Business Associate Agreement Template


3 pages • 25–35 min to fill • Difficulty: Complex • Signature required • Legal review recommended

At a glance

What it is
A Business Associate Agreement (BAA) is a legally binding contract required under HIPAA between a covered entity — such as a healthcare provider, health plan, or healthcare clearinghouse — and a vendor or partner that handles protected health information (PHI) on its behalf. This free Word download gives you a structured, compliance-ready starting point you can edit online and export as PDF to execute with any third-party service provider touching patient data.
When you need it
Execute a BAA before any vendor, contractor, or subcontractor gains access to PHI — including cloud storage providers, billing services, IT support firms, and software platforms that process health records. Operating without one exposes the covered entity to HIPAA enforcement penalties of up to $1.9 million per violation category per year.
What's inside
Definitions of covered entity, business associate, and PHI; permitted and required uses of PHI; safeguard obligations; subcontractor requirements; breach and security incident notification procedures; access and amendment rights; audit and accounting obligations; and termination with PHI return or destruction requirements.

What is a Business Associate Agreement?

A Business Associate Agreement (BAA) is a legally required contract under the Health Insurance Portability and Accountability Act (HIPAA) between a covered entity — any healthcare provider, health plan, or healthcare clearinghouse — and a third-party vendor or partner, known as a business associate, that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity's behalf. The agreement defines precisely how the business associate may use PHI, what safeguards it must implement, how it must respond to breaches, and what happens to PHI when the relationship ends. Without a signed BAA in place before PHI access begins, both the covered entity and the business associate are in direct violation of federal law — regardless of how carefully the data is actually handled in practice.

Why You Need This Document

Operating without a Business Associate Agreement is one of the most consistently cited findings in HHS Office for Civil Rights enforcement actions, and the consequences are concrete. Civil monetary penalties range from $100 to $50,000 per violation, with annual caps reaching $1.9 million per violation category — and each day of non-compliant access can count as a separate violation. A missing BAA also undermines every other investment in HIPAA compliance: technical safeguards, staff training, and security audits all rest on a foundation of documented vendor agreements. Beyond federal enforcement, state attorneys general in California, New York, and Texas have brought independent health data enforcement actions citing missing or inadequate vendor agreements. This template gives you a compliant, editable starting point that closes the most common BAA gaps — undefined PHI scope, missing subcontractor flow-down language, and inadequate breach notification timelines — so you can onboard vendors confidently and document your compliance posture for any future audit.

Which variant fits your situation?

| If your situation is… | Use this template |
| --- | --- |
| Healthcare provider contracting with a billing or coding company | Business Associate Agreement (Provider to Vendor) |
| SaaS platform that is itself a business associate onboarding sub-vendors | Subcontractor Business Associate Agreement |
| Health plan contracting with a pharmacy benefit manager | Business Associate Agreement (Health Plan) |
| Broader data-sharing arrangement not limited to HIPAA PHI | Data Processing Agreement |
| Vendor needs confidentiality terms but does not access PHI | Non-Disclosure Agreement |
| Full vendor engagement covering services, IP, and data handling | IT Services Agreement |
| Cloud infrastructure provider requiring a standard HIPAA addendum | HIPAA Data Security Addendum |

Common mistakes to avoid

❌ Executing the BAA after PHI access has already begun

Why it matters: Every day the business associate accessed PHI without a signed BAA is a separate HIPAA violation. OCR has levied fines based on the duration of the gap, not just the absence of the agreement.

Fix: Implement a vendor onboarding checklist that flags PHI access and routes the BAA for signature before any system credentials or data access are provisioned.

❌ Using a generic NDA in place of a BAA

Why it matters: An NDA does not include the HIPAA-required elements — permitted uses enumeration, breach notification, HHS access, subcontractor flow-down, or PHI disposition on termination. OCR treats an NDA-only arrangement as having no BAA.

Fix: Maintain a separate BAA template distinct from your standard NDA. Where both are needed, execute them as separate documents referencing each other.

❌ Failing to update BAAs when the underlying services change

Why it matters: A business associate that gains access to additional PHI categories or takes on new functions not covered by the original BAA is operating outside its permitted uses — a direct HIPAA violation even if the original BAA was compliant.

