HIPAA BAA Generator

Generate a HIPAA business associate agreement in minutes.

Enter the two parties, pick the provisions that fit the relationship, and get a ready-to-review business associate agreement built on the official HHS sample clauses. Copy it or download it, then have counsel review it. Free, private, and no email required.

45 CFR 164.504(e) elements
No data leaves your browser
1 min to a draft agreement

The generator

Build your business associate agreement

Fill in the parties and choose the optional clauses. The agreement updates live, and you can copy it or download it when it is ready.

1. The two parties

A business associate agreement is signed between a covered entity (or a business associate) and the vendor that will handle protected health information on its behalf. Enter the legal names exactly as they should appear on the contract.

2. Dates and governing law

3. Optional permitted uses

These clauses are permitted by the Privacy Rule but are not required in every agreement. Include only the ones that match how the vendor actually uses the data.

A signed BAA satisfies one requirement. The vendor still has to train its workforce, run a risk analysis, and apply Security Rule safeguards. A signed page on its own is not compliance.

The clauses in this generator follow the sample business associate agreement provisions published by the U.S. Department of Health and Human Services and the required elements of a BAA at 45 CFR 164.504(e), 164.314(a), and 164.410. Nothing you enter is sent anywhere; the document is assembled entirely in your browser. This template is educational, is not legal advice, and should be reviewed and adapted by qualified counsel before use.

What it does

Six things this BAA generator handles for you

The tool is built from the actual required elements of a business associate agreement, so it produces a usable draft rather than a blank template you still have to write.

HHS provisions

Built on the HHS sample clauses

Every section follows the sample business associate agreement provisions published by Health and Human Services and the required elements at 45 CFR 164.504(e).

Fill and generate

Your names and terms, dropped in

Enter the covered entity, the vendor, the effective date, and the services. The template updates live with your details already in place.

Optional clauses

Toggle the provisions you actually need

Management use, data aggregation, de-identification, and the return-or-destroy terms are switches, so you only include the clauses that fit the relationship.

Breach window

Set your own reporting deadline

Choose how quickly the vendor must report a breach or security incident. The federal outer limit is 60 days, and most agreements set something tighter.

Copy or download

Take it into your own document

Copy the full agreement to your clipboard or download it as a text file, then paste it into your contract template and have counsel review it.

Private by design

Nothing leaves your browser

The document is assembled entirely on your device. No account, no email, and none of the names or terms you enter are sent anywhere.

The full picture

HIPAA business associate agreements, explained

What a BAA is, who has to sign one, the elements the rule requires, the optional clauses worth understanding, and the mistake that turns a signed agreement into a false sense of security.

What a business associate agreement actually is

A business associate agreement is the contract that lets a covered entity share protected health information with an outside party and still meet its HIPAA obligations. HIPAA divides the regulated world into two main groups. Covered entities are health plans, health care clearinghouses, and most health care providers. Business associates are the outside organizations that perform a function or service for a covered entity that involves creating, receiving, maintaining, or transmitting protected health information. The BAA is the written bridge between them. Before a covered entity may disclose PHI to a business associate, the rule at 45 CFR 164.502(e) requires a contract in which the business associate gives satisfactory written assurance that it will appropriately safeguard the information.

The point of the agreement is to carry HIPAA obligations beyond the four walls of the covered entity. Protected health information does not stop being protected when it lands on a vendor's server. The BAA makes the vendor contractually responsible for the same kind of protection the covered entity owes, and it gives the covered entity a legal remedy if the vendor falls short. Since the HITECH Act, business associates are also directly liable to regulators for many HIPAA requirements, so the agreement documents obligations that exist by law as well as by contract.

Who needs to sign one

The test is functional, not about job titles. If an outside party handles protected health information to do something for a covered entity, it is almost certainly a business associate and needs an agreement. The list is longer than most organizations expect. It includes billing and coding companies, clearinghouses, claims processors, IT support and managed service providers, cloud hosting and storage vendors, electronic health record and practice management software companies, transcription services, answering services, document shredding and destruction companies, data analytics firms, and the accountants, lawyers, and consultants who see PHI while doing their work.

The chain does not stop at the first vendor. A business associate that hands the same protected health information to a subcontractor must sign a BAA with that subcontractor, and that subcontractor must do the same with anyone further down the line. Each link owes the same protections as the one above it, which is why the rule is often called the chain of trust. A few relationships are not business associate relationships at all: a provider disclosing PHI to another provider for treatment, a covered entity disclosing to a health plan for payment, and the conduit exception for entities like the postal service or an internet service provider that only transport data without routine access to it. When in doubt, the safer assumption is that a BAA is required.

