Business Associate Agreement Template
Generate a HIPAA-compliant BAA in minutes. Enter your covered entity and vendor details, select applicable provisions, and get a formatted agreement based on the HHS model BAA.
Covered Entity
The healthcare organization that owns the PHI.
Business Associate (Vendor)
The vendor or contractor that will handle PHI on your behalf.
Agreement Terms
Permitted Uses of PHI
Select the services for which the Business Associate is authorized to use or access PHI.
Additional Provisions
Select optional clauses to include beyond the minimum HIPAA requirements.
Business Associate Agreement
Pursuant to 45 CFR § 164.502(e) and § 164.504(e)
This Business Associate Agreement ("Agreement") is entered into as of April 1, 2026 by and between:
Covered Entity
Lakewood Family Medicine, P.C.
1200 Oak Street, Suite 300, Denver, CO 80220
Contact: Dr. Sarah Chen, Privacy Officer
Business Associate
CloudMed Solutions, LLC
500 Tech Parkway, Suite 200, Austin, TX 78701
Contact: Michael Torres, Compliance Director
WHEREAS, Covered Entity is a healthcare provider subject to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations (collectively, "HIPAA Rules"); and
WHEREAS, Business Associate provides the following services that require access to Protected Health Information ("PHI"): Cloud-based electronic health record hosting, data backup, and IT support services;
NOW, THEREFORE, in consideration of the mutual obligations set forth herein, the parties agree as follows:
Section 1 — Definitions
"Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of such PHI, as defined in 45 CFR § 164.402.
"Protected Health Information" or "PHI" means individually identifiable health information as defined in 45 CFR § 160.103, limited to information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
"Electronic PHI" or "ePHI" means PHI that is transmitted by or maintained in electronic media as defined in 45 CFR § 160.103.
"Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 CFR § 164.304.
Section 2 — Obligations of Business Associate
2.1 Permitted Uses and Disclosures. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law. Business Associate is authorized to use and disclose PHI solely for the following purposes:
- Electronic health records (EHR)
- Data hosting and storage
- IT support and maintenance
- Cloud computing services
2.2 Safeguards. Business Associate shall use appropriate administrative, physical, and technical safeguards and comply with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent the use or disclosure of PHI other than as provided for in this Agreement.
2.3 Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including any Breach of Unsecured PHI and any Security Incident.
2.4 Minimum Necessary. Business Associate shall, to the extent practicable, limit its use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 CFR § 164.502(b) and § 164.514(d).
2.5 Term. This Agreement shall remain in effect for a period of 2 years from the Effective Date, unless sooner terminated as provided in Section 5.
Section 3 — Breach Notification
3.1 Notification Timeline. Business Associate shall report to Covered Entity any Breach of Unsecured PHI within 72 hours (HHS recommended) of discovery. Discovery occurs on the first day the Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the Breach) who is a workforce member or agent of Business Associate.
3.2 Contents of Notice. Such notification shall include, to the extent available: (a) the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed; (b) a brief description of what happened; (c) the date of the Breach and discovery; (d) a description of the types of Unsecured PHI involved; and (e) remediation steps taken.
3.3 Cooperation. Business Associate shall cooperate with Covered Entity in investigating any Breach and in meeting Covered Entity's obligations under 45 CFR §§ 164.404–164.408.
Section 4 — Additional Provisions
4.1 Subcontractor requirements. Business Associate shall ensure that any agent or subcontractor to whom it provides PHI agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement, including implementation of reasonable and appropriate safeguards.
4.2 Encryption standards. Business Associate shall encrypt all ePHI using AES-256 or equivalent when at rest, and TLS 1.2 or higher when in transit. Encryption keys shall be managed in accordance with industry standards (NIST SP 800-57).
4.3 Audit rights. Covered Entity may, upon thirty (30) days' prior written notice, audit Business Associate's compliance with this Agreement. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for determining compliance.
4.4 Workforce training. Business Associate shall provide HIPAA privacy and security training to all workforce members who have access to PHI prior to granting access and annually thereafter. Business Associate shall maintain records of training completion.
4.5 Return or destruction of PHI. Upon termination of this Agreement, Business Associate shall return or destroy all PHI received from, or created or received on behalf of, Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.
4.6 Individual access rights. Business Associate shall make PHI maintained in a Designated Record Set available to Covered Entity within fifteen (15) business days of a request, in order for Covered Entity to satisfy its obligations under 45 CFR § 164.524 (individual access rights).
4.7 Accounting of disclosures. Business Associate shall document and make available to Covered Entity the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528. Business Associate shall maintain such records for a minimum of six (6) years.
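Clause 4.2 above fixes the technical floor for ePHI: AES-256 at rest and TLS 1.2 or higher in transit. The following Go program is an added illustration of what a vendor's engineering team would implement to meet that clause; it is not part of the agreement or of any CloudMed or HHS code. It seals a constructed sample record with AES-256-GCM (rejecting any key that is not 32 bytes, so AES-128 cannot slip in by accident), fails closed on a tampered ciphertext, and builds a `tls.Config` that refuses anything below TLS 1.2. Key custody (rotation, escrow, HSM backing per NIST SP 800-57) is assumed to live outside this example; `NewKey` stands in for a KMS call.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// keySize is the AES-256 key length in bytes required by clause 4.2.
const keySize = 32

// NewKey returns a random 256-bit data-encryption key. Assumption: in a real
// deployment this key comes from a KMS/HSM whose lifecycle follows SP 800-57;
// generating it locally is only for this stand-alone example.
func NewKey() ([]byte, error) {
	k := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// newGCM builds an AES-GCM AEAD and enforces the 32-byte key length so that a
// misconfigured caller cannot downgrade the at-rest cipher to AES-128.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("ePHI key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one ePHI record. The random 12-byte nonce is prepended to the
// ciphertext so the stored blob is self-describing.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. Any modification of the stored blob makes the GCM
// authentication tag fail, so a tampered record is never returned as PHI.
func Decrypt(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// TransitConfig is the server/client TLS configuration matching the in-transit
// requirement of clause 4.2: nothing older than TLS 1.2 is negotiated.
func TransitConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"patient_id":"EXAMPLE-0001","dob":"1980-01-01"}`)
	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	back, err := Decrypt(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v, min TLS 1.2: %v\n",
		string(back) == string(record), TransitConfig().MinVersion == tls.VersionTLS12)
}
```

An auditor exercising clause 4.3 can check two things directly from this code: the key-length guard in `newGCM` and the `MinVersion` in `TransitConfig`. Both are the kind of evidence that maps a contract sentence to a verifiable control.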
Section 5 — Term and Termination
5.1 Material Breach. Covered Entity may terminate this Agreement if Covered Entity determines that Business Associate has violated a material term of this Agreement. Covered Entity shall provide written notice of the violation and afford Business Associate thirty (30) days to cure. If cure is not possible, Covered Entity may terminate immediately.
5.2 Effect of Termination. Upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI as set forth in this Agreement. The obligations of Business Associate under this Section shall survive termination.
5.3 Automatic Termination. This Agreement shall automatically terminate upon the termination or expiration of the underlying services agreement between the parties.
General Provisions
Regulatory References. Any reference to a section of the HIPAA Rules means the section as in effect or as amended. All terms not otherwise defined in this Agreement shall have the meaning established under the HIPAA Rules.
Amendment. This Agreement may not be modified except by a written instrument signed by both parties. The parties agree to negotiate in good faith to amend this Agreement to comply with changes in the HIPAA Rules.
No Third-Party Beneficiaries. Nothing in this Agreement shall confer upon any person other than the parties any rights, remedies, obligations, or liabilities.
Governing Law. This Agreement shall be governed by federal law, including the HIPAA Rules, and where applicable, the laws of the state in which Covered Entity is located.
Signatures
Covered Entity
Lakewood Family Medicine, P.C.
Authorized Signature
Printed Name & Title
Date
Business Associate
CloudMed Solutions, LLC
Authorized Signature
Printed Name & Title
Date
Do You Need a BAA?
Answer a few questions to determine whether a Business Associate Agreement is required for your vendor relationship.
Does the vendor create, receive, maintain, or transmit protected health information (PHI) on your behalf?
What Is a Business Associate Agreement?
A Business Associate Agreement (BAA) is a legally required contract under HIPAA between a covered entity and any vendor, contractor, or subcontractor that creates, receives, maintains, or transmits protected health information (PHI) on their behalf. The BAA defines what the business associate can and cannot do with PHI, the safeguards they must implement, and what happens if a breach occurs.
The requirement is codified in 45 CFR § 164.502(e) and § 164.504(e). The HITECH Act of 2009 extended HIPAA's Security Rule requirements directly to business associates, making them independently liable for compliance — not just contractually bound.
Key point: Operating without a BAA when one is required is itself a HIPAA violation, even if no breach has occurred. OCR has imposed penalties exceeding $4.3 million for failure to have BAAs in place.
Which Vendors Need a BAA?
Any vendor that will access, store, process, or transmit PHI on your behalf requires a BAA. The determining factor is whether the vendor handles identifiable patient information — not whether they are a "healthcare company."
| Vendor | BAA Required? | Reason |
|---|---|---|
| EHR / cloud hosting provider | BAA Required | Stores ePHI on servers they maintain |
| Medical billing company | BAA Required | Processes claims containing patient data |
| Transcription service | BAA Required | Receives dictation containing PHI |
| IT support / managed services | BAA Required | May access systems containing ePHI |
| Shredding / document destruction | BAA Required | Handles paper records containing PHI |
| Janitorial / cleaning company | Typically Not Required | No routine access to PHI |
For a full breakdown of covered entities and business associates, see our guide on who HIPAA applies to.
How to Use This BAA Template Generator
1. Enter covered entity details — Your practice name, address, and privacy officer contact.
2. Add business associate information — The vendor's company name, contact, and a description of their services.
3. Set agreement terms — Effective date, term length, and breach notification timeline.
4. Select permitted uses — Check the specific services for which the BA needs PHI access.
5. Choose additional provisions — Add optional clauses like encryption standards, audit rights, or offshore restrictions.
6. Print or copy the agreement — The completed BAA appears below the builder. Have both parties sign and retain copies.
Important: This tool generates a template based on the HHS model agreement for informational purposes. Have your compliance officer or legal counsel review the completed BAA before execution. State laws and specific vendor relationships may require additional terms.
Key BAA Provisions Under HIPAA
The HIPAA Rules specify minimum provisions that every BAA must contain. This generator includes all required elements automatically. Here are the non-negotiable provisions per 45 CFR § 164.504(e):
| Provision | Requirement |
|---|---|
| Permitted uses | Describe exactly what the BA may do with PHI |
| Safeguards | Require appropriate administrative, physical, and technical safeguards |
| Reporting | Report any unauthorized use, disclosure, or breach |
| Subcontractors | Ensure subcontractors agree to the same restrictions |
| Access rights | Make PHI available for individual access requests (§ 164.524) |
| Amendment | Support amendments to PHI in designated record sets (§ 164.526) |
| Accounting | Provide information needed for accounting of disclosures (§ 164.528) |
| HHS access | Make records available to HHS for compliance determination |
| Return/destroy PHI | Return or destroy all PHI upon termination |
| Termination | Authorize CE to terminate for material breach |
Beyond these minimums, best practice is to include additional protections such as encryption standards, audit rights, cyber insurance requirements, and offshore data restrictions — all available as optional provisions in the generator above.
Penalties for Missing or Inadequate BAAs
OCR enforces BAA requirements through both complaint investigations and compliance audits. Penalties for operating without a BAA — or with a deficient one — are the same as other HIPAA violations:
| Tier | Culpability | Penalty Range |
|---|---|---|
| 1 | Did not know and would not have known by exercising reasonable diligence | $145 – $73,011 |
| 2 | Reasonable cause but not willful neglect | $1,461 – $73,011 |
| 3 | Willful neglect, corrected within 30 days | $14,602 – $73,011 |
| 4 | Willful neglect, not corrected within 30 days | $73,011 – $2,190,294 |
Annual caps apply per violation category, with a combined maximum of $2,190,294 per year (2026 figures). For a complete breakdown, see our most common HIPAA violations guide or the HIPAA compliance checklist.
Related Tools & Guides
Who Does HIPAA Apply To?
Understand covered entities, business associates, and when HIPAA requirements kick in.
HIPAA Compliance Checklist
Interactive checklist covering Privacy Rule, Security Rule, and Breach Notification requirements.
HIPAA Risk Assessment Template
Guided security risk assessment tool based on NIST SP 800-30 methodology.
Notice of Privacy Practices Template
Generate a compliant NPP for your covered entity.
HIPAA Release Form Generator
Build a HIPAA-compliant authorization form for releasing PHI.