The HIPAA Business Associate Agreement checklist & vendor tracker.
Before you sign a vendor's BAA, check it against what HIPAA actually requires. This free, printable checklist lists every required element (45 CFR 164.504(e)), plus a tracker to inventory every vendor that touches PHI and confirm a current BAA is on file — and where to get HHS's official sample language.
What's inside
Eight sections — verify any BAA, track every vendor.
This is a compliance checklist and vendor tracker — not a contract. Use it to confirm a vendor's BAA covers the required elements, and to keep a current register of who has signed one. For the actual contract, the checklist points you to HHS's official sample.
1. The required BAA elements to check (45 CFR 164.504(e))
2. Breach & security-incident reporting timelines
3. Subcontractor flow-down language
4. Return / destruction of PHI at termination
5. Vendor & business-associate inventory tracker
6. BAA-on-file status & renewal dates
7. Cloud-provider BAA notes (M365, Google, Dropbox)
8. Where to get HHS's official sample BAA language
The checklist is a printable web document. Use your browser's Print → Save as PDF to keep an offline copy.
Why this matters
A missing BAA is a citation waiting to happen.
OCR's #2 cited deficiency
Missing or inadequate BAAs sit right behind the risk analysis among the most-cited HIPAA findings — and OCR has issued multi-million-dollar settlements over them.
A vendor breach becomes your breach
Without a signed BAA, a vendor incident involving your patients' PHI is fully your problem to notify and remediate — with no contractual recourse.
Most vendor BAAs have gaps
Subcontractor flow-down and breach-notification timelines are the elements most often missing. This checklist makes them easy to catch before you sign.
This checklist is general information, not legal advice. Consult qualified counsel before signing or modifying a Business Associate Agreement.
