HIPAA Business Associate Agreement Template
Clearly define responsibilities regarding protected health information with this HIPAA Business Associate Agreement.
HIPAA Business Associate Agreement Template
This HIPAA Business Associate Agreement ("Agreement") is entered into as of [Date], by and between:
Covered Entity: [Full Name / Company Name]
Address: [Address]
Email: [Email Address]
Phone: [Phone Number]
and
Business Associate: [Full Name / Company Name]
Address: [Address]
Email: [Email Address]
Phone: [Phone Number]
Together referred to as the "Parties."
1. Purpose
This Agreement is intended to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, specifically regarding the safeguarding of Protected Health Information (PHI).
2. Definitions
PHI (Protected Health Information): Individually identifiable health information transmitted or maintained in any form.
Covered Entity: A healthcare provider, health plan, or healthcare clearinghouse subject to HIPAA.
Business Associate: A party that performs functions involving PHI on behalf of the Covered Entity.
3. Permitted Uses and Disclosures
The Business Associate may use or disclose PHI only:
As required to perform services for the Covered Entity
As permitted by this Agreement
As required by law
4. Safeguards and Security
The Business Associate agrees to:
Implement administrative, physical, and technical safeguards to protect PHI
Comply with the HIPAA Security Rule for electronic PHI (ePHI)
Prevent unauthorized use or disclosure of PHI
5. Reporting of Breaches
The Business Associate must:
Report any use or disclosure of PHI not permitted by this Agreement
Notify the Covered Entity of any breach of unsecured PHI within [X] days of discovery
Cooperate with the Covered Entity’s investigation and response efforts
6. Subcontractors and Agents
The Business Associate shall ensure that any subcontractor or agent who has access to PHI agrees in writing to the same restrictions and conditions outlined in this Agreement.
7. Access and Amendments
Upon request by the Covered Entity, the Business Associate will:
Provide access to PHI in a designated record set
Make amendments to PHI as directed by the Covered Entity
8. Accounting of Disclosures
The Business Associate shall document and provide an accounting of disclosures of PHI upon request by the Covered Entity or the patient.
9. Return or Destruction of PHI
Upon termination of this Agreement, the Business Associate shall:
☐ Return all PHI to the Covered Entity
☐ Destroy all PHI (with written confirmation)
☐ If return or destruction is not feasible, extend protections of this Agreement to the PHI retained
10. Term and Termination
This Agreement shall remain in effect for the duration of the services and until all PHI is returned or destroyed.
The Covered Entity may terminate this Agreement immediately if the Business Associate is found to be in material breach.
11. No Third-Party Beneficiaries
This Agreement is intended solely for the benefit of the Parties and does not create rights in any third party.
12. Governing Law
This Agreement shall be governed by the laws of [State] and applicable federal HIPAA regulations.
13. Entire Agreement
This document constitutes the full understanding between the Parties regarding PHI and supersedes all prior written or oral agreements related to the subject matter.
IN WITNESS WHEREOF, the Parties have executed this HIPAA Business Associate Agreement as of the date first written above.
Covered Entity Signature
Name:
Title:
Date:
Business Associate Signature
Name:
Title:
Date:
HIPAA BUSINESS ASSOCIATE AGREEMENT FAQ
What is a HIPAA business associate agreement?
A HIPAA business associate agreement (BAA) is a legally binding contract between a HIPAA-covered entity and a business associate that will have access to protected health information (PHI). It clearly outlines how PHI will be used, disclosed, secured, and safeguarded in compliance with federal privacy regulations.
Why do you need a HIPAA business associate agreement?
A BAA is required under HIPAA to ensure that any third party handling PHI on behalf of a covered entity complies with strict privacy and security standards. It defines each party’s responsibilities, protects sensitive patient data, and helps avoid costly fines for noncompliance.
When should I use a HIPAA business associate agreement?
Use a BAA whenever a third party—such as a vendor, contractor, or service provider—will access, process, or store PHI on behalf of a healthcare provider, insurer, or other covered entity. This applies to both ongoing partnerships and one-time services.
How to write a HIPAA business associate agreement?
Clearly define the permitted and prohibited uses of PHI, outline security measures, set breach notification procedures, specify compliance obligations, and include termination terms for violations. Ensure the agreement meets all HIPAA and HITECH Act requirements.