BAA Generator

Free HIPAA Business Associate Agreement Template

Quick answer

A HIPAA-compliant BAA template must contain the 6 mandatory elements of 45 CFR § 164.504(e): permitted uses/disclosures, safeguard obligations, breach notification, subcontractor requirements, individual rights support, and termination provisions. The template below is built on HHS model language — generate a version customized to your parties for free in minutes.

Under HIPAA, any vendor or service provider that handles Protected Health Information (PHI) on your behalf must sign a Business Associate Agreement before you share PHI with them. The BAA establishes the vendor's obligations to protect that data and what happens if there's a breach.

This page explains exactly what a compliant template must include — clause by clause — and lets you generate a custom version with your specific business details in minutes.


What a HIPAA BAA Template Must Include

Required under 45 CFR § 164.504(e) — all 6 elements below are mandatory

1. Permitted Uses and Disclosures of PHI

The template must specify exactly what the business associate is permitted to do with PHI — and prohibit everything else. It should list: (a) uses permitted to perform the contracted services, (b) uses required by law, and (c) uses for the business associate's own proper management and administration.

Template language (§ 164.504(e)(2)(i)):
"Business Associate may use or disclose Protected Health Information only as permitted or required by this Agreement or as Required by Law. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate."

2. Safeguard Obligations

The business associate must agree to implement appropriate administrative, physical, and technical safeguards to protect ePHI — the same standards required of covered entities under the HIPAA Security Rule (45 CFR §§ 164.308, 164.310, 164.312).

Template language (§ 164.504(e)(2)(ii)(B)):
"Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of the information other than as provided for by this Agreement."

3. Breach Notification

The business associate must agree to report any breach of unsecured PHI to the covered entity without unreasonable delay and no later than 60 days after discovery (45 CFR § 164.410). The template should specify a shorter internal deadline — typically 10–30 days — to give the covered entity time to meet the 60-day regulatory deadline.

Template language (§ 164.504(e)(2)(ii)(C)):
"Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 CFR § 164.410, within [X] calendar days of discovery."

4. Subcontractor (Downstream) Assurances

If the business associate engages subcontractors who will access PHI, the template must require the business associate to obtain a BAA from those subcontractors too (45 CFR § 164.504(e)(2)(ii)(D)). This extends BAA coverage through every tier of subcontractors, so that no party in the chain handles PHI without a written agreement.

Template language:
"Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement."

5. Individual Rights Support

Covered entities must be able to fulfill patients' rights under HIPAA — the right to access, amend, and request an accounting of disclosures of their PHI. The BAA template must require the business associate to cooperate with these requests and provide the covered entity with the necessary PHI to respond.

Template language (§ 164.504(e)(2)(ii)(E–G)):
"Business Associate shall make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524 [access], § 164.526 [amendment], and § 164.528 [accounting of disclosures]."

6. Termination & Return/Destruction of PHI

Upon termination of the agreement, the business associate must return or destroy all PHI it holds on behalf of the covered entity — and certify that it has done so. The template must include both a termination-for-cause clause (if the BA materially breaches the BAA) and an obligation to handle PHI at termination.

Template language (§ 164.504(e)(2)(ii)(J)):
"Upon termination of this Agreement, Business Associate shall, at the option of Covered Entity, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures."

Recommended Optional Clauses

Not required by the regulation, but standard in well-drafted BAAs

Limitation of Liability

Cap the business associate's liability to the fees paid in the prior 12 months or a fixed dollar amount. Without this, a small vendor is exposed to unlimited liability for a breach — which is commercially unreasonable and often negotiated out.

Governing Law & Dispute Resolution

Specify which state's law governs the agreement and how disputes are resolved (litigation, arbitration, mediation). Without this, default contract law of the jurisdiction where a breach occurs may apply.

Permitted De-Identification

Specify whether the business associate may de-identify PHI (per 45 CFR § 164.514) and use the resulting data for analytics, product improvement, or research. This is not addressed in the HHS model language and must be added explicitly if you want to permit or prohibit it.

Security Incident Response

Beyond the breach notification required by § 164.410, specify how the business associate must cooperate in breach investigations, preserve evidence, and support remediation — including notification to affected individuals.

Template vs. BAA Generator: Which Is Right for You?

Both use the same HHS model language. The difference is personalization and time.

Feature                        Generic Template          BAA Generator
Party names pre-filled         You fill in manually      Auto-generated
PHI types specified            Generic "all PHI"         Your specific PHI types
Breach notification deadline   Blank (you decide)        You choose 5–30 days
Governing law                  Blank                     Your state selected
Time to complete               30–60 min                 5 minutes
Output format                  PDF (edit yourself)       PDF + Word .docx ($29)
Cost                           Free (but your time)      Free or $29

Frequently Asked Questions

Is a generic HIPAA BAA template legally valid?

Yes — a BAA template is legally valid as long as it contains the mandatory provisions required by 45 CFR § 164.504(e). These include permitted uses and disclosures, safeguard obligations, breach notification, subcontractor assurances, individual rights support, and termination provisions. Using a template based on HHS model language satisfies these requirements.

What is the difference between a BAA template and a custom BAA?

A template is a generic document you fill in manually. A custom BAA is generated with your specific business details, services, PHI types, and governing law pre-filled. BAA Generator creates a custom BAA for your exact relationship in minutes — built from the same HHS model language as any good template, but personalized to your parties and use case.

Do I need a separate BAA for each vendor?

Yes. HIPAA requires a separate BAA with each business associate — each vendor or subcontractor that handles PHI on your behalf. You can use the same template structure for each, but each agreement must identify the specific parties and the specific services being performed.

Can I use HHS's model BAA template directly?

Yes. HHS published model BAA language that satisfies 45 CFR § 164.504(e). BAA Generator uses this model as its foundation and adds customization fields (party names, PHI types, governing law, breach notification timeframes) so the output is specific to your relationship rather than a generic fill-in-the-blank form.

How much does a BAA cost from an attorney?

Attorney-drafted BAAs typically cost $500–$2,500 depending on the attorney's hourly rate and the complexity of the relationship. Healthcare attorneys often charge $350–$600/hour, and a BAA review plus drafting typically takes 1–4 hours. BAA Generator produces the same core legal structure for $29 or free with a watermark.

Ready to customize this template?

Answer 11 questions about your business relationship. Get a complete, HIPAA-compliant BAA in minutes — free watermarked PDF or $29 clean copy.


Free watermarked PDF · $29 clean PDF + Word .docx · No subscription