HIPAA BAA Template

Download a clinic-side HIPAA BAA evaluation guide and negotiation checklist. Covers what to require from vendors, red flags in vendor-drafted agreements, and a BAA tracker for active relationships.

Short answer

A clinic-side guide to evaluating and negotiating Business Associate Agreements — including required provisions, red flags in vendor-drafted terms, and a tracker for your executed agreement inventory.

What is inside

A required-provisions checklist so you know whether a vendor's draft covers every §164.504(e)(2) element
A red-flag guide listing the clauses that shift risk unfairly onto your clinic — and what to push back on
A BAA tracker template: one row per vendor, with status, expiration, and subcontractor fields
Guidance on what 'HIPAA-compliant' vendor claims actually require in a signed agreement
A comparison of clinic-side versus vendor-side BAA drafting conventions

We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 23, 2026

Best next step: Open the matching product path

Verified: April 23, 2026

Sources

45 CFR §164.504(e) — Requirements for Business Associate Contracts | eCFR / HHS
Business Associates | HHS
Sample Business Associate Agreement Provisions | HHS
45 CFR §164.308(b) — Business Associate Contracts and Other Arrangements (Admin Safeguards) | eCFR / HHS
45 CFR §164.314(a) — Business Associate Contracts (Security Rule) | eCFR / HHS
45 CFR §164.410 — Notification by a Business Associate | eCFR / HHS

Download the PDF

A clinic-side BAA checklist and negotiation guide — so you know what to require before signing any vendor's agreement

Enter your email and we will send the PDF.

Questions

How is this different from the PHIGuard BA-side BAA template?

The existing PHIGuard BAA template (available at /resources/baa-template) is a full contract template drafted from the covered entity perspective, designed for clinics to present to vendors. This resource is a negotiation and evaluation guide for clinics reviewing a vendor's own BAA draft — covering what to require, what to reject, and how to track executed agreements.

Can I just accept a vendor's standard BAA without reviewing it?

Accepting a vendor's BAA without review is common and risky. Standard SaaS terms of service do not satisfy §164.504(e). Even vendor-provided HIPAA addenda frequently omit breach notification timelines, subcontractor flow-down provisions, or data return obligations. This guide walks you through each required element.

When does a BAA need to be re-executed?

Anytime the underlying services agreement materially changes, the vendor adds a subcontractor that will touch PHI, or the vendor is acquired. Build an annual review into your BAA tracker so agreements do not silently expire or go stale.

Do business associates need a BAA with their subcontractors?

Yes. Under 45 CFR §164.502(e)(2), business associates must obtain satisfactory assurances — in effect a BAA — from subcontractors that create, receive, maintain, or transmit PHI. Your BAA with the vendor should require them to flow down these obligations.