HIPAA · FREE TEMPLATE

HIPAA Business Associate Agreement (BAA) — Free Template

Every Covered Entity that lets a vendor create, receive, maintain, or transmit Protected Health Information (PHI) on its behalf must execute a written Business Associate Agreement containing the terms listed in 45 CFR §164.504(e). This template covers each of those required terms and adds the operational sections (timelines, signatures, governing law) that an OCR investigator will expect to see; fill in the bracketed fields and run it past counsel.

Who needs it
  • Healthcare providers (Covered Entities) engaging SaaS, billing, IT, analytics, or transcription vendors
  • Health plans contracting with TPAs, claims processors, or wellness vendors
  • Healthcare clearinghouses with downstream service providers
  • Any Business Associate sub-contracting to another vendor that will touch PHI (downstream BAA required)
What's included
  • Definitions aligned to 45 CFR §160.103
  • Permitted and required uses of PHI
  • Safeguards (administrative, physical, technical) per Security Rule
  • Breach notification timeline (Business Associate reports to Covered Entity within 30 days of discovery, inside the 60-day regulatory ceiling of 45 CFR §164.410(b))
  • Reporting of unauthorised disclosures
  • Subcontractor flow-down obligations
  • Individual rights (access, amendment, accounting of disclosures)
  • Return or destruction of PHI on termination
  • Term and termination for material breach
  • Indemnification and limitation of liability placeholders

Template — full text

1. Parties and Effective Date

This Business Associate Agreement ("Agreement") is entered into as of [Effective Date] by and between [Company Legal Name], located at [Company Registered Address] ("Covered Entity"), and [Business Associate Legal Name], located at [Business Associate Address] ("Business Associate"). This Agreement supplements and is incorporated into the underlying services agreement between the Parties (the "Underlying Agreement"). In the event of any conflict, this Agreement controls with respect to PHI.

2. Definitions

Capitalised terms not otherwise defined in this Agreement have the meanings given in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164, as amended ("HIPAA Rules"). "PHI" means Protected Health Information limited to information Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.

3. Permitted Uses and Disclosures of PHI

Business Associate may use or disclose PHI only as necessary to perform its obligations under the Underlying Agreement, as Required by Law, or as expressly permitted under this Agreement. Specifically, Business Associate may:
  • Use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities (45 CFR §164.504(e)(4))
  • Disclose PHI for those purposes only if disclosure is Required by Law or Business Associate obtains reasonable written assurances of confidentiality and breach notification from the recipient
  • De-identify PHI in accordance with 45 CFR §164.514 for permitted purposes
  • Provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B), if applicable

4. Prohibited Uses and Disclosures

Business Associate shall not use or disclose PHI in any manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except as provided in Section 3 above. Business Associate shall not sell PHI nor use PHI for marketing without a HIPAA-compliant authorisation.

5. Safeguards

Business Associate shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI in accordance with 45 CFR §§164.308, 164.310, 164.312, and 164.316 (Security Rule). Business Associate shall conduct, document, and update an annual risk analysis covering all systems that process PHI.

6. Reporting and Breach Notification

Business Associate shall report to Covered Entity:
  • Any use or disclosure of PHI not permitted by this Agreement, without unreasonable delay and in no event later than ten (10) business days after discovery
  • Any Security Incident of which it becomes aware (aggregate reports of unsuccessful attempts may be made annually)
  • Any Breach of Unsecured PHI without unreasonable delay and in no event later than thirty (30) calendar days after discovery. A Breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of Business Associate (45 CFR §164.410(a)(2)). The thirty-day window is deliberately shorter than the sixty-day ceiling of §164.410(b) so that Covered Entity can meet its own sixty-day individual-notice deadline under §164.404; where Business Associate acts as Covered Entity's agent, that deadline runs from Business Associate's discovery date (§164.404(a)(2))
  • Reports shall include the information required by 45 CFR §164.410(c): the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed, together with any other information Covered Entity needs for its individual notice under §164.404(c) (what happened, the dates of the Breach and of its discovery, the types of PHI involved, steps individuals should take, and what Business Associate is doing to investigate and mitigate), provided at the time of the report or promptly thereafter as it becomes available

7. Subcontractors

In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement.

