HIPAA Business Associate Agreement Template

This HIPAA Business Associate Agreement ("Agreement") is entered into as of [Date], by and between:

Covered Entity: [Full Name / Company Name]
Address: [Address]
Email: [Email Address]
Phone: [Phone Number]

and

Business Associate: [Full Name / Company Name]
Address: [Address]
Email: [Email Address]
Phone: [Phone Number]

Together referred to as the "Parties."


1. Purpose

This Agreement is intended to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, specifically regarding the safeguarding of Protected Health Information (PHI).


2. Definitions

  • PHI (Protected Health Information): Individually identifiable health information transmitted or maintained in any form.

  • Covered Entity: A healthcare provider, health plan, or healthcare clearinghouse subject to HIPAA.

  • Business Associate: A party that performs functions involving PHI on behalf of the Covered Entity.


3. Permitted Uses and Disclosures

The Business Associate may use or disclose PHI only:

  • As required to perform services for the Covered Entity

  • As permitted by this Agreement

  • As required by law


4. Safeguards and Security

The Business Associate agrees to:

  • Implement administrative, physical, and technical safeguards to protect PHI

  • Comply with the HIPAA Security Rule for electronic PHI (ePHI)

  • Prevent unauthorized use or disclosure of PHI


5. Reporting of Breaches

The Business Associate must:

  • Report any use or disclosure of PHI not permitted by this Agreement

  • Notify the Covered Entity of any breach of unsecured PHI within [X] days of discovery

  • Cooperate with the Covered Entity’s investigation and response efforts


6. Subcontractors and Agents

The Business Associate shall ensure that any subcontractor or agent who has access to PHI agrees in writing to the same restrictions and conditions outlined in this Agreement.


7. Access and Amendments

Upon request by the Covered Entity, the Business Associate will:

  • Provide access to PHI in a designated record set

  • Make amendments to PHI as directed by the Covered Entity


8. Accounting of Disclosures

The Business Associate shall document and provide an accounting of disclosures of PHI upon request by the Covered Entity or the patient.


9. Return or Destruction of PHI

Upon termination of this Agreement, the Business Associate shall:
☐ Return all PHI to the Covered Entity
☐ Destroy all PHI (with written confirmation)
☐ If return or destruction is not feasible, extend protections of this Agreement to the PHI retained


10. Term and Termination

  • This Agreement shall remain in effect for the duration of the services and until all PHI is returned or destroyed.

  • The Covered Entity may terminate this Agreement immediately if the Business Associate is found to be in material breach.


11. No Third-Party Beneficiaries

This Agreement is intended solely for the benefit of the Parties and does not create rights in any third party.


12. Governing Law

This Agreement shall be governed by the laws of [State] and applicable federal HIPAA regulations.


13. Entire Agreement

This document constitutes the full understanding between the Parties regarding PHI and supersedes all prior written or oral agreements related to the subject matter.

IN WITNESS WHEREOF, the Parties have executed this HIPAA Business Associate Agreement as of the date first written above.


Covered Entity Signature
Name:
Title:
Date:


Business Associate Signature
Name:
Title:
Date:


HIPAA Business Associate Agreement FAQ


What is a HIPAA Business Associate Agreement?


A legal contract that clearly outlines each entity's responsibilities for handling protected health information (PHI).

Why do you need a HIPAA Business Associate Agreement?


It ensures compliance with HIPAA regulations and clearly defines privacy and security obligations.

When should you use a HIPAA Business Associate Agreement?


Whenever protected health information is shared or processed between entities.

How to write a HIPAA Business Associate Agreement?


Clearly specify obligations, permitted uses of PHI, breach notification responsibilities, and compliance terms.

©2025 AI Lawyer. All rights reserved.
