Business Associate Agreement (BAA) Template

Free HIPAA-compliant template | Customizable for your organization | Last updated March 2026

Quick Answer

A Business Associate Agreement (BAA) is a contract that HIPAA requires between a covered entity and each business associate that creates, receives, maintains, or transmits Protected Health Information (PHI) on its behalf. It defines how PHI may be used and disclosed, what safeguards the business associate must maintain, and how breaches are reported. This template covers the clauses that 45 CFR § 164.504(e) requires in every BAA, including security safeguards, breach and security-incident notification, subcontractor flow-down, and return or destruction of PHI at termination.

What is a Business Associate Agreement?

A Business Associate Agreement is a compliance document that establishes the legal relationship between a Covered Entity (a health plan, health care clearinghouse, or health care provider that conducts standard electronic transactions) and any third-party vendor or contractor (Business Associate) that handles Protected Health Information on its behalf. Under HIPAA, a BAA is mandatory whenever a business associate creates, receives, maintains, or transmits PHI for a covered entity, and the same requirement flows down to the business associate's own subcontractors that handle that PHI.

Why Your Organization Needs a BAA

HIPAA BAA Template

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (Agreement) is made and entered into as of [INSERT DATE] (Effective Date) between [COVERED ENTITY NAME], a [state] [entity type] located at [ADDRESS] (Covered Entity), and [BUSINESS ASSOCIATE NAME], a [state] [entity type] located at [ADDRESS] (Business Associate).

WHEREAS, the Covered Entity is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 CFR Parts 160, 162 and 164; and

WHEREAS, the Business Associate will perform certain functions on behalf of the Covered Entity that involve access to, use, or disclosure of Protected Health Information (PHI); and

WHEREAS, HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act require that the Covered Entity and Business Associate enter into this Agreement to establish permitted and required uses and disclosures of PHI.

NOW, THEREFORE, the parties agree as follows:

1. DEFINITIONS

Capitalized terms not otherwise defined in this Agreement have the meanings given to them in 45 CFR Parts 160 and 164.

1.1 Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under 45 CFR Part 164, Subpart E, that compromises the security or privacy of the PHI, as defined at 45 CFR § 164.402.

1.2 Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a transaction covered by HIPAA, as defined at 45 CFR § 160.103.

1.3 Encryption: The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key (45 CFR § 164.304).

1.4 Minimum Necessary: The minimum amount of PHI required to accomplish the intended purpose of a use, disclosure, or request (45 CFR § 164.502(b)).

1.5 Protected Health Information (PHI): Individually identifiable health information that is transmitted or maintained in any form or medium, as defined at 45 CFR § 160.103, limited for purposes of this Agreement to the information created, received, maintained, or transmitted by the Business Associate on behalf of the Covered Entity.

1.6 Security Officer: The individual designated by a party as responsible for developing and implementing that party's security policies and procedures, as required by 45 CFR § 164.308(a)(2).

1.7 Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, in an information system (45 CFR § 164.304).

1.8 Unauthorized Access: Access to PHI that is not permitted under this Agreement or under applicable law.

2. PERMITTED USES AND DISCLOSURES

2.1 The Business Associate may use or disclose PHI only:
a) To perform the functions, activities, or services for the Covered Entity specified in the underlying business arrangement;
b) As required by law; or
c) As otherwise permitted by this Agreement.

2.2 The Business Associate shall not use or disclose PHI in any manner that would violate 45 CFR Part 164, Subpart E, if done by the Covered Entity, except as permitted by this Agreement or as required by law.

2.3 The Business Associate may use PHI for data aggregation services, for its own management and administrative activities, and for claims review and audits only as specifically authorized by the Covered Entity in writing.

2.4 The Business Associate shall request, use, and disclose only the Minimum Necessary PHI to accomplish the intended purpose.

3. SECURITY AND SAFEGUARDS

3.1 The Business Associate shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI.

3.2 The Business Associate shall comply with the Security Rule, 45 CFR Part 164, Subpart C, with respect to electronic PHI, including but not limited to:
a) Access controls (45 CFR § 164.312(a))
b) Audit controls (45 CFR § 164.312(b))
c) Integrity controls (45 CFR § 164.312(c))
d) Transmission security (45 CFR § 164.312(e))

3.3 The Business Associate shall encrypt PHI at rest and in transit consistent with the guidance issued by the Secretary of HHS under section 13402(h)(2) of the HITECH Act, which currently references NIST SP 800-111 for data at rest and FIPS 140-validated TLS, IPsec, or equivalent protocols for data in transit. PHI encrypted consistent with that guidance is not "unsecured PHI" for purposes of Section 4, provided the decryption key or confidential process has not itself been compromised.

3.4 The Business Associate shall maintain a security incident response plan and shall conduct a risk analysis as required by 45 CFR § 164.308(a)(1)(ii)(A) at least annually and whenever there is a material change to its systems or operations.

3.5 The Business Associate shall ensure that all workforce members with access to PHI receive HIPAA security training at least annually.

4. BREACH NOTIFICATION AND INCIDENT REPORTING

4.1 The Business Associate shall notify the Covered Entity of a Breach of unsecured PHI without unreasonable delay, and in no case later than [INSERT NUMBER] days after discovery. A Breach is treated as discovered on the first day it is known to the Business Associate, or by exercising reasonable diligence would have been known, to any workforce member or agent of the Business Associate other than the person committing the Breach. [Drafting note: 45 CFR § 164.410(b) sets an outer limit of 60 calendar days; covered entities commonly negotiate a much shorter period so that they can meet their own 60-day deadline to notify individuals under § 164.404.]

