The HIPAA Business Associate Agreement (BAA): What’s Required, What’s Optional, and How to Track Yours in 2026

A Business Associate Agreement is a contract between a HIPAA-covered entity and any vendor that creates, receives, maintains, or transmits protected health information (PHI) on its behalf. It’s required — not optional — under 45 CFR 164.504(e). Without one, every PHI disclosure to that vendor is technically a HIPAA violation, and OCR has fined practices for this exact gap.

Despite that, BAAs remain one of the most-missed compliance items at small and mid-size healthcare organizations. The form itself is simple; the operational hard part is tracking which vendors need one, which ones have signed it, when each one was last reviewed, and which subcontractors downstream of those BAs are also covered.

This page covers (1) the five clauses required by 45 CFR 164.504(e), (2) the three clauses most practices miss but should add, (3) when a BAA is and isn’t required, (4) the BAA inventory and annual-verification workflow Medcurity recommends, and (5) BAA mistakes that show up in OCR enforcement actions.

The 5 clauses 45 CFR 164.504(e) requires

The Privacy Rule lists specific contractual provisions that every BAA must contain. Each is grounded in 45 CFR 164.504(e)(2)(ii)(A)–(J).

  1. Establish permitted uses and disclosures of PHI. The BAA must specify what the BA is allowed to do with the PHI it receives. Permitted uses can’t exceed what the covered entity itself could do under the Privacy Rule.
  2. Restrict use and disclosure to those permitted by contract or required by law. The BA may not use PHI for any purpose not enumerated in the BAA — including for the BA’s own marketing, product analytics not tied to the service, or sale.
  3. Require appropriate safeguards (and Subpart C compliance for ePHI). The BA must apply administrative, physical, and technical safeguards to protect PHI; for ePHI specifically, the BA must comply with the Security Rule.
  4. Require breach reporting to the covered entity. The BA must report any use or disclosure not permitted by the contract — including breaches of unsecured PHI — within timeframes the BAA specifies. The regulation says “without unreasonable delay”; most BAAs operationalize this as 30–60 days, often less for the largest covered entities.
  5. Bind subcontractors to the same restrictions. Anyone downstream of the BA who handles PHI must agree to the same terms. This is the clause covered entities most often miss when their BA has its own vendor stack — think a billing vendor that uses a third-party clearinghouse.

A sixth clause is required at termination: the BA must return or destroy all PHI it holds when the contract ends, or — if return or destruction is infeasible — limit further use to the purposes that make destruction infeasible.

The 3 clauses most practices miss but should add

  1. Indemnification + insurance carrier requirements. Not required by HIPAA, but materially de-risks the relationship. Specify a minimum cyber-liability limit ($1M/$3M is common at the practice level; $5M/$10M for hospital-scale relationships).
  2. Right-to-audit clause. The covered entity retains the right to inspect the BA’s safeguards and remediation work. Without this, the only way to verify is through a SOC 2 report the BA chooses to share.
  3. Specific breach-notification timeline (faster than HIPAA’s “without unreasonable delay”). Drop in a hard 30-day or 15-day clock so your notification window to OCR plus affected patients doesn’t get squeezed by a slow-reporting BA.

When a BAA is required (and when it isn’t)

The BAA inventory and annual-verification workflow Medcurity recommends

A five-step workflow that holds up at audit and stays maintainable for a small or mid-size practice.

  1. Inventory. Build a single list of every vendor that touches PHI — names, contacts, services, PHI types handled, last BAA-signature date.
  2. Map PHI flows. For each vendor, what PHI moves to and from them? A simple diagram or table is fine.
  3. Sign or re-sign. If no BAA on file, execute one. If on file but old (over 3 years), refresh against the current Security Rule. The 2026 update introduces explicit risk-management practice expectations under §164.308; pre-2026 BAAs don’t reference these.
  4. Annual verification. Once a year, ask each BA to confirm: still operational, no material change in PHI handling, security controls still in place, no unreported breaches. Medcurity calls this BAA Annual Verification and tracks it as a recurring task in the platform.
  5. Termination. When a vendor relationship ends, document the return-or-destruction decision and date.
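The five steps above reduce to a handful of checks that can be run over the vendor inventory on a schedule. The following is an added example (not Medcurity's platform code) showing one way to encode them in Python: a constructed inventory of vendors and their subcontractors is scanned for a missing BAA, a BAA older than the three-year refresh threshold the page recommends, an annual verification that is more than a year old, a subcontractor with no flow-down agreement, and a terminated relationship with no documented return-or-destruction decision. Vendor names, dates and the field names are invented for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds taken from the workflow above: re-sign after three years,
# verify every year. Both are practice policy, not HIPAA-mandated numbers.
BAA_MAX_AGE = timedelta(days=3 * 365)
VERIFICATION_INTERVAL = timedelta(days=365)


@dataclass
class Subcontractor:
    name: str
    flowdown_signed: Optional[date]  # date of the BA-to-subcontractor agreement, if any


@dataclass
class Vendor:
    name: str
    phi_types: List[str]             # e.g. demographics, claims, clinical notes
    baa_signed: Optional[date]       # last BAA signature date, None if none on file
    last_verified: Optional[date]    # last annual verification, None if never done
    subcontractors: List[Subcontractor] = field(default_factory=list)
    terminated: Optional[date] = None
    phi_disposition: Optional[str] = None  # "returned" / "destroyed", recorded at termination


def baa_findings(vendor: Vendor, today: date) -> List[str]:
    """Return the list of gaps for one vendor; an empty list means nothing to act on."""
    findings: List[str] = []

    # Step 5: a closed relationship only needs the disposition record.
    if vendor.terminated is not None:
        if not vendor.phi_disposition:
            findings.append("termination not documented: no return-or-destruction record")
        return findings

    # Step 3: no BAA, or a BAA past the refresh threshold.
    if vendor.baa_signed is None:
        findings.append("no BAA on file")
    elif today - vendor.baa_signed > BAA_MAX_AGE:
        findings.append(f"BAA stale (signed {vendor.baa_signed.isoformat()}, over 3 years)")

    # Step 4: annual verification never done or older than a year.
    if vendor.last_verified is None or today - vendor.last_verified > VERIFICATION_INTERVAL:
        findings.append("annual verification overdue")

    # Required clause 5: every downstream handler of PHI needs its own agreement.
    for sub in vendor.subcontractors:
        if sub.flowdown_signed is None:
            findings.append(f"subcontractor {sub.name} has no flow-down agreement")

    return findings


def inventory_report(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Map each vendor name to its findings (Step 1 inventory -> audit-style report)."""
    return {v.name: baa_findings(v, today) for v in vendors}


def vendors_needing_action(vendors: List[Vendor], today: date) -> List[str]:
    """Names of vendors with at least one open finding."""
    return [name for name, gaps in inventory_report(vendors, today).items() if gaps]


# Constructed sample inventory; names and dates are made up for this example.
AS_OF = date(2026, 3, 1)
SAMPLE_INVENTORY = [
    Vendor("EHR platform (constructed)", ["clinical notes", "demographics"],
           baa_signed=date(2025, 6, 15), last_verified=date(2025, 6, 15)),
    Vendor("Billing vendor (constructed)", ["claims", "demographics"],
           baa_signed=date(2022, 1, 10), last_verified=date(2024, 12, 1),
           subcontractors=[Subcontractor("clearinghouse (constructed)", None)]),
    Vendor("Cloud backup (constructed)", ["full record exports"],
           baa_signed=None, last_verified=None),
    Vendor("Former transcription service (constructed)", ["dictation audio"],
           baa_signed=date(2023, 4, 2), last_verified=date(2025, 4, 2),
           terminated=date(2025, 11, 1), phi_disposition=None),
]

if __name__ == "__main__":
    for name, gaps in inventory_report(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```

Run as-is, the script flags the billing vendor three times (stale BAA, overdue verification, uncovered clearinghouse), the backup vendor twice, and the terminated vendor once, while the EHR platform passes. The date arithmetic is deliberately simple; in a real inventory the thresholds would come from the practice's policy document rather than constants at the top of the file.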

BAA mistakes that show up in OCR enforcement actions

Frequently asked questions

Is a BAA required for my EHR vendor?

Yes. Every EHR vendor that holds your patients’ PHI is a business associate under HIPAA, regardless of size or whether the vendor sells healthcare-specific products.

Do I need a BAA before I use ChatGPT or Claude with PHI?

Yes — and most general-purpose LLMs do not sign BAAs. Where available, OpenAI’s BAA is part of the Enterprise tier; Anthropic’s BAA is available for select API customers under specific terms. Don’t paste PHI into a consumer AI tool that doesn’t have a signed BAA with your practice.

Can I use a generic BAA template I found online?

Legally, yes, if it covers all 45 CFR 164.504(e) requirements; operationally, only if you also build the inventory and annual-verification workflow around it. The template is the easy part.

What’s the difference between a BAA and a Business Associate Subcontractor Agreement?

A BAA binds a covered entity to its business associate. A Business Associate Subcontractor Agreement binds the BA to its own downstream vendors who also handle PHI. After Omnibus (2013), subcontractors are directly liable under HIPAA, but a written contract is still required.

How often should I re-sign BAAs?

No HIPAA-mandated frequency, but most practices re-sign every three years or after any material change in service: a new feature touching PHI, a new subcontractor, a change of control of the BA, or a security incident.

Do I need a BAA with my landlord or office cleaning service?

Generally no — the conduit and incidental-disclosure exceptions cover most of these. But if the cleaning crew has unsupervised access to areas where paper PHI is visible, document the safeguards (locked cabinets, shredder use) instead of forcing a BAA.

How Medcurity helps

BAA tracking is included in every Medcurity tier. The platform builds your BAA inventory automatically, surfaces vendors that touch PHI but don’t yet have a signed agreement, runs Annual Verification reminders, and exports an audit-ready evidence packet for OCR.

If you’re standing up your BAA program for the first time — or recovering one that grew without owners — Medcurity gives you the inventory, the annual cadence, and the audit trail in a single workflow. Pair the BAA module with our HIPAA security risk analysis module so the inventory feeds your annual SRA. Curious about pricing? Our breakdown of what HIPAA costs across practice sizes sets expectations by practice size.

For specific verticals, see our CHC BAA workflow, FQHC vendor stack, and ongoing security monitoring obligations guidance. Ready to see the workflow live? Start your BAA inventory in Medcurity.
