Business Associate Agreement (BAA)

Sale Price: $89.99 Original Price: $250.00

About This Document

This Business Associate Agreement (BAA) governs the use, disclosure, and safeguarding of Protected Health Information (PHI) shared between a Covered Entity and a Business Associate, as required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its amendments.
It ensures HIPAA compliance when third parties perform services involving PHI on behalf of health providers, insurers, or other regulated entities.

Who Should Use This Template

  • Healthcare providers (doctors, hospitals, clinics) sharing PHI with outside vendors

  • Software companies providing electronic health records (EHR), billing, or SaaS solutions handling PHI

  • Consultants, accountants, lawyers, and service providers accessing protected health information for clients

  • Any organization needing to legally manage HIPAA compliance with contractors and partners

What the Template Includes

  • HIPAA-compliant definitions and incorporation of HIPAA Rules

  • Obligations for Business Associate to:

    • Use and disclose PHI only as permitted

    • Implement administrative, technical, and physical safeguards

    • Report breaches and unauthorized disclosures

    • Secure subcontractors with equivalent protections

    • Provide access and amendment rights to PHI as required

  • Covered Entity obligations, including notification of privacy restrictions or permission changes

  • Permitted uses and disclosures by the Business Associate (e.g., management and administration, de-identification)

  • Termination procedures for HIPAA violations or breaches

  • Survival of obligations for safeguarding PHI post-termination

  • Limitation of liability consistent with the underlying service agreement

  • Amendment procedures to comply with HIPAA and future regulatory changes

  • No third-party beneficiary rights

  • Editable Word format for easy customization

Instructions for Completing the Template

  • Fill in the Business Associate’s name and Covered Entity’s name at the beginning of the agreement.

  • Specify the underlying service agreement name (e.g., SaaS Agreement, Consulting Agreement) and execution date in the introduction.

  • Insert appropriate notice addresses for both parties for breach reporting and other formal communications.

  • Confirm the state law jurisdiction matches your overall service agreement or regulatory compliance strategy.

  • Have authorized representatives of both parties sign and date the BAA.

  • Retain a signed copy in your company’s HIPAA compliance documentation.

Important Reminder

This document is provided as a template to assist with standard HIPAA compliance when working with Business Associates.
It does not constitute legal advice. You should consult a qualified attorney to ensure this BAA meets your specific HIPAA obligations, matches your underlying service agreements, and addresses state-specific privacy law requirements, especially if handling sensitive health data.
