Business Associate Agreement Template (HIPAA)

Updated Apr 18, 2025
A business associate agreement (BAA form) is a legal template that the parties fill out with their information, and it is required by the Health Insurance Portability and Accountability Act (HIPAA). Download this business associate agreement template and ensure the complete security of the data you enter in the document.

When you have a BAA HIPAA form, the main goal is to protect and transfer ownership rights and interests, giving the main party a lot of safety. When these kinds of agreements are used, they protect important assets and keep them from being stolen. They also create a strong legal wall around the knowledge that can be sold.

When To Use a Business Associate Agreement

You should use a HIPAA business associate agreement template when a healthcare provider or organization shares private patient information (like medical records) with another company that helps them. This includes companies that do things like billing, IT support, or data storage.

A sample business associate agreement is needed when:

  • A company is handling health information on behalf of a doctor, hospital, or clinic
  • A third party has access to electronic medical records or patient data
  • You want to follow HIPAA rules and avoid legal trouble for sharing sensitive health info
  • You need to clearly explain how the data will be used and protected

How To Fill Out the BAA Forms

1. Enter the basic info

You’ll need to fill in the names and addresses of both parties. The person or company sharing the protected information is the Covered Entity, and the person or company handling that information is the Business Associate.

Example:

This Business Associate Agreement is entered into on March 10, 2025 by and between Green Valley Clinic, an individual having their usual place of living at 123 Oak Ave, Springfield, IL 62704, and Secure Health Data LLC, an individual having their usual place of living at 456 Main St, Springfield, IL 62701.

2. Reporting disclosures of PHI and security incidents

This part explains how and when the Business Associate must report any unauthorized access to protected health information (PHI).

Example:

 The Business Associate agrees to report any such event within 5 business days.

3. Reporting breaches and unsecured PHI

If the Business Associate discovers that PHI was exposed or accessed inappropriately, they must notify the Covered Entity.

Example:

 ...within a maximum time frame of 30 calendar days...

4. Breach consequences and agreement termination

If there’s a serious violation, the Covered Entity can cancel the agreement.

Example:

...and if the Business Associate fails to remedy it within 15 days...

5. Contact details for notices

You’ll need to list email addresses or mailing addresses where official communication should be sent.

Example:

 If to the Covered Entity: [email protected]
 If to the Business Associate: [email protected]

Once all these sections are filled in, both parties should review the terms carefully, then sign and date the agreement to make it legally binding.

Frequently Asked Questions

Do business associate agreements need to be signed annually?

No. A business associate agreement does not require new signatures to remain valid. It automatically renews.

What is a business associate subcontractor?

Some businesses that are considered business associates might hire subcontractors for specific work. This could include accountants, file-sharing vendors, attorneys, and email IT professionals. A business associate subcontractor could provide a service that isn't related to health care, but during that service they will still have access to PHI and therefore need to sign a business associate agreement form. The subcontractor might not have direct contact with the covered entity. However, for a business associate using that subcontractor to remain compliant with HIPAA law, they must still have them sign a business associate subcontractor agreement.

What happens if a business associate violates the business associate agreement?

Suppose a business associate or subcontractor mishandles PHI or otherwise violates the terms of the business associate agreement. In that case, the covered entity has to take steps to terminate the contract with the business associate, fix the breach, and stop the violation. Otherwise, the covered entity will be legally liable for the damages. Business associates have to notify the covered entity of any breach within a specific time frame. If the agreement says so, the affected individuals might also have to be informed. HIPAA violations come with steep penalties, including fines and jail time depending on the breach, which is why it's so important to have detailed business associate agreements.

When is a contract terminated?

This is up to you and the language in your agreement. You might say that the business associate agrees to terminate the contract upon any violations of HIPAA law or that the covered entity may choose to notify business associate groups with a 30-day warning.