The elements the rule requires

A compliant business associate agreement is not free-form. The implementation specifications at 45 CFR 164.504(e) spell out what the contract must contain, and the Department of Health and Human Services publishes sample provisions that map to each requirement. This generator follows those sample provisions. At a minimum, the agreement must establish the permitted and required uses and disclosures of PHI by the business associate, and it must provide that the business associate will not use or disclose the information beyond what the contract or the law allows.

From there the required terms read like a checklist of safeguards. The business associate must use appropriate safeguards and, for electronic PHI, comply with the Security Rule at Subpart C of 45 CFR Part 164. It must report to the covered entity any use or disclosure not permitted by the contract, including breaches of unsecured PHI and security incidents. It must ensure that any subcontractors agree to the same restrictions and conditions. It must make PHI available so the covered entity can meet individual rights to access, amendment, and an accounting of disclosures. It must make its internal practices, books, and records available to the Secretary of Health and Human Services for compliance reviews. And at termination it must return or destroy the PHI, or, where that is infeasible, extend the protections of the agreement to the information for as long as it is retained. Each of those obligations appears in the document this tool produces.

The optional clauses, and when to include them

Beyond the required elements, the Privacy Rule permits certain additional uses that you can choose to authorize. The generator turns these into switches so you only include what fits the relationship. The first is use for the business associate's own management and administration and to carry out its legal responsibilities. Many vendors legitimately need this, but the clause should require confidentiality assurances from anyone who receives the information for those purposes. The second is data aggregation, which lets a business associate combine the PHI of several covered entities to perform health care operations analyses, as permitted at 45 CFR 164.504(e)(2)(i)(B). Include it only if the vendor actually performs that service.

A third option is de-identification. A business associate may de-identify PHI under the standards at 45 CFR 164.514, and once information is properly de-identified it is no longer PHI and falls outside the agreement. Authorize this only if you want the vendor to be able to create de-identified data sets. The last switch governs what happens at termination. The strict version requires the business associate to return or destroy all PHI and keep no copies. The practical version keeps that as the default but allows the vendor to retain the information with continued protections when return or destruction is genuinely infeasible, which mirrors the language in the HHS sample. Choose the stricter setting when you can, and reserve the retention clause for situations where backups or legal holds make a clean return impossible.

The breach reporting window

One of the most negotiated terms in any BAA is how quickly the business associate must tell the covered entity about a problem. The breach notification rule gives a covered entity up to 60 days from discovery to notify affected individuals, but that clock can start when the business associate discovers the breach, not when it gets around to reporting it. A covered entity that learns of a vendor breach on day 55 has almost no time left to investigate and notify. That is why covered entities push for a much shorter reporting window in the contract itself, often notice without unreasonable delay and no later than 10, 15, or 30 days. The generator lets you set that number so the agreement reflects the deadline you actually want, and it ties the same obligation to security incidents and to any use or disclosure the contract does not allow.

Whatever number you choose, define the trigger clearly. Reporting should start on discovery, and discovery should be defined to include what the vendor should reasonably have known through ordinary diligence, not only what it actually knew. A tight window paired with a vague definition of when the clock starts is easy for a vendor to wait out, so the two terms have to be drafted together.

The missing-BAA finding, and what it costs

Among the failures that draw HIPAA penalties, the missing or inadequate business associate agreement is one of the most common, and one of the most avoidable. Time and again, an organization suffers a breach at a vendor, the Office for Civil Rights investigates, and the investigation turns up that there was never a signed agreement in place, or that the agreement on file was a generic template that did not meet the required elements. Settlements have turned in part on exactly this gap. The agreement is cheap to put in place and expensive to be caught without, which is the worst kind of risk to carry.

Putting the agreement in place is only the first half of the job. The other half is keeping track of every vendor that touches PHI, making sure each one has a current signed BAA, and refreshing those agreements as relationships and regulations change. A simple vendor inventory that lists each business associate, the data it handles, the date of its agreement, and the renewal status will catch the gaps before an investigator does. The BAA management checklist linked below walks through how to build and maintain that inventory.

Where the BAA fits next to the services contract

A business associate agreement rarely stands alone. It usually accompanies an underlying services agreement, sometimes called a master services agreement or a statement of work, that describes the actual work the vendor performs, the price, and the commercial terms. The two documents do different jobs. The services agreement says what the vendor will do and what it will be paid. The BAA says how the vendor must protect the protected health information it touches along the way. Keeping them as separate documents is common and sensible, because the privacy obligations often outlast the commercial relationship: the duty to safeguard or return PHI continues until the data is dealt with, even after the services end.

When the two documents disagree, problems follow. A services agreement that lets the vendor use customer data broadly for product improvement can quietly conflict with a BAA that limits use of PHI to the contracted services. The cleanest approach is to state that the BAA controls with respect to protected health information and prevails over any conflicting term in the services agreement. The generator produces a standalone agreement on purpose, so you can attach it to whatever underlying contract already governs the relationship and add a short clause confirming that the BAA takes precedence on anything involving PHI.

