BAA Termination Checklist

A step-by-step checklist for offboarding a vendor under HIPAA. Covers pre-termination planning, access revocation, PHI return and destruction, written certification, and post-termination documentation updates.

Short answer

A practical checklist for clinic administrators ending a business associate relationship. Covers every required step from pre-termination planning through post-termination certification — including a PHI destruction request letter template.

What is inside

Pre-termination: confirm PHI return/destruction terms in your existing BAA before giving notice
Termination notice: formal written notice requirements and what to include
System access revocation: what to cut off on or before the effective date
PHI return or destruction: how to request it in writing per 45 CFR §164.504(e)(2)(ii)(I)
Written certification: what you must receive back and how to file it
Post-termination: update your BAA tracker, risk analysis, and subcontractor records

We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 27, 2026

Best next step: Open the matching product path

Sources

Download the PDF

BAA Termination Checklist: A step-by-step guide for ending a vendor relationship compliantly

Enter your email and we will send the PDF.

Questions

What does HIPAA require when terminating a business associate relationship?

Under 45 CFR §164.504(e)(2)(ii)(I), the BAA must require the business associate to return or destroy all PHI upon termination — and to retain no copies. If return or destruction is not feasible, the BA must extend HIPAA protections to the retained PHI indefinitely. Covered entities should obtain written certification of completion.

How long does a vendor have to return or destroy PHI?

HIPAA does not set a fixed deadline, but your BAA should. A reasonable standard is 30 days from the termination effective date. Negotiate this into new BAAs and request it explicitly in the termination notice.

What if the vendor refuses to certify PHI destruction?

Document the refusal in writing, confirm the termination is complete on your end (access revoked, account closed), and consult legal counsel. You may need to file a complaint with OCR if the vendor is retaining PHI without a legal basis.

Do we need to notify patients when we switch vendors?

Not typically for routine vendor transitions where PHI is properly returned or destroyed. However, if the transition involves a disclosure outside the permitted uses in your BAA, or if a breach occurred during the transition, patient notification obligations under 45 CFR §164.400–414 may apply.