I’ll Have the Confidentiality Provision, BAA, and Security Addendum Please, Hold the DPA and DUA: Choosing from the Expanding Menu of Data Safeguards Contracts and Provisions
This Briefing is brought to you by AHLA’s Health Information and Technology Practice Group.
- May 29, 2026
- Adam H. Greene, Davis Wright Tremaine LLP
Once upon a time, a standard confidentiality provision was enough to safeguard your data rights. Then came the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in 2000, requiring a business associate agreement (BAA) or the occasional data use agreement (DUA). The U.S. Department of Health and Human Services (HHS) published the HIPAA Security Rule a few years later, adding information security requirements to BAAs. Then the HIPAA Breach Notification Rule and heightened cybersecurity threats increased the risks of a data breach, and it became worth considering whether an information security addendum is needed. More recently, California enacted the California Consumer Privacy Act (CCPA), requiring service provider agreements for personal information, with a swath of states following suit and requiring data processing agreements (DPAs). As a result, organizations in health care have been left with a dizzying menu of potential contracting mechanisms to consider with respect to safeguarding data. This Briefing discusses the different categories of data safeguard contracts and their appropriate use for upstream entities.