This article broadly discusses business associate agreements, the required provisions under HIPAA/ HITECH, and other provisions that should be contemplated by health care covered entities or business associates as they enter into or revise "business associate agreements." This article focuses solely on Protected Health Information and health data contracts. The principles explored in this article, however, can be applied generally to other types of third-party contracts that deal with other types of data and privacy. There are, of course, specific considerations depending on the particular privacy or security statute at issue. This article was originally published in the December 2012 issue of New Jersey Lawyer Magazine, a publication of the New Jersey State Bar Association, and is reprinted here with permission.