and Methodology

When standard vendor questionnaires and BAA execution are insufficient for Critical-tier Business Associates: how intelligence-led EDD surfaces the risks that questionnaire-only programmes structurally cannot detect, with specific application to healthcare vendor relationships.

Enhanced Due Diligence Checklist

The specific verification checks beyond BAA execution and questionnaire responses for HIPAA Business Associates, covering safeguard verification, sub-contractor BAA confirmation, and ongoing monitoring triggers for each vendor tier.

Third-Party Risk Management Complete Guide

The foundational TPRM guide: definitions, the 7 TPRM lifecycle stages, regulatory requirements across DORA, FCA, OCC, and HIPAA, risk categories, maturity model, and best practices. The broader framework within which HIPAA BAA compliance operates.

TPRM Policy Guide

What a compliant TPRM policy must cover: BAA provisions, monitoring frequency requirements, and documentation obligations that satisfy HIPAA’s ongoing due diligence requirement alongside DORA and OCC standards.

TPRM Framework Guide

How to build the governance framework for managing third-party risk: risk tiering methodology, due diligence design by tier, governance structure, and board reporting requirements adaptable to HIPAA regulatory obligations for healthcare organisations.

OSINT Tools and Techniques for Vendor Screening

How open-source intelligence applies to HIPAA Business Associate screening: adverse media in 200+ languages, beneficial ownership investigation, regulatory enforcement database research, and how OSINT validates self-reported vendor questionnaire answers.

