VeloContract

HIPAA Business Associate Agreement (BAA): Requirements, Checklist & Template Guide

VeloContract Team · 11 min read

What is a Business Associate Agreement?

A Business Associate Agreement (BAA) is a written contract, required by the HIPAA Privacy and Security Rules, that establishes the permitted uses of protected health information (PHI) and the safeguards a vendor must apply when it handles PHI on behalf of a covered entity or another business associate.

In HIPAA terms, a covered entity is generally a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. A business associate is a person or organization — outside the covered entity's workforce — that performs a function or service involving the use or disclosure of PHI. Think cloud hosting, billing, transcription, analytics, or a SaaS vendor that stores patient records.

This article is general information, not legal advice. Confirm your specific obligations with qualified counsel and the current text of the HIPAA regulations.

When is a BAA required?

A BAA is generally required whenever a vendor will create, receive, maintain, or transmit PHI in order to perform a service for a covered entity (or for another business associate, in which case the downstream contract is sometimes called a subcontractor BAA).

The test is functional, not contractual. If the vendor's work necessarily exposes it to PHI, a BAA is needed regardless of whether the vendor wants to look at the data. A few clarifying points often trip teams up:

  • A vendor that only handles de-identified data (per the HIPAA de-identification standard) generally does not need a BAA, because de-identified data is not PHI.
  • So-called 'mere conduits' — entities that only transport data without routinely accessing it, in the narrow sense HHS describes — are treated differently; most cloud storage providers that maintain PHI are business associates, not conduits.
  • A vendor that stores or processes PHI but is contractually and technically prevented from viewing it (for example, a cloud provider holding only encrypted ePHI without the decryption key) is still generally a business associate under HHS cloud computing guidance; classify conservatively.
  • Subcontractors of a business associate that handle PHI also need a BAA, flowing the obligations downstream.

Required clauses under 45 CFR 164.504(e)

The HIPAA Privacy Rule at 45 CFR 164.504(e) sets out the elements a BAA must contain (the Security Rule's parallel requirements for electronic PHI are at 45 CFR 164.314(a)). A compliant BAA generally must:

  • Establish the permitted and required uses and disclosures of PHI by the business associate, consistent with the covered entity's obligations.
  • Prohibit the business associate from using or disclosing PHI other than as permitted by the contract or required by law.
  • Require appropriate safeguards — including HIPAA Security Rule administrative, physical, and technical safeguards for electronic PHI — to prevent unauthorized use or disclosure.
  • Require the business associate to report to the covered entity any use or disclosure not provided for by the contract, including security incidents and breaches of unsecured PHI.
  • Ensure that subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions (the 'flow-down' obligation).
  • Make PHI available for access, amendment, and accounting of disclosures as needed for the covered entity to meet its own HIPAA obligations.
  • Make the business associate's internal practices, books, and records available to HHS for compliance review.
  • On termination, require return or destruction of PHI where feasible, and extend protections to information that cannot be returned or destroyed.
  • Authorize termination of the contract if the business associate violates a material term.

A practical BAA checklist

Beyond the regulatory minimums, use a working checklist when reviewing any BAA, whether you are sending your own paper or accepting a vendor's:

  • Confirm the parties and effective date are correct, and that the BAA references the underlying services agreement.
  • Verify the permitted-uses language matches what the vendor actually does — neither broader nor narrower.
  • Check the breach-notification timeline. The regulatory floor (45 CFR 164.410) is notice to the covered entity without unreasonable delay and no later than 60 calendar days after discovery; a tighter contractual deadline is common and worth negotiating.
  • Confirm subcontractor flow-down language is present and that you can request a list of subcontractors.
  • Look for indemnification, liability, and insurance terms — HIPAA does not mandate these, but they matter commercially.
  • Confirm return-or-destruction terms and how the vendor evidences destruction.
  • Record the renewal/review date so the BAA does not silently go stale.

Common BAA mistakes

The most frequent failures are not exotic. They are the result of treating the BAA as paperwork rather than a living control.

The first is signing a BAA but never re-confirming it. Vendors change subcontractors, get acquired, and update their security posture. A BAA executed three years ago may no longer reflect reality.

The second is missing the flow-down. A business associate that quietly uses a sub-processor for PHI without a downstream BAA creates a gap that lands on the covered entity during an audit.

The third is classification error at intake — assuming a vendor does not touch PHI when it does, and therefore never putting a BAA in place at all. This is why vendor classification belongs at the very start of the contract lifecycle, not after signature.

Automating the BAA lifecycle

Because a BAA is a contract with a clear set of required elements, it is well suited to lifecycle automation. A healthcare CLM can classify each vendor at intake, determine whether a BAA is required, select the correct template version (including the HHS sample BAA language as a baseline), track signature status, and surface BAAs that are missing, expired, or out of date.
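The intake classification and the "missing, expired, or out of date" sweep described above can be expressed as a small inventory check. The code below is an added illustration, not VeloContract's implementation: the vendor records are constructed sample data, the one-year re-confirmation interval is an assumed internal policy (HIPAA sets no fixed review period), and the conduit and de-identified-only flags assume the narrow HHS senses discussed earlier in the article.

```python
"""BAA inventory check: classify vendors at intake and surface missing,
stale, or un-flowed-down BAAs.  Added illustrative code (not the
platform's own); the vendor records below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed internal policy, not a HIPAA requirement: re-confirm every BAA yearly.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class Vendor:
    name: str
    touches_phi: bool                 # creates, receives, maintains, or transmits PHI
    deidentified_only: bool = False   # receives only data de-identified per 164.514
    mere_conduit: bool = False        # transport-only in the narrow HHS sense
    baa_signed: Optional[date] = None
    baa_reviewed: Optional[date] = None
    # (subcontractor name, downstream BAA in place) for subs that handle PHI
    subcontractors: list[tuple[str, bool]] = field(default_factory=list)


def baa_required(v: Vendor) -> bool:
    """Functional test: PHI exposure drives the BAA, not the vendor's intent.
    De-identified data is not PHI; a true conduit is not a business associate.
    Anything else that touches PHI needs a BAA (classify conservatively)."""
    if not v.touches_phi or v.deidentified_only:
        return False
    return not v.mere_conduit


def audit(vendors: list[Vendor], today: date) -> dict[str, list[str]]:
    """Return the three gap classes the article calls out:
    no BAA at all, a BAA past its review date, and a PHI-handling
    subcontractor with no downstream BAA."""
    findings: dict[str, list[str]] = {"missing": [], "stale": [], "flowdown_gap": []}
    for v in vendors:
        if not baa_required(v):
            continue
        if v.baa_signed is None:
            findings["missing"].append(v.name)
            continue
        last_confirmed = v.baa_reviewed or v.baa_signed
        if today - last_confirmed > REVIEW_INTERVAL:
            findings["stale"].append(v.name)
        for sub_name, has_baa in v.subcontractors:
            if not has_baa:
                findings["flowdown_gap"].append(f"{v.name} -> {sub_name}")
    return findings


# Constructed sample inventory (hypothetical vendor names).
SAMPLE_VENDORS = [
    Vendor("cloud-host", touches_phi=True, baa_signed=date(2021, 3, 1),
           subcontractors=[("backup-provider", True), ("log-analytics", False)]),
    Vendor("billing-saas", touches_phi=True, baa_signed=date(2024, 6, 1),
           baa_reviewed=date(2024, 6, 1)),
    Vendor("new-transcription", touches_phi=True),          # onboarded, never papered
    Vendor("research-stats", touches_phi=True, deidentified_only=True),
    Vendor("isp", touches_phi=True, mere_conduit=True),
]


def run(today: date = date(2025, 1, 15)) -> dict[str, list[str]]:
    return audit(SAMPLE_VENDORS, today)


if __name__ == "__main__":
    for gap, names in run().items():
        print(f"{gap}: {names}")
```

Against the sample data this flags the transcription vendor as missing a BAA, the cloud host as stale (signed in 2021, never re-confirmed) with a flow-down gap to its analytics sub-processor, and skips the de-identified-only and conduit vendors. In practice the vendor list would come from the contract system of record and the flags from the intake questionnaire rather than hard-coded fields.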

Pairing BAA management with continuous vendor risk monitoring closes a loop that manual processes routinely miss: a vendor's exclusion or breach history can change after onboarding, and the BAA workflow should react to it rather than sit in a folder.

If you manage BAAs across many vendors today, a good next step is to inventory every active vendor relationship and confirm each one has a current, correctly scoped BAA. VeloContract was built to make that inventory continuous rather than a once-a-year scramble — see how BAAs are handled on the platform overview.

Frequently Asked Questions

What is a HIPAA Business Associate Agreement?

A Business Associate Agreement (BAA) is a HIPAA-required contract that sets out how a vendor may use protected health information (PHI) on a covered entity's behalf and what safeguards it must apply. Its required elements come from 45 CFR 164.504(e).

When do I need a BAA?

You generally need a BAA whenever a vendor will create, receive, maintain, or transmit PHI to perform a service for you. Vendors that only handle de-identified data typically do not need one, and subcontractors that handle PHI need their own downstream BAA.

What clauses must a BAA contain?

Under 45 CFR 164.504(e), a BAA must define permitted uses, require safeguards, mandate breach and incident reporting, require subcontractor flow-down, make PHI available for access and accounting, allow HHS review, require return or destruction of PHI at termination, and permit termination for material breach.

Is a BAA the same as a confidentiality agreement?

No. A confidentiality or non-disclosure agreement protects business information broadly, while a BAA is a specific HIPAA instrument with regulatory-mandated terms governing PHI. A vendor may need both, and a generic NDA does not satisfy the HIPAA BAA requirement.

Who is responsible if a business associate causes a breach?

A business associate has direct HIPAA liability for breaches it causes, and the covered entity retains its own obligations, including breach notification. This shared exposure is why covered entities track BAA currency, breach-reporting terms, and subcontractor flow-down rather than treating the BAA as a one-time formality. This is general information, not legal advice.
