Business Associate Agreement
This Business Associate Agreement (hereinafter referred to as the "Agreement") is entered into on [Effective Date] (the "Effective Date") by and between
[Individual’s name], [Who Covered Entity] ([Many Individuals Form Covered] individual(s)), with a mailing address at [Address], [City], [State] [ZIP Code] (hereinafter referred to as the "Covered Entity"), and
[Individual’s name], [Who Business Associate] ([Many Individuals Form Business] individual(s)), with a mailing address at [Address], [City], [State] [ZIP Code] (hereinafter referred to as the "Business Associate"), collectively referred to as the "Parties" and individually as the "Party".
WHEREAS this Agreement sets forth the terms and conditions of the disclosure and use of the Protected Health Information (PHI) provided by, created, or received by the Business Associate from or on behalf of the Covered Entity. The Parties agree to be bound by the privacy rule and the security rule promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and other related rules and regulations.
DEFINITIONS. For the purpose of this Agreement, the terms of this Agreement are defined as follows:
The term "Protected Health Information" or "PHI" has the same meaning as the term "Protected Health Information" in 45 CFR §160.103, which is limited to the information created or received by the Business Associate on behalf of or from the Covered Entity. Protected Health Information shall include any health information in electronic form and any other form.
The "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the privacy rule, which compromises the security or privacy of the PHI.
The "CFR" means the Code of Federal Regulations.
The "Breach Notification Rule" means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
The "Individual" means the person who is the subject of the Protected Health Information.
The "Privacy Rule" refers to the standards for privacy of individually identifiable health information at 45 CFR Part 160 and Part 164, Subparts A and E.
The "Security Rule" means the Security Standards at 45 CFR Part 160 and Part 164, Subparts A and C.
The terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the Privacy Rule and Security Rule.
SUBJECT OF THE AGREEMENT. The Parties have entered or will enter into a service or any other agreement under which the Business Associate shall provide specific services to the Covered Entity (the "Master Agreement"). Executing the Master Agreement requires the Covered Entity to disclose the PHI and the Business Associate to receive and use it.
USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION. Business Associate may use or disclose the PHI following the terms and conditions of this Agreement, as permitted under the Privacy Rule and as required by law.
The Business Associate agrees to use, disclose, and request the PHI in accordance with the minimum necessary policies and procedures of the Covered Entity.
Except as otherwise limited by this Agreement, federal or state law, the Covered Entity authorizes the Business Associate:
[Authorized Actions]
The Business Associate may disclose the PHI for the purposes specified herein above. These disclosures must comply with the following conditions:
- Before disclosing the PHI to a third party, the Business Associate should obtain written assurance from the third party. This assurance should confirm that the PHI shall be held confidential under the terms outlined in this Agreement and used or further disclosed only as required by law or for the purpose it was disclosed to this third party.
- An agreement must be obtained from this third party to immediately notify the Business Associate of any breaches of PHI confidentiality to the extent the Business Associate is aware of the Breach.
The Business Associate shall use appropriate safeguards and comply, where applicable, with the Privacy Rule to prevent the use or disclosure of the PHI other than as provided by the Agreement.
The Business Associate will not use or disclose PHI in any way other than as specified in this Agreement, as permitted by the Privacy Rule, or as required by law. When disclosing or using the PHI, the Business Associate shall make reasonable efforts to limit it to a minimum necessary amount or as a limited data set to fulfill the intended purpose of the use or disclosure, following the specifications of Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)).
The Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit the PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate concerning such information.
The Business Associate shall make reasonable efforts to mitigate any harmful effect known to the Business Associate of any use or disclosure of the PHI by the Business Associate or the agents or subcontractors in violation of the requirements of this Agreement.
REPORTING DISCLOSURES OF THE PHI AND SECURITY INCIDENTS. The Business Associate shall report to the Covered Entity any unauthorized use or disclosure of information not permitted by the Agreement of which the Business Associate becomes aware, including any breaches of the PHI as required by the Privacy Rule. The Business Associate agrees to report any such event within [Number of days] business days.
REPORTING BREACHES AND UNSECURED PHI. The Business Associate shall promptly notify the Covered Entity in writing of any discovery of the Breach concerning unsecured PHI within a maximum time frame of [Number of days] calendar days, but in no case later than 60 calendar days after discovery of the Breach, unless a shorter time frame exists under state law.
