Business Associate Agreement | HIPAA

Create a high quality document online now!

Updated February 13, 2022

A business associate agreement (BAA) is between a covered entity that agrees to share medical records with a business associate. The medical records, PHI or ePHI, are required to be shared in a secure and protected manner. 

Table of Contents

Main Purpose

The main purpose of a business associate agreement is to share medical records in a secure manner between 2 or more parties.

Aside from being required under HIPAA law (45 § 164.502(e)(2)), the agreement requires the business associate, not the covered entity, to assume ALL LIABILITY in the event of a security breach (unless negligence is found on behalf of the covered entity).

If a breach occurs, a business associate has 60 days to notify and will assume the financial damages in accordance with HIPAA penalties.

What Happens after a BAA Terminates?

After a BAA terminates, all patient health information is required to be returned to the covered entity or destroyed by the business associate (45 CFR 164.504(e)(2)(ii)(J)).

Glossary (3)

Medical Records

Medical records are known as Protected Health Information (PHI) or Electronic Protected Health Information (ePHI) (45 CFR § 160.103).

Medical records are considered sensitive information that may only be shared in accordance with HIPAA law.

Covered Entity

A covered entity is a medical organization defined under HIPAA law (45 CFR § 160.103). Whether or not a covered entity provides medical services, if it can share medical records, it’s considered a covered entity.

Business Associate

A business associate is an independent contractor that is authorized to access a covered entity‘s medical records (45 CFR § 160.103).

A business associate includes:

  • Data Security Companies
  • IT or Tech Support Providers
  • Cloud Integration Companies
  • Bookkeepers/CPAs
  • Attorneys/Lawyers

A business associate does not include:

  • Government agencies;
  • Health care providers;
  • Health insurance companies;
  • Health plan sponsors (incl. group health plans); or
  • Any organized health care arrangement.


Download: Adobe PDF, MS Word, OpenDocument

How to Write

Download: Adobe PDF, MS Word (.docx) or OpenDocument

I. Business Associate Agreement Effective Date

(1) Calendar Date. The date that signifies when the agreement below begins and holds each Party responsible to its conditions must be documented.

II. Covered Entity

(2) Covered Entity Name. The name of the Covered Entity (i.e. a Health Care Provider) is required during the introduction of this agreement. Locate the area labeled “Covered Entity” then display the full name of the Covered Entity as it appears in its legal paperwork and on the books.

(3) Covered Entity Status. The way the Covered Entity’s Organization is classified should be included in this area. Therefore, one of the four checkboxes on display must be selected to indicate if the Covered Entity is an “LLC” (Limited Liability Company), a “Partnership,” or a different type of Entity. If the Covered Entity is a different type of Entity the third checkbox (“Other”) must be marked and the classification of the Covered Entity’s Organization should be documented.

III. Business Associate

(4) Business Associate Name. The Business Associate requesting the health care information will also need identification in the introduction. Locate the appropriate area, then dispense the entire legal name of the Business Associate.

(5) Business Associate Status. The type of Entity the Business Associate operates requires definition to further identify this Party. Therefore, choose one checkbox to establish that the Business Associate is an “LLC,” a “Corporation,” or a “Partnership.” If none of these categories is an accurate description of the Business Associate, select the “Other” box and define the Business Associate’s status as an Entity to the space provided.

IV. Notices

(6) Covered Entity Recipient Information. The address where the Covered Entity may receive all official communication regarding this agreement, the information being shared, and the Parties involved should be documented to Item A in Article 18. This must be a formal address where a signature may be obtained from a Recipient authorized to receive such mail aimed at the Covered Entity. It is therefore imperative that the name of a specific Department or Person that the Covered Entity authorizes to act as a Recipient be provided to the “Attn” line be presented as a part of this address.

(7) Covered Entity Electronic Information. The Covered Entity’s daytime business phone number must be supplied to this document along with its official email address.

(8) Business Associate Mailing Information. Item B has been reserved to present the address where the Business Associate wishes all mail (i.e. notices, communications, court orders) regarding this agreement and all affected Parties to be sent. Notice the “Attn” line will seek the name of a specific Recipient (i.e. An Individual or Department) to whom all such communication sent should be directed.

(9) Business Associate Phone And Email. Furnish the Business Associate’s telephone number and electronic mail address to the spaces provided. Both of these methods of communication should be considered secure and well-monitored since sensitive information may be requested or received using either of these means.

IV. Covered Entity Execution

(10) Signature Of Covered Entity. The Covered Entity that is participating in this agreement must deliver a signature to enter it. Therefore, its ruling Members or the appropriate Department must authorize a Signature Representative to sign his or her full name to this document as well as indicate the current date.

(11) Printed Name And Title Of Covered Entity. The full name of the Covered Entity’s Organization including its status suffix should be furnished in print along with the title the Signature Representative holds with the Covered Entity (i.e. “Vice-President,” “Manager,” “Representative”).

V. Business Associate Signature

(12) Business Associate Signing Process. The Business Associate named at the beginning of this document is also obligated to enter this agreement by signature. Therefore, the Business Associate must elect a Signature Party to sign his or her name and deliver the current date. As the Signature Party representing the Business Associate, and authorized by the Business Associate to do so, his or her signature will officially bind the Business Associate to the conditions above.

(13) Business Associate Identity. The Business Associate’s full name, including suffixes of status (i.e. corp), should be presented during the signature process. Once the Signature Party has identified the name of the Business Associate he or she represents, the title of his or her Office with the Business Associate should be documented.