A HIPAA business associate agreement (BAA) is the contract that sets out the responsibilities and permitted activities for safeguarding protected health information (PHI) when a covered entity, such as a health care provider or health plan, needs another organization to create, receive, maintain, or transmit that information on its behalf.
HIPAA Law
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to enter into business associate agreements with every third party that creates, receives, maintains, or transmits protected health information on the covered entity's behalf. Merely passing encrypted traffic through (the way an internet service provider or courier does) does not by itself make a vendor a business associate, but storing or processing PHI does, even if the vendor never looks at it.
Business associate agreements are just one aspect of HIPAA compliance, but they are essential in ensuring business associates properly handle and safeguard PHI.
Key Terminology
Here is some key terminology to know when creating a BAA:
Covered Entity
A covered entity is any health care provider, health plan, or health care clearinghouse that must comply with HIPAA rules. It can be an individual or an organization. Examples of covered entities include the following:
- Pharmacies
- Nursing homes
- Chiropractors
- Dentists
- Psychologists
- Clinics
- Doctors
- Government programs paying for medical care (like Medicaid, Medicare, and military health care programs)
- Company health plans
- HMOs
- Health insurance companies
The CMS covered entity decision tool can help determine whether your practice must be HIPAA-compliant.
Protected Health Information
The HIPAA Privacy Rule defines protected health information (PHI) as “individually identifiable health information” that a covered entity or business associate holds or transmits in any form or medium. Health information becomes identifiable, and therefore PHI, when it is linked to identifiers such as a person’s full name, address, or Social Security Number. A BAA restricts how a business associate may use and disclose it.
Information is health information for this purpose when it relates to any of the following:
- An individual’s past, present, or future physical or mental health or condition.
- The provision of health care to an individual (for example, the type and extent of care a physician provides).
- The past, present, or future payment for an individual’s health care.
Business Associate
A business associate is any individual, agency, or organization that creates, receives, maintains, or transmits protected health information (PHI) to perform a function, activity, or service for a covered entity. It may use or disclose PHI only as its BAA permits and only as HIPAA allows.
Members of a covered entity’s workforce, such as employees and contractors who work under the entity’s direct control, are not business associates. The covered entity is responsible for their handling of PHI directly, through its own policies, training, and sanctions; a signed confidentiality agreement is the usual way to document that obligation rather than a BAA.
Data Safeguards
Data safeguards are the administrative, physical, and technical controls that business associates and covered entities implement to protect the confidentiality, integrity, and availability of PHI.
With the growing reliance on digital tools in the health care industry, entities must consider factors such as audit trails, encryption, access controls, cloud storage, electronic health record systems, and digital communication platforms when establishing and reviewing BAAs.
While the HIPAA Privacy Rule protects PHI in any form or medium, the HIPAA Security Rule applies specifically to PHI in electronic form (ePHI).
Business Associate Agreement Requirements
The Code of Federal Regulations (45 CFR § 164.504(e)) specifies what a BAA must contain. Those required elements fall into three main groups:
1. Permissible Uses
Here are the permissible uses to include in a BAA:
- The business associate may use or disclose protected health information only as the agreement permits or requires. You have two options for describing this:
- Provide a specific list of acceptable purposes.
- Reference an underlying service agreement.
- The business associate may use or disclose PHI as required by law.
- The business associate agrees to make uses, disclosures, and requests for PHI under one of two conditions:
- Consistent with the covered entity’s minimum necessary policies and procedures.
- Subject to minimum necessary requirements spelled out in the agreement.
- The business associate may not use or disclose PHI in a way that would violate Subpart E of 45 CFR Part 164 (the Privacy Rule) if done by the covered entity, except as the two optional provisions below allow.
- Optional: The business associate may use PHI for its own proper management and administration or to carry out its legal responsibilities.
- Optional: The business associate may provide data aggregation services relating to the covered entity’s health care operations.
2. Business Associate Obligations
Here are the obligations a business associate must fulfill:
- Not use or disclose PHI other than as the agreement permits or requires, or as required by law.
- Use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 (the Security Rule) with respect to electronic PHI.
- Report to the covered entity any use or disclosure of PHI not provided for by the agreement, including breaches of unsecured PHI (per 45 CFR § 164.410), and any security incident.
- Ensure that any subcontractor that creates, receives, maintains, or transmits PHI on the business associate’s behalf agrees to the same restrictions, conditions, and requirements that apply to the business associate (per 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2)).
- Make PHI in a designated record set available to the covered entity so it can satisfy an individual’s right of access (per 45 CFR § 164.524).
- Make any amendments to PHI in a designated record set (per 45 CFR § 164.526).
- Maintain and make available the information required to provide an accounting of disclosures to the covered entity (per 45 CFR § 164.528).
- Make its internal practices, books, and records available to the Secretary of Health and Human Services to determine compliance with HIPAA.
3. Termination Provisions
A BAA can terminate at an established end date or for cause if the business associate violates a material term.
Once the agreement terminates, the business associate has the following obligations:
- Return to the covered entity, or destroy, all PHI it still holds, and keep no copies.
- If return or destruction is infeasible, retain only the PHI that is essential for the purpose that makes it infeasible (such as a legal retention requirement).
- Continue applying appropriate safeguards to any retained PHI for as long as it is kept.
- Limit any further use or disclosure of retained PHI to the purposes that make its return or destruction infeasible.
Examples of Business Associate Agreement Failures
The following examples of BAA failures show where organizations commonly go wrong and clarify the document’s purpose:
Asking Every Contractor to Sign a BAA
Some covered entities insist that every contractor enter a BAA even when one is unnecessary. For example, two covered entities that exchange PHI for treatment purposes do not need a BAA between them, because each is already directly subject to HIPAA. A covered entity may also ask a contractor to sign a BAA even though the contractor never has access to PHI, which wastes time and resources and dilutes the attention given to the vendors that actually need one.
Assuming HIPAA Compliance With a Signed BAA
Simply having a business associate sign a BAA does not make either party HIPAA-compliant. Some covered entities skip due diligence obligations such as reviewing a business associate’s security practices or auditing its handling of PHI because they assume a completed BAA settles the matter. The agreement documents the obligations; it does not verify that they are being met.
Not Having a BAA for Business Associates through Which Electronic PHI Passes
Even if you do not directly hand PHI to a vendor, it may still pass through or be stored on that vendor’s systems electronically, for example a cloud hosting provider or a managed e-mail service. HHS has been clear that a cloud service provider that stores ePHI is a business associate even if the data is encrypted and the provider never holds the key. If you have no BAA with such a vendor, you as the covered entity are in violation of HIPAA. Only true conduits that transmit data transiently without storing it fall outside this requirement.
Only Implementing Encryption as a Safeguard
Encryption is an important safeguard for PHI, and encrypting ePHI in line with HHS guidance can mean a lost device or intercepted file is not a reportable breach. It is not sufficient on its own, though: encrypted data is readable by anyone who holds valid credentials, so the Security Rule also requires administrative safeguards (risk analysis, workforce training, access authorization) and physical safeguards (facility and device controls), along with technical controls such as access control and audit logging, for HIPAA compliance.