Who is considered a business associate under HIPAA?

A business associate is any person or organization, other than a workforce member of a covered entity, that performs services involving the use or disclosure of PHI on behalf of a covered entity. Common examples include billing companies, EHR vendors, cloud storage providers, IT support firms, transcription services, and legal or accounting firms that access PHI.

What happens if a covered entity doesn't have a BAA with a vendor?

Operating without a required BAA is a HIPAA violation that can result in civil monetary penalties, HHS OCR investigations, corrective action plans, and, in cases of willful neglect, criminal prosecution. Covered entities should audit all vendors with PHI access and ensure BAAs are in place and current.

Does a BAA make a business associate fully responsible for HIPAA compliance?

A BAA establishes contractual obligations, but both the covered entity and the business associate retain independent HIPAA compliance obligations. Since the HITECH Act, business associates are directly liable for HIPAA Security Rule compliance and for breaches caused by their own actions or failures. The covered entity remains responsible for selecting reputable business associates and monitoring compliance.

How long must a BAA be retained?

Under HIPAA, covered entities must retain BAAs for six years from the date of creation or the date when the agreement was last in effect, whichever is later (45 CFR § 164.530(j)). Business associates should maintain the same retention standard.

Free HIPAA Business Associate Agreement (BAA) — Fill Out & Download Instantly

Free — No Sign-Up RequiredPDF & WordUpdated April 17, 2026

A HIPAA Business Associate Agreement (BAA) is a legally required contract between a HIPAA-covered entity (such as a hospital, physician practice, or health plan) and a business associate — any vendor, contractor, or subcontractor that creates, receives, maintains, or transmits protected health information (PHI) on behalf of the covered entity. Under the HIPAA Privacy Rule (45 CFR § 164.504(e)) and Security Rule, covered entities must have a signed BAA in place with all business associates before sharing PHI.

⚠️ Legal Disclaimer: This template is attorney-reviewed and built to US legal standards. It does not substitute for professional legal advice. For complex situations, we recommend consulting a licensed attorney.

Document Completeness0%

Governing State*

Covered Entity Name*

Covered Entity Address*

Business Associate Name*

Business Associate Address*

Effective Date*

MM/DD/YYYY

Description of Services*

Permitted Uses and Disclosures of PHI*

Required Safeguards*

Breach Notification Deadline (Days)*

Maximum 60 days under HIPAA; recommend 30 days or fewer

Termination for Cause*

Live Preview

100%

HIPAA BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("Agreement") is entered into as of [Effective Date], by and between:

COVERED ENTITY: [Covered Entity Name], located at [Covered Entity Address] ("Covered Entity");

and

BUSINESS ASSOCIATE: [Business Associate Name], located at [Business Associate Address] ("Business Associate").

This Agreement is governed by the laws of the State of [Governing State] and the applicable provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the regulations promulgated thereunder (45 CFR Parts 160 and 164).

════════════════════════════════════════

1. DESCRIPTION OF SERVICES

════════════════════════════════════════

[Description of Services]

════════════════════════════════════════

2. PERMITTED USES AND DISCLOSURES OF PHI

════════════════════════════════════════

[Permitted Uses and Disclosures of PHI]

════════════════════════════════════════

3. OBLIGATIONS OF BUSINESS ASSOCIATE

════════════════════════════════════════

a) Safeguards: [Required Safeguards]

b) Subcontractors: Business Associate shall ensure that all subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions as apply to Business Associate under this Agreement.

c) Individual Rights: Business Associate shall make PHI available to Covered Entity to enable Covered Entity to respond to individuals' requests to access, amend, or receive an accounting of disclosures of their PHI, as required by the HIPAA Privacy Rule.

d) Reporting: Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any breaches of unsecured PHI as required by 45 CFR § 164.410.

════════════════════════════════════════

4. BREACH NOTIFICATION

════════════════════════════════════════

Business Associate shall notify Covered Entity of any discovered breach of unsecured PHI within [Breach Notification Deadline (Days)] calendar days of discovery. Notification shall include the information required by 45 CFR § 164.410(c).

════════════════════════════════════════

5. TERM AND TERMINATION

════════════════════════════════════════

[Termination for Cause]

════════════════════════════════════════

6. MISCELLANEOUS

════════════════════════════════════════

This Agreement shall be interpreted consistent with HIPAA and the HITECH Act. In the event of a conflict between this Agreement and any other agreement between the parties regarding PHI, this Agreement shall control.

