
The HIPAA Business Associate Agreement template every practice needs.

A plain-English business associate agreement (BAA) covering all eight elements required by 45 CFR 164.504(e) — drafted to fill in and sign. For covered entities putting BAAs in place with their IT, cloud, billing, and other vendors, and for business associates that need one ready to offer.

What's inside

Nine sections — every element 164.504(e) requires.

Each section uses plain-English language you can adapt, fill-in-the-blank party and date fields, and a signature block. Built to be the starting point your attorney reviews — not a substitute for that review.

  1. Definitions (PHI, ePHI, the parties)
  2. Permitted Uses & Disclosures of PHI
  3. Required Safeguards & Security Rule Compliance
  4. Reporting of Incidents & Breaches
  5. Subcontractor Flow-Down
  6. Support for Individual Rights
  7. Availability of Records to HHS
  8. Return or Destruction at Termination
  9. Term, Termination & Signature Block

Free download — drop your work email

We'll unlock the template immediately and add you to our dealership-security list (unsubscribe any time).

By submitting, you agree to our Privacy Policy. We don't sell or share your information.

The template is a printable web document. Use your browser's Print → Save as PDF to keep an offline copy.

Why this matters

OCR asks for the signed document. Either you have it, or you don't.

No BAA is a violation by itself

Sharing PHI with a vendor that hasn't signed a BAA is a HIPAA violation independent of any breach. OCR has issued multi-million-dollar settlements where a missing or inadequate BAA was the central failure.

Insurers and OCR both ask

A current BAA on file is one of the first things a cyber-insurance questionnaire and an OCR investigator request. "We think we have one" isn't an answer — the signed document is.

Most templates miss elements

A bare one-page template often omits breach-notification timelines or subcontractor flow-down. This sample is built around all eight elements 45 CFR 164.504(e) actually requires.

Already have vendors to vet? Pair this with the BAA checklist & vendor tracker to verify each agreement and keep a current BAA on file for every business associate.

A BAA is one line in a bigger programme.

The agreement commits your vendor to safeguards. Kapacyber runs the ones you're on the hook for — documented risk analysis, MFA on the EHR, encryption, the vendor inventory behind your BAAs, and monthly reporting. Start with a free HIPAA-readiness assessment.