Cybersecurity

HIPAA BAA Requirements 2026: The Vendor Verification Playbook

The operator's playbook for HIPAA BAA governance in 2026 — required provisions, annual BA verification, subcontractor flow-down, and the audit-defensible register.

Douglyn 11 min read
Legal contract labeled Business Associate Agreement being reviewed at a desk, with a digital verification checkmark hovering over the signature area and a subtle network of connected vendor icons in the background representing subcontractor flow-down

The Office for Civil Rights made vendor accountability the centerpiece of its 2026 HIPAA enforcement priorities, and the enforcement pattern that’s emerged over the past 18 months is consistent: covered entities with technically-compliant Business Associate Agreements are still getting hit when their business associates cause breaches. The BAA on the shelf is not enough. What matters operationally is who signed it, when it was last reviewed, whether the business associate is actually doing what the agreement requires, and whether their subcontractors are bound to equivalent obligations.

Every mid-size healthcare practice has BAAs that were signed in 2015 and never reviewed. Every one of them is a potential enforcement gap. And the picture is complicated further by the current regulatory limbo — the January 2025 Notice of Proposed Rulemaking would have added mandatory annual business associate verification requirements, but the spring 2026 publication window came and went with no final rule. As of mid-2026, the Final Rule remains proposed, roughly 4,700 public comments are still being reviewed, and a coalition of 100+ hospital and provider groups has asked HHS to withdraw the proposal entirely.

This is the operator’s playbook for HIPAA BAA governance under 2026 conditions — the required provisions, the annual review discipline, the subcontractor flow-down that OCR actually enforces on, and the register that turns BAA compliance into a defensible audit posture. It pairs with our HIPAA audit preparation 90-day checklist (sibling spoke), our 2026 HIPAA Security Rule updates for Florida practices hub, the Miami-Dade medical office compliance checklist, the Orlando healthcare cybersecurity deep dive, and the broader Florida healthcare cybersecurity threat landscape.

Key Takeaways

  • Vendor accountability is OCR’s stated 2026 priority. BAAs signed years ago and never revisited are the primary enforcement gap.
  • Nine required provisions define a compliant BAA. Missing any of them is a finding. Boilerplate BAAs from 2018 typically have 2-3 gaps against 2026 expectations.
  • Subcontractor flow-down is where enforcement actually happens. OCR has pursued cases where BAAs were technically compliant but BAs failed to impose equivalent obligations downstream.
  • The 2026 NPRM’s proposed annual BA verification remains proposed. Spring 2026 target missed. Timeline uncertain. Prepare anyway — the verification discipline is best practice regardless.
  • A BAA register with review cadence is the audit-defensible artifact. Not the individual agreements — the register that shows they’re actively managed.

What a BAA Actually Is (and Isn’t)

The Business Associate Agreement is a legal contract between a covered entity and a business associate that establishes the terms under which PHI is created, received, maintained, or transmitted on the covered entity’s behalf. Understanding what it does and doesn’t do keeps operators from over-relying on it.

What the BAA does. Establishes the permitted uses and disclosures of PHI by the BA. Requires the BA to safeguard PHI. Requires the BA to notify the covered entity of breaches. Requires the BA to make PHI available for individual access, amendment, and accounting-of-disclosures requests. Requires the BA to return or destroy PHI at termination. Creates a contract-law basis for the covered entity to hold the BA accountable.

What the BAA does not do. Waive the covered entity’s obligations under HIPAA. Shield the covered entity from OCR enforcement when the BA has a breach. Substitute for the covered entity’s own compliance program. Guarantee the BA is actually doing what the BAA requires.

The covered entity remains responsible for its overall HIPAA posture. A BAA that’s technically compliant but signed with a business associate that has weak security operations is a covered entity’s problem when the breach happens.

The 9 Required BAA Provisions

Every compliant BAA must include the following provisions. Missing any of these is a finding under OCR review.

