Ounce of Prevention: Do Your Business Associate Agreements Have All Required Provisions?

May 21, 2024
Applicable Provider Types: All

Is Your Entity in Compliance?

The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires Covered Entities (CEs), Business Associates (BAs) and Business Associate subcontractors to enter into written agreements (also known as Business Associate Agreements or BAAs) governing each party’s rights and obligations with respect to the privacy and security of patient Protected Health Information (PHI). In part I of this series, we discussed the importance of maintaining BAAs with all required BAs and sub-BAs. Once you have established with whom you must enter into a BAA, the next step is to ensure each BAA includes all required provisions.

The BAAs must contain all the elements required under 45 CFR 164.504(e), including a description of the permitted and required uses and disclosures of PHI by the BA or the subcontractors, and must include language regarding implementation of appropriate security safeguards, how and when BAs will report unauthorized uses and disclosures to the CE, and whether PHI will be returned or destroyed at the end of the agreement.  

BAAs that do not contain all required provisions technically violate HIPAA requirements and can result in significant fines if discovered, particularly in the event of a HIPAA breach.

How to Confirm?

To assess whether your BAAs have all required elements:

  1. Verify each BAA contains the required elements by comparing the BAA to the Department of Health and Human Services (HHS) sample Business Associate Contract or the HHS model BAA and the rule at 45 CFR 164.504(e). Check for each of the required elements and review 45 CFR 164.410, 164.504(e), 164.524, 164.526 and 164.528 to ensure the following are included in your BAAs:
    • Establish the BA’s permitted and required uses and disclosures of PHI.
    • Require the BA not to use or further disclose the information other than as permitted or required by the contract or by law.
    • Require the BA to implement appropriate safeguards to prevent unauthorized use or disclosure, including implementing requirements of the HIPAA Security Rule for ePHI.
    • Require the BA to report unauthorized use or disclosure to the CE.
    • Require the BA to provide an accounting of disclosures to the individual, amend PHI and comply with PHI access requirements.
    • If the BA is carrying out the CE’s obligations, require the BA to follow the HIPAA rules as if it were the CE.
    • Require the BA to make books and records available to the Secretary of HHS for inspection.
    • Require the BA to return or destroy all PHI at the end of the contract.
    • Require the BA to enter into BAAs with any sub-BAs (i.e., their subcontractors that will have access or use of PHI) and ensure those agreements are at least as stringent as the BAAs in place with CEs.
    • Establish the CE’s right to terminate the contract if the BA violates a material term of the contract.
  2. Seek to amend any BAA that may be missing any of these required provisions.

If you need assistance reviewing BAAs for compliance, please do not hesitate to contact a McGuireWoods attorney.


Ounce of Prevention is a McGuireWoods series that details healthcare laws and regulations and offers tips on how providers can ensure they are in compliance. To recommend a topic for a future installment, email Gretchen Heinze Townshend at [email protected] or Tim Fry at [email protected].
