HIPAA Compliance for Small Healthcare Organizations: A Practical Series
Part 2 of 5 — The Business Associate Agreement: The Foundational Document Most Organizations Sign Without Reading
In Part 1, we established the threshold question of whether HIPAA applies to your organization. If the analysis concluded that you are or will be a business associate, the next step is not training, not policies, and not software. It is a contract: the Business Associate Agreement, almost universally referred to as a BAA.
The BAA is the single most important document in any business associate's compliance program. It is also the document that small organizations most frequently sign without negotiation, without legal review, and without understanding what they are agreeing to. This is a mistake that compounds over time, because the BAA does not just authorize the information sharing — it allocates legal risk between the covered entity and the business associate in ways that can determine who bears six- or seven-figure liability when something goes wrong.
Why the BAA Is Foundational
HIPAA prohibits a covered entity from disclosing PHI to a business associate unless the parties have executed a written agreement that meets the requirements of 45 C.F.R. § 164.504(e) (Privacy Rule) and § 164.314(a) (Security Rule). Without the BAA, the disclosure itself is a HIPAA violation by the covered entity, and the business associate has no lawful basis to receive or use the information. This is why hospitals and large provider organizations will not begin sharing any patient information with a vendor or partner until the BAA is signed — it is the legal predicate for everything that follows.
Beyond authorizing the relationship, the BAA performs three functions:
First, it defines the scope of the business associate's permitted uses and disclosures of PHI. The business associate may only use PHI for the specific purposes laid out in the BAA. See 45 C.F.R. § 164.504(e)(2)(i). Use of PHI for any other purpose — including a purpose that seems reasonable, related, or beneficial — is a breach of contract and a HIPAA violation.
Second, it imposes the regulatory obligations that flow from HIPAA onto the business associate as contractual duties. Since the 2013 Omnibus Rule, business associates have been directly liable under HIPAA for their own violations — see 78 Fed. Reg. 5566, 5573–74 (Jan. 25, 2013); 45 C.F.R. § 160.402 — but the BAA gives the covered entity a contractual remedy in addition to whatever regulatory action HHS might take. The Security Rule's safeguards (45 C.F.R. §§ 164.306, 164.308–164.316), the Privacy Rule's restrictions, and the Breach Notification Rule's reporting requirements (45 C.F.R. §§ 164.400–414) all become contract terms in addition to regulatory obligations.
Third, and most importantly for risk allocation, the BAA distributes liability between the parties through indemnification, insurance, and notification provisions. The default regulatory framework already makes the business associate directly liable for its own HIPAA violations. The contract can — and almost always does — go further, requiring the business associate to indemnify the covered entity for the covered entity's losses arising from the business associate's acts or omissions. These provisions can convert a manageable regulatory penalty into a business-ending claim.
Required Provisions Under 45 C.F.R. § 164.504(e)
HIPAA itself specifies a minimum set of provisions every BAA must contain. A BAA that omits any of these is non-compliant on its face. The required elements, drawn from 45 C.F.R. § 164.504(e)(2)–(4) and § 164.314(a)(2), include:
• A description of the permitted and required uses and disclosures of PHI by the business associate (§ 164.504(e)(2)(i))
• A prohibition on the business associate using or disclosing PHI other than as permitted by the contract or required by law (§ 164.504(e)(2)(ii)(A))
• A requirement that the business associate implement appropriate safeguards (since the Omnibus Rule, this means full Security Rule compliance under §§ 164.308, 164.310, and 164.312) to prevent unauthorized use or disclosure (§ 164.504(e)(2)(ii)(B))
• A requirement that the business associate report to the covered entity any use or disclosure not provided for by the contract, including breaches of unsecured PHI (§ 164.504(e)(2)(ii)(C); § 164.410)
• A requirement that the business associate ensure any subcontractors who handle PHI agree in writing to the same restrictions and conditions (§ 164.504(e)(2)(ii)(D); the "flow-down" requirement)
• Provisions allowing individuals their rights of access, amendment, and accounting of disclosures (§ 164.504(e)(2)(ii)(E)–(G); see also 45 C.F.R. §§ 164.524, 164.526, 164.528)
• A requirement that the business associate make its internal practices, books, and records available to HHS for purposes of determining the covered entity's compliance (§ 164.504(e)(2)(ii)(H))
• Provisions for return or destruction of PHI at termination of the contract, when feasible (§ 164.504(e)(2)(ii)(I))
• Authorization for the covered entity to terminate the contract if the business associate has violated a material term (§ 164.504(e)(2)(iii))
These are the floor, not the ceiling. Most covered entities — particularly large hospital systems and health plans — use BAA templates that include substantial additional terms. HHS publishes sample BAA provisions, which are useful as a starting reference, at hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions.
