BAA Generator

Sample Business Associate Agreement

About this example

This is a complete, annotated example Business Associate Agreement between a fictional covered entity ("Riverside Family Medicine") and a fictional business associate ("CloudRx Solutions, Inc."). It is based on the HHS sample business associate agreement provisions implementing 45 CFR § 164.504(e). The annotation following each clause explains what the clause does, which regulatory requirement (if any) it satisfies, and what to watch for when negotiating it. Names, addresses, and dates are fictional. Generate a version with your own parties using the tool below.


Business Associate Agreement

Effective Date: March 15, 2026

This Business Associate Agreement ("Agreement") is entered into as of March 15, 2026 ("Effective Date"), by and between Riverside Family Medicine, P.C., a medical practice located at 420 Oak Street, Portland, Oregon 97201 ("Covered Entity"), and CloudRx Solutions, Inc., a Delaware corporation located at 88 Market Street, Suite 400, San Francisco, California 94105 ("Business Associate").

Identifies both parties. "Covered Entity" is a HIPAA-defined term — a healthcare provider, health plan, or healthcare clearinghouse. "Business Associate" is any entity that creates, receives, maintains, or transmits PHI on the covered entity's behalf.

Recitals

Covered Entity is a covered entity as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations. Business Associate provides electronic health record integration and prescription management services to Covered Entity ("Services"). In connection with the Services, Business Associate may create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity. The parties therefore agree as follows.

Describes the business relationship and explains why a BAA is needed. OCR investigators and courts read the recitals to check that the Services described match what the vendor actually does with PHI; if the vendor's real data flows go beyond what is recited here, those uses are outside the agreed scope.

1. Definitions

Capitalized terms not otherwise defined herein shall have the meanings set forth in 45 CFR Parts 160 and 164.

"Breach" has the meaning set forth in 45 CFR § 164.402.

"Business Associate" has the meaning set forth in 45 CFR § 160.103.

"Covered Entity" has the meaning set forth in 45 CFR § 160.103.

"Designated Record Set" has the meaning set forth in 45 CFR § 164.501.

"Electronic Protected Health Information" or "ePHI" means PHI that is transmitted by electronic media or maintained in electronic media, as defined in 45 CFR § 160.103.

"Protected Health Information" or "PHI" has the meaning set forth in 45 CFR § 160.103, limited to information Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.

"Required by Law" has the meaning set forth in 45 CFR § 164.103.

"Security Incident" has the meaning set forth in 45 CFR § 164.304.

"Unsecured PHI" has the meaning set forth in 45 CFR § 164.402.

Incorporating the regulatory definitions by reference ensures the agreement stays in sync with HIPAA as regulations evolve, rather than locking in a point-in-time definition.

2. Obligations and Activities of Business Associate

2.1 Permitted Uses and Disclosures. Business Associate may use or disclose PHI only:

  1. As necessary to perform the Services described in this Agreement;
  2. As required by law;
  3. For the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate, provided that (i) the disclosure is required by law, or (ii) Business Associate obtains reasonable assurances from the recipient that the PHI will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed, and that the recipient will report to Business Associate any instance in which the confidentiality of the PHI has been breached.

Business Associate shall not use or disclose PHI in any manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.

This is the core restriction. The business associate can only use PHI to do its job, comply with law, or manage its own operations, and nothing else. The final sentence is a catch-all: Subpart E is the Privacy Rule, so if the covered entity could not lawfully make a given use or disclosure, the BA cannot either. In practice this means that analytics, product improvement, or marketing uses of PHI are off limits unless they fall inside the Services or are separately permitted under HIPAA.

2.2 Minimum Necessary. Business Associate shall, to the extent practicable, request, use, and disclose only the minimum PHI necessary to accomplish the intended purpose.

Mirrors the HIPAA minimum necessary standard (45 CFR § 164.502(b) and § 164.514(d)). It is not one of the elements § 164.504(e)(2) requires a BAA to contain, and since the 2013 Omnibus Rule business associates are bound by the minimum necessary standard directly, so the clause restates an existing obligation rather than creating a new one. Including it is still good practice: it gives the covered entity a contractual hook, and it signals to the BA's engineers that data access should be scoped to the task (for example, an integration that needs prescription data should not be pulling full charts).

