PRODUCT | March 1

Why You Should Use Business Associate Agreement Templates

BAAs are now an industry-standard document, required by HIPAA to maintain compliance on both sides of the agreement.

Accountable staff

Aside from covered entities, we talked at length about how HIPAA laws extend to all business associates – and subcontracted associates – involved with said covered entities. To put it simply: any organization or individual dealing with Protected Health Information (PHI) in a professional capacity must abide by HIPAA regulations.

As a covered entity that works within HIPAA guidelines on a daily basis, you might know what this entails. Your business associates – who likely work with companies from a variety of industries – may not be as informed when it comes to HIPAA laws.

For this reason, covered entities are required by law to create a business associate agreement (BAA) to be signed by both the entity and associate during any business transaction involving PHI. Additionally, covered entities and business associates are required to have subcontracted hires sign a BAA as well.

Of course, creating these documents from scratch is a time- and resource-consuming process. Accountable makes this process quick and easy by providing business associate agreement templates for covered entities and business associates to use when forging a new business relationship.

But before we dive into how using these templates can benefit your organization, let’s discuss why they’re necessary, and what they should include.

Why Business Associate Agreements are Mandatory

Above all else, business associate agreements are mandated by HIPAA in order to protect the private health information of all patients who attend a healthcare facility of any kind.

Failure to draft and sign a business associate agreement is, in fact, a violation of HIPAA in itself. Even if no other violation occurs throughout the course of a business relationship, if no BAA is in place, both the covered entity and business associate can face heavy fines, possibly up to $1.5 million.

Furthermore, even if no BAA is in place, both covered entities and business associates will be held accountable if additional violations occur.

In short, a BAA explains in clear detail the duties of a business associate in terms of handling PHI provided by the covered entity. It also informs business associates of their obligation to create similar documentation when contracting out to other organizations.

While the mere existence of a BAA won’t necessarily exonerate covered entities if their associate violates HIPAA on their own terms, such an agreement can add an extra layer of legal protection for covered entities.

Again, though: the onus is always on the covered entity to provide a clear and full explanation of how PHI is to be handled by both business associates and their subcontracted agents.

Now, let’s take a look at what a business associate agreement should include.

What Should a Business Associates’ Agreement Include?

A business associates’ agreement is a comprehensive document that covers all related HIPAA mandates regarding a business associate’s use of PHI when working with a covered entity.

All BAAs need to include – at the very least – the following information:

  • Definitions of how the business associate is to use PHI.
  • Definitions of safeguards and security measures the business associate must have in place.
  • Information regarding mandatory reporting of disclosure and security breaches, and the protocol for doing so.
  • Information regarding the business associate’s responsibility to mitigate or minimize damage caused by unwarranted disclosure or a security breach.
  • A clause informing the business associate of their responsibility to inform subcontractors of their obligation to comply with HIPAA and PHI laws.
  • An agreed-upon method for recording chain of custody of PHI. This includes reporting who is involved in the transfer, when the transfer occurred, how the data was transferred, and why the transfer was necessary.
  • A clause relating to transparency, stating the business associate must make internal records related to PHI available to the Secretary of the Department of Health and Human Services to determine and confirm the covered entity’s level of compliance.
  • A termination clause defining how PHI will either be destroyed or stored by the business associate if or when the professional relationship between the two parties ends.
  • Other contractual terms not necessarily related to HIPAA, such as severability.

Though each business associate agreement a covered entity creates will be unique to the specific business relationship at hand, each should include the information listed above.

Why You Should Use a BAA Template

Using a template to create business associates’ agreements benefits a covered entity in a few ways:

  • The template sets the standard for future BAAs.
  • The template ensures accuracy.
  • The template saves time, money, and other resources for the covered entity.

Let’s break down each of these benefits a little more to gain a better understanding of why you should be using them when forging relationships with business associates.

BAA Templates Set a Baseline for Future Documentation

As mentioned earlier, though each business associates’ agreement will be unique in some ways, they should all include similar baseline information regarding the professional relationship being created.

A BAA template builds a foundation to be used in every BAA a covered entity creates. From the general terms of all future agreements, to the specific language that each agreement should use, the template will include the basics – allowing the covered entity to focus on ironing out the unique terms of each individual agreement.

A flexible template ultimately requires the covered entity to have a foundational understanding of HIPAA laws, but also provides assistance to these entities as they adjust each agreement they create.

BAA Templates Ensure Accuracy

The organizations that create business associates’ agreement templates have a thorough understanding of current HIPAA laws and protocols.

To create the templates offered at Accountable, we’ve worked with a law firm that specializes in guiding covered entities and their business associates through the process of maintaining HIPAA compliance.

By consulting with the firm while creating our templates, we ensure our documents are up-to-date and meet the current standards of HIPAA rules and regulations.

BAA templates also reflect fairness when it comes to the shared burden of responsibility between a covered entity and a business associate. Though both parties share a large amount of responsibility when it comes to PHI, BAA templates help determine situations in which either the covered entity or business associate is solely responsible, as well.

When it comes to creating a business associates’ agreement, accuracy is essential to maintaining HIPAA compliance. BAA templates created by vetted organizations can ensure such agreements hold covered entities and their business associates accountable for the duties they are bound by law to perform.

BAA Templates Save Time, Money, and Resources

Without a template to help covered entities create their business associates’ agreements, they’d be left with two options:

  • Draw up each BAA they need on their own.
  • Hire an attorney to draw up a new BAA for each business relationship.

Creating a business associates’ agreement from scratch would require a covered entity to invest a large amount of time and resources into the process. Not only that, but the covered entity would run the risk of overlooking or omitting essential information from the agreement, potentially leading to a number of violations down the line.

Hiring an attorney to create a new business associates’ agreement – or to at least look over one that was created in-house – will cost a covered entity thousands of dollars every time they forge a new business relationship.

By choosing to use a template, covered entities are able to draft accurate BAAs with relative ease – and save thousands in the process.


Along with saving time and money upfront, using a BAA template will ensure your organization remains compliant throughout the many business relationships you’ll accrue over time.

Above all else, you’ll ensure the information your patients provide you – as well as the information you discover while working with them – remains secure at all times.

Not only will this keep you free of HIPAA-related violations, but it will also go a long way toward making your clientele feel safe when working with your organization.

Ensure your organization has covered all the bases when it comes to HIPAA compliance. Check out Accountable’s free business associates’ agreement templates the next time you begin working with a third-party organization.