Healthcare is one of the most heavily regulated industries in the United States, and contracts in this space carry obligations that go far beyond typical business agreements. A missing clause in a Business Associate Agreement can trigger six-figure fines. A poorly drafted patient consent form can expose a practice to lawsuits. A provider agreement without adequate compliance language can create liability that outlasts the contract itself.
HIPAA (the Health Insurance Portability and Accountability Act), enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS), imposes specific contractual requirements on anyone who handles protected health information (PHI). These provisions cannot be negotiated away: they are federal mandates backed by civil money penalties from OCR and, for knowing violations, criminal penalties prosecuted by the Department of Justice.
This guide covers the essential healthcare contracts, what HIPAA requires in each, and how to build a compliant contract framework.
Understanding HIPAA's contract requirements
Before diving into specific contract types, you need to understand how HIPAA creates contractual obligations.
Covered entities and business associates
HIPAA applies directly to covered entities: healthcare providers who transmit health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, and the like), health plans, and healthcare clearinghouses. But it also extends to business associates: any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity.
The critical legal mechanism is the Business Associate Agreement (BAA). HIPAA requires covered entities to enter into a BAA with every business associate before sharing PHI. The BAA is not a best practice — it is a legal requirement under 45 CFR § 164.502(e) and § 164.504(e).
The HITECH Act extension
The HITECH Act of 2009 extended HIPAA's reach further, and the 2013 Omnibus Rule implemented those changes. Business associates are now directly liable for HIPAA compliance, not merely contractually liable through the BAA. And the chain does not stop there: business associates must enter into BAAs with their own subcontractors who handle PHI, and those subcontractors are business associates in their own right. This creates a compliance chain that runs through every vendor relationship touching patient data.
Business Associate Agreements (BAAs)
The BAA is the foundational healthcare contract. Without it, disclosing PHI to a vendor that meets the definition of a business associate is itself a HIPAA violation, whether or not any breach ever occurs.
Required BAA elements
HIPAA specifies exactly what a BAA must contain. This is not a suggestion list — omitting required elements can invalidate the agreement and create HIPAA liability.
Permitted uses and disclosures. The BAA must specify exactly how the business associate may use and disclose PHI. This must be limited to performing services for the covered entity, as described in the underlying service agreement. Any use beyond the stated purpose violates both the BAA and HIPAA.
Safeguard requirements. The business associate must implement appropriate administrative, physical, and technical safeguards to protect PHI. Post-HITECH, the business associate is directly subject to the HIPAA Security Rule: a documented risk analysis, access controls, audit logging, workforce training, and encryption of PHI in transit and at rest (an "addressable" specification, meaning it must be implemented or its omission documented and justified with an equivalent alternative).
Reporting obligations. The BAA must require the business associate to report any security incident, and any breach of unsecured PHI, to the covered entity. HIPAA's own deadline is without unreasonable delay and in no case later than 60 calendar days after the breach is discovered (45 CFR § 164.410), and a breach counts as discovered on the first day it is known, or reasonably should have been known, to any workforce member or agent of the business associate. Many BAAs tighten this to 5-10 business days so the covered entity has time to meet its own notification deadlines to affected individuals, HHS, and (for large breaches) the media.
Subcontractor flow-down. The BAA must require the business associate to enter into equivalent agreements with any subcontractors who will access PHI. This ensures the compliance chain remains unbroken.
Return or destruction of PHI. Upon termination of the agreement, the business associate must return or destroy all PHI, including copies held by subcontractors. If return or destruction is not feasible (for example, where law requires records to be retained), the BAA must extend its protections to the retained PHI for as long as the business associate keeps it and limit further uses and disclosures to the purposes that make return or destruction infeasible.
Individual rights support. The business associate must make PHI available to fulfill the covered entity's obligations under the HIPAA Privacy Rule — including patient access requests, amendment requests, and accounting of disclosures.
OCR access. The BAA must make the business associate's internal practices, books, and records relating to PHI available to the Secretary of HHS (in practice, OCR) for the purpose of determining compliance.
Termination provisions. The BAA must authorize the covered entity to terminate the agreement if the business associate violates a material term. This is not a standard termination for convenience — it is a compliance-triggered termination right.