  1. Permitted uses and disclosures of PHI. Specific to the services being provided. Boilerplate “for the purposes of the services” language is weak; specificity is stronger.
  2. Safeguard requirements. Referencing the HIPAA Security Rule’s administrative, physical, and technical safeguard categories at minimum. Stronger BAAs specify controls (encryption, MFA, access logging, incident response capability).
  3. Breach notification obligations. Specifying the timeline (currently no more than 60 days under HIPAA, but negotiate tighter — 24 to 72 hours is common in strong BAAs), the notification content, and the cooperation obligations during breach response.
  4. Subcontractor obligations. Requiring the BA to bind its own subcontractors to equivalent-or-stronger obligations. This is the provision OCR most-frequently finds inadequate.
  5. PHI access and amendment obligations. BA must make PHI available for individual access, amendment, and accounting-of-disclosures requests routed through the covered entity.
  6. HHS access provisions. BA must make its books, records, and PHI-related activities available to HHS for compliance investigation.
  7. PHI return or destruction at termination. BA must return or destroy all PHI upon termination of the contract. Where return or destruction is infeasible, the BAA must extend safeguards to the retained PHI.
  8. Termination for material breach. Covered entity may terminate the BAA (and stop providing PHI) if the BA materially breaches the agreement and doesn’t cure.
  9. HIPAA regulatory compliance. BA must comply with all applicable HIPAA regulations, and cannot disclose PHI in ways the covered entity itself couldn’t.

Recommended (not required but strong practice): indemnification for breach costs, minimum insurance requirements (cyber liability, errors and omissions), audit rights, and specific technical control requirements (encryption at rest and in transit, MFA on privileged access, EDR deployment).

What the 2026 NPRM Would Add — And Why It Matters Even Though It’s Proposed

The January 2025 NPRM proposes several BAA-related changes that remain proposed as of mid-2026.

The headline change: annual business associate verification. The NPRM would require business associates to verify, at least once every twelve months, that they have deployed the technical safeguards required by the Security Rule. The verification must be performed by a subject-matter expert and documented in writing, with the BA certifying that the analysis is accurate.

Status as of mid-2026. The spring 2026 publication target OCR had signaled came and went with no final rule. Approximately 4,700 public comments are still under review. A coalition of 100+ hospital and provider groups has asked HHS to withdraw the proposal, citing implementation cost and operational burden. Industry analysts still expect publication in 2026 but the timing is uncertain. Once published, covered entities and BAs get 180-240 days to comply.

Why prepare anyway. Even in the scenarios where the NPRM is delayed, modified, or withdrawn, the underlying discipline of BA annual verification is best practice. Cyber insurance carriers already ask about it. Customer counterparties in due diligence ask about it. State attorneys general in states with independent healthcare privacy laws (California, New York, Texas among others) are moving in similar directions.

Practical guidance for 2026. Add annual verification language to new BAAs today. On BAA renewals, add or update the annual verification clause. For existing BAAs where amendment is impractical, implement operational verification (annual questionnaire, security attestation, SOC 2 Type II review) regardless of contract silence.

The Subcontractor Flow-Down Problem

This is where OCR enforcement actually happens.

The 2013 HIPAA Omnibus Rule established that downstream subcontractors handling PHI are business associates in their own right. It also placed the primary BA on the hook to impose equivalent obligations on its own subcontractors — the “flow-down” requirement. In practice, many BAAs still contain vague subcontractor language that allows subcontracting without requiring flow-down.

OCR has pursued enforcement actions where a covered entity’s BAA with the BA was technically compliant, but the BA failed to impose equivalent obligations on its subcontractors — meaning the covered entity’s compliance posture was undermined by a subcontractor gap the covered entity had no direct visibility into.

Practical governance for the flow-down. Require explicit subcontractor flow-down language in every BAA. For significant BAs (EHR platforms, cloud providers, MSPs), ask about subcontractor practices during vendor diligence: who are the key subcontractors, how are they vetted, how is flow-down enforced. For the highest-risk vendors, negotiate for annual subcontractor lists. Document the diligence — that’s the audit trail that matters when OCR asks.