Fix: Tie BAA review to contract renewals and scope-of-work amendments. Any change in the services that alters PHI access should trigger a BAA amendment signed by both parties.

❌ Omitting subcontractor BAA requirements

Why it matters: Under the Omnibus Rule, a business associate is directly liable for a subcontractor's HIPAA violations if no BAA was in place. Covered entities have also been penalized for failing to require their business associates to flow down BAA terms.

Fix: Add a representation in the BAA that the business associate currently has BAAs in place with all subcontractors handling PHI and will obtain them before engaging any new subcontractor.

❌ Setting breach notification at 60 days

Why it matters: Sixty days is the covered entity's deadline to notify patients — not the business associate's window to notify the covered entity. A 60-day BA notification window makes the covered entity's statutory deadline mathematically impossible to meet.

Fix: Set the business associate's notification obligation at 10–15 calendar days following discovery of a breach, giving the covered entity time to investigate and prepare the patient and HHS notifications.

❌ No written certification of PHI destruction on termination

Why it matters: Without documented evidence that PHI was returned or destroyed, the covered entity cannot demonstrate compliance to HHS if an inquiry arises after the vendor relationship ends.

Fix: Require the business associate to deliver a signed written certification of PHI destruction or return within 30 days of termination, specifying the method of destruction for ePHI.

The 10 key clauses, explained

Definitions

In plain language: Establishes shared meaning for all key terms — PHI, ePHI, covered entity, business associate, security incident, and breach — by incorporating or mirroring HIPAA's regulatory definitions.

Sample language
Capitalized terms used but not defined herein have the meanings assigned to them under HIPAA, including 45 C.F.R. Parts 160 and 164. 'PHI' means Protected Health Information as defined in 45 C.F.R. § 160.103.

Common mistake: Defining PHI more narrowly than the HIPAA regulatory definition — for example, excluding verbal communications — which leaves gaps in coverage that regulators treat as violations.

Permitted Uses and Disclosures

In plain language: Enumerates the specific purposes for which the business associate may use or disclose PHI — limited to what is necessary to perform the contracted services — and prohibits any use not expressly listed.

Sample language
Business Associate may use and disclose PHI only as necessary to perform the services described in the underlying Service Agreement dated [DATE], and as required by law. Business Associate shall not use or disclose PHI in any manner that would violate HIPAA if done by Covered Entity.

Common mistake: Using a catch-all phrase like 'for any business purpose' instead of enumerating specific permitted uses — this language fails HIPAA's minimum necessary standard and is flagged in OCR audits.

Required Uses and Disclosures

In plain language: Specifies that the business associate must disclose PHI when the individual requests access under HIPAA, when required by HHS for compliance enforcement, or when the law otherwise mandates disclosure.

Sample language
Business Associate shall disclose PHI to Covered Entity, or to an Individual upon request, as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524. Business Associate shall make its internal practices available to HHS upon request.

Common mistake: Omitting the HHS disclosure obligation entirely, which is a required element under 45 C.F.R. § 164.504(e) and will void the BAA's compliance value if challenged.

Safeguards and Security Obligations

In plain language: Requires the business associate to implement administrative, physical, and technical safeguards appropriate to the risk level of the PHI it handles, in compliance with the HIPAA Security Rule for ePHI.

Sample language
Business Associate shall implement appropriate safeguards to prevent use or disclosure of PHI other than as permitted by this Agreement, and shall implement the administrative, physical, and technical safeguards required by 45 C.F.R. Part 164, Subpart C, with respect to ePHI.

Common mistake: Referencing 'reasonable' safeguards without tying the standard to the HIPAA Security Rule — courts and OCR have held that the Security Rule's specific requirements displace generic 'reasonable efforts' language.

Breach and Security Incident Notification

In plain language: Requires the business associate to notify the covered entity of any discovered breach of unsecured PHI or security incident within a defined timeframe — typically no later than the time needed for the covered entity to meet its own 60-day notification deadline.

