Compliance Foundations

Business Associate Agreement Template (2026) + Counterparty Tracker

10 min read · Last reviewed May 23, 2026

A HIPAA Business Associate Agreement (BAA) is a contract required by 45 CFR § 164.504(e) any time a covered entity discloses PHI to a vendor for a function on its behalf. Every BAA must include ten specific clauses: permitted uses, prohibition on further disclosure, safeguards, breach reporting, subcontractor flow-down, individual access support, accounting of disclosures support, compliance with the covered entity's Privacy Rule obligations when the BA carries them out (per 45 CFR § 164.504(e)(2)(ii)(I)), internal-practices availability to HHS, and return-or-destruction at termination.

What auditors actually want

OCR Resolution Agreements through 2025 cite three BAA defects repeatedly: BAA missing entirely, BAA executed with the wrong legal entity (parent vs. operating subsidiary), and BAA that contains the section heads but is silent on breach notification timeline or subcontractor flow-down. Raleigh Orthopaedic ($750,000) involved a missing BAA with an imaging vendor; North Memorial Health ($1.55M) involved a missing BAA with a contractor at an off-site location.

In our analysis of 400+ d3rx client binders, the most common defect is not the BAA text itself — vendor templates are usually adequate. The defect is the counterparty tracker. Practices have BAAs in a folder but cannot answer: how many vendors process PHI, who has a current BAA, when does each expire, who is the subcontractor downstream, and which vendor saw the last breach notice.

The required entities to name in a credible BAA discussion: HHS Office for Civil Rights (OCR), the 45 CFR Part 164 Subpart E Privacy Rule, the Omnibus Final Rule (78 Fed. Reg. 5566, January 25, 2013) which extended direct liability to business associates, the HHS Sample BAA Provisions, and the breach notification rule at 45 CFR § 164.410.

The template — section by section

The BAA below is a 2026 version of HHS's sample provisions, tightened for clauses OCR enforcement most often cites. Use it as a starting point and have the practice's counsel review before signing.