The BAA Register: What Audit-Ready Looks Like

The audit-ready artifact is not the stack of individual BAAs — it’s the register that shows they’re actively managed. Minimum fields:

  • Vendor name and services provided
  • Date BAA was executed
  • BAA version (yours or theirs, current template date)
  • Last review date
  • Next scheduled review date
  • Contact information for the BA’s HIPAA point of contact
  • BA’s subcontractors that touch PHI (if disclosed)
  • Notes on any material issues or open remediation items
  • Breach notification timeline agreed to
  • Subcontractor flow-down language present (yes/no/version)
  • Annual verification received (if applicable)
  • Termination trigger status

Update the register on a regular cadence (quarterly is common). Review the entire register annually. Flag any BAAs older than 24 months for template refresh. Flag any BAAs where the BA has had material changes (acquisition, breach, service scope expansion) for re-negotiation.

For mid-size practices, the register can live in a spreadsheet or a dedicated GRC tool. The tool matters less than the discipline of maintaining it.

The 6 BAA Failure Modes That Recur

Patterns in denied claims, OCR settlements, and third-party HIPAA assessments:

  1. Stale template. BAA was executed in 2015 using a template that predates the 2013 Omnibus Rule updates. Missing subcontractor flow-down language, stale breach notification provisions.
  2. Missing subcontractor language. Template is current but the subcontractor flow-down clause is vague or missing. The BA can subcontract freely without imposing equivalent obligations.
  3. No annual review. Register doesn’t exist or hasn’t been updated in years. BAAs signed and forgotten.
  4. Missing cloud provider BAA. Practice uses AWS/Azure/Google Cloud for PHI-processing workloads but hasn’t executed the cloud provider’s BAA.
  5. Breach notification timeline undefined. BAA relies on HIPAA’s baseline 60-day BA notification window with no negotiated tighter timeline.
  6. Termination triggers vague. Material breach language is present but the covered entity’s practical ability to terminate is undermined by other contract provisions (long notice periods, non-terminable payment obligations, limitation-of-liability clauses).

Each of these is preventable with the register discipline above. Each is what surfaces first when preparation was rushed or absent.

When to Terminate a BAA vs Renegotiate

Termination is the nuclear option, but it should be genuinely available. Three scenarios where renegotiation is the right answer:

  • The BAA has provision gaps but the vendor is generally responsive. Renegotiate the specific provisions. Most vendors will accept reasonable updates.
  • The BA had an incident but responded appropriately. Their incident response is signal about maturity. Update the BAA if lessons emerged, but don’t terminate over one well-handled incident.
  • Provider is essential and hard-to-replace. Renegotiate what you can; document the remaining gaps as accepted risk with the reasoning; revisit at next renewal.

Three scenarios where termination is the right answer:

  • BA repeatedly ignores BAA obligations. Missed notification timelines, refusal to update template, refusal to provide security attestations. Signal of broader operational weakness.
  • BA had a material breach and handled it poorly. Slow notification, opacity, blame-shifting. The next incident will be worse.
  • BA is not equipped to serve healthcare customers. The pattern of missed obligations reveals the vendor is fundamentally consumer-tier trying to work in a regulated space.

Termination should be a documented, planned transition — not a reflexive response to one bad interaction. But it should always be available.

What BASG Does — as MSP-BA and BA Governance Advisor

BASG operates on both sides of the BAA question. As a managed IT services provider to healthcare practices, we sign our own BAAs with covered entity clients and treat the obligations seriously — our IR runbook, our documentation, our subcontractor practices, and our annual attestation are all built around meeting BA obligations under 2026 conditions. We also help our healthcare IT services and industry compliance clients govern their broader BAA landscape — building the register, refreshing stale templates, running BA diligence questionnaires, and remediating the subcontractor gaps that OCR looks for.

