Free HIPAA Business Associate Agreement Template (2018)

A HIPAA Business Associate Agreement (BAA) is a legally binding contract between a covered entity (a healthcare provider, health plan, or healthcare clearinghouse) and a business associate, that is, any person or organization that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity's behalf. HIPAA requires the agreement to be in place before PHI is shared, and it sets out the business associate's obligations to protect the confidentiality, integrity, and availability of that PHI and to use or disclose it only as the agreement permits.

Key Considerations for a Professional BAA Template

  • Scope of Work: Clearly define the services the business associate will provide, the PHI it will create, receive, maintain, or transmit in doing so, and any limitations on its use and disclosure of that PHI. A BAA cannot authorize the business associate to use or disclose PHI in a way the covered entity itself could not.

  • Data Security Requirements: Require safeguards that protect PHI from unauthorized access, use, disclosure, disruption, modification, or destruction. For electronic PHI these are the HIPAA Security Rule's administrative, physical, and technical safeguards, and the BAA should make the business associate directly responsible for them:

    • Physical Safeguards:

      • Limit physical access to facilities and locations where PHI is stored.
      • Protect workstations and devices that hold PHI against unauthorized access and use.
      • Protect paper records containing PHI against unauthorized access and use.

    • Technical Safeguards:

      • Access controls that restrict PHI to authorized individuals, with unique user identification so that every action can be attributed to a person.
      • Encryption of PHI in transit and at rest. Encryption is an "addressable" specification under the Security Rule rather than a strict mandate, but PHI encrypted in line with HHS guidance is not "unsecured PHI", so its loss or theft does not trigger breach notification. That safe harbor alone justifies requiring it in the BAA.
      • Audit trails that record who accessed PHI, when, and what they did with it, retained long enough to support an incident investigation.

    • Administrative Safeguards:

      • Conduct periodic risk analyses to identify threats to PHI and address the risks found.
      • Maintain written policies and procedures governing the use and disclosure of PHI.
      • Train workforce members on HIPAA privacy and security requirements and apply sanctions to those who violate them.

  • Data Use and Disclosure Restrictions:

    • Limit the use and disclosure of PHI to the minimum necessary to accomplish the agreed-upon purpose.
    • Prohibit the use or disclosure of PHI for any purpose other than as permitted by the BAA or required by law.
    • Require the business associate to obtain the covered entity's prior written approval, or a valid authorization from the individual, before any use or disclosure of PHI beyond the permitted purposes.

  • Subcontractor Management: Under the HIPAA Omnibus Rule, a subcontractor that creates, receives, maintains, or transmits PHI on the business associate's behalf is itself a business associate. The BAA should therefore require the business associate to obtain a written agreement from each such subcontractor that imposes the same restrictions, conditions, and safeguards that apply to the business associate, and to remain responsible for the subcontractor's compliance.

  • Breach and Incident Notification:

    • Require the business associate to report to the covered entity any use or disclosure of PHI not permitted by the BAA, any security incident, and any breach of unsecured PHI. HIPAA requires a business associate to report a breach without unreasonable delay and no later than 60 calendar days after discovery; BAAs commonly set a much shorter deadline so the covered entity can meet its own notification obligations to affected individuals, HHS, and, where applicable, the media.
    • Specify what the report must contain (the individuals affected, the PHI involved, and the steps taken to mitigate harm) and require the business associate to cooperate with the covered entity in investigating and responding to the incident.

  • Term and Termination:

    • Specify the term of the agreement, including any renewal options.
    • Allow the covered entity to terminate the agreement if the business associate violates a material term, and outline any other circumstances under which either party may terminate.
    • Provide for the return or destruction of all PHI upon termination, including PHI held by subcontractors. Where return or destruction is not feasible, the business associate must extend the BAA's protections to that PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.

  • Audit and Inspection Rights:

    • Grant the covered entity the right to audit the business associate's compliance with the terms of the BAA, including review of its policies, risk analyses, and access logs.
    • Allow the covered entity to conduct on-site inspections of the business associate's facilities and operations, and require the business associate to make its internal practices, books, and records available to HHS for the purpose of determining compliance.

  • Indemnification and Liability:

    • Address each party's indemnification obligations in the event of a HIPAA violation.
    • Determine the allocation of liability for damages resulting from a HIPAA violation, including the cost of breach notification and any civil penalties.

Design Elements for a Professional BAA Template

  • Clear and Concise Language: Use plain language that is easy to understand and avoid unnecessary legal jargon, while keeping the required provisions in wording that tracks the HIPAA regulations so that their meaning is not in doubt.

  • Professional Formatting: Use a clean and professional font, such as Arial, Times New Roman, or Calibri.
  • Consistent Formatting: Maintain consistent formatting throughout the document, including headings, subheadings, and bullet points.
  • White Space: Use white space effectively to improve readability and make the document visually appealing.
  • Logical Flow: Organize the information in a logical and easy-to-follow manner.
  • Letterhead and Logos: Use professional letterhead and include the logos of both the covered entity and the business associate at the top of the agreement.

Conclusion

A well-drafted HIPAA BAA is essential for protecting the privacy and security of PHI. By addressing the key elements outlined above and following sound design and formatting practices, covered entities and business associates can create a professional and effective BAA that meets their specific needs, complies with HIPAA requirements, and supports a strong and collaborative business relationship.