Required clauses with sample language

``` BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("Agreement") is entered into between [Covered Entity legal name] ("Covered Entity") and [Business Associate legal name] ("Business Associate"), effective [Date].

  1. DEFINITIONS

Terms used but not defined have the meaning set forth in 45 CFR Parts 160 and 164.

  1. PERMITTED USES AND DISCLOSURES — 45 CFR § 164.504(e)(2)(i)

Business Associate may use and disclose PHI only as necessary to perform the services set forth in the underlying Service Agreement, as Required by Law, and as permitted by 45 CFR § 164.504(e)(4) for management, administration, or data aggregation services to Covered Entity.

  1. SAFEGUARDS — 45 CFR § 164.504(e)(2)(ii)(B), 164.308, 164.310, 164.312

Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity, in accordance with the HIPAA Security Rule.

  1. REPORTING — 45 CFR § 164.504(e)(2)(ii)(C), 164.410

Business Associate will report to Covered Entity: (a) Any use or disclosure of PHI not permitted by this Agreement. (b) Any Security Incident as defined in 45 CFR § 164.304. (c) Any Breach of Unsecured PHI as defined in 45 CFR § 164.402. Reports will be made without unreasonable delay and in no case later than [10] calendar days after Business Associate's discovery.

  1. SUBCONTRACTOR FLOW-DOWN — 45 CFR § 164.504(e)(2)(ii)(D)

Business Associate will ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to the same restrictions, conditions, and requirements applied to Business Associate under this Agreement.

  1. INDIVIDUAL ACCESS — 45 CFR § 164.504(e)(2)(ii)(E), 164.524

Business Associate will, within [15] days of Covered Entity's request, make available PHI in a Designated Record Set so that Covered Entity can meet its access obligations.

  1. AMENDMENT — 45 CFR § 164.504(e)(2)(ii)(F), 164.526

Business Associate will incorporate amendments to PHI as directed by Covered Entity, in accordance with 45 CFR § 164.526.

  1. ACCOUNTING — 45 CFR § 164.504(e)(2)(ii)(G), 164.528

Business Associate will track disclosures of PHI required for an accounting under 45 CFR § 164.528 and provide the information to Covered Entity within [30] days of request.

  1. ACCESS TO INTERNAL PRACTICES — 45 CFR § 164.504(e)(2)(ii)(H)

Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance.

  1. COMPLIANCE WITH COVERED ENTITY'S PRIVACY RULE OBLIGATIONS —

45 CFR § 164.504(e)(2)(ii)(I) To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164 (the Privacy Rule), Business Associate will comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).

  1. RETURN OR DESTRUCTION AT TERMINATION — 45 CFR § 164.504(e)(2)(ii)(J)

At termination, Business Associate will return or destroy all PHI received from Covered Entity or created on its behalf, and will retain no copies. If return or destruction is infeasible, Business Associate will extend the protections of this Agreement to the information and limit further uses and disclosures.

  1. TERMINATION FOR CAUSE — 45 CFR § 164.504(e)(2)(iii)

Covered Entity may terminate this Agreement upon Business Associate's material breach of any term, with a cure period of [30] days or immediate termination if cure is not feasible.

  1. GOVERNING LAW

This Agreement is governed by the law of [State], without regard to its conflict-of-law principles.

Signed: [Covered Entity signatory, title, date] [Business Associate signatory, title, date] ```

Field choices worth defending

  • Breach reporting window: 10 calendar days is tight but standard. The Privacy Rule allows up to 60 days for the covered entity to notify the individual under § 164.404; the BAA should give the covered entity time to investigate and notify, so a 10-day BA-to-CE window is appropriate. 30 days is too generous if the covered entity has 60 days total.
  • Individual access turnaround: 15 days lines up with the Privacy Rule's 30-day total access window at § 164.524, leaving the covered entity 15 days to assemble the response.
  • Accounting turnaround: 30 days for the BA buys the covered entity room inside HIPAA's overall 60-day accounting deadline under 45 CFR § 164.528(c)(1) (which allows one 30-day extension on top of the initial 60 days). It is a buffer, not a mirror.
  • Cure period: 30 days is standard. Immediate termination must remain available for un-curable breaches.
Scenario · Vendor risk

What would you do?

Your EHR vendor announces a new third-party integration: an AI scribe that listens to the visit, drafts a SOAP note, and writes it back into the EHR. The vendor's sales rep says 'we are HIPAA compliant, no BAA needed because we don't store PHI.'

You are about to enable the integration for the clinic.

Operational self-diagnosis tool. Not legal advice, not a credential of any kind, not a substitute for counsel. The practice remains responsible for the decision it actually makes.

How to use this template

Step 1: Identify every business associate. Walk every vendor invoice for the last 12 months and every login screen on every workstation. Any vendor that creates, receives, maintains, or transmits PHI on the practice's behalf is a BA. Cross-check against the BAA vendor list for typical small-practice categories.

Step 2: Use the vendor's BAA when offered. Large vendors (EHRs, cloud providers, RCM firms) publish their own BAAs. Read them against the ten required clauses above; they are usually adequate but occasionally narrow the reporting window, remove the subcontractor flow-down, or omit the § 164.504(e)(2)(ii)(I) Privacy-Rule-obligation clause.

Step 3: Where no vendor BAA is offered, send the template above. Have the practice's counsel review the BAA the first time you adopt it and again any time you customize it.

Step 4: Track every executed BAA in the counterparty tracker below. The agreement is only useful if the practice can find it on demand.

The counterparty tracker

| Vendor (legal entity) | Service category | PHI types accessed | BAA executed (date) | BAA renewal | Subcontractors named | Last breach report | Status | |---|---|---|---|---|---|---|---| | EHR Vendor Inc. | EHR | dx, rx, labs, demographics | 2024-04-12 | Auto-renew | Cloud hosting (AWS BAA flow-down) | — | Current | | Email Vendor LLC | Email | dx, demographics | 2023-11-08 | Auto-renew | — | — | Current | | RCM Partner Corp | Billing | claims, demographics | 2025-02-20 | 2027-02-20 | Subcontractor list filed | 2025-08 incident report | Current | | Lab Interface Co. | Lab orders/results | labs, dx | 2024-09-15 | 2026-09-15 | — | — | Renewal due soon | | Transcription Services | Encounter notes | dx, treatment | 2022-06-10 | Expired | Unknown | — | EXPIRED — escalate | | IT MSP | Managed IT | full system access | 2025-01-05 | 2028-01-05 | Backup vendor (flow-down on file) | — | Current |