Sample language
Business Associate shall notify Covered Entity without unreasonable delay, and in no event later than [10] calendar days following discovery of a Breach of Unsecured PHI. Notification shall include the nature of the Breach, PHI involved, individuals affected, and steps taken.

Common mistake: Setting the notification window at 60 days — the deadline that applies to the covered entity for notifying patients. The business associate must notify the covered entity early enough to allow the covered entity to meet its own 60-day clock.

Subcontractor Requirements

In plain language: Obligates the business associate to obtain a signed BAA from any subcontractor that will receive, create, or maintain PHI on the business associate's behalf, passing down the same HIPAA obligations.

Sample language
Business Associate shall obtain a written agreement from each subcontractor that creates, receives, maintains, or transmits PHI on Business Associate's behalf, ensuring the subcontractor agrees to the same restrictions and conditions that apply to Business Associate under this Agreement.

Common mistake: Allowing subcontractors to proceed under verbal agreements or NDA-only arrangements — the Omnibus Rule explicitly requires a formal BAA with subcontractors, and violations are directly attributable to the business associate.

Individual Rights: Access, Amendment, and Accounting

In plain language: Requires the business associate to support the covered entity in fulfilling patients' HIPAA rights — including providing access to their PHI, accepting and processing amendments, and providing an accounting of disclosures.

Sample language
Upon Covered Entity's request, Business Associate shall make PHI available for inspection and copying within [15] business days, incorporate any amendments to PHI directed by Covered Entity, and provide an accounting of disclosures made in the prior six years.

Common mistake: Limiting this clause to access only and omitting the amendment and accounting obligations — a partial implementation that fails the rights-of-individuals requirements in 45 C.F.R. §§ 164.526–164.528.

Termination and Return or Destruction of PHI

In plain language: Provides termination triggers — including material breach and inability to cure — and requires that upon termination the business associate return or destroy all PHI, with no copies retained unless retention is legally required.

Sample language
Upon termination of this Agreement for any reason, Business Associate shall, at the direction of Covered Entity, return or destroy all PHI in its possession and certify in writing that no copies have been retained, except where retention is required by law, in which case the protections of this Agreement shall survive termination.

Common mistake: Omitting the written certification of destruction requirement — without it the covered entity has no documented evidence of PHI disposition to present to HHS in the event of an audit.

Permitted Uses for Business Associate's Own Operations

In plain language: Allows the business associate to use PHI for its own management, legal obligations, and data aggregation services, subject to the minimum necessary standard, where the HIPAA Privacy Rule permits such uses.

Sample language
Business Associate may use PHI for Business Associate's own management and administration or to carry out its legal responsibilities, provided such use is necessary and the information is not used or disclosed in a manner prohibited under this Agreement.

Common mistake: Omitting this clause and inadvertently prohibiting uses HIPAA expressly permits — for example, the business associate using de-identified or aggregated PHI for benchmarking, which can be a legitimate contracted service.

Governing Law, Amendments, and Entire Agreement

In plain language: Specifies the governing jurisdiction, confirms that the BAA supersedes any conflicting provisions in the underlying service agreement regarding PHI, and requires amendments to be made in writing to remain compliant with future regulatory changes.

Sample language
This Agreement is governed by the laws of [STATE]. To the extent any provision of the underlying Service Agreement conflicts with this BAA regarding PHI, the terms of this BAA shall control. Any amendment must be in writing and signed by both parties.

Common mistake: Allowing the broader service agreement to govern PHI-related disputes — when service contract terms conflict with BAA terms on data handling, the less protective standard may apply and create HIPAA non-compliance.

How to fill it out

  1. Identify the covered entity and business associate

    Enter the full legal name and entity type of each party. The covered entity is the HIPAA-regulated organization (provider, health plan, or clearinghouse); the business associate is the vendor or contractor receiving PHI.

    💡 Verify the covered entity's NPI or plan ID and the business associate's legal registered name against your vendor contract to ensure the entities match exactly.

  2. Reference the underlying service agreement

    Link the BAA to the specific services contract or statement of work that creates the need for PHI access. Include the service agreement's title and effective date so the two documents are formally connected.

    💡 If no service agreement exists yet, describe the services briefly in an exhibit to the BAA — a BAA with no underlying services description is harder to enforce and harder to audit.