Where the Real Negotiation Happens
The required provisions are non-negotiable. The provisions covered entities pile on top of them are very much negotiable, and small organizations leave significant value on the table by failing to negotiate them. The key areas:
Indemnification scope. Most provider-drafted BAAs include broad, uncapped, one-way indemnification running from the business associate to the covered entity for any breach or HIPAA violation. A balanced BAA includes mutual indemnification, caps the indemnification amount (often to insurance limits or to the value of the contract), and excludes consequential damages. Accepting an uncapped indemnification provision means a single breach incident — even one caused largely by the covered entity's own conduct — can result in unlimited liability for the business associate.
Breach notification timing. HIPAA's regulatory baseline at 45 C.F.R. § 164.410(b) gives business associates "without unreasonable delay and in no case later than 60 calendar days" after discovery to notify the covered entity of a breach. Note that the clock starts at discovery, not confirmation: under § 164.410(a)(2), a breach is treated as discovered on the first day it is known to any workforce member or agent of the business associate, or would have been known with reasonable diligence. Many provider BAAs demand notification within a much shorter window — sometimes 24 hours, sometimes 5 days, often 10 days. Shorter windows are operationally difficult: a business associate often does not know whether an incident is actually a breach within 24 hours of discovery, because the four-factor breach risk assessment required by 45 C.F.R. § 164.402(2) takes longer than that. A reasonable position is 5 to 10 business days for confirmed breaches, with earlier notice required for incidents the business associate believes are highly likely to be breaches. Whatever window is agreed, the incident response procedure must record the discovery date and count from it, because that is the date both the contract and the regulation measure against.
Cost allocation for breach response. Provider BAAs often shift the entire cost of breach response — investigation, individual notifications under § 164.404, credit monitoring, call center services, regulatory response — onto the business associate, regardless of fault. These costs can run into the hundreds of dollars per affected individual, and large breaches reach the millions. The business associate should negotiate for cost-sharing based on relative fault, with caps tied to insurance coverage.
Subcontractor approval. Some BAAs require prior written approval before a business associate engages any subcontractor that will handle PHI. This sounds reasonable but operationally constrains the business associate's ability to use standard cloud services and switch vendors. A more workable provision requires the business associate to ensure subcontractors sign their own downstream BAAs (as required by § 164.504(e)(5)) and gives notice to the covered entity, without requiring approval for each.
Insurance requirements. Provider BAAs typically require the business associate to maintain cyber liability insurance with specified minimum limits, often $1 million to $5 million per occurrence. The business associate needs to confirm those limits are realistic given the size of the relationship and the insurance market in their state — and needs to actually have the policy before signing, not after.
Audit rights. Some covered entities reserve broad rights to audit the business associate's premises, systems, and records at any time. This can be operationally disruptive and exposes the business associate's other clients' information. Reasonable limits include advance notice, audits no more than annually absent cause, scope limited to the services performed for that covered entity, and confidentiality protections for other clients' data.
Termination obligations. The BAA must address what happens to PHI at termination. The HIPAA default at § 164.504(e)(2)(ii)(I) is return or destruction; if neither is feasible, the business associate must extend the BAA's protections to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible, for as long as it keeps the PHI. Some provider BAAs require destruction within unrealistically short windows (30 days) and require certification of destruction. The business associate needs to know its actual capability to destroy PHI across all systems and backups — including backup retention periods and any subcontractor-held copies — before agreeing to a destruction provision.
Who Should Draft and Review the BAA
The BAA can come from either side. In practice, the larger party usually provides the template. This means small business associates typically receive a BAA drafted by the covered entity's counsel — which is to say, drafted to favor the covered entity.
Three approaches make sense for a small organization:
Develop your own template. For business associates that will sign BAAs with many covered entities, having a counsel-drafted template that you propose first is enormously valuable. It positions you as a sophisticated counterparty, frames the negotiation around your terms, and saves legal review costs on each new relationship. The investment is meaningful — usually $5,000 to $15,000 — but it pays back across multiple relationships.
Use a redline approach against provider templates. When the covered entity insists on its own template, retain counsel to redline the agreement. This is more expensive per agreement (typically $2,000 to $7,500 depending on complexity and back-and-forth), but it remains essential. Signing a hospital system's standard BAA without redlines is signing the most aggressive risk allocation the hospital's lawyers can defend.
Maintain a deal-breaker list. Some terms are so significant that an organization should refuse to sign without modification: uncapped indemnification, unrealistic breach notification windows (for example, a single business day), audit rights without notice or limits, and obligations that exceed HIPAA's own requirements without compensation. Knowing your deal-breakers before you start negotiating prevents accepting them under pressure.
