Home/Compliance/BAA Template
BAA Template · HIPAA 45 CFR 164.504(e)

A HIPAA Business Associate Agreement, done right.

If your business handles Protected Health Information for a healthcare client, you need a BAA. Ours is counsel-reviewed, covers every required clause, and is free to download. We also offer attorney customization when the relationship has nuance.

Part of your File.Business BOS · 51 jurisdictions · 220K+ businesses
HIPAA 45 CFR 164.504(e)BUSINESS ASSOCIATE AGREEMENTPARTIESCOVERED ENTITYAcme Health ClinicPHIBUSINESS ASSOCIATESaaS Vendor LLCPHI · ENCRYPTED IN TRANSITREQUIRED CLAUSESPermitted uses + disclosures of PHISafeguards (admin / physical / technical)Breach notification within 60 daysSubcontractor flow-down requirementsReturn / destruction at terminationHIPAA + HITECH READYCounsel-reviewed template$FREE TEMPLATEOr $349 attorney-customized
What it covers

Every HIPAA requirement, in plain language.

All required clauses

Permitted uses + disclosures, safeguards, breach notification, subcontractor flow-down, return/destruction at termination.

HITECH 2009 + Omnibus 2013

Updated for HITECH Act subcontractor liability and the 2013 Omnibus Rule expansion of business associate definition.

Breach notification 60-day clock

60-day breach notification timing matches HHS rule. Defines what triggers notification and to whom.

Subcontractor flow-down

Your subcontractors who handle PHI need their own BAA with you. Our template includes the flow-down language.

Termination + data return

On termination, BA must return or destroy all PHI. Where infeasible, BA extends BAA protections indefinitely.

Counsel-reviewed

Drafted by healthcare-privacy counsel. Cross-checked against current HHS guidance and OCR enforcement priorities.

How it works

A clean handoff, in 4 steps.

1

Download free template

Word + PDF formats. Editable. No email gate.

2

Fill in the parties

Covered Entity name + Business Associate name + addresses + signatory blocks.

3

Optional attorney customize

If the BA-CE relationship has nuance, we customize the template with healthcare-privacy counsel.

4

Both parties sign

E-sign or wet-sign. Counterparts allowed. Effective on later-signed date.

Two ways to engage

One-time, or part of your BOS.

Free template
$0
Download the template, fill in the parties, both sides sign. Suitable for standard SaaS-to-clinic BA arrangements.
  • Word + PDF template
  • All required clauses
  • HITECH + Omnibus updated
  • Subcontractor flow-down
  • Termination language
Download free
RECOMMENDED
Attorney-customized BAA
$349 one-time
Healthcare-privacy counsel customizes the template for your specific BA-CE relationship.
  • 1-hour attorney consult
  • Customized clauses
  • Cyber liability coordination
  • Subcontractor flow-down review
  • 30 days post-signing support
  • Re-review for renewals
Order attorney-customized
FAQ

Common questions.

Who needs a BAA?

Any business that creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity (or another BA). Common examples: SaaS vendors, billing services, cloud hosting, accountants serving healthcare clients.

Covered Entity vs Business Associate: what's the difference?

Covered Entities are healthcare providers, health plans, and healthcare clearinghouses. Business Associates are vendors who handle PHI for a Covered Entity.

Is a BAA required if we never see the PHI?

If your service has access (even theoretical) to PHI: like cloud hosting where data passes through your systems encrypted: you are a Business Associate and need a BAA. The "no eyes on it" defense does not work.

What if our PHI is fully anonymized?

HIPAA does not apply to de-identified information that meets either the Safe Harbor (18 identifiers removed) or Expert Determination standard. A BAA is not required for truly de-identified data.

Can we customize the template ourselves?

Yes. The template is editable. Common customizations: indemnification scope, insurance requirements, audit rights. We recommend attorney review for non-standard changes.

Is our BAA enforceable in court?

Yes, as a contract between the parties. The HHS Office for Civil Rights (OCR) can also enforce HIPAA directly against either party with civil monetary penalties.

What are the penalties for non-compliance?

OCR penalties range from $137 per violation (no knowledge tier) up to $2,134,831 per violation (willful neglect, uncorrected) under 2024 amounts. Annual cap is $2,134,831 per violation category.

Do we need a separate BAA per Covered Entity client?

Yes. Each BA-CE relationship needs its own signed BAA. We can help structure a master template you customize per client.

What about state privacy laws?

HIPAA preempts less-stringent state laws but defers to more-stringent ones (e.g. California CMIA, Texas HB 300, New York SHIELD Act). Our attorney-customized version factors in state law overlay.

Start your business in the next 5 minutes.

No state-fee markup. Pay only the state fee. 60-day money-back guarantee.

No state-fee markup 60-day money-back Cancel anytime