  3. Define the scope of PHI the business associate will access

    Enumerate the categories of PHI involved — medical records, billing data, imaging files, demographic data — and specify whether the business associate will create, receive, maintain, or transmit it.

    💡 Narrower PHI scope language reduces the business associate's risk surface and makes breach notification simpler — if only billing data is covered, a breach of imaging files falls outside the BAA's scope.

  4. List all permitted uses with specificity

    Write out each specific purpose for which the business associate may use or disclose PHI. Avoid generic language. Reference the minimum necessary standard explicitly and prohibit uses not listed.

    💡 Review the underlying service agreement and map each service function to a permitted use — mismatches between services performed and permitted uses are the most common OCR audit finding.

  5. Set the breach notification timeframe

    Enter the number of calendar days within which the business associate must notify the covered entity following discovery of a breach. Standard practice is 10–15 days, giving the covered entity adequate time to meet the 60-day patient notification deadline.

    💡 Some large covered entities require 72-hour notification to align with GDPR and state breach laws — confirm your counterparty's requirements before finalizing the timeframe.

  6. Address subcontractor obligations

    Confirm that any subcontractor the business associate engages to handle PHI must sign a BAA with terms at least as protective as this agreement. Include a representation that no subcontractors currently hold PHI without a signed BAA.

    💡 Request a list of current subcontractors with PHI access at execution — updating this list annually is a practical way to demonstrate ongoing compliance.

  7. Complete termination and PHI disposition terms

    Choose whether PHI must be returned to the covered entity or destroyed upon termination, and specify the timeframe for doing so. Add a written certification requirement confirming destruction or return.

    💡 For cloud-based services where data deletion is technical rather than physical, require a deletion confirmation from the business associate's security officer, not a general IT contact.

  8. Sign before PHI access begins

    Both parties must execute the BAA before the business associate receives, creates, or accesses any PHI. Retroactive execution may satisfy the written-agreement requirement but does not cure the period of non-compliant PHI access.

    💡 Use a countersignature workflow that timestamps execution — OCR audits frequently ask for the BAA's execution date to determine whether it preceded the vendor relationship.

Frequently asked questions

What is a Business Associate Agreement?

A Business Associate Agreement (BAA) is a legally binding contract required under HIPAA between a covered entity — such as a hospital, physician practice, or health plan — and any vendor or contractor that creates, receives, maintains, or transmits protected health information on the covered entity's behalf. The BAA specifies the permitted uses of PHI, safeguard obligations, breach notification requirements, and PHI disposition terms on termination. Without a signed BAA, the vendor relationship is non-compliant regardless of how securely the vendor actually handles the data.

Who needs to sign a Business Associate Agreement?

Any vendor, contractor, or subcontractor that handles PHI on behalf of a covered entity must sign a BAA. Common examples include medical billing companies, EHR vendors, cloud storage providers, transcription services, IT managed service providers, legal counsel handling medical records, and accountants accessing PHI for audit purposes. The BAA obligation also flows down — business associates must obtain BAAs from their own subcontractors who access PHI.

What happens if you operate without a Business Associate Agreement?

Operating without a required BAA is a direct HIPAA violation for both the covered entity and the business associate. The HHS Office for Civil Rights can impose civil monetary penalties of $100 to $50,000 per violation, with annual caps reaching $1.9 million per violation category. OCR has settled multiple cases specifically for missing BAAs, including a $2.3 million settlement against a health insurer in 2016. Criminal penalties apply for willful neglect.

Does a Business Associate Agreement need to be updated?

Yes. BAAs should be reviewed whenever the underlying service agreement changes scope, whenever the business associate gains access to new PHI categories, and at least annually as part of an ongoing vendor management program. The 2013 Omnibus Rule required covered entities to update legacy BAAs to reflect direct business associate liability and subcontractor requirements — many organizations still operate on pre-Omnibus templates that do not satisfy current requirements.

Is a Business Associate Agreement the same as a Non-Disclosure Agreement?

