HIPAA Business Associate Agreement
Contract required between a HIPAA-covered entity and a business associate that will create, receive, maintain, or transmit protected health information (PHI).
Instructions
Include required provisions under 45 CFR 164.504(e): permitted and required uses of PHI, safeguards the business associate must implement, breach notification obligations, return or destruction of PHI upon termination, and subcontractor requirements. Both parties must sign. Review and update agreements when business relationships change. Failure to have a business associate agreement (BAA) in place is itself a HIPAA violation.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.