BAA red flags to watch for
- Overly broad use permissions. If the BAA allows the business associate to use PHI for "any lawful purpose," it is likely non-compliant. Uses must be specifically tied to the services being performed.
- No breach notification timeline. HIPAA's outer limit is 60 calendar days from discovery, but a BAA that silently falls back on that default leaves the covered entity almost no time to meet its own obligations, and a BAA with no timeline at all invites dispute over when the clock started. Best practice: 5-10 business days, with "discovery" defined in the agreement.
- Missing subcontractor provisions. If your vendor uses cloud hosting, outsourced support, or any third-party services that might access PHI, the BAA must address subcontractor obligations.
- No audit rights. You should have the contractual right to audit or assess the business associate's compliance. Without this, you are relying entirely on their self-reporting.
- Weak indemnification. HIPAA does not require indemnification, but the business associate should indemnify the covered entity for losses caused by the associate's HIPAA violations, including breach notification costs and regulatory penalties. Without this, your practice bears the financial risk of their non-compliance.
Patient consent forms
Patient consent forms serve two distinct purposes in healthcare: consent for treatment and authorization for use and disclosure of PHI. While related, these are separate legal instruments with different requirements.
Consent for treatment
Treatment consent forms authorize a healthcare provider to perform specific medical procedures or treatments. While not strictly a HIPAA document, they intersect with privacy requirements because they document what the patient has agreed to and create a medical record.
Essential elements:
- Description of the proposed treatment or procedure
- Expected benefits and material risks
- Alternative treatments available
- Right to refuse treatment and consequences of refusal
- Acknowledgment that the patient has had the opportunity to ask questions
- Date, signature of the patient (or their legal representative), and witness signature where state law or facility policy requires one
HIPAA authorization forms
HIPAA authorizations are required when PHI will be used or disclosed for purposes beyond treatment, payment, and healthcare operations (TPO). Common scenarios include release of records to a third party, use of PHI for marketing, research involving identifiable patient data, and sharing psychotherapy notes.
HIPAA-required core elements for a valid authorization (45 CFR § 164.508(c)(1)):
- Specific and meaningful description of the information to be used or disclosed
- Name or other specific identification of the person or entity authorized to make the disclosure
- Name or other specific identification of the person or entity to receive the information
- Purpose of the use or disclosure ("at the request of the individual" is sufficient when the patient initiates the authorization)
- Expiration date or expiration event
- Patient's signature and date (and, if signed by a personal representative, a description of their authority to act for the patient)
Required statements (§ 164.508(c)(2)):
- Patient's right to revoke the authorization in writing, any exceptions to that right, and the process for doing so
- Whether treatment, payment, enrollment, or eligibility may be conditioned on signing (generally it may not, with limited exceptions such as research-related treatment)
- Potential for the recipient to redisclose the information, at which point it may no longer be protected by HIPAA
The authorization must also be written in plain language, and the practice must give the patient a copy of the signed form.
Common authorization mistakes:
- Using blanket authorizations that do not specify the information being disclosed
- Omitting an expiration date or event, which makes the authorization incomplete and therefore invalid (research authorizations may use the end of the study, or "none," as the expiration event)
- Not providing a clear revocation process
- Conditioning treatment on signing an authorization for purposes beyond TPO
Notice of Privacy Practices (NPP)
While not a "contract" in the traditional sense, the NPP is a document that every covered entity must provide to patients. It describes how the practice uses and discloses PHI, the patient's rights regarding their information, and the practice's legal duties. A provider with a direct treatment relationship must make a good-faith effort to obtain the patient's written acknowledgment of receipt, normally at the first service delivery, and if the acknowledgment cannot be obtained must document the attempt and the reason. A patient's refusal to sign does not affect their care and does not excuse the practice from delivering the notice.
Provider agreements
Provider agreements govern the relationship between healthcare providers and the facilities, networks, or organizations they work with. These include hospital-physician agreements, managed care contracts, group practice employment agreements, and locum tenens (temporary staffing) arrangements.
Key provisions in healthcare provider agreements
Scope of services. Define the specific clinical services the provider will perform, including on-call responsibilities, administrative duties, and coverage requirements. Use clear language — "general medical services" is insufficient. Reference specific CPT codes, specialties, or department assignments where applicable.