════════════════════════════════════════

SIGNATURES

════════════════════════════════════════

COVERED ENTITY:

Signature: _______________________________

Printed Name: _______________________________

Title: _______________________________

Organization: [Covered Entity Name]

Date: _______________

BUSINESS ASSOCIATE:

Signature: _______________________________

Printed Name: _______________________________

Title: _______________________________

Organization: [Business Associate Name]

Date: _______________

Document Completeness0%

Governing State*

Covered Entity Name*

Covered Entity Address*

Business Associate Name*

Business Associate Address*

Effective Date*

MM/DD/YYYY

Description of Services*

Permitted Uses and Disclosures of PHI*

Required Safeguards*

Breach Notification Deadline (Days)*

Maximum 60 days under HIPAA; recommend 30 days or fewer

Termination for Cause*

What Is a HIPAA Business Associate Agreement (BAA)?

When Do You Need It?

A HIPAA BAA is required whenever a covered entity shares PHI with an outside vendor or contractor who will use, access, or store that information to perform services on the covered entity's behalf. Common business associates include: cloud storage providers, billing services, IT support companies, practice management software vendors, transcription services, attorneys and accountants who access PHI, and shredding companies. The BAA must be in place before any PHI is shared.

What's Included in This Template

State of governing law
Covered entity name and address
Business associate name and address
Effective date
Description of services performed
Permitted uses and disclosures of PHI
Required safeguards (administrative, physical, technical)
Breach notification timeline (number of days)
PHI return or destruction obligations upon termination
Termination for cause provisions

How to Fill It Out

Identify Both Parties and Effective Date — Select the governing state, enter the full legal names and addresses of the covered entity and the business associate, and set the effective date of the agreement.

Describe Services and Permitted Uses — In the services description field, describe the specific services the business associate will perform that require access to PHI. In the permitted uses field, list the purposes for which the business associate is authorized to use or disclose PHI.

Document Safeguards and Breach Notification Requirements — In the safeguards field, specify the administrative, physical, and technical safeguards the business associate must implement. Enter the number of days within which the business associate must notify the covered entity of a discovered breach (HIPAA requires notification without unreasonable delay, no later than 60 days).

Set Termination Provisions — In the termination cause field, describe the conditions under which either party may terminate the agreement. Include requirements for the return or destruction of PHI upon termination. Both parties should sign and retain a copy.

Legal Requirements & Notes

Under 45 CFR § 164.504(e), covered entities must have a written Business Associate Agreement in place with all business associates before sharing protected health information. Failure to execute or enforce a BAA can result in HIPAA violations carrying civil penalties of $100 to $50,000 per violation (up to $1.9 million per category per year) and potential criminal liability. The HITECH Act (2009) made business associates directly liable for HIPAA compliance. This template provides a general framework — healthcare organizations should have BAAs reviewed by HIPAA legal counsel to ensure compliance with current HHS guidance, state law, and their specific risk profile. HHS OCR provides model BAA language at hhs.gov.

Frequently Asked Questions

A BAA is a legally required contract between a HIPAA-covered entity and any vendor (business associate) that creates, receives, maintains, or transmits protected health information on the covered entity's behalf. The BAA establishes the permitted uses of PHI, safeguard requirements, breach notification obligations, and terms for PHI return or destruction at contract end.

Free HIPAA Business Associate Agreement (BAA) — Fill Out & Download Instantly

HIPAA BUSINESS ASSOCIATE AGREEMENT

════════════════════════════════════════

1. DESCRIPTION OF SERVICES

════════════════════════════════════════

════════════════════════════════════════

2. PERMITTED USES AND DISCLOSURES OF PHI

════════════════════════════════════════

════════════════════════════════════════

3. OBLIGATIONS OF BUSINESS ASSOCIATE

════════════════════════════════════════

════════════════════════════════════════

4. BREACH NOTIFICATION

════════════════════════════════════════

════════════════════════════════════════

5. TERM AND TERMINATION

════════════════════════════════════════

════════════════════════════════════════

6. MISCELLANEOUS

════════════════════════════════════════

════════════════════════════════════════

SIGNATURES

════════════════════════════════════════

COVERED ENTITY:

BUSINESS ASSOCIATE:

What Is a HIPAA Business Associate Agreement (BAA)?

When Do You Need It?

What's Included in This Template

How to Fill It Out

Legal Requirements & Notes

Frequently Asked Questions

Related Templates

HIPAA Consent Form

Medical Consent Form

Service Level Agreement (SLA) Template