Generate a customized BAA template for any vendor relationship. HIPAA-compliant, professionally formatted. Free.
This template is for informational purposes only and should be reviewed by legal counsel before execution.
A Business Associate Agreement (BAA) is a legally binding contract required under HIPAA between a covered entity (your medical practice) and any business associate (vendor) that creates, receives, maintains, or transmits Protected Health Information (PHI) on your behalf. The requirement comes directly from 45 CFR 164.504(e).
The BAA defines exactly how the vendor may use and disclose PHI, what safeguards they must implement, and what happens in the event of a breach. Without a signed BAA, both you and your vendor are in violation of HIPAA, even if no breach has occurred.
Under the HITECH Act, business associates are directly liable for HIPAA compliance. This means your vendors can be fined independently by the Office for Civil Rights (OCR), but your practice remains jointly responsible for ensuring the BAA is in place.
Any time a third party will access, store, process, or transmit PHI on your behalf, you need a BAA. Here are the most common scenarios for small practices:
Any cloud-based or hosted electronic health record (EHR) system that stores patient data requires a BAA.
Third-party billers who process claims containing patient information are business associates.
Cloud hosting, backup, email hosting, and IT support firms that can access systems containing PHI are business associates.
Clearinghouses and other organizations that process electronic claims between your practice and payers require a BAA.
Video conferencing and virtual visit platforms used for patient consultations require a BAA.
Document destruction services that handle paper records containing PHI require a BAA.
Any AI platform that processes clinical notes, patient data, or practice analytics containing PHI requires a BAA.
After-hours answering services that take patient messages or access scheduling systems require a BAA.
Having no BAA at all is the most common and most costly mistake. OCR has issued fines exceeding $1 million for missing BAAs alone. Every vendor with PHI access needs one, with no exceptions. The HIPAA Omnibus Rule of 2013 made this unambiguous.
A BAA should specify exactly what PHI the vendor can access, for what purposes, and under what conditions. A one-size-fits-all template that does not reflect your actual vendor relationship leaves dangerous gaps.
BAAs have terms. If your agreement expires and you continue sharing PHI, you are operating without a BAA. Maintain a central log of all BAAs with effective dates, expiration dates, and renewal reminders.
Your vendor may use subcontractors who also handle PHI. Under HIPAA, your BAA must require the business associate to have downstream BAAs with all subcontractors. If they do not, you share the liability.
Your BAA must include specific breach notification timelines (no more than 60 days under HIPAA). Vague language like "promptly" is insufficient. The BAA should spell out exactly what information must be reported and how.