Mako Logics

BAA checklist for Houston healthcare practices.

The Business Associate Agreement clauses your small practice actually needs — and the red-flag language to push back on. A practical checklist for HIPAA-covered entities reviewing vendor BAAs.

Published April 21, 2026.

A BAA is a contract. This checklist helps you evaluate one; your attorney should sign off on any BAA before you do.

Who needs a BAA from whom

Any vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on your behalf needs a BAA. For a typical small practice, that’s usually:

  • EHR / practice-management vendor
  • Patient-portal provider
  • Email hosting (if PHI is sent via email — and it usually is)
  • Cloud file storage (OneDrive, Google Drive, Dropbox Business)
  • Backup / disaster-recovery vendor
  • Medical billing service
  • Transcription / dictation services
  • Your Managed IT Service Provider (MSP)
  • Secure-messaging or referral platforms
  • Analytics or quality-reporting vendors that see PHI

A vendor that cannot or will not provide a BAA is not an appropriate vendor for a healthcare practice, regardless of what they offer.

Required clauses to verify

  • Definition section mirrors HIPAA's use of "PHI," "Business Associate," and "Covered Entity"
  • Permitted uses and disclosures explicitly limited to what the service requires
  • Safeguards clause: vendor will implement administrative, physical, and technical safeguards consistent with the HIPAA Security Rule
  • Subcontractor clause: vendor will require any downstream subcontractor handling PHI to enter into the same terms
  • Breach-notification clause: vendor will notify you within a specific number of days (30 or fewer is reasonable; 60 is the outer limit)
  • Incident reporting beyond breaches — attempted security incidents at minimum quarterly or upon request
  • Individual rights support: access, amendment, accounting of disclosures
  • HHS audit cooperation: vendor will make books and records available to HHS
  • Return or destruction of PHI at contract termination
  • Mitigation of any known harmful effect from unauthorized use or disclosure

Red-flag language to push back on

  • "Vendor will use reasonable efforts to secure PHI" — should be specific safeguards, not "reasonable efforts"
  • 60+ day breach notification window — too long; push for 30 days or less
  • Liability caps at the annual fee — breaches cost more than your annual fee; at minimum negotiate a higher cap for breach events
  • Broad "data use" rights (de-identification, analytics, AI training on your patients' data) — this is common in SaaS BAAs and usually inappropriate
  • No subcontractor flow-down — vendor should require subs to have equivalent BAAs
  • Unlimited indemnification running against you — should be mutual or at least limited
  • Auto-renewal without renegotiation or price-lock

Operational checks beyond the BAA

Having a BAA on file is necessary but not sufficient. Verify:

  • Vendor has an audited security posture (SOC 2 Type II, HITRUST, or equivalent)
  • Vendor's breach history — ask the vendor directly to disclose any prior breaches or reportable security incidents
  • Vendor's incident-response process aligns with your IR plan
  • Vendor supports MFA for your admins
  • Vendor supports export of your data in a usable format
  • Vendor's geographic footprint — if PHI is stored or processed outside the US, additional considerations apply

Maintenance

  • Maintain a single list of all BAAs with signed-date and renewal cadence
  • Review annually — vendors add products and services that may not be covered by the original BAA
  • Re-verify the BAA when a vendor is acquired, merged, or changes ownership
  • Update your Notice of Privacy Practices if your BAA landscape materially changes