2.3 Safeguards. Business Associate shall implement appropriate administrative, physical, and technical safeguards to prevent use or disclosure of PHI other than as permitted by this Agreement. With respect to ePHI, Business Associate shall comply with the requirements of Subpart C of 45 CFR Part 164 (the Security Rule).

Required by § 164.504(e)(2)(ii)(B). Business associates have been directly subject to the Security Rule (45 CFR Part 164, Subpart C) since the 2013 Omnibus Rule, so this clause does not create the obligation to implement access controls, encryption, audit logging, and the other Security Rule safeguards; it makes that obligation a contract term, giving the covered entity a remedy against the BA in addition to the BA's own regulatory exposure. Covered entities commonly supplement this clause with a security questionnaire or a reference to the BA's SOC 2 or HITRUST report, but that is a negotiated addition, not a HIPAA requirement.

2.4 Reporting.

  1. Security Incidents. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware, including any attempted unauthorized access. Reports of unsuccessful attempts (such as blocked login attempts, port scans, or malware that was detected and quarantined before reaching ePHI) may be provided in summary form at least quarterly.
  2. Breaches of Unsecured PHI. Business Associate shall notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no case later than fifteen (15) calendar days after Business Associate's discovery of such Breach. The notification shall include, to the extent possible, the elements required by 45 CFR § 164.410(c).

Required by § 164.504(e)(2)(ii)(C). The Security Rule's definition of "Security Incident" includes unsuccessful attempts, so without the summary-reporting carve-out the BA would technically owe a report for every blocked scan. The 15-day breach deadline is tighter than the 60-day outer limit that § 164.410 gives a BA to notify the covered entity. That matters because the covered entity's own 60-day clock for notifying individuals and HHS (§ 164.404) starts at its discovery, and where the BA acts as the covered entity's agent the BA's discovery is imputed to the covered entity (§ 164.404(a)(2)). A short internal deadline leaves the covered entity enough of the 60 days to investigate and send its own notices. Note that "Unsecured PHI" means PHI not rendered unusable under the HHS encryption and destruction guidance, so properly encrypted data that is lost with no key compromise is generally not a reportable Breach.

2.5 Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree, by written agreement, to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement.

Required by § 164.504(e)(2)(ii)(D). Creates the downstream BAA chain. Without this clause, a subcontractor (e.g., a cloud hosting vendor used by the BA) has no contractual HIPAA obligations.

2.6 Access to PHI. Business Associate shall, within fifteen (15) days of a written request by Covered Entity, make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an individual, as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.524.

Required by § 164.504(e)(2)(ii)(E). Patients have the right to access their own health records. This clause ensures that if PHI is held by the BA, the covered entity can retrieve it to fulfill a patient access request.

2.7 Amendment of PHI. Business Associate shall make any amendments to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.526.

Required by § 164.504(e)(2)(ii)(F). Patients have the right to request corrections to inaccurate PHI. The BA must be able to make those corrections in its systems.

2.8 Accounting of Disclosures. Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.

Required by § 164.504(e)(2)(ii)(G). Patients have the right to an accounting of certain disclosures of their PHI. The BA must track and report those disclosures to the covered entity.

2.9 Internal Practices. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for the purpose of determining Covered Entity's compliance with HIPAA.

Required by § 164.504(e)(2)(ii)(H). OCR can investigate any party in the chain — this clause ensures the BA cooperates with HHS audits and investigations.

3. Permitted Uses and Disclosures by Covered Entity

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.

This clause protects the BA — the covered entity cannot use the BA to launder an impermissible disclosure. It shifts responsibility to the covered entity if it gives improper instructions.

4. Term and Termination

4.1 Term. This Agreement shall be effective as of the Effective Date and shall continue until terminated as set forth herein or until all Services under the underlying service agreement have been terminated.

4.2 Termination for Cause. Covered Entity may terminate this Agreement, and any related service agreement, upon thirty (30) days' written notice if Covered Entity determines that Business Associate has materially breached any provision of this Agreement and failed to cure such breach within the notice period. If cure is not possible, Covered Entity may terminate immediately.