Terms worth negotiating beyond the required elements

The required elements are the floor, not the ceiling. Organizations that handle a lot of protected health information routinely negotiate additional terms that the rule does not mandate but that allocate real-world risk. The most common is breach cost allocation: who pays for the credit monitoring, the forensic investigation, the notification mailing, and the regulatory response when the vendor causes a breach. A well-drafted agreement makes the party that caused the incident responsible for the costs that flow from it, often backed by an indemnification clause and a requirement that the business associate carry cyber liability insurance at a stated minimum.

Other terms worth weighing include audit rights that let the covered entity verify the vendor's safeguards, a requirement that the vendor maintain a recognized security framework or undergo independent assessments, limits on offshoring or storing data outside the country, and a clear process for approving subcontractors before they touch PHI rather than after. None of these belongs in every agreement, and piling on terms a small vendor cannot meet only delays signing. The judgment is to match the depth of the agreement to the sensitivity and volume of the data at stake, then add the protections that a breach would actually make you wish you had. Counsel can help you decide which of these to layer onto the base document the generator produces.

A signed BAA is not compliance

The most important thing to understand about a business associate agreement is what it does not do. Signing one satisfies a single, specific requirement: the written assurance that a vendor will protect PHI. It does not train anyone, run a risk analysis, encrypt a single device, or write a policy. Both parties to a BAA still carry their own complete set of HIPAA obligations under the Privacy, Security, and Breach Notification Rules. An organization that files a stack of signed agreements and assumes it is now compliant has confused a piece of paper with a program.

The substance behind the signature is people who know the rules. A business associate agreement commits a vendor to safeguard PHI, but it is the vendor's trained workforce that actually does the safeguarding, recognizes a phishing attempt, follows the minimum necessary standard, and reports an incident in time to matter. The same is true on the covered entity side. The fastest, cheapest way to make a BAA mean something is to train and certify the workforce on both sides of it, so the agreement rests on documented knowledge rather than hope. Generate the agreement here, have counsel review it, and then close the loop by certifying the people who have to honor it.

BAA FAQ

Common questions about business associate agreements

Is this BAA generator free?

Yes. The generator is completely free, runs entirely in your browser, and needs no account or email. Fill in the parties and provisions, and the business associate agreement is assembled instantly. You can copy it or download it as a text file. None of the names or terms you enter leave your device.

What is a HIPAA business associate agreement?

A business associate agreement, or BAA, is a written contract between a covered entity and a business associate, or between a business associate and its subcontractor, that requires the receiving party to safeguard protected health information. HIPAA requires this contract before a vendor can create, receive, maintain, or transmit PHI on your behalf. The required elements live at 45 CFR 164.504(e), and the Department of Health and Human Services publishes sample provisions that this generator follows.

Who needs to sign a BAA?

Any time a covered entity hands protected health information to an outside party that performs a function or service involving that information, the two need a BAA. Common business associates include billing companies, IT and cloud hosting providers, electronic health record vendors, transcription services, shredding companies, accountants, lawyers, and consultants who handle PHI. A business associate that uses a subcontractor to handle the same PHI must in turn sign a BAA with that subcontractor, extending the chain of trust down the line.

Is a generated template legally sufficient on its own?

Treat the output as a strong starting point, not a finished contract. The clauses follow the HHS sample provisions and the required elements of a BAA, but every relationship has its own facts, and many organizations add terms on indemnification, insurance, breach cost allocation, audit rights, and integration with the underlying services agreement. Have qualified counsel review and adapt the document before anyone signs it. The generator does not provide legal advice or create an attorney-client relationship.

How fast must a business associate report a breach?

The breach notification rule sets an outer limit of 60 days from discovery, but a covered entity usually wants notice much faster so it can meet its own deadlines. This generator lets you set the reporting window, and a common choice is to require notice without unreasonable delay and no later than a shorter period, such as 10, 15, or 30 days. The agreement also requires the business associate to report any security incident and any use or disclosure not permitted by the contract.

Does signing a BAA make us HIPAA compliant?

No. A signed BAA satisfies one specific requirement, the written assurance that a vendor will protect PHI. It does not train your workforce, run your risk analysis, encrypt your devices, or build your policies. Both parties to a BAA still carry their own full set of HIPAA obligations. The fastest way to back up a BAA with substance is to train and certify the people who handle the data, which is what produces the documented, good-faith program OCR looks for.

A signed agreement is the start, not the finish. Back it up with HIPAA certification or plan a team rollout for your whole workforce.

Paper plus people

A BAA commits the vendor. Training makes it real.

A signed business associate agreement satisfies one requirement. The trained workforce behind it is what actually protects the data, catches the phishing email, and reports the incident in time. Certify your team with an accredited course that produces dated, verifiable certificates, and give every agreement you sign something solid to stand on.