4.2 The notification shall include, to the extent available at the time and supplemented as information becomes available:
a) A description of the Breach, including the date of the Breach and the date of discovery;
b) The types of unsecured PHI involved;
c) Identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;
d) Steps the Business Associate has taken or will take to investigate the Breach, mitigate harm, and prevent recurrence; and
e) Any other information the Covered Entity is required to include in its notification to individuals under 45 CFR § 164.404(c).

4.3 The Business Associate shall cooperate with the Covered Entity in fulfilling breach notification obligations under 45 CFR Part 164, Subpart D.

4.4 The Business Associate shall preserve evidence relating to a Breach, conduct or commission a forensic analysis, and make the results available to the Covered Entity.

4.5 The Business Associate shall report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement, and any Security Incident, of which it becomes aware. [Drafting note: parties commonly agree that routine unsuccessful Security Incidents, such as port scans, pings, and blocked log-in attempts that do not result in unauthorized access, are reported in aggregate on request rather than individually.]

5. SUBCONTRACTORS

5.1 The Business Associate shall ensure, by written agreement meeting the requirements of 45 CFR § 164.504(e), that any subcontractor or agent that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees to the same restrictions and conditions that apply to the Business Associate under this Agreement.

5.2 The Business Associate shall remain fully liable to the Covered Entity for any failure by a subcontractor to comply with this Agreement.

6. INDIVIDUAL RIGHTS

6.1 The Business Associate shall provide the Covered Entity with access to PHI in a timely manner as required by 45 CFR § 164.524.

6.2 The Business Associate shall make amendments to PHI as requested by the Covered Entity in accordance with 45 CFR § 164.526.

6.3 To the extent the Business Associate carries out any of the Covered Entity's obligations under 45 CFR Part 164, Subpart E, it shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of those obligations.

7. ACCOUNTING OF DISCLOSURES

7.1 The Business Associate shall maintain a record of each disclosure of PHI for which an accounting is required under 45 CFR § 164.528 and shall provide the Covered Entity with the information needed to respond to an individual's request for an accounting.

7.2 The Business Associate shall retain accounting records for at least six (6) years from the date of each disclosure.

8. ACCESS TO BOOKS AND RECORDS

8.1 The Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance with HIPAA.

9. TERM AND TERMINATION

9.1 This Agreement shall be effective as of the Effective Date and shall continue until terminated.

9.2 Either party may terminate this Agreement upon thirty (30) days written notice to the other party.

9.3 If the Covered Entity determines that the Business Associate has violated a material term of this Agreement, the Covered Entity may either (a) give the Business Associate written notice and an opportunity to cure within [INSERT NUMBER] days and terminate this Agreement and the underlying business arrangement if the violation is not cured within that period, or (b) terminate immediately if cure is not possible.

9.4 Upon termination, the Business Associate shall:
a) Return or destroy all PHI, including PHI held by subcontractors, as directed by the Covered Entity;
b) Certify in writing that it has done so;
c) Retain no copies of PHI except as required by law; and
d) Where return or destruction is infeasible, extend the protections of this Agreement to the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for as long as the PHI is retained.

9.5 The obligations of the Business Associate under Sections 4, 5, 7, 8 and 9.4 shall survive termination of this Agreement.

10. GENERAL PROVISIONS

10.1 This Agreement shall be governed by the laws of [STATE] without regard to its conflict of law provisions.

10.2 This Agreement shall be binding upon and inure to the benefit of the parties hereto and their successors and assigns.

10.3 Any ambiguity in this Agreement shall be resolved to permit compliance with HIPAA and the HITECH Act, and the parties agree to amend this Agreement as necessary to comply with changes in those laws and their implementing regulations.

Executed as of the Effective Date:

COVERED ENTITY:
Name: _________________________
Title: __________________________
Date: __________________________

BUSINESS ASSOCIATE:
Name: _________________________
Title: __________________________
Date: __________________________

Customization Tips

Common Mistakes to Avoid

Frequently Asked Questions

When do I need a Business Associate Agreement?

You need a BAA whenever a business associate will create, receive, maintain, or transmit PHI on your behalf. This includes IT vendors, cloud service providers, billing companies, transcription services, and consultants. A cloud provider that stores encrypted PHI is still a business associate even if it never holds the decryption key. If the third party does not handle PHI, or merely transports it without routine access (the narrow conduit exception that covers carriers such as the postal service and internet service providers), a BAA is not required.

What's the difference between minimum necessary and permitted uses?

Minimum necessary refers to the amount of PHI required to accomplish the intended purpose—you shouldn't disclose more than needed. Permitted uses define what the business associate can do with the PHI, such as billing or claims management. Both concepts work together to limit PHI access.

Who is responsible for breach notification?

The Business Associate is responsible for notifying the Covered Entity of a breach. The Covered Entity then notifies affected individuals, HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets, unless the BAA delegates individual notification to the Business Associate. Both parties have obligations: the BA must detect, investigate, and report, and the CE must assess the breach and notify.

Is a BAA required for de-identified data?

No, a BAA is not required if the data has been properly de-identified under 45 CFR § 164.514(a)-(b), either by the safe harbor method (removing the 18 listed identifiers) or by expert determination. A limited data set, which retains some identifiers such as dates and ZIP codes, is not de-identified; disclosing it requires a data use agreement under 45 CFR § 164.514(e) rather than a BAA. If the vendor could re-identify the data, or will also receive identifiable PHI, treat the vendor as a business associate.

Need Comprehensive HIPAA Compliance Management?

Medcurity provides complete solutions for HIPAA compliance, including risk assessments, policy development, and ongoing compliance monitoring.