Required by § 164.504(e)(2)(iii). The covered entity must have the ability to terminate the relationship if the BA violates the BAA — this is a regulatory floor, not a negotiated preference.

4.3 Effect of Termination. Upon termination of this Agreement for any reason:

  1. Business Associate shall return to Covered Entity, or destroy, all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form.
  2. Business Associate shall retain no copies of PHI, except that if return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for as long as Business Associate retains such PHI.
  3. Business Associate shall certify in writing to Covered Entity that all PHI has been returned or destroyed within thirty (30) days of the date of termination.

Required by § 164.504(e)(2)(ii)(J). PHI cannot simply linger in the BA's systems after the relationship ends. The written certification creates an audit trail. The "infeasible" carve-out is meant for cases such as PHI in immutable or aged-out backups, or records a law requires the BA to retain; it is not a licence to keep working copies, and the certification should state what was retained, why return or destruction was infeasible, and how the retained PHI remains protected. "Destroy" should mean destruction consistent with the HHS guidance on rendering PHI unusable (for example, cryptographic erasure or media sanitization), not merely deleting a database row.

5. Miscellaneous

5.1 Regulatory References. Any reference to a regulatory provision shall mean the provision as in effect or as amended.

5.2 Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the parties to comply with the requirements of HIPAA and the HITECH Act.

5.3 Interpretation. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA. Any ambiguity shall be resolved in favor of the meaning that most closely permits Covered Entity to comply with HIPAA.

5.4 No Third-Party Beneficiaries. Nothing in this Agreement shall confer any rights or remedies upon any person other than the parties hereto and their respective successors and permitted assigns.

5.5 Governing Law. This Agreement shall be governed by the laws of the State of Oregon, without regard to conflict of laws principles.

5.6 Entire Agreement. This Agreement, together with any service agreement between the parties, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, negotiations, and discussions, whether oral or written.

Standard contract boilerplate, but particularly important in BAAs: the "regulatory references" and "amendment" clauses future-proof the agreement against regulatory changes without requiring a signed amendment every time HHS updates the rules.

6. Limitation of Liability

Business Associate's total aggregate liability to Covered Entity under this Agreement shall not exceed the greater of (a) the total fees paid by Covered Entity to Business Associate in the twelve (12) months immediately preceding the event giving rise to liability, or (b) five thousand dollars ($5,000). This limitation applies to all claims in the aggregate, regardless of the form of action or the theory of recovery. In no event shall either party be liable for indirect, incidental, consequential, special, or punitive damages.

Not required by HIPAA, but commercially standard. Without a liability cap, a small vendor faces potentially unlimited exposure for a breach. The cap does nothing to limit either party's regulatory exposure to OCR penalties; it only allocates risk between the parties. This figure is typically negotiated: covered entities often push for a higher cap, a separate cap for breach-related costs (notification, credit monitoring, forensics), or unlimited liability for willful misconduct or gross negligence.

Signature Block

COVERED ENTITY:

Riverside Family Medicine, P.C.

Signature

Printed Name & Title

Date

BUSINESS ASSOCIATE:

CloudRx Solutions, Inc.

Signature

Printed Name & Title

Date

Generate your own BAA

Replace the fictional parties above with your real business details. Answer 11 questions. Get a complete, customized BAA as a PDF (free) or clean PDF + Word .docx ($29).

Generate My Free BAA →

No account required

What's in this sample

  • Permitted uses & disclosures
  • Minimum necessary standard
  • Safeguard obligations (Security Rule)
  • Breach notification (15-day internal deadline)
  • Subcontractor / downstream BAA chain
  • Patient access rights (§ 164.524)
  • Amendment of PHI (§ 164.526)
  • Accounting of disclosures (§ 164.528)
  • HHS audit access
  • Termination for cause
  • Return/destruction of PHI at termination
  • Limitation of liability clause
  • Governing law clause
  • Signature block

Not legal advice. This sample uses fictional parties and is for educational purposes only. For agreements involving real PHI, consult a qualified healthcare attorney or use BAA Generator to create your own document.

Ready to create your version?

Replace the sample parties above with your real business details. Takes 5 minutes. Free watermarked PDF or $29 clean copy — no attorney required.

Generate My Free BAA →

Free watermarked PDF · $29 clean PDF + Word .docx · No subscription