Compensation and billing. Healthcare compensation structures are complex — base salary plus productivity bonuses (based on RVUs), fee-for-service arrangements, capitation models, or hybrid structures. The agreement must clearly define the compensation model, billing responsibilities (who bills, who collects), and how disputes over payment are resolved.
Credentialing and compliance. The provider must maintain active licensure, board certification (if required), hospital privileges, and malpractice insurance throughout the agreement term. The contract should specify minimum coverage amounts, typically $1 million per occurrence / $3 million aggregate for most specialties.
Non-compete and restrictive covenants. Healthcare non-compete clauses are increasingly regulated by state law. Several states have banned or restricted non-competes for physicians. Your agreement must comply with applicable state law, and overly broad non-competes are frequently struck down by courts even in states that allow them. Define reasonable geographic scope, duration, and specialty restrictions.
Tail coverage. When a provider leaves a practice, who pays for malpractice "tail coverage" (extended reporting period insurance)? This can cost $20,000-$100,000+ depending on the specialty. The agreement must allocate this responsibility explicitly — it is one of the most disputed terms in provider separations.
Medical records and data. Define who owns patient records, how they are maintained, and what happens to records when the provider leaves. HIPAA requirements apply to all medical records regardless of the employment arrangement.
Termination and wind-down. Healthcare terminations require patient notification and continuity of care planning. The agreement should include a wind-down period (typically 60-90 days for non-cause termination), patient notification procedures, and medical records transition requirements.
HIPAA compliance checklist for contracts
Use this checklist when reviewing any healthcare contract that involves PHI:
BAA requirements
- [ ] BAA exists with every vendor who accesses PHI
- [ ] Permitted uses and disclosures are specifically defined
- [ ] Security safeguard requirements reference the HIPAA Security Rule
- [ ] Breach notification timeline is defined (recommend ≤10 business days)
- [ ] Subcontractor flow-down provisions are included
- [ ] Return or destruction of PHI upon termination is required
- [ ] OCR audit access is permitted
- [ ] Compliance-based termination rights are included
Patient consent and authorization
- [ ] Treatment consent forms include all required elements
- [ ] HIPAA authorizations contain all six core elements and the three required statements
- [ ] Revocation process is clearly described
- [ ] Authorization expiration dates are set
- [ ] NPP acknowledgment process is documented
Provider agreements
- [ ] Compliance obligations are explicitly stated
- [ ] Malpractice insurance requirements are defined
- [ ] Non-compete terms comply with applicable state law
- [ ] Tail coverage responsibility is allocated
- [ ] Patient notification and wind-down procedures are included
- [ ] Medical records ownership and transition are addressed
State law considerations
HIPAA sets the federal floor for healthcare privacy and contract requirements, but many states impose additional obligations:
- California (Confidentiality of Medical Information Act, CMIA) — Requires patient authorization for most disclosures beyond treatment, payment, and operations, and provides a private right of action, which HIPAA does not.
- New York — Additional protections for HIV/AIDS information, mental health records, and genetic testing results.
- Texas — The Texas Medical Records Privacy Act (HB 300) applies to a broader set of entities than HIPAA and mandates workforce privacy training, and state breach notification law sets its own deadlines and attorney general notice requirements.
- Washington — My Health My Data Act creates additional consent and deletion requirements for health data, including data held by non-covered entities.
Your contracts must comply with both HIPAA and applicable state law. When state law is more protective than HIPAA, state law controls.
Building a compliant contract framework
Healthcare contracts are not something to build from scratch without guidance. But they also do not require a $500/hour healthcare attorney for every agreement.
Start with these priorities:
- BAAs first. Audit every vendor relationship. Any vendor with PHI access needs a BAA. This is the highest-risk gap in most healthcare practices.
- Patient consent and authorization forms. Review and update annually. Ensure they meet both HIPAA and state-specific requirements.
- Provider agreements. Review non-compete provisions against current state law. Update termination and wind-down provisions.
- Annual review cycle. Healthcare regulations change frequently. Set an annual contract review date and update agreements to reflect new requirements.