HIPAA BAA Generator

7 Common BAA Mistakes That Put Your Practice at Risk

Even organizations that take HIPAA seriously often make critical errors with their Business Associate Agreements. Here are the most common mistakes — and how to avoid them.

1. Not Having a BAA at All

The most basic and most costly mistake. Many organizations don't realize they need BAAs with certain vendors. A cloud storage provider? Yes, you need a BAA. An IT support company with remote access? Yes, BAA required. A medical transcription service? Absolutely.

**Fix:** Audit all vendor relationships and identify every entity that touches PHI. Execute BAAs before sharing any patient data.

2. Using a One-Size-Fits-All Template Without Review

While templates (like the one our tool generates) are a great starting point, every business associate relationship is different. A BAA for your cloud hosting provider should differ from one with your billing company.

**Fix:** Customize each BAA to reflect the specific services, PHI types, and risk profile of the relationship. Have an attorney review significant agreements.

3. Failing to Include Required Provisions

HIPAA specifies exact provisions that must be in every BAA. Missing even one can make the entire agreement non-compliant. Common omissions include:

- Breach notification requirements
- Subcontractor obligations
- Return/destruction of PHI upon termination
- Individual access rights provisions

**Fix:** Use a comprehensive template and verify it covers all requirements under 45 CFR §164.504(e).

4. Setting Breach Notification Periods Too Long

HIPAA requires business associates to notify covered entities of breaches "without unreasonable delay." Some BAAs set notification periods of 90 or even 120 days — which may not meet HIPAA's standard.

**Fix:** Set breach notification at 60 days maximum. Many experts recommend 30 days or shorter to give covered entities time to meet their own 60-day notification obligation to individuals.

5. Ignoring Subcontractor Requirements

Your business associate might use their own vendors (subcontractors) who also access PHI. Under HIPAA, business associates must ensure subcontractors are also bound by BAA terms.

**Fix:** Include strong subcontractor provisions in your BAAs and require business associates to notify you of subcontractors handling PHI.

6. Not Updating BAAs When Relationships Change

Services evolve. A vendor that once had limited PHI access may now handle much more data. If your BAA doesn't reflect the current scope of the relationship, it may not provide adequate protection.

**Fix:** Review BAAs annually or whenever the scope of services changes. Update the services description, PHI types, and permitted uses as needed.

7. No Termination or Exit Plan

What happens to your PHI when the business associate relationship ends? Without clear termination provisions, your data could remain in limbo — or worse, be improperly retained.

**Fix:** Every BAA should specify that PHI must be returned or destroyed upon termination, with a timeline for completion. If return or destruction isn't feasible (e.g., backup tapes), the BAA should extend protections indefinitely to retained data.

Bonus: Not Keeping Signed Copies

HIPAA requires you to retain each BAA for six years from the date it was created or the date it was last in effect — whichever is later. Many organizations can't produce their BAAs when OCR comes knocking.

**Fix:** Maintain a centralized, organized repository of all executed BAAs with dates, parties, and renewal schedules.

The Bottom Line

A BAA is only as good as the effort you put into it. Take the time to customize, review, and maintain your agreements. The cost of getting it right is far less than the cost of getting it wrong.