8. Individual Rights

Business Associate shall:
  • Make PHI in a Designated Record Set available to Covered Entity (or to the individual, as directed) within fifteen (15) business days of request, to enable Covered Entity to meet 45 CFR §164.524
  • Incorporate amendments to PHI in a Designated Record Set within thirty (30) days of receipt, per 45 CFR §164.526
  • Maintain an accounting of disclosures sufficient for Covered Entity to respond to a request under 45 CFR §164.528
  • Make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity's compliance

9. Term and Termination

This Agreement is effective on the date written above and remains in effect until the Underlying Agreement terminates or expires and all PHI has been returned or destroyed under this Section, whichever is later. If Business Associate materially breaches its obligations, Covered Entity shall give written notice and may terminate this Agreement and the Underlying Agreement if Business Associate fails to cure the breach within thirty (30) days of that notice, or immediately if cure is not possible, as contemplated by 45 CFR §164.504(e)(1)(ii). Upon termination, Business Associate shall return or destroy all PHI received from, or created or received on behalf of, Covered Entity, and shall retain no copies. If return or destruction is infeasible, Business Associate shall extend the protections of this Agreement to such PHI for as long as it is retained and limit further uses and disclosures to those purposes that make return or destruction infeasible.

10. Miscellaneous

This Agreement shall be construed in light of any applicable interpretation of or guidance on the HIPAA Rules issued by HHS. The Parties agree to amend this Agreement as necessary to comply with the HIPAA Rules. Neither Party intends to create a joint venture or agency relationship. This Agreement is governed by the laws of [Governing State].

11. Signatures

Executed by the duly authorised representatives of each Party.

Covered Entity: [Company Legal Name]
  Signature: _______________________
  Name: _______________________
  Title: _______________________
  Date: _______________________

Business Associate: [Business Associate Legal Name]
  Signature: _______________________
  Name: _______________________
  Title: _______________________
  Date: _______________________

Disclaimer: This template is provided for general informational purposes only and does not constitute legal advice. Customise to your specific facts and have counsel review before execution.

Fields you customise

  • Company / Covered Entity legal name and address
  • Business Associate legal name and address
  • Effective date and governing state
  • Subcontractor list (if any) for the Section 7 schedule
  • Underlying services agreement reference
Want a branded, multi-framework, board-ready version?

The ComplianceIQ generator produces this document in your company name and brand, mapped across every framework you need (HIPAA + GDPR + SOC 2 + ISO simultaneously), exported as DOCX + PDF, and scored against the audit checklist. Pre-populated with your tenant-specific values so nothing is left in brackets.


FAQ

Do I need a BAA with every vendor?
Yes: any vendor that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate and needs a signed BAA before any PHI flows to it. Common gaps: email providers, cloud storage, analytics tools, AI assistants, IT contractors. Under HHS's cloud-computing guidance a cloud provider that stores ePHI is a Business Associate even if the data is encrypted and the provider never holds the key. A narrow "conduit" exception, found in HHS preamble guidance rather than in the regulatory text, covers entities that merely transport PHI and have only transient, incidental access (ISPs, the postal service, couriers); a vendor that stores PHI, even briefly, does not qualify.
Does this BAA satisfy 45 CFR §164.504(e)?
This template includes every term §164.504(e)(2) requires — permitted uses, safeguards, breach notification, subcontractor flow-down, individual rights, and return/destruction on termination. You still need counsel review for your specific risk profile, indemnification terms, and any state-law overlay (e.g. Texas HB 300).
What's the difference between this and the HHS Sample BAA?
HHS publishes sample provisions, not a complete contract. This template wraps the HHS provisions with the operational sections you actually need — effective date, signatures, governing law, breach notification timelines aligned to the 60-day individual notice deadline, and a subcontractor flow-down section.
Can I use this template for HITECH-covered services?
Yes. HITECH (2009) made Business Associates directly liable under HIPAA, and the 2013 Omnibus Rule implemented that change with a compliance date of 23 September 2013. Direct OCR enforcement against a Business Associate covers the full Security Rule and the specific Privacy Rule obligations HHS has identified (impermissible uses and disclosures, breach notification to the Covered Entity, subcontractor assurances, access to ePHI, and similar); everything else the Business Associate owes flows through the BAA itself. This template is drafted on that basis.

What happens when this control fails

  • Anthem Inc.: $16M settlement (2018), the largest OCR HIPAA settlement to date; 78.8M records breached
  • Premera Blue Cross: $6.85M settlement (2020); 11M-record breach plus risk-analysis and access-control failures

More free templates

  • GDPR Data Processing Agreement (DPA)
  • SOC 2 Access Control Policy
  • SOC 2 Incident Response Plan
  • ISO 27001 Information Security Policy