HIPAA Business Associate Agreement Template


This free tool is a HIPAA Business Associate Agreement / Contract Addendum template for the requirements of the HITECH Act of 2009 and Omnibus Final Rule 2013 in Microsoft Word format. Use it as a starting point and customize it to meet the requirements for your business associate agreements. For continued due diligence of third parties, consider vendor risk management software or vendor risk management services to evaluate their security position.

Business Associates (BAs) are described by HHS as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity (CE).” Examples of a BA include a consultant who does hospital utilization reviews or an attorney with PHI access for providing legal services to a hospital or healthcare system.

To ensure that BAs are using PHI in an appropriate, secure manner, you need to make sure a Business Associate Agreement (BAA) is in place. This is essentially a written contract that lays out each party’s responsibility when it comes to PHI. The CE must have a BAA in place for each BA. BAAs provide accountability for BAs to adhere to HIPAA controls and are also an essential component for HHS Audits. CEs can face severe fines from OCR for lack of compliance.

Our free HIPAA BAA/Contract Addendum template is a great way to check yourself and your BAs to ensure that everyone is adhering to the requirements of the HITECH Act of 2009 and Omnibus Final Rule 2013. Use it as a first step to ensure that your PHI isn’t being compromised by third parties and customize it to meet your specific needs.

We also offer automated and managed solutions

In addition to our free BAA, ComplyAssistant also offers a full turn-key solution for assessing a CE’s BAs using our compliance management portal. See our Vendor Risk Management Services page for further information.
