The Missing Signature That Cost a Health System $4.3 Million
In 2016, Advocate Health Care Network settled with the Office for Civil Rights (OCR) for $5.55 million — at the time one of the largest HIPAA settlements in history. Among the findings? The organization failed to obtain business associate agreements from multiple entities that had access to electronic protected health information (ePHI). A missing BAA contract wasn't the only problem, but it was a glaring one that made everything worse.
I've seen this scenario play out at organizations of every size. A vendor gets access to PHI. Someone assumes legal already handled the paperwork. Nobody checks. Then a breach happens, and the first thing OCR asks for is the signed BAA contract. If you can't produce one, the conversation shifts from "let's remediate" to "let's calculate the fine."
This post breaks down exactly what a BAA contract must contain, where organizations keep getting it wrong, and how to build a process that actually holds up under scrutiny.
What Exactly Is a BAA Contract?
A business associate agreement — commonly called a BAA contract — is a legally binding document required under the HIPAA Privacy and Security Rules. It governs the relationship between a covered entity (like a hospital, health plan, or clearinghouse) and any business associate that creates, receives, maintains, or transmits protected health information on the covered entity's behalf.
Think of it this way: if a third party touches your patients' data, you need a BAA contract in place before that access begins. Not after. Not "when legal gets around to it." Before.
The requirement comes directly from 45 CFR Part 164, Subpart C, and OCR has made it painfully clear through enforcement actions that this isn't optional.
Who Counts as a Business Associate?
This is where I see the most confusion. Business associates aren't just your EHR vendor. They include:
- IT service providers with access to systems containing ePHI
- Cloud storage and hosting companies
- Billing and coding services
- Shredding and document destruction companies
- Consultants who review patient records
- Answering services that handle patient calls
- Attorneys who receive PHI for legal matters
If you're unsure whether a vendor qualifies, ask one question: "Will this organization create, receive, maintain, or transmit individually identifiable patient information on our behalf?" If the answer is yes — or even maybe — you need a BAA contract.
The 9 Elements Every BAA Contract Must Include
HHS publishes sample BAA provisions that spell out what's required. But sample language and compliant language aren't always the same thing. Here's what your BAA contract must address:
1. Permitted Uses and Disclosures
The agreement must specify exactly how the business associate can use and disclose PHI. Vague language like "for business purposes" won't cut it. Be specific about the services being performed and the data involved.
2. Safeguard Requirements
The business associate must agree to implement appropriate administrative, physical, and technical safeguards to protect ePHI. This mirrors the Security Rule obligations that apply to covered entities.
3. Reporting Obligations
Your BAA contract must require the business associate to report any use or disclosure of PHI not provided for in the agreement — including security incidents and breaches. The breach notification timeline matters here: business associates must notify the covered entity within 60 days of discovering a breach, though I always recommend negotiating that window down to 10-15 days.
4. Subcontractor Requirements
If your business associate uses subcontractors who will access PHI, the BAA must require that those subcontractors also agree to the same restrictions. This downstream accountability was strengthened significantly by the HITECH Act and the 2013 Omnibus Rule.
5. Access to PHI
The agreement must ensure that the business associate will make PHI available to satisfy an individual's right of access under the Privacy Rule.
6. Amendment of PHI
Similarly, the BAA must require the business associate to make PHI available for amendment when requested.
7. Accounting of Disclosures
The business associate must agree to document and make available the information needed for an accounting of disclosures.
8. HHS Access
The agreement must allow HHS to access the business associate's internal practices, books, and records related to PHI use — for compliance verification purposes.
9. Termination Provisions
Your BAA contract must spell out what happens when the relationship ends, including the return or destruction of all PHI. It should also address what happens if the business associate violates the agreement.
The $2.3 Million Mistake: Not Managing BAAs After Signing
Raleigh Orthopaedic Clinic paid $750,000 to OCR in 2016 for providing a business associate with access to PHI on its server without having a BAA in place. That's a mid-sized practice — not a hospital system — getting hit with a six-figure penalty for something that takes an afternoon to fix.