Common Mistakes Small Organizations Make
A handful of patterns come up repeatedly in BAA disputes:
Signing the BAA before the threshold analysis. Some organizations sign a BAA on the assumption that they are a business associate, then discover later that they were not. Business associate status is determined by what the organization actually does with PHI under 45 C.F.R. § 160.103, not by the existence of a contract, but the signing itself creates contractual obligations — notification windows, audit cooperation, indemnification — that the organization did not need to accept and is now bound to perform.
Treating the BAA as a one-time event. BAAs need to be reviewed and refreshed periodically — when services change, when regulations change, when the parties' relationship changes. A 2014 BAA that has never been updated may not address current regulatory requirements or current operational reality. This concern is amplified by the Security Rule NPRM released in December 2024 and published at 90 Fed. Reg. 898 (Jan. 6, 2025), which, if finalized, would require existing BAAs to be updated to address new technical and documentation requirements.
Failing to flow obligations downstream. Every subcontractor that touches PHI needs its own BAA with the business associate. See 45 C.F.R. § 164.504(e)(5); § 164.308(b)(2). Cloud providers, email vendors, e-signature platforms, CRM systems — each requires a BAA, and many consumer-grade tools do not offer one. A business associate that signs a BAA with a covered entity but uses a non-BAA-covered email service for PHI is in violation of both HIPAA and its own BAA. OCR guidance on cloud computing addresses this directly — see HHS OCR, Guidance on HIPAA & Cloud Computing, hhs.gov/hipaa/for-professionals/special-topics/cloud-computing. Two points from that guidance trip up small organizations: a cloud provider that stores ePHI is a business associate even if the data is encrypted and the provider never holds the decryption key, so encryption does not remove the need for a BAA; and a provider's BAA typically covers only the services the provider designates as eligible, so the business associate must confirm that each specific service it uses for PHI is in scope and is configured as the provider's BAA requires.
Ignoring the BAA after signing. The BAA's obligations are ongoing. Breach notification timing, subcontractor management, audit cooperation, individual rights — all require operational systems to execute. A signed BAA in a file drawer is not compliance; it is a list of promises the organization has not built the capacity to keep.
What This Means Practically
For an organization that has confirmed business associate status, the BAA work should happen in parallel with — not after — the other compliance work. Specifically:
• Engage counsel to develop or review a BAA template before approaching any covered entity partner
• Identify the deal-breaker terms in advance and brief decision-makers so the negotiation is not happening at the signature table
• Build internal capacity to execute the obligations the BAA creates — particularly breach notification, subcontractor management, and individual rights response
• Track every executed BAA in a central register, with renewal dates and key terms summarized
• Confirm BAA coverage for every vendor that touches PHI before the vendor is onboarded
The BAA is not a formality. It is the contract that defines who you are in HIPAA's framework, what you are permitted to do, and what happens when things go wrong. Treat it accordingly.
HIPAA compliance is about building a practical compliance framework that fits the realities of your organization, your workforce, and the way patient information actually moves through your systems. At West Coast Health Law Group, we assist healthcare practices, telehealth companies, nonprofits, and healthcare startups with the legal and operational side of HIPAA compliance. West Coast Health Law offers a FREE consultation which you may schedule by clicking the button on our website.
Up next in Part 3: The Security Risk Analysis — the document OCR asks for first, what it should contain, and who can perform one for your organization.
Selected Authorities and Resources
Regulatory provisions governing BAAs:
• 45 C.F.R. § 160.103 (definitions of "business associate," "subcontractor")
• 45 C.F.R. § 164.308(b) (business associate contracts — administrative safeguards)
• 45 C.F.R. § 164.314(a) (business associate contracts — Security Rule organizational requirements)
• 45 C.F.R. § 164.502(e) (disclosures to business associates)
• 45 C.F.R. § 164.504(e) (business associate contracts — required provisions)
• 45 C.F.R. § 164.410 (notification by a business associate of breach)
Statutory framework:
• HITECH Act, Pub. L. 111-5, §§ 13401, 13404 (direct liability of business associates)
• Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) (Omnibus Rule)
HHS/OCR guidance:
• OCR, Sample Business Associate Agreement Provisions, hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions
• OCR, Business Associate Contracts, hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates
• OCR, Guidance on HIPAA & Cloud Computing, hhs.gov/hipaa/for-professionals/special-topics/cloud-computing
Pending regulatory change:
• HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025) (proposed)
Important Disclaimer: This post is for general informational purposes only and does not constitute legal advice. Reading this post, visiting our website, clicking a scheduling button, or requesting a consultation does not create an attorney-client relationship with West Coast Health Law Group. An attorney-client relationship is formed only after we confirm there is no conflict of interest and both you and our firm sign a written engagement agreement. If you are a California healthcare provider considering a partnership or internal succession arrangement, we invite you to schedule a free consultation through the button on our website to see whether we may be a good fit to help.