Business Associate Agreement (BAA) Template

Required BAAs

You must obtain BAAs from all vendors that handle PHI:

Cloud Provider BAAs
BAA Template

Required Vendors:

✅ Google Cloud Platform - BAA available
✅ Amazon Web Services (AWS) - BAA available
✅ Microsoft Azure - BAA available

LLM Provider BAAs:

✅ Anthropic (Claude) - BAA available for Enterprise
✅ Google (Gemini via Vertex AI) - Covered under GCP BAA
⚠️ OpenAI - No BAA available (do not use for PHI)
⚠️ AWS Bedrock - BAA available (verify model-specific coverage)

# Business Associate Agreement (BAA) Template

This Business Associate Agreement ("Agreement") is entered into as of [DATE]
by and between:

**Covered Entity**: [Healthcare Organization Name]
**Business Associate**: [Vendor Name]

## 1. Definitions

Terms used, but not otherwise defined, shall have the same meaning as those
terms in HIPAA and the HIPAA Regulations.

## 2. Obligations and Activities of Business Associate

Business Associate agrees to:

a) Not use or disclose PHI other than as permitted by this Agreement or as
   required by law;

b) Use appropriate safeguards to prevent use or disclosure of PHI other than
   as provided for by this Agreement;

c) Implement administrative, physical, and technical safeguards that reasonably
   and appropriately protect the confidentiality, integrity, and availability
   of ePHI;

d) Report to Covered Entity any use or disclosure of PHI not provided for by
   this Agreement within 24 hours of discovery;

e) Ensure that any subcontractors that create, receive, maintain, or transmit
   PHI on behalf of Business Associate agree to the same restrictions;

f) Make PHI available to individuals in accordance with 45 CFR § 164.524;

g) Make PHI available to the Secretary of HHS for purposes of determining
   Covered Entity's compliance with HIPAA;

h) Return or destroy all PHI upon termination of this Agreement;

i) Maintain and make available audit logs for a minimum of seven (7) years.

## 3. Permitted Uses and Disclosures

Business Associate may use or disclose PHI to perform functions, activities,
or services for, or on behalf of, Covered Entity as specified in the Services
Agreement.

## 4. Term and Termination

**Term**: This Agreement shall become effective on [DATE] and shall terminate
on [DATE] or upon termination of the Services Agreement.

**Termination for Cause**: Covered Entity may immediately terminate this
Agreement if Business Associate violates a material term of this Agreement.

## 5. Breach Notification

Business Associate shall notify Covered Entity within 24 hours of discovery
of any breach of unsecured PHI.

---

Covered Entity: ________________________   Date: __________

Business Associate: ____________________   Date: __________

Next Steps

Technical Safeguards

Implement required security measures

Compliance Checklist

Verify BAA requirements

Back to Overview

Return to HIPAA overview

GDPR Compliance

HIPAA Compliance

SOC 2 Compliance

Business Associate Agreement (BAA) Template

Business Associate Agreement (BAA) Template

Required BAAs