No. An NDA covers confidentiality broadly but lacks the specific HIPAA-mandated elements: enumeration of permitted PHI uses, Security Rule safeguard obligations, breach notification procedures, HHS access rights, subcontractor flow-down requirements, and PHI disposition on termination. OCR does not accept an NDA as a substitute for a BAA. Both documents may be needed — the NDA covers general confidentiality while the BAA satisfies HIPAA compliance.

What is a subcontractor Business Associate Agreement?

When a business associate engages a third party — a subcontractor — to perform services that involve PHI, the business associate must obtain a signed BAA from that subcontractor. This downstream BAA must impose the same or greater protections as the original BAA between the covered entity and the business associate. The 2013 Omnibus Rule made subcontractors directly liable for their own HIPAA violations, but the business associate remains liable if no BAA was obtained.

Can a cloud provider or SaaS platform serve as a business associate?

Yes. Any cloud service provider that stores, processes, or transmits ePHI on behalf of a covered entity or business associate is itself a business associate and must sign a BAA. This includes infrastructure providers like AWS, Azure, and Google Cloud, as well as SaaS platforms that process health data. Major cloud providers offer standardized HIPAA BAA addenda — review them carefully against your specific use case before accepting defaults.

How long must a Business Associate Agreement be retained?

HIPAA requires covered entities and business associates to retain all policies, procedures, and documentation — including BAAs — for six years from the date of creation or the date it was last in effect, whichever is later. This means a BAA for a vendor relationship that ended in 2022 must be retained until at least 2028. Retaining both the executed BAA and any amendments in a centralized compliance system is strongly recommended.

Does HIPAA apply to employers handling employee health information?

HIPAA's Business Associate Agreement requirements apply to covered entities (healthcare providers, health plans, clearinghouses) and their business associates. Most employers are not covered entities when handling employee health information in the context of employment — for example, FMLA records or workers' compensation. However, employers that sponsor self-insured health plans are covered entities for plan-related PHI and must execute BAAs with third-party administrators handling that data.

How this compares to alternatives

vs Non-Disclosure Agreement

An NDA creates a general confidentiality obligation covering any proprietary information shared between parties. A BAA is a HIPAA-specific compliance document covering PHI with mandatory elements the NDA lacks — permitted use enumeration, breach notification, subcontractor flow-down, and PHI disposition. OCR does not accept an NDA as a BAA substitute. Both may be needed: the NDA for general confidential business information and the BAA for regulated health data.

vs Data Processing Agreement

A Data Processing Agreement (DPA) governs personal data handling under GDPR and similar privacy frameworks. A BAA governs PHI under HIPAA. The two documents serve parallel functions in different regulatory regimes. Organizations operating under both HIPAA and GDPR — for example, a US health platform serving EU patients — may need both a BAA and a DPA covering the same vendor relationship.

vs IT Services Agreement

An IT Services Agreement covers the commercial terms of a technology engagement — scope, SLAs, pricing, IP, and liability. A BAA is a compliance addendum to that commercial agreement, governing specifically how PHI is handled. The two should be executed together and the BAA should state that it controls over the services agreement wherever PHI-related terms conflict.

vs Service Agreement

A general Service Agreement defines the scope, fees, and terms of any professional services engagement. It becomes insufficient the moment the vendor accesses PHI — at that point a BAA must also be executed. A standalone service agreement with no BAA is a HIPAA violation for any covered-entity client. The BAA supplements, rather than replaces, the underlying service agreement.

Industry-specific considerations

Healthcare Providers

Hospitals, clinics, and physician practices must execute BAAs with every vendor touching the EHR, billing systems, or medical imaging — a typical mid-size practice has 10–30 active BAAs.

Health Insurance and Managed Care

Health plans require BAAs with claims processors, pharmacy benefit managers, utilization review organizations, and population health analytics platforms that access member PHI.

Healthcare SaaS and Health Tech

EHR vendors, telehealth platforms, and patient engagement tools are themselves business associates and must offer signed BAAs to covered-entity customers before onboarding them.

Professional Services

Law firms, accounting firms, and consultants handling medical records or conducting HIPAA audits for healthcare clients qualify as business associates and require a BAA before engagement.