But here's what I've seen more often than missing BAAs: organizations that sign them and then forget they exist. The BAA contract sits in a drawer or a SharePoint folder. Nobody tracks renewal dates. Nobody verifies that the business associate is actually complying with the safeguard requirements they agreed to.
Your BAA contract management process needs to include:
- A centralized inventory of every business associate relationship and its corresponding BAA
- Annual reviews to confirm the agreement still reflects the actual services being provided
- Termination tracking to ensure PHI is returned or destroyed when a vendor relationship ends
- Verification mechanisms — requesting evidence of security practices, not just trusting the signed paper
Can You Use a Template BAA Contract?
Yes, but with serious caveats. The HHS sample provisions are a starting point, not a finish line. I've reviewed hundreds of BAA contracts over the years, and the ones that cause the most problems are the ones copied verbatim from a template without tailoring them to the actual relationship.
Every vendor relationship is different. A cloud hosting provider needs different provisions than a medical transcription service. Your BAA contract should reflect the specific type of PHI involved, the specific systems in play, and the specific risks of that particular arrangement.
Get your legal counsel involved. But also make sure your HIPAA Privacy and Security Officers review the operational details. Lawyers write enforceable contracts. Compliance officers catch the gaps that lead to breaches.
What Happens When a Business Associate Breaches Your Data?
Under the Breach Notification Rule, the covered entity is ultimately responsible for notifying affected individuals and HHS — even when the breach occurred at the business associate level. Your BAA contract is the mechanism that ensures you find out about that breach quickly enough to meet your own obligations.
This is why the reporting timeline clause matters so much. If your BAA gives the business associate 60 days to tell you about a breach, and then you have 60 days to notify individuals, you could be looking at a four-month gap between a breach and public notification. That's a terrible outcome for your patients and your reputation.
Negotiate tight timelines. Require incident details in the initial notification. Build escalation procedures directly into the BAA contract.
Training Your Workforce on BAA Requirements
Your compliance team isn't the only group that needs to understand BAA contracts. Anyone involved in vendor procurement, contract management, or IT provisioning needs baseline knowledge of when a BAA is required and what it must contain.
I've seen breaches triggered by a well-meaning department manager who gave a new IT consultant remote access to a system containing ePHI — without looping in compliance or legal. No BAA. No risk assessment. Just a handshake and a login credential.
Building this awareness into your HIPAA workforce training program is one of the most effective risk reduction steps you can take. When staff across your organization understand the basics of business associate relationships, they become your early warning system instead of your weakest link.
What Should BAA Training Cover?
- How to identify when a vendor qualifies as a business associate
- The process for initiating a BAA before granting PHI access
- Red flags that suggest a current BAA may be outdated or inadequate
- How to report a suspected BAA gap to your compliance team
The HIPAA training catalog at HIPAACertify includes role-specific courses that address these exact scenarios — designed for the people who need practical guidance, not just legal theory.
Your BAA Contract Checklist for 2026
Here's a quick self-assessment. If you can't answer "yes" to every one of these, you have work to do:
- Do you maintain a current, centralized inventory of all business associate relationships?
- Does every business associate have a signed, up-to-date BAA contract on file?
- Have you reviewed each BAA within the past 12 months to confirm it reflects current services?
- Do your BAAs include breach notification timelines shorter than 60 days?
- Have you verified that business associates with subcontractors have downstream BAAs in place?
- Is your workforce trained to recognize when a new vendor relationship triggers the need for a BAA?
- Do you have a documented termination process that includes PHI return or destruction verification?
Every "no" on that list is an exposure point. And OCR doesn't grade on a curve.
Stop Treating the BAA Contract as a Formality
A BAA contract isn't a checkbox. It's the legal and operational framework that determines who's responsible when something goes wrong with your patients' most sensitive data. I've watched organizations treat BAAs like HR paperwork — something to sign and file. Then a breach happens, and that neglected document becomes the centerpiece of an OCR investigation.
Get your inventory current. Review your agreements with fresh eyes. Train your people to spot gaps before they become incidents. And if you're not sure where your program stands, start with a comprehensive look at your HIPAA compliance training to make sure everyone from the C-suite to the front desk understands what's at stake.
Because by the time OCR comes asking for your BAA contracts, it's already too late to go looking for them.