Frequently Asked Questions about HIPAA Business Associate Agreements

What is a HIPAA Business Associate Agreement?
A HIPAA Business Associate Agreement (BAA) is a legally required written contract under 45 CFR 164.504(e) [4] between a covered entity and any Business Associate: any vendor, contractor, or service provider that creates, receives, maintains, or transmits Protected Health Information on the covered entity’s behalf. The BAA defines permitted uses and disclosures of PHI, requires appropriate safeguards, mandates breach notification within 60 days, [3] and extends HIPAA obligations to the BA’s own sub-contractors under HITECH. [5] No PHI handling begins before a BAA is signed.
What is the purpose of a Business Associate Agreement?
The BAA extends HIPAA obligations to Business Associates and creates a legal accountability framework for PHI shared with third-party vendors. Before HIPAA, there was no direct regulatory obligation on vendors handling patient data. The BAA creates contractual obligations mirroring HIPAA’s requirements, establishes the legal basis for terminating a vendor relationship if those obligations are violated, and under HITECH, [5] creates direct regulatory liability for Business Associates themselves. The BAA is also the mechanism through which HIPAA obligations flow to sub-contractors of the Business Associate.
Who needs a Business Associate Agreement under HIPAA?
A BAA is required between covered entities (healthcare providers, health plans, healthcare clearinghouses) and any Business Associate: any person or entity that performs functions or activities involving PHI on behalf of the covered entity. This includes technology and software vendors (EHR systems, cloud storage, SaaS platforms, data analytics), administrative and billing services (medical billing, revenue cycle management, coding), professional service providers (attorneys, consultants, accountants who access PHI), clinical vendors (transcription services, lab companies, pharmacy benefit managers, telehealth platforms), document management companies (shredding services, record storage), and under HITECH, sub-contractors of existing Business Associates. [5]
When is a Business Associate Agreement required?
A BAA is required before any Business Associate begins creating, receiving, maintaining, or transmitting PHI on behalf of the covered entity. The triggering condition is the sharing of PHI for service purposes, not the creation of a formal vendor contract or the nature of the services. There is no grace period. If PHI has already been shared without a BAA, the covered entity is already in violation of the HIPAA Privacy Rule and should seek immediate legal counsel on remediation and disclosure obligations under 45 CFR 164.504(e). [4]
What must be included in a HIPAA BAA?
A HIPAA BAA must include eight required provisions under 45 CFR 164.504(e): [4] (1) permitted uses and disclosures of PHI, clearly defined and not open-ended; (2) prohibition on unauthorised use or disclosure; (3) appropriate safeguards including HIPAA Security Rule safeguards for ePHI; (4) breach notification no later than 60 days from discovery [9]; (5) sub-contractor obligations requiring the BA to enter into BAAs with its own sub-contractors under HITECH; (6) individual rights support for patient access, amendment, and accounting; (7) HHS audit cooperation; (8) PHI return or destruction at termination with documented confirmation. Missing any of these makes the BAA non-compliant.
Does a cloud provider need a HIPAA BAA?
Yes. Any cloud provider that stores or processes PHI on behalf of a covered entity is a Business Associate and requires a BAA. This includes Google Workspace, Microsoft 365, AWS, Azure, Google Cloud, Slack when used to handle PHI, and any SaaS application that accesses patient data. Most major cloud providers offer HIPAA BAAs on request. The common compliance failure is not that the BAA is unavailable. It is that the covered entity never requested and confirmed it was in place before enabling PHI use on the platform. This is one of the most common findings in healthcare breach investigations.
What are the HIPAA penalties for not having a BAA?
Operating without a BAA when one is required is itself a HIPAA Privacy Rule violation, separate from any breach that may occur. Penalties are tiered by culpability: [1] unknowing violations ($100 to $50,000 per violation, $25,000 annual cap per category), reasonable cause ($1,000 to $50,000, $100,000 annual cap), wilful neglect corrected ($10,000 to $50,000, $250,000 annual cap), wilful neglect not corrected ($50,000 per violation, $1.9 million annual cap). OCR investigates BAA programme gaps as separate violations from any breach that triggered the investigation, meaning compounded penalty exposure applies.
What is the difference between a BAA and a HIPAA compliance questionnaire?
A BAA is a legally required contract that creates obligations. A HIPAA compliance questionnaire is a self-reported assessment tool that captures what a vendor says about its practices. They are not substitutes for each other. The BAA creates the legal obligation for the vendor to implement safeguards. The questionnaire is one mechanism for verifying whether those safeguards actually exist. Because questionnaires are self-reported, they are insufficient on their own for Critical-tier Business Associates. Independent verification through security assessments, SOC 2 audit review, and OSINT screening is required to confirm that what the BA reports is accurate.
What did HITECH change about Business Associate obligations?
HITECH (2009) [5] made three significant changes: (1) Business Associates became directly liable under HIPAA, no longer only contractually liable to covered entities through the BAA, meaning OCR can now enforce HIPAA directly against BAs. (2) HIPAA obligations were extended to Business Associates’ sub-contractors: BAs must enter into BAAs with their own sub-contractors who access PHI. (3) Breach notification requirements became mandatory for BAs: BAs must notify covered entities of PHI breaches within 60 days of discovery. HITECH also significantly increased HIPAA penalties, particularly for wilful neglect, and enabled state attorneys general to bring civil actions on behalf of state residents.
How long does a HIPAA BAA last?
A HIPAA BAA lasts for the duration of the Business Associate relationship. It is not time-limited in the way annual contracts are. The BAA terminates when the covered entity ends the relationship with the BA, when the BA materially violates the agreement, or when the contracted services conclude. Post-termination, the BAA’s obligations relating to PHI return or destruction and HHS audit cooperation rights typically survive the termination date. BAAs should include an explicit survival clause specifying which provisions continue after termination, and an amendment mechanism so the agreement can be updated when HIPAA regulations change without requiring execution of an entirely new document.
What is the BAA breach notification requirement?
Under 45 CFR 164.410, [9] a Business Associate must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovering the breach. [3] The notification must include: the nature of the breach, the types of PHI involved, the individuals affected, whether the PHI was actually acquired or viewed, and the steps the BA has taken to investigate and mitigate harm. Most healthcare organisations negotiate shorter contractual timelines: 24 to 72 hours is common for material incidents. The 60-day statutory limit is a ceiling, not a target.
Is a BAA sufficient for HIPAA compliance with third-party vendors?
A BAA is necessary but not sufficient for HIPAA compliance. The BAA satisfies the documentation requirement under 45 CFR 164.504(e). [4] HIPAA also requires ongoing risk management under 45 CFR 164.308(a)(1), [7] which means covered entities must periodically assess the risks PHI faces from their Business Associates throughout the relationship. Executing a BAA and conducting no subsequent monitoring does not satisfy the HIPAA ongoing due diligence standard. OCR’s guidance confirms this position, and enforcement history reflects it.
Does a HIPAA BAA need to be signed?
Yes. A HIPAA BAA must be a written contract. Verbal agreements, email exchanges confirming security practices, or unilateral security policies posted on a vendor’s website do not constitute a valid BAA under HIPAA. The written agreement must be signed by authorised representatives of both the covered entity and the Business Associate. Electronic signatures are acceptable. Best practice for high-risk Business Associates is to ensure the executed BAA is countersigned, dated, stored in a centralised BAA register, and reviewed before the vendor begins any PHI handling.
How does the Change Healthcare breach relate to HIPAA BAA obligations?
The February 2024 ransomware attack on Change Healthcare exposed one in three Americans’ health data [6] and caused hospitals to report revenue declines of up to 17% in the weeks following. [10] The organisations affected all had BAAs with Change Healthcare. The breach is directly relevant to BAA obligations in four ways: BAA execution alone does not prevent breaches or limit liability; the attack exploited a safeguard the BAA’s security provisions required but that most covered entities had not independently verified; sub-contractor infrastructure used by Change Healthcare created exposure points that covered entities’ BAA programmes had not addressed; and most covered entities had annual-only monitoring that would not have surfaced security researcher warnings published publicly in the months before the attack.


Neotas Enhanced Due Diligence

Neotas Enhanced Due Diligence covers 600Bn+ Archived web pages, 1.8Bn+ court records, 198M+ Corporate records, Global Social Media platforms, and more than 40,000 Media sources from over 100 countries to help you screen & manage risks.

Download the HIPAA BAA Compliance Checklist

Create a compliant HIPAA Business Associate Agreement in minutes - without starting from scratch.
