Free HIPAA Business Associate Agreement Template
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ HIPAA requires specific BAA elements under 45 CFR § 164.504(e)
- ✓ A free template must still include all required provisions to be valid
- ✓ BAA Generator provides a free customizable template tailored to your vendor type
- ✓ Always have legal counsel review before signing for high-risk vendor relationships
Get Your Free HIPAA BAA Template Now
Customize for your specific vendor in 2 minutes. No account required.
Generate Free BAA Template →
What HIPAA Requires in a BAA
The HIPAA Privacy Rule at 45 CFR § 164.504(e) specifies the elements that must appear in a Business Associate Agreement. A BAA that omits any of these elements is not HIPAA-compliant, regardless of how it is labeled. For a detailed explanation, see what is a business associate agreement.
Required elements under 45 CFR § 164.504(e):
- Permitted uses and disclosures — The BAA must describe the specific purposes for which the BA may use and disclose PHI. Any use not listed is prohibited.
- Prohibition on unauthorized uses — The BA may not use or disclose PHI except as permitted by the BAA or required by law.
- Appropriate safeguards — The BA must implement appropriate administrative, physical, and technical safeguards as required by the Security Rule.
- Breach and security incident reporting — The BA must report any breach of unsecured PHI, security incident, or impermissible disclosure to the covered entity.
- Subcontractor BAAs — The BA must ensure any subcontractors who handle PHI agree to the same restrictions by signing their own BAAs.
- Individual access rights — The BA must cooperate with covered entity obligations regarding individual rights to access, amend, and account for disclosures of their PHI.
- HHS access — The BA must make its internal practices and records available to HHS for compliance investigations.
- Return or destruction of PHI at termination — At termination, the BA must return or destroy all PHI it holds. If neither is feasible, protections extend indefinitely.
- Termination rights — The covered entity must have the right to terminate if the BA materially violates the BAA.
What to Customize in a Template
A generic template covers the required elements but must be customized to be meaningful and enforceable in your specific vendor relationship. Key customization areas include:
- Party names and contact information — Legal entity names, addresses, and designated contacts for breach notification
- Service description — Precisely describe what the vendor does and the specific PHI they access (e.g., "medical billing services involving patient demographic and claims data")
- Permitted uses — List only the specific uses needed for the vendor's services — not broad catchall language
- Breach notification timeline — Set a specific number of days (5–15 days is best practice) rather than just referencing the statutory 60-day maximum
- Term and termination — Specify the agreement's initial term, renewal conditions, and termination notice period
What to Avoid in Free Templates
Not all free BAA templates found online are adequate. Common problems in low-quality templates include:
- Missing subcontractor clause — If the template doesn't require the BA to obtain BAAs from its own subcontractors, it fails to comply with HITECH
- No data return or destruction provision — This is a required element; its absence makes the BAA non-compliant
- No breach notification timeline — Simply referencing "applicable law" without specifying a contractual timeline leaves the covered entity vulnerable
- Pre-2013 language — Templates predating the 2013 HIPAA/HITECH Final Rule may lack required elements; always verify the template has been updated to reflect current law
- Overly broad permitted uses — A template that permits the BA to use PHI "as needed to perform services" provides no real restriction on secondary uses
The HHS Model BAA
HHS published a model BAA available at hhs.gov/hipaa that serves as an official reference document. It is a useful baseline that satisfies the minimum regulatory requirements. However, the HHS model is intentionally generic — it is designed to show what HIPAA requires, not to be operationally specific to any particular vendor relationship.
The HHS model lacks: a breach notification timeline, data residency provisions, liability allocation, specific return/destruction procedures, and subprocessor disclosure requirements. It is a starting point, not a finished document. For most vendor relationships, BAA Generator's customizable template provides a more complete and practically useful agreement than the HHS model alone. For guidance on reviewing BAAs you receive from vendors, see how to review a HIPAA BAA.
Frequently Asked Questions
Where can I find a free HIPAA BAA template?
BAA Generator provides a free, customizable HIPAA BAA template at baagenerator.com. You can customize the template for your specific vendor and download it instantly at no cost and without creating an account. HHS also publishes a model BAA at hhs.gov/hipaa, though this model is intentionally generic and typically needs additional customization for operational use with a specific vendor.
What must a HIPAA BAA template include?
Under 45 CFR § 164.504(e), a HIPAA BAA template must include: identification of the parties and description of services, permitted uses and disclosures of PHI, a prohibition on unauthorized uses, required safeguards (Security Rule compliance), breach notification obligations, subcontractor BAA requirements, provisions regarding individual rights (access, amendment, accounting), HHS access provisions, data return or destruction at termination, and termination rights for material breach. A template missing any of these elements is not HIPAA-compliant.
Is the HHS model BAA template good enough to use?
The HHS model BAA is legally sufficient for basic compliance purposes and is a legitimate resource. However, it lacks operational specificity — it does not address breach notification timelines, liability allocation, data return procedures, or subprocessor restrictions that are important in practice. For most vendor relationships, you should use the HHS model as a reference and supplement it with provisions specific to your vendor type and risk tolerance. BAA Generator's template incorporates the required elements plus operationally important provisions.
Can I use a generic BAA template for any vendor?
A generic template can satisfy HIPAA's minimum requirements, but vendor-specific customization is strongly recommended. Different vendor types — SaaS, telehealth, billing companies, IT support, legal counsel — create different PHI risks and require different permitted uses language, data handling provisions, and termination procedures. BAA Generator allows you to customize your BAA for the specific type of vendor you are contracting with, making the agreement more enforceable and more practically protective for your organization.
Generate Your Free HIPAA BAA Template Now
Customize and download a complete HIPAA BAA in minutes — for any vendor type, completely free, no account required.
Generate Your BAA Free →