The Business Associate shall reimburse the Covered Entity for any costs incurred in compliance with the requirements of Subpart D of 45 CFR Part 164 imposed on the Covered Entity as a result of the Breach committed by the Business Associate.
AUDIT REPORT. Upon request by the Covered Entity, the Business Associate shall provide a copy of the most recent independent HIPAA compliance report (AT-C 315) or other third-party audit report based on independent standards.
ACCESS AND AMENDMENT TO THE PHI. Upon the request of the Covered Entity, the Business Associate agrees to provide copies of the PHI maintained by the Business Associate in a designated record set in the time and manner specified by the Covered Entity to enable the Covered Entity to respond to an Individual’s request for access to PHI.
If the Individual or a personal representative directly requests access to the Individual’s PHI from the Business Associate, the Business Associate shall promptly forward that request to the Covered Entity within 10 business days. The Covered Entity is solely responsible for any decision related to the disclosure or non-disclosure of the requested PHI and compliance with the requirements concerning an Individual’s right to access the PHI.
Upon request and instruction from the Covered Entity, the Business Associate shall amend PHI or records about the Individual in a designated record set. These records are maintained by or otherwise within the possession of the Business Associate as directed by the Covered Entity following procedures established by the Security Rule. The Business Associate shall complete any request by the Covered Entity to amend such information within 15 business days of the Covered Entity’s request.
If any Individual requests that the Business Associate amend such Individual’s PHI or records in a designated record set, the Business Associate shall forward this request to the Covered Entity within 10 business days. The Covered Entity is solely responsible for any decisions regarding the amendment or non-amendment of the PHI or records requested by the Individual, as well as compliance with the requirements for the Individual’s right to request amendments in PHI.
RESPONSIBILITIES OF THE COVERED ENTITY. The Covered Entity is obligated to:
- Notify the Business Associate about any limitations in its privacy practices and notice to the extent that such limitations may affect the Business Associate’s use or disclosure of the PHI.
- Inform the Business Associate of any alterations or withdrawal of the Individual’s permission to use or disclose the PHI if any alterations or withdrawals may affect the Business Associate’s use or disclosure of PHI.
- Notify the Business Associate of any restriction on the use or disclosure of the PHI agreed upon by the Covered Entity if these restrictions may affect the Business Associate’s use or disclosure of the PHI.
- Except for data aggregation or management and administrative activities of the Business Associate, the Covered Entity shall not request the Business Associate to use or disclose the PHI in any manner that would not be permissible under HIPAA if done by the Covered Entity.
TERM AND TERMINATION. This Agreement shall be effective as of the Effective Date and remain in effect until termination of the Master Agreement.
A material breach in the context of this Agreement encompasses any violation of the obligations outlined herein.
If the Business Associate materially breaches the Agreement, the Covered Entity shall have the right to terminate the Agreement unilaterally. The Covered Entity shall provide written notice of the Breach, and if the Business Associate fails to remedy it within [Number of days] days, the Covered Entity shall immediately terminate the Agreement. The Covered Entity also has the right to report the violation to the Secretary of Health and Human Services.
RETURNING OF THE PHI. Once the Agreement is terminated, all the PHI received from the Covered Entity or created by the Business Associate on behalf of the Covered Entity should be returned or destroyed. This provision shall also apply to the PHI in the possession of the Business Associate’s subcontractors or agents. The Business Associate should not retain any copies of the PHI. Upon request, the Business Associate shall provide the Covered Entity with a written certification of the destroyed PHI within [Number of days] days.
If returning or destroying the PHI is infeasible, all the PHI that is not returned or destroyed shall remain subject to the confidentiality obligations outlined in this Agreement.
NOTICE. Any notice or communication required to be given under this Agreement shall be deemed duly given if delivered personally or sent by registered mail, return receipt requested, to the address specified in the opening paragraph or to such other address as one Party may have furnished to the other Party in writing, or to the email addresses set forth below:
Either Party may change its registered mail or email address for receipt of notices by giving written notice to the other Party.
