Every HIPAA requirement, in plain language.
All required clauses
Permitted uses + disclosures, safeguards, breach notification, subcontractor flow-down, return/destruction at termination.
HITECH 2009 + Omnibus 2013
Updated for HITECH Act subcontractor liability and the 2013 Omnibus Rule expansion of business associate definition.
Breach notification 60-day clock
60-day breach notification timing matches HHS rule. Defines what triggers notification and to whom.
Subcontractor flow-down
Your subcontractors who handle PHI need their own BAA with you. Our template includes the flow-down language.
Termination + data return
On termination, BA must return or destroy all PHI. Where infeasible, BA extends BAA protections indefinitely.
Counsel-reviewed
Drafted by healthcare-privacy counsel. Cross-checked against current HHS guidance and OCR enforcement priorities.
A clean handoff, in 4 steps.
Download free template
Word + PDF formats. Editable. No email gate.
Fill in the parties
Covered Entity name + Business Associate name + addresses + signatory blocks.
Optional attorney customize
If the BA-CE relationship has nuance, we customize the template with healthcare-privacy counsel.
Both parties sign
E-sign or wet-sign. Counterparts allowed. Effective on later-signed date.
One-time, or part of your BOS.
- Word + PDF template
- All required clauses
- HITECH + Omnibus updated
- Subcontractor flow-down
- Termination language
- 1-hour attorney consult
- Customized clauses
- Cyber liability coordination
- Subcontractor flow-down review
- 30 days post-signing support
- Re-review for renewals
Common questions.
Who needs a BAA?
Any business that creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity (or another BA). Common examples: SaaS vendors, billing services, cloud hosting, accountants serving healthcare clients.
Covered Entity vs Business Associate: what's the difference?
Covered Entities are healthcare providers, health plans, and healthcare clearinghouses. Business Associates are vendors who handle PHI for a Covered Entity.
Is a BAA required if we never see the PHI?
If your service has access (even theoretical) to PHI: like cloud hosting where data passes through your systems encrypted: you are a Business Associate and need a BAA. The "no eyes on it" defense does not work.
What if our PHI is fully anonymized?
HIPAA does not apply to de-identified information that meets either the Safe Harbor (18 identifiers removed) or Expert Determination standard. A BAA is not required for truly de-identified data.
Can we customize the template ourselves?
Yes. The template is editable. Common customizations: indemnification scope, insurance requirements, audit rights. We recommend attorney review for non-standard changes.
Is our BAA enforceable in court?
Yes, as a contract between the parties. The HHS Office for Civil Rights (OCR) can also enforce HIPAA directly against either party with civil monetary penalties.
What are the penalties for non-compliance?
OCR penalties range from $137 per violation (no knowledge tier) up to $2,134,831 per violation (willful neglect, uncorrected) under 2024 amounts. Annual cap is $2,134,831 per violation category.
Do we need a separate BAA per Covered Entity client?
Yes. Each BA-CE relationship needs its own signed BAA. We can help structure a master template you customize per client.
What about state privacy laws?
HIPAA preempts less-stringent state laws but defers to more-stringent ones (e.g. California CMIA, Texas HB 300, New York SHIELD Act). Our attorney-customized version factors in state law overlay.