Business Associate Agreement Template
Regulatory basis: 45 CFR 164.502(e)(1)-(2) (Privacy Rule) and 45 CFR 164.308(b) (Security Rule) permit a covered entity to let a business associate create, receive, maintain, or transmit PHI on its behalf only after obtaining satisfactory assurances that the business associate will appropriately safeguard the information, documented in a written contract or other arrangement. The required contents of that contract are set out in 45 CFR 164.504(e)(2) (Privacy Rule) and, for electronic PHI, 45 CFR 164.314(a)(2)(i) (Security Rule).
Required BAA Provisions
Under 45 CFR 164.504(e)(2), a business associate agreement must include the following provisions. 45 CFR 164.314(a)(2)(i) contains three parallel Security Rule requirements for electronic PHI, paragraphs (A) through (C); they are noted beside the Privacy Rule provision they correspond to. Each provision below is annotated with its regulatory citation.
1. Permitted Uses and Disclosures
45 CFR 164.504(e)(2)(i) and (e)(2)(ii)(A)
Establish the permitted and required uses and disclosures of protected health information by the business associate, and require that the business associate not use or further disclose the information other than as permitted or required by the agreement or as required by law. The agreement may not authorize the business associate to use or further disclose the information in a manner that would violate the Privacy Rule if done by the covered entity, except that it may permit use and disclosure for the business associate's own proper management and administration (164.504(e)(2)(i)(A), subject to the conditions in 164.504(e)(4)) and for data aggregation services relating to the covered entity's health care operations (164.504(e)(2)(i)(B)).
2. Safeguards
45 CFR 164.504(e)(2)(ii)(B); Security Rule counterpart 45 CFR 164.314(a)(2)(i)(A)
Require the business associate to use appropriate safeguards, and comply, where applicable, with Subpart C of 45 CFR Part 164 (the Security Rule) with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the agreement.
3. Reporting
45 CFR 164.504(e)(2)(ii)(C); Security Rule counterpart 45 CFR 164.314(a)(2)(i)(C)
Require the business associate to report to the covered entity any use or disclosure of PHI not provided for by the agreement of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR 164.410. For electronic PHI, the Security Rule counterpart also requires the business associate to report any security incident (as defined in 45 CFR 164.304) of which it becomes aware. 164.410(b) sets an outer limit of 60 calendar days after discovery for breach notification to the covered entity; the agreement may, and in practice usually should, set a shorter notice period so that the covered entity can meet its own notification deadlines.
4. Subcontractors
45 CFR 164.504(e)(2)(ii)(D); Security Rule counterpart 45 CFR 164.314(a)(2)(i)(B)
Require the business associate, in accordance with 45 CFR 164.502(e)(1)(ii), to ensure that any subcontractors that create, receive, maintain, or transmit PHI on its behalf agree to the same restrictions and conditions that apply to the business associate with respect to that information. The downstream assurance must itself be documented in a written contract or other arrangement with the subcontractor (45 CFR 164.502(e)(2) and 164.308(b)(3)).
5. Access to PHI
45 CFR 164.504(e)(2)(ii)(E)
Require the business associate to make PHI available in accordance with 45 CFR 164.524 (individual right of access) to satisfy the covered entity's obligations.
6. Amendment of PHI
45 CFR 164.504(e)(2)(ii)(F)
Require the business associate to make PHI available for amendment and to incorporate any amendments to PHI in accordance with 45 CFR 164.526.
7. Accounting of Disclosures
45 CFR 164.504(e)(2)(ii)(G)
Require the business associate to make available the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528.
8. Carrying Out Covered Entity Obligations
45 CFR 164.504(e)(2)(ii)(H)
To the extent the business associate is to carry out one of the covered entity's obligations under the Privacy Rule, require it to comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of that obligation.
9. HHS Access
45 CFR 164.504(e)(2)(ii)(I)
Require the business associate to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received on behalf of, the covered entity available to the Secretary of HHS for purposes of determining the covered entity's compliance with the Privacy Rule.
10. Return or Destruction of PHI
45 CFR 164.504(e)(2)(ii)(J)
At termination of the agreement, require the business associate, if feasible, to return or destroy all PHI received from the covered entity, or created or received by the business associate on behalf of the covered entity, that it still maintains in any form, and to retain no copies. If return or destruction is not feasible, extend the protections of the agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction infeasible.
11. Termination
45 CFR 164.504(e)(2)(iii)
Authorize termination of the agreement by the covered entity if the covered entity determines that the business associate has violated a material term of the agreement.
Implementation Notes
- BAAs must be in place before any PHI is shared with a business associate.
- The HITECH Act made business associates directly liable: Section 13401 applies the Security Rule's administrative, physical, and technical safeguard and documentation requirements (45 CFR 164.308, 164.310, 164.312, and 164.316) directly to business associates, and Section 13404 makes them directly liable for uses and disclosures that violate 45 CFR 164.504(e) or the terms of their BAA. The 2013 Omnibus Rule implemented both in 45 CFR Part 164.
- BAAs should be reviewed annually and updated when the scope of services changes.
- Retain executed BAAs for at least six years from the later of the date of creation or the date the agreement was last in effect, per 45 CFR 164.530(j)(2) (Privacy Rule) and 45 CFR 164.316(b)(2)(i) (Security Rule). Because the clock runs from when a version ceased to be in effect, keep superseded versions as well as the current one.
- Cloud service providers that create, receive, maintain, or transmit ePHI are business associates and require BAAs even when the data is encrypted and the provider holds no decryption key (HHS cloud computing guidance, 2016). The only carve-out is the narrow conduit exception for services that merely transmit PHI with only transient access, such as ISPs and couriers; a provider that stores ePHI, even in encrypted form, does not qualify.