IT and Managed Services

IT support providers, cloud infrastructure vendors, and MSPs that have potential access to systems containing ePHI — even incidentally during maintenance — are business associates requiring a BAA.

Medical Billing and Revenue Cycle

Billing companies, coding firms, and revenue cycle management providers are among the most common business associates, receiving detailed patient and claims data that requires a BAA with every provider client.

Jurisdictional notes

United States

BAAs are mandated by the HIPAA Privacy Rule (45 C.F.R. § 164.504(e)) and the Security Rule (45 C.F.R. § 164.314(a)). The 2013 Omnibus Rule extended direct liability to business associates and subcontractors. Many states — including California (CMIA), New York (SHIELD Act), and Texas (THIPA) — impose additional PHI and health data requirements beyond federal HIPAA minimums. State law applies wherever it is more protective than HIPAA.

Canada

Canada does not have a direct equivalent to HIPAA's BAA requirement, but provincial health privacy legislation — including Ontario's PHIPA, Alberta's HIA, and British Columbia's PIPA — requires custodians of personal health information to enter into written data-sharing agreements with agents and service providers. Quebec's Law 25 (modernized private sector privacy law) imposes additional written agreement requirements for personal information shared with third parties, including cross-border transfers.

United Kingdom

The UK GDPR and the Data Protection Act 2018 require a written Data Processing Agreement (Article 28 contract) between controllers and processors of personal data, including health data. NHS organizations follow the Data Security and Protection Toolkit and must ensure data-sharing agreements meet NHS Data Security Standards. A US-style BAA does not satisfy UK GDPR requirements — a DPA meeting Article 28 criteria is required for UK-covered health data processing.

European Union

Health data is special category data under GDPR Article 9, requiring explicit legal basis and heightened protection. Article 28 mandates a written controller-processor agreement (the EU equivalent of a BAA) covering processing instructions, security measures, subprocessor rules, audit rights, and data return or deletion. Transfers of health data outside the EU require either an adequacy decision or Standard Contractual Clauses. HIPAA BAAs signed by US entities do not satisfy EU GDPR requirements without a separate Article 28 addendum.

Template vs lawyer — what fits your deal?

| Path | Best for | Cost | Time |
| --- | --- | --- | --- |
| Use the template | Covered entities and business associates formalizing standard vendor relationships with routine PHI access | Free | 30 minutes |
| Template + legal review | Relationships involving large PHI volumes, cloud ePHI storage, or vendors operating across multiple states | $300–$800 | 2–5 days |
| Custom drafted | Health systems with complex vendor ecosystems, cross-border health data transfers, or BAAs involving research institutions and FDA-regulated data | $1,500–$5,000+ | 1–3 weeks |

Glossary

Business Associate
A person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity.
Covered Entity
A healthcare provider, health plan, or healthcare clearinghouse that transmits health information electronically in connection with HIPAA-covered transactions.
Protected Health Information (PHI)
Individually identifiable health information — including names, dates, contact details, and diagnoses — created, received, maintained, or transmitted by a covered entity or business associate.
Electronic PHI (ePHI)
PHI that is created, stored, transmitted, or received in electronic form, subject to the HIPAA Security Rule's administrative, physical, and technical safeguard requirements.
Minimum Necessary Standard
A HIPAA principle requiring that uses and disclosures of PHI be limited to the least amount needed to accomplish the intended purpose.
Security Incident
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system containing ePHI.
Breach Notification Rule
The HIPAA requirement that covered entities notify affected individuals, HHS, and in some cases the media within 60 days of discovering a breach of unsecured PHI.
Subcontractor Business Associate
A third party that a business associate engages to perform services that involve access to PHI, who must themselves sign a BAA with the business associate.
Accounting of Disclosures
A record, which individuals have the right to request, of certain PHI disclosures made by a covered entity or business associate over the prior six years.
De-identification
The process of removing or obscuring all 18 HIPAA-specified identifiers from health information so that it no longer constitutes PHI and falls outside HIPAA's scope.
Omnibus Rule
The 2013 HIPAA final rule that expanded direct liability for business associates, strengthened breach notification standards, and imposed BAA requirements on subcontractors.

This document is one of 3,000+ business & legal templates included in Business in a Box.