Required columns for an audit-ready tracker: legal entity name (not d/b/a), the underlying service that triggers the BAA, the categories of PHI accessed, the BAA execution date, the renewal/term date, named subcontractors, the most recent breach or incident report from the vendor, and a status flag.

What goes wrong

The recurring defects in d3rx's review:

  1. Wrong legal entity. The BAA is signed with "EHR Vendor Inc." but invoices come from "EHR Vendor Operations LLC," a subsidiary. The OCR enforcement record treats this as no BAA on file.
  2. No renewal tracking. The original BAA was executed five years ago, the vendor has since restructured, no renewal or amendment is on file.
  3. Subcontractor flow-down silent. The BAA includes section 5 but the practice has no record of which subcontractors the vendor uses. When the subcontractor causes a breach, the chain breaks.
  4. Breach reporting window too long. A 60-day BA-to-CE window leaves the covered entity zero days to investigate and notify.
  5. No central tracker. The BAAs exist as PDFs in different mailboxes and shared drives. On audit day, the practice cannot produce the list.

Maintenance cadence

  • At onboarding (every new vendor): execute BAA before the vendor receives any PHI. File in the binder.
  • Monthly: review the tracker for expirations within 90 days. Escalate.
  • Annually: confirm subcontractor list with each major vendor. Re-execute BAA on any vendor restructure, name change, or merger.
  • On breach: file the BA's breach notice in the tracker against the vendor row.
  • At termination: capture the return-or-destruction certification and file with the expired BAA. Retain for at least six years (longer for CA, TX state retention).

State preemption note: California's CMIA, Texas HB 300, and New York SHIELD impose additional contractual and notification obligations that may modify the standard BAA. The BAA is the floor; state-specific addenda may be needed for practices in those jurisdictions.

How d3rx fits

The d3rx compliance binder prompts on every new vendor to capture the BAA, files the dated executed copy, and tracks renewal dates and subcontractor flow-down in the counterparty tracker. It is an administrative documentation aid, not a substitute for counsel review of the BAA text. The practice remains responsible for negotiating BAA terms and for the underlying vendor relationships.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversBusiness Associate Agreement Template (2026) + Counterparty Tracker. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

Do I need a BAA with my commercial cleaning service if they clean after hours?

Generally no, if the cleaning service has no access to PHI as part of its function. The HHS conduit exception and the OCR commentary to the Omnibus Rule treat cleaning crews, janitorial staff, electricians, and pest control as not business associates — they may incidentally see PHI but do not handle it as part of the service. Lock charts, lock workstations, and document the access policy in your physical safeguards instead. A BAA only becomes necessary if the cleaner is also doing record shredding or any function that involves handling PHI.

Do I need a BAA with my EHR vendor? They told me their software is HIPAA compliant.

Yes, every EHR vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate and must have a BAA on file. 'HIPAA compliant software' is a marketing claim about the product, not a contractual transfer of liability. The BAA is the legally required contract under [45 CFR § 164.504(e)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504). If your EHR vendor will not sign one, change vendors.

Is a BAA required with another covered entity I refer patients to?

Generally no. Disclosures between covered entities for treatment, payment, or health care operations are permitted without a BAA under the Privacy Rule, and participating with another covered entity in an organized health care arrangement (OHCA) is not itself a business-associate relationship. A BAA is required only when one party performs a business-associate function for another (e.g., claims processing, data analysis, or another service involving PHI on behalf of the covered entity) under [45 CFR § 164.504(e)](https://www.ecfr.gov/current/title-45/part-164/section-164.504). When in doubt, document the relationship and the permitted disclosure basis in the binder.

What happens if the vendor refuses to sign and I send PHI anyway?

The covered entity is in violation of [45 CFR § 164.502(e)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502). OCR enforcement history includes settlements against covered entities specifically for missing BAAs — Raleigh Orthopaedic ($750,000), Care New England ($400,000), and North Memorial Health ($1.55M) all cited absent or deficient BAAs as a primary enforcement basis. Either get the vendor to sign, change vendors, or implement compensating controls that fully remove the vendor's PHI access.

How long do I need to keep an expired BAA on file?

At least six years from the date of expiration or termination, per [45 CFR § 164.530(j)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530). Some state laws require longer — California's CMIA-related retention rules and Texas medical record retention rules can push this to 7-10 years. File the executed BAA, every amendment, the termination notice, and any return-or-destruction certification together.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR § 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504
  2. 45 CFR Part 164 Subpart E Privacy Rulehttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E
  3. HHS Sample BAA Provisionshttps://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
  4. 45 CFR § 164.410https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.410
  5. 45 CFR § 164.528(c)(1)https://www.ecfr.gov/current/title-45/part-164/section-164.528

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.