Our cybersecurity services engagements with healthcare clients often start with a BAA audit because that’s where the most enforcement exposure lives in a mid-size practice. The remediation work is concrete: current-template BAAs on file for every vendor, subcontractor flow-down language in every agreement, a register that’s actively maintained, and annual attestation processes for the highest-risk BAs.

If your practice hasn’t reviewed its BAAs in the last 18 months, or if the possibility of a 2026 or 2027 Final Rule publication has surfaced the question, get in touch for a 30-minute BAA governance review. We’ll walk through your current register (or help you build one), identify the gaps most likely to surface in audit or during a customer due diligence request, and propose a remediation plan. BAA governance is unglamorous, and it’s exactly the discipline that keeps OCR investigations short.

Frequently Asked Questions

Who exactly needs a BAA with our practice?

Any person or organization that creates, receives, maintains, or transmits Protected Health Information on behalf of your practice is a business associate and needs a BAA. The category is broader than most operators realize. Obvious examples: EHR vendor, practice management system, billing service, medical transcription service, external coder, cloud storage provider hosting any PHI, telehealth platform, HIPAA-covered communications platform, secure fax service, records-management or shredding vendor with access to paper PHI, IT service provider (including MSPs — see the MSP FAQ). Less obvious: cloud infrastructure providers (AWS, Azure, Google Cloud) when your workloads process or store PHI, backup and disaster recovery services, telephony providers that route or record clinical calls, marketing agencies with access to patient lists, email marketing platforms sending patient communications, appointment reminder services, patient portal vendors, third-party analytics services embedded in patient-facing tools. Not business associates: workforce members (they're covered by internal policies), members of your organized health care arrangement (different framework), most janitorial services (incidental exposure only, no PHI custody). When in doubt, err toward BAA. A signed BAA with a low-risk vendor is administrative overhead; a missing BAA with a vendor who has an incident is enforcement exposure.

Do cloud providers (AWS, Azure, Google Cloud) count as business associates?

Yes, when your workloads store, process, or transmit PHI on their infrastructure. All three major cloud providers offer HIPAA-eligible services and standard BAAs for covered entities and business associates. AWS's BAA covers HIPAA-eligible services (a documented subset of AWS's service catalog); using non-HIPAA-eligible services with PHI puts you outside the BAA scope. Azure and Google Cloud have similar frameworks. Practical implications: (1) You must actively execute the cloud provider's BAA — signing up for an AWS account does not automatically enroll you. (2) Your architecture must restrict PHI to HIPAA-eligible services within the covered scope. (3) Your BAA with the cloud provider does NOT extend to third-party SaaS products running on that cloud — you need separate BAAs with each SaaS vendor that touches PHI. (4) OCR treats the cloud provider as the BA, not as an infrastructure component — meaning the cloud provider's HIPAA compliance, breach obligations, and audit posture matter to your compliance. Practices running EHRs, PM systems, or clinical tools on AWS/Azure/GCP need documentation showing the BAA is in place and that the workloads are within the covered service scope.

What happens if a business associate has a breach?

The BA has its own breach notification obligations under HIPAA, and the covered entity has obligations that flow through the BAA. Under current law, the BA must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery. The notification must include the individuals affected, the PHI involved, the date of discovery, and the BA's initial response actions. The covered entity then has its own 60-day notification clock (from the date the covered entity is notified, or the date the covered entity should have known, whichever is earlier) to notify affected individuals, HHS, and — for breaches affecting 500+ individuals — the media. In practice, the covered entity carries the reputational and regulatory exposure even though the BA caused the breach. This is why the BAA's breach notification provisions matter operationally: too-long notification windows in the BAA translate directly into compressed covered-entity response timelines. The 2026 NPRM proposes tightening the internal notification window (potentially to 72 hours for certain incidents) — while proposed, it signals where OCR is heading. Practically: negotiate BAA breach notification to 24-72 hours where possible; require the BA to provide meaningful information (not just 'we had a security incident'); require the BA to provide reasonable cooperation in the covered entity's response and individual notification.