GOVERNING LAW AND DISPUTE RESOLUTION. This Agreement shall be governed by and interpreted under the laws of the State of [Governing law], and any disputes arising out of or in connection with this Agreement shall be exclusively resolved by the courts of the State of [Jurisdiction].
SEVERABILITY. The invalidity or unenforceability of any provision of this Agreement shall not affect the validity or enforceability of any other provision of this Agreement.
ENTIRE AGREEMENT. This Agreement constitutes the entire understanding between the Parties and supersedes any prior oral or written agreements.
WAIVER. The failure of any Party to enforce a particular provision of this Agreement shall not constitute a waiver of their right to enforce that provision in the future.
AMENDMENTS. This Agreement may be amended or modified only by a written agreement signed by both Parties. Any amendments to this Agreement shall be binding if they are in writing and signed by both Parties.
BINDING EFFECT. This Agreement shall be binding for the Parties and their respective permitted successors and assigns.
IN WITNESS WHEREOF, the Parties have signed this Agreement as of the Effective Date.
The Covered Entity
________________
Signature
The Business Associate
________________
Signature
What Is a Business Associate Agreement?
A Business Associate Agreement in the United States sets out the rights, duties and consideration binding the parties to it.
The HITECH Act of 2009 significantly expanded BAA requirements by making business associates directly liable for HIPAA compliance and subject to the same civil and criminal penalties as covered entities. Penalties for HIPAA violations range from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category under the four-tier penalty structure established by the HITECH Act and enforced by the HHS Office for Civil Rights (OCR).
A BAA is not optional — it is a legal prerequisite. The OCR has imposed millions of dollars in penalties on organizations that failed to execute BAAs before sharing PHI with vendors. Any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity qualifies as a business associate and must have a BAA in place before accessing any patient data.
When Do You Need a Business Associate Agreement?
A Business Associate Agreement is required whenever a healthcare provider contracts with an IT company to host, manage, or maintain electronic health records (EHR) systems that contain patient data. Cloud service providers, data centers, and SaaS platforms that store or process ePHI must execute a BAA before any data is transferred to their systems.
Medical billing and coding companies, claims processing services, and revenue cycle management firms that handle patient billing information require a BAA. Third-party administrators (TPAs) managing health plan claims, pharmacy benefit managers (PBMs), and utilization review organizations all fall under the business associate definition.
Less obvious but equally important: shredding companies that destroy paper records containing PHI, attorneys providing legal services that involve access to patient records, accounting firms conducting audits of healthcare organizations, and consultants performing quality improvement or data analytics on patient populations.
The consequences of failing to have a BAA in place are severe. Beyond OCR enforcement actions and financial penalties, a data breach involving PHI without a proper BAA shifts the full liability burden onto the covered entity. The covered entity also risks losing its ability to participate in Medicare and Medicaid programs and faces potential class action lawsuits from affected patients under state privacy laws.
What to Include in Your Business Associate Agreement
A HIPAA-compliant BAA must identify the covered entity and business associate by their full legal names and define the scope of PHI that will be accessed, used, or disclosed. The permitted uses and disclosures of PHI must be explicitly defined and limited to the minimum necessary for the business associate to perform its contracted services, consistent with the Minimum Necessary Rule (45 CFR 164.502(b)).
The agreement must require the business associate to implement appropriate administrative, physical, and technical safeguards as specified in the HIPAA Security Rule (45 CFR 164.306), including encryption of ePHI at rest and in transit, access controls, audit logging, and workforce training. The BAA must prohibit the business associate from using or disclosing PHI in ways not permitted by the agreement or HIPAA.
Breach notification obligations are critical — the business associate must report any breach of unsecured PHI to the covered entity without unreasonable delay, and no later than 60 days after discovery, as required by the Breach Notification Rule (45 CFR 164.410). The report must include the nature of the breach, the types of information involved, and recommended mitigation steps.
The agreement must address subcontractor requirements — any subcontractor that accesses PHI must also execute a BAA with the same obligations. Termination provisions must specify that the covered entity may terminate the agreement if the business associate violates a material term, and that upon termination, the business associate must return or destroy all PHI. A governing law clause and dispute resolution mechanism should be included. Both parties must sign and date the agreement.
Sources & Citations
Statutory citations link to official government sources.
