
HIPAA BAA Template: What to Include and Common Mistakes to Avoid

Last updated: March 21, 2026

TLDR

A HIPAA Business Associate Agreement must include permitted uses of PHI, safeguarding obligations, breach reporting requirements, subcontractor compliance requirements, and PHI return or destruction terms at contract end. HHS publishes model BAA language on hhs.gov. The most common mistake is using a generic NDA instead of a true BAA — which leaves you non-compliant even if nothing goes wrong.

What a HIPAA BAA Must Include

The HIPAA Privacy Rule (45 CFR § 164.504(e)) specifies the required elements of a Business Associate Agreement. A BAA that omits any of these is not compliant — even if both parties signed it in good faith.

1. Permitted uses and disclosures of PHI. The BAA must specify exactly what the business associate is allowed to do with PHI. For example, a billing company’s BAA should state that PHI may be used only for billing and collections on your behalf, not for the vendor’s own purposes.

2. Prohibition on unauthorized uses. The BAA must state that the business associate will not use or disclose PHI in ways not permitted by the agreement or required by law.

3. Safeguarding obligations. The business associate must agree to use appropriate administrative, physical, and technical safeguards to protect PHI from unauthorized use, disclosure, or breach.

4. Breach and security incident reporting. The business associate must agree to report any breach of unsecured PHI — and any security incident it becomes aware of — to the covered entity. The agreement should specify a reporting timeframe (HHS allows up to 60 days, but many BAAs require faster notification).

5. Subcontractor requirements. If the business associate uses subcontractors that handle PHI, those subcontractors must also sign BAAs. The business associate is responsible for ensuring their subcontractors comply.

6. Individual rights provisions. The BAA must include provisions allowing the covered entity to access, amend, and account for disclosures of PHI held by the business associate — so the covered entity can honor patient rights under HIPAA.

7. Return or destruction of PHI at termination. When the contract ends, the business associate must return or destroy all PHI. If return or destruction is not feasible (for example, PHI stored in backups), the BAA must state that the business associate will protect that PHI for as long as it is retained.

HHS provides model BAA language covering all seven elements. Access it directly at hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions.

Free HIPAA BAA Template

A properly structured HIPAA BAA template should cover all seven required elements above, plus practical fields for: vendor name and contact information, description of services provided, categories of PHI shared, agreement effective date, and signature blocks for both parties.

The HHS model provisions are the most defensible starting point because they use language the HHS Office for Civil Rights (OCR) recognizes. From that baseline, most practices need to add vendor-specific details and adjust the permitted uses section to match the actual services being provided.

PHIGuard includes a signed BAA with every plan — no separate negotiation or legal review required. We also provide a BAA tracking template you can use to log agreements with your other vendors. Sign up to get the template delivered to your inbox.

Common BAA Mistakes to Avoid

Using a generic NDA instead of a BAA. A non-disclosure agreement protects confidential information broadly but does not satisfy HIPAA’s specific requirements. An NDA has no provisions for breach notification, subcontractor compliance, or PHI destruction. Courts and OCR treat them as entirely different instruments.

Not updating BAAs when vendor terms change. SaaS vendors update their terms of service regularly. If a vendor’s terms materially change how they handle your data, your BAA may no longer reflect the actual arrangement. Best practice: calendar an annual review of all vendor BAAs and re-execute when terms change.

Missing BAAs with cloud storage providers. If your practice stores documents, photos, or any files containing PHI in Google Drive, Dropbox, Microsoft OneDrive, or similar services, those providers are business associates. Google Workspace and Microsoft 365 offer signed BAAs; standard consumer Dropbox does not. Check before storing PHI.

No BAA log. OCR audits frequently start with a request for your list of business associates and evidence of signed agreements. Without a log, you have no way to demonstrate compliance quickly. A simple spreadsheet with vendor name, services provided, BAA execution date, and renewal date is sufficient.

Signing a BAA after already sharing PHI. The BAA must be in place before PHI is shared, not after. A retroactive BAA does not cure the period during which PHI was shared without a compliant agreement.

When Your Vendor Provides a BAA vs. When You Need Your Own

Most established healthcare SaaS vendors — EHR systems, billing platforms, telehealth tools — provide their own BAA for customers to sign. Accepting the vendor’s BAA is standard practice and is compliant as long as the agreement covers all required elements. Review it against the seven elements above before signing.

When you need your own template: when hiring individual contractors, consultants, or transcriptionists who handle PHI; when using a vendor that offers no BAA of their own; or when you want a specific, narrow statement of permitted uses that a vendor’s standard template does not provide.

Keep signed copies of all BAAs on file for at least six years.
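The BAA log, the annual review, the sign-before-sharing rule and the six-year retention rule (stated in the FAQ below as six years from the later of the creation date or the last effective date) can all be checked mechanically against a spreadsheet-style inventory. The script below is an added example written for this page, not PHIGuard's tool or template: the vendor names, services and dates are constructed sample data, and treating a still-active agreement's retention floor as six years from the review date is an assumption made here, not a rule the page states.

```python
# Added example, not PHIGuard's code: checks a BAA inventory of the kind the page
# recommends. All vendors, services and dates below are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

RETENTION_YEARS = 6          # HIPAA documentation retention period
REVIEW_INTERVAL_DAYS = 365   # annual BAA review, as the page recommends


@dataclass
class BaaRecord:
    vendor: str
    services: str
    phi_types: str                   # categories of PHI shared, "" if none
    handles_phi: bool                # False for de-identified-only or no-access vendors
    phi_sharing_started: Optional[date]
    baa_executed: Optional[date]     # None = no signed BAA on file
    last_reviewed: Optional[date]
    terminated: Optional[date] = None


def _add_years(d: date, years: int) -> date:
    """Add calendar years; Feb 29 falls back to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_until(rec: BaaRecord, as_of: date) -> Optional[date]:
    """Earliest date the signed BAA may be discarded: six years from the later of
    creation or last effective date. For an agreement still in force the last
    effective date is not yet known, so this example (assumption) uses a floor
    of six years from the as_of date."""
    if rec.baa_executed is None:
        return None
    anchor = rec.terminated if rec.terminated else as_of
    return _add_years(max(rec.baa_executed, anchor), RETENTION_YEARS)


def check_baa_log(log: List[BaaRecord], as_of: date) -> List[Tuple[str, str, str]]:
    """Return (vendor, code, detail) findings for the mistakes the page lists."""
    findings: List[Tuple[str, str, str]] = []
    for rec in log:
        if not rec.handles_phi:
            continue  # no PHI created, received, maintained or transmitted: no BAA needed
        if rec.baa_executed is None:
            findings.append((rec.vendor, "MISSING_BAA",
                             f"PHI shared since {rec.phi_sharing_started} with no signed BAA"))
            continue
        if rec.phi_sharing_started and rec.baa_executed > rec.phi_sharing_started:
            gap = (rec.baa_executed - rec.phi_sharing_started).days
            findings.append((rec.vendor, "BAA_AFTER_SHARING",
                             f"BAA signed {gap} days after PHI sharing began; "
                             "a retroactive BAA does not cure that period"))
        if rec.terminated is None:
            last = rec.last_reviewed or rec.baa_executed
            if (as_of - last).days > REVIEW_INTERVAL_DAYS:
                findings.append((rec.vendor, "REVIEW_OVERDUE",
                                 f"last reviewed {last}; annual review is due"))
    return findings


AS_OF = date(2026, 3, 21)  # constructed "today" for the sample run

SAMPLE_LOG = [  # constructed sample inventory
    BaaRecord("EHR vendor (sample)", "electronic health records",
              "clinical notes, demographics", True,
              date(2024, 1, 15), date(2024, 1, 10), date(2025, 6, 1)),
    BaaRecord("Consumer file-sync (sample)", "file storage",
              "scanned intake forms", True, date(2025, 2, 1), None, None),
    BaaRecord("Transcription contractor (sample)", "dictation transcription",
              "visit recordings", True, date(2024, 3, 1), date(2024, 5, 15), date(2024, 5, 15)),
    BaaRecord("Analytics vendor (sample)", "de-identified reporting", "", False,
              None, None, None),
    BaaRecord("Former billing company (sample)", "billing and collections",
              "claims data", True, date(2019, 4, 1), date(2019, 4, 1), date(2020, 4, 1),
              terminated=date(2020, 9, 30)),
]

if __name__ == "__main__":
    for vendor, code, detail in check_baa_log(SAMPLE_LOG, AS_OF):
        print(f"{code:18} {vendor}: {detail}")
    for rec in SAMPLE_LOG:
        print(f"retain until {retention_until(rec, AS_OF)}: {rec.vendor}")
```

Run as-is it reports the missing BAA for the file-sync service, the 75-day gap and the overdue review for the transcription contractor, and skips the de-identified-only analytics vendor; the terminated billing company's BAA must be kept until 30 September 2026, six years after termination.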

Tools That Include a BAA by Default

Not all software vendors offer BAAs, and those that do often require an enterprise plan or a separate request.

PHIGuard includes a signed BAA with every plan — Practice ($20/mo) and Clinic ($49/mo) — with no separate negotiation. BAA coverage is not an upsell; it is a baseline requirement for a HIPAA-native tool.

Google Workspace for Healthcare offers a BAA through their Google Workspace agreement, but only for the paid business tiers. Standard Gmail and consumer Google accounts do not qualify.

Microsoft 365 includes a BAA through the Microsoft Products and Services Data Protection Addendum, available to business subscribers.

Zoom for Healthcare offers a BAA; standard Zoom accounts do not include HIPAA-compliant settings by default.

If you use any software platform for scheduling, messaging, or task management in your practice, verify that a BAA is in place before routing any patient-related information through it. “But we don’t store PHI there” is not a reliable defense if patient names, appointment details, or callback notes appear in the platform.


DEFINITION

Business Associate Agreement (BAA)
A HIPAA-required contract between a covered entity and a business associate that defines permitted uses of PHI, requires safeguards, mandates breach reporting, and governs PHI destruction at contract termination.

DEFINITION

Business Associate
A person or entity that performs functions or services on behalf of a covered entity and, in doing so, creates, receives, maintains, or transmits protected health information.

DEFINITION

Subcontractor
Under HIPAA, a subcontractor is a person or entity to whom a business associate delegates functions involving PHI. Business associates must obtain BAAs from their subcontractors, just as covered entities must obtain BAAs from business associates.

Q&A

What must a HIPAA Business Associate Agreement include?

A compliant BAA must include: (1) a description of permitted uses and disclosures of PHI, (2) a prohibition on uses or disclosures not permitted by the agreement, (3) obligations to use appropriate safeguards, (4) requirements to report breaches and security incidents to the covered entity, (5) requirements to ensure subcontractors sign their own BAAs, (6) provisions for the covered entity to access and amend PHI, and (7) requirements to return or destroy PHI at contract termination. HHS publishes model language covering all seven elements at hhs.gov.

Q&A

Where can I find a free HIPAA BAA template?

HHS publishes model Business Associate Agreement provisions on the HHS website at hhs.gov/hipaa. The model language is not mandatory — you can adapt it — but it covers all required elements and serves as a reliable baseline. Sign up for PHIGuard to receive a formatted BAA template you can use with your vendors, along with a BAA tracking log.

Q&A

What are the most common HIPAA BAA mistakes?

The most common mistakes are: using a generic NDA instead of a true BAA, not updating BAAs when a vendor changes their terms of service, not having BAAs with cloud storage providers (Google Drive, Dropbox, etc.) that store files containing PHI, and failing to maintain a BAA log. A BAA log is essential because OCR audits often start with a request for your list of business associates and their signed agreements.

Want to learn more?

Does every vendor I use need a HIPAA BAA?

Any vendor that creates, receives, maintains, or transmits PHI on your behalf requires a BAA. This includes your EHR, billing company, cloud storage provider, IT support company with system access, and any software platform where patient information flows. Vendors that only process de-identified data or have no access to PHI do not require a BAA.

Can I use a vendor's BAA template instead of my own?

Yes. Many vendors — especially larger SaaS companies — provide their own BAA for you to sign. Accepting a vendor's BAA is fine as long as it covers all required HIPAA elements. Review it against the HHS model language before signing and retain a copy in your BAA log.

What happens if I use a vendor without a signed BAA?

Using a vendor that handles PHI without a BAA is itself a HIPAA violation, separate from any breach. OCR can fine covered entities for BAA failures even when no patient data was exposed. The fine can reach $50,000 per violation.

How long should I keep signed BAAs?

HIPAA requires covered entities to retain documentation of policies, procedures, and BAAs for six years from the date of creation or last effective date, whichever is later. Maintain a BAA log with vendor name, PHI types shared, agreement date, and expiration or termination date.