Do we need a BAA with our managed IT services provider or MSP?

Yes, and this is one of the most-missed BAAs in mid-market healthcare. If your MSP has any access to systems containing PHI — the EHR server, the PM database, the file share, the email server, backup systems, network monitoring tools that log PHI-adjacent activity — they are a business associate and need a BAA. This applies even if the MSP claims 'we don't touch PHI directly' — access to systems that contain PHI is enough to trigger BA status under HIPAA. The BAA with your MSP should specifically address: which systems the MSP has access to; whether MSP staff view PHI in the course of support (yes, in almost all cases); the MSP's security controls (their EDR, their MFA, their access logging, their personnel background checks); the MSP's subcontractor use (do they use a NOC or SOC partner? that partner is now a subcontractor of a BA and needs its own equivalent obligations); and the MSP's incident notification timeline back to your practice. If your MSP hasn't offered a BAA and you have HIPAA exposure, ask for one today. If they push back or claim they don't need one, that's a signal about their broader HIPAA posture — and possibly a signal to shop for an MSP with a healthcare practice. See our [healthcare IT services](/healthcare-it-services/) page for the framework we bring to healthcare engagements.

Do we need BAAs with our business associate's subcontractors?

You need language in your BAA with the primary business associate that requires the BA to have equivalent-or-stronger BAAs with its own subcontractors — that's the subcontractor flow-down obligation. You typically don't need to execute BAAs directly with the subcontractors yourself. The 2013 HIPAA Omnibus Rule made downstream subcontractors who handle PHI business associates in their own right, and it made the primary BA responsible for imposing equivalent obligations on them. OCR has pursued enforcement where a covered entity's BAA with the BA was technically compliant, but the BA failed to impose equivalent obligations on its own subcontractors — meaning the covered entity's compliance posture was undermined by a subcontractor gap the covered entity had no direct visibility into. Practical guidance: (1) Every BAA you execute should have a subcontractor flow-down clause explicitly requiring the BA to bind its subcontractors to at least the same terms. (2) Ask each significant BA about their subcontractor practices — who their key subcontractors are, how they diligence them, how they document the flow-down. (3) For very-high-risk vendor relationships (e.g., a large EHR platform with many downstream integrations), consider requiring the BA to provide their subcontractor list annually. (4) OCR does not expect you to individually verify every subcontractor — it expects you to have documented governance that makes the flow-down actually happen.

What if a vendor refuses to sign our BAA template?

This is a common negotiation, and the outcome depends on leverage and how essential the vendor is. Three scenarios worth distinguishing. (1) The vendor has a signed HIPAA-compliant BAA of their own that they'll offer instead of yours (common with large cloud providers, EHR vendors, established healthcare SaaS). Review it against your minimum requirements — required provisions, breach notification timeline, subcontractor flow-down, indemnification. If it substantively matches, sign theirs. Fighting for cosmetic changes wastes negotiation capital. (2) The vendor offers a BAA that has real gaps (long notification windows, weak subcontractor language, indemnification carveouts, limitation-of-liability clauses that effectively neutralize breach obligations). Negotiate the specific gaps. Most vendors have flexibility on 2-3 provisions per negotiation. (3) The vendor refuses to sign any BAA at all. This is a hard signal. Either they're not equipped for healthcare (in which case, do not use them for PHI), or they're a small enough consumer-grade tool that the operational risk is not worth it. Non-healthcare-eligible vendors trying to serve healthcare customers is one of the primary sources of hidden HIPAA exposure. Walk away and find a HIPAA-eligible alternative. The volume of HIPAA-eligible tools in every category has grown substantially — there's almost always a compliant alternative.
Tags: hipaa baa requirements business associate agreement 2026 hipaa baa verification baa annual verification subcontractor flow-down hipaa hipaa compliance 2026 healthcare vendor management

Let's Build Your Technology Strategy

Ready to transform your IT from a cost center into a competitive advantage? Talk to our team.