- 45 CFR 164.502 (US) – eCFR
- 45 CFR 164.306 (US) – eCFR
- 45 CFR 164.410 (US) – eCFR
- HIPAA (US) – Cornell LII
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Business Associate Agreement (United States) [Legal document template]. Forms Legal. https://forms-legal.com/usa/business/contracts/business-associate-agreement
Frequently Asked Questions
A business associate agreement (BAA) is a contract required under the Health Insurance Portability and Accountability Act (HIPAA) between a covered entity and a business associate that handles protected health information on the covered entity's behalf. A covered entity, such as a healthcare provider, health plan, or healthcare clearinghouse, must have a BAA with any business associate, such as a billing company, IT vendor, cloud storage provider, or consultant, that creates, receives, maintains, or transmits protected health information. The agreement obligates the business associate to safeguard the information, use it only as permitted, and comply with the applicable HIPAA Privacy and Security Rule requirements. Subcontractors of business associates that handle protected health information also need BAAs. Because HIPAA holds both covered entities and business associates accountable for protecting health information, the BAA is a legal requirement before sharing protected health information with a vendor. Failing to have a required BAA is itself a HIPAA violation that can result in penalties.
A business associate agreement must include the provisions required by the HIPAA Privacy and Security Rules to ensure the business associate protects health information. The agreement must describe the permitted and required uses and disclosures of protected health information, prohibit uses or disclosures beyond what the contract and law allow, and require the business associate to implement appropriate safeguards, including the administrative, physical, and technical safeguards of the Security Rule for electronic information. It must require the business associate to report breaches and security incidents to the covered entity, to ensure that any subcontractors agree to the same restrictions through their own agreements, and to make information available to support individuals' rights of access and amendment. The agreement must also require the business associate to return or destroy protected health information when the contract ends, where feasible. Because these elements are mandated by HIPAA, a compliant BAA should contain them, and omitting required terms can leave both parties exposed to enforcement for noncompliance.
If a breach of protected health information occurs, the business associate agreement and HIPAA require specific responses to address and report it. The business associate must notify the covered entity of a breach of unsecured protected health information, typically without unreasonable delay and within the timeframe specified in the agreement and the HIPAA Breach Notification Rule. The covered entity is generally responsible for notifying affected individuals, and in larger breaches the Department of Health and Human Services and the media, within the deadlines the rule sets. The agreement should allocate responsibilities for investigation, notification, and any costs. Both covered entities and business associates can face civil penalties for HIPAA violations, which scale with the level of culpability, and serious violations can lead to enforcement actions. Because a breach triggers legal notification duties and potential liability, the BAA should clearly assign who does what after a breach. Prompt reporting by the business associate is essential so the covered entity can meet its notification obligations.
A business associate is directly liable for HIPAA violations, a result of changes made by the HITECH Act that extended HIPAA's requirements and penalties to business associates. Before the HITECH Act, business associates were bound mainly through their contracts, but now they must comply directly with the applicable provisions of the HIPAA Security Rule and certain Privacy Rule requirements and can be subject to enforcement by the Department of Health and Human Services. This means a business associate that fails to safeguard protected health information, uses it improperly, or does not report a breach can face civil penalties independently of the covered entity. Business associates must also enter agreements with their subcontractors, who likewise become directly liable. Because both covered entities and business associates bear responsibility, the business associate agreement allocates duties while the law imposes independent obligations. A business associate handling protected health information should implement compliant safeguards and follow HIPAA, since contractual terms and direct liability both apply to its handling of health information.
Business associate subcontractors do need their own agreements, because HIPAA requires a business associate to obtain satisfactory assurances, through a written agreement, that any subcontractor handling protected health information will safeguard it to the same standard. When a business associate delegates a function involving protected health information to a subcontractor, such as a vendor's own cloud provider or service partner, that subcontractor becomes a business associate as well and must sign an agreement with the same protections required of the original business associate. This creates a chain of agreements that extends HIPAA's safeguards down to every party that handles the information. Subcontractors are also directly liable under HIPAA for their own compliance. Because protected health information may pass through several vendors, the requirement for downstream agreements ensures protection is not lost when work is subcontracted. A business associate should put a compliant agreement in place with each subcontractor before sharing protected health information, since failing to do so is a HIPAA violation.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.