Does a business associate agreement automatically renew?

The study titled "Telerehabilitation Store and Forward Applications: A Review of Applications and Privacy Considerations in Physical and Occupational Therapy Practice," published in the International Journal of Telerehabilitation, discusses compliance standards for telerehabilitation organizations, including business associates: “The BAA must specifically state what the BA has agreed to do and requires the BA to comply with the HIPAA and HITECH rules to protect the privacy and security of PHI.”

HIPAA does not explicitly address or restrict automatic renewal clauses in business associate agreements (BAAs). The sample BAA provisions published by the HHS Office for Civil Rights (OCR) likewise do not preclude automatic renewal, provided the agreement as a whole remains compliant. Whether a particular BAA renews automatically therefore depends entirely on the language of that agreement.

HIPAA does not prohibit automatic renewal clauses in BAAs; instead, it requires that a valid, written agreement be in place whenever a covered entity shares PHI with a business associate. Automatic renewal clauses are common in many types of contracts as they provide continuity and minimize administrative burdens by allowing the agreement to extend beyond its initial term unless one party provides notice of termination. 

The inclusion of an automatic renewal clause in a BAA must not conflict with HIPAA’s core requirements. The agreement must always be current and must accurately reflect the relationship and responsibilities of the parties. If a BAA renews automatically, the covered entity and its business associate must still periodically review and update the agreement to address changes in law, technology, or business practices that affect the handling of protected health information (PHI).

 

What is a business associate agreement? 

An apt description of the BAA’s role appears in a study published in Academic Forensic Pathology, which notes: “HIPAA permits covered entities to disclose PHI to business associates that may not be covered entities through business associate agreements that require no further disclosure from the business associate.”

The primary purpose of a BAA is to make sure that business associates appropriately safeguard PHI in accordance with HIPAA’s Privacy and Security Rules. The BAA must clearly define the permitted and required uses and disclosures of PHI by the business associate, stipulate that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law, and require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information.

 

Contract term vs. contract subject matter

A PRS Global Open study on employment contracts offers a useful reference point for the components of contracts in general: “Essential contract components include a written document with defined roles, compensation, benefits, and legal protections such as malpractice insurance.”

A contract term is the duration or length of time the contract is in effect, while the contract subject matter is the specific topic, purpose, or scope of the agreement. The contract term can be a fixed period (for example, one or two years), or it can be a rolling or auto-renewal arrangement that continues until one party provides notice of termination. The term determines how long the parties are bound by the agreement and when they must revisit or renegotiate the contract. 

The contract subject matter describes what the contract is about, what obligations, services, or goods are being provided, and under what conditions. For a BAA, the subject matter would include the handling, use, and protection of PHI, the responsibilities of the business associate, and the requirements for compliance with HIPAA.

Both must be clearly defined in any healthcare contract to avoid ambiguity. For example, a BAA with a one-year term (contract term) that governs the secure transmission of patient billing data (contract subject matter) must specify both elements to be effective and compliant.

 

Why do BAAs have to be reviewed? 

BAAs must be regularly reviewed to ensure continued compliance with HIPAA and to adapt to changes in the law. The HIPAA Omnibus Rule, for instance, expanded the direct obligations of business associates and increased regulatory scrutiny, making it imperative for covered entities to revisit their BAAs so that all new requirements are incorporated.

On the Omnibus Rule’s impact, The Milbank Quarterly study ‘The Role of HIPAA Omnibus Rules in Reducing the Frequency of Medical Data Breaches: Insights From an Empirical Study’ notes, “Implementation of HIPAA omnibus rules may have been a successful federal policy in enhancing privacy protection efforts and reducing the number of breach incidents in the US health care system.”

Regular review of BAAs helps identify and address gaps in privacy and security practices, clarify roles and responsibilities, and ensure the agreement accurately reflects the current relationship between the parties. Failure to review and update BAAs results in outdated agreements that neither protect against current risks nor comply with the latest regulatory standards.

Periodic review allows organizations to assess the effectiveness of their privacy and security measures, incorporate lessons learned from incidents or breaches, and ensure that subcontractors and downstream vendors are also compliant.

 

How often should BAAs be renewed?

‘Regulatory Compliance/HIPAA Business Associate Agreements’ from the Journal of the California Dental Association provides insight into the covered entities perspective on a BAA, “A covered entity should maintain a log that lists identified business associates, their contact information and dates respective BAAs were signed, will expire or are to be reviewed.”

HIPAA mandates no fixed interval, but a common practice is to review, and where needed renew, BAAs at least every one to three years, and more frequently as circumstances dictate. Organizations should therefore establish internal policies that trigger BAA review and potential renewal in response to key events, such as a change in business associate ownership, a modification in the scope of services, the introduction of new technologies, or a security incident or breach.

Regular review and renewal keep the agreement aligned with current legal standards and organizational practices and ensure that any new risks or vulnerabilities are addressed in a timely manner.
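The log described above, with signed, expiry and review dates per business associate, is straightforward to operationalize. The following is an added example, not code from the article or from any HIPAA guidance: it models a small BAA register and computes which agreements need attention today. It walks an auto-renewing agreement forward through its renewals to find the current term end, flags fixed-term agreements that have lapsed (meaning no valid BAA is in force), flags agreements whose last review is older than a policy interval or that have had a trigger event since that review, and warns when the notice deadline for an automatic renewal is approaching. The vendor names, dates, the one-year review interval and the 60-day warning window are all constructed assumptions for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy knobs: assumptions chosen for this example, not figures from HIPAA.
REVIEW_INTERVAL_YEARS = 1   # review every BAA at least annually
RENEWAL_WARNING_DAYS = 60   # warn when an auto-renewal notice deadline is this close

# Events that, per the article's guidance, should trigger an out-of-cycle review.
TRIGGER_EVENTS = {"breach", "ownership_change", "scope_change",
                  "new_technology", "regulation_change"}


@dataclass
class BAA:
    vendor: str
    signed: date
    initial_term_years: int
    auto_renew: bool
    renewal_term_years: int = 1
    notice_days: int = 30                       # notice required to stop a renewal
    last_review: date | None = None
    events: list[tuple[date, str]] = field(default_factory=list)


def add_years(d: date, n: int) -> date:
    """Add n calendar years, clamping Feb 29 to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def current_term_end(baa: BAA, today: date) -> date:
    """End of the term in force on `today`, walking through any automatic renewals.
    For a fixed-term agreement this may be in the past (the BAA has lapsed)."""
    end = add_years(baa.signed, baa.initial_term_years)
    while baa.auto_renew and end <= today:
        end = add_years(end, baa.renewal_term_years)
    return end


def review_status(baa: BAA, today: date) -> dict:
    """Decide whether this BAA needs action today and list every reason why."""
    end = current_term_end(baa, today)
    expired = end <= today                      # only possible without auto-renewal
    reasons: list[str] = []
    if expired:
        reasons.append(f"term ended {end} without renewal: no valid BAA in force")
    if baa.last_review is None:
        reasons.append("no review on record")
    elif add_years(baa.last_review, REVIEW_INTERVAL_YEARS) <= today:
        reasons.append(f"last review {baa.last_review} is older than "
                       f"{REVIEW_INTERVAL_YEARS} year(s)")
    # Trigger events are only relevant if they post-date the last review (or signing).
    baseline = baa.last_review or baa.signed
    for when, kind in sorted(baa.events):
        if kind in TRIGGER_EVENTS and when > baseline:
            reasons.append(f"{kind} on {when} after last review")
    notice_deadline = end - timedelta(days=baa.notice_days)
    if baa.auto_renew and today <= notice_deadline <= today + timedelta(days=RENEWAL_WARNING_DAYS):
        reasons.append(f"auto-renews on {end}; notice deadline {notice_deadline}")
    return {"vendor": baa.vendor, "term_end": end, "notice_deadline": notice_deadline,
            "expired": expired, "review_due": bool(reasons), "reasons": reasons}


def register_report(register: list[BAA], today: date) -> list[dict]:
    """Status for every BAA, agreements needing action listed first."""
    return sorted((review_status(b, today) for b in register),
                  key=lambda s: (not s["review_due"], s["term_end"]))


# Constructed register for the example; vendors and dates are fictional.
TODAY = date(2025, 6, 1)
REGISTER = [
    BAA("Acme Billing", date(2022, 3, 15), 1, auto_renew=True,
        last_review=date(2023, 4, 1), events=[(date(2025, 2, 10), "scope_change")]),
    BAA("CloudStore", date(2024, 7, 1), 1, auto_renew=True, last_review=date(2024, 7, 1)),
    BAA("Transcribe Co", date(2023, 1, 10), 2, auto_renew=False, last_review=date(2024, 12, 1)),
    BAA("IT Services Ltd", date(2025, 1, 5), 2, auto_renew=True,
        last_review=date(2025, 1, 5), events=[(date(2024, 11, 1), "breach")]),
]

if __name__ == "__main__":
    for s in register_report(REGISTER, TODAY):
        flag = "ACTION" if s["review_due"] else "ok"
        print(f"{s['vendor']:<16} term ends {s['term_end']}  [{flag}]")
        for r in s["reasons"]:
            print(f"    - {r}")
```

Acme Billing has auto-renewed three times and is flagged both for a stale review and for a scope change since that review; CloudStore is flagged because its 30-day notice deadline falls today; Transcribe Co is flagged because its fixed term lapsed in January with no renewal, so PHI is flowing without a valid BAA; IT Services Ltd is clean because its only trigger event predates the last review. The point of the expired case is that, absent an auto-renewal clause, a missed renewal date is a compliance gap, not merely an administrative lapse.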

 

Do renewal clauses have a place in BAAs?

Renewal clauses can be beneficial in maintaining uninterrupted protection of PHI and in ensuring that the contractual relationship remains in place for as long as it is needed. However, the inclusion of renewal clauses must be balanced against the need for periodic review and updating of the agreement to reflect changes in law, technology, or business operations.

Automatic renewal should not lead to complacency or the perpetuation of obsolete terms that fail to address current risks or regulatory requirements. Renewal clauses should be structured to include triggers for review, like changes in HIPAA regulations, the occurrence of a breach, or modifications in the services provided. 

 

Sample clauses and red flags

Red flags in BAAs include vague or overly broad language regarding permitted uses and disclosures, lack of specificity about security requirements, absence of breach notification procedures, failure to address subcontractor compliance, and omission of termination provisions for material breach. 

Other warning signs include outdated references to HIPAA regulations, failure to incorporate recent changes such as those introduced by the HIPAA Omnibus Rule, and clauses that limit the business associate’s liability in ways that conflict with regulatory requirements.

 

FAQs

What types of services typically require a BAA?

Services that often require a BAA include medical billing, claims processing, quality assurance, patient safety activities, legal or accounting services, transcription, data storage, and IT services. Any service where the vendor or contractor will have access to PHI will likely require a BAA.

 

Are subcontractors required to sign a BAA?

Yes. Any subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate must agree to the same restrictions and conditions as the original business associate, and this must be documented in a BAA.

 

What happens if a business associate violates the BAA?

If a business associate violates a material term of the BAA, the covered entity may terminate the contract, and the BAA itself is required to authorize such termination. Since the Omnibus Rule, business associates are also directly liable under HIPAA and can be penalized by the Department of Health and Human Services (HHS) and by State Attorneys General; the Federal Trade Commission may separately pursue related consumer-protection claims under its own authority.
