A Business Associate Agreement (BAA) is a legal contract between a HIPAA covered entity (such as a healthcare provider or health plan) and a business associate, meaning a vendor or contractor that creates, receives, maintains or transmits protected health information (PHI) on the covered entity’s behalf. It is required by HIPAA and defines each party’s responsibilities for safeguarding that information.
A BAA does not transfer ownership of the data. The covered entity remains responsible for the PHI; the agreement binds the business associate to use and disclose it only as permitted, to apply appropriate administrative, physical and technical safeguards, to report unauthorized uses, disclosures, security incidents and breaches, and to flow the same obligations down to any subcontractors. Under the HIPAA Privacy Rule (45 CFR 164.504(e)) a covered entity may not share PHI with a business associate unless such an agreement is in place.
You should use a HIPAA business associate agreement template whenever a healthcare provider or organization shares PHI (for example medical records or claims data) with another company that performs a function or service for it. This includes companies that handle billing, IT support, cloud hosting or data storage.
A sample business associate agreement is needed when:
A company is handling health information on behalf of a doctor, hospital, or clinic
A third party has access to electronic medical records or patient data
You want to comply with HIPAA and avoid penalties for sharing sensitive health information without the required contractual protections
You need to clearly explain how the data will be used and protected
1. Names and addresses of the parties
You’ll need to fill in the names and addresses of both parties. The party that shares the protected information is the Covered Entity, and the party that receives and handles that information on the Covered Entity’s behalf is the Business Associate.
Example:
This Business Associate Agreement is entered into on March 10, 2025 by and between Green Valley Clinic, having its principal place of business at 123 Oak Ave, Springfield, IL 62704 (the “Covered Entity”), and Secure Health Data LLC, having its principal place of business at 456 Main St, Springfield, IL 62701 (the “Business Associate”).
2. Reporting disclosures of PHI and security incidents
This part explains how and when the Business Associate must report to the Covered Entity any use or disclosure of protected health information (PHI) not permitted by the agreement, and any security incident affecting that PHI.
Example:
The Business Associate agrees to report any such event within 5 business days.
3. Reporting breaches and unsecured PHI
If the Business Associate discovers a breach of unsecured PHI (PHI that was exposed or accessed inappropriately and was not encrypted or otherwise rendered unusable), it must notify the Covered Entity. The HIPAA Breach Notification Rule (45 CFR 164.410) requires this notice without unreasonable delay and no later than 60 calendar days after discovery, so the agreement may set a shorter deadline, as in the example below, but not a longer one.
Example:
...within a maximum time frame of 30 calendar days...
4. Breach consequences and agreement termination
If the Business Associate violates a material term of the agreement, the Covered Entity may give it an opportunity to cure the violation and, if it is not cured within the stated period, terminate the agreement. On termination the Business Associate must return or destroy all PHI it holds where feasible, or continue to protect any PHI that cannot be returned or destroyed.
Example:
...and if the Business Associate fails to remedy it within 15 days...
5. Contact details for notices
You’ll need to list email addresses or mailing addresses where official communication should be sent.
Example:
If to the Covered Entity: compliance@greenvalleyclinic.com
If to the Business Associate: info@securehealthdata.com
Once all these sections are filled in, both parties should review the terms carefully, then sign and date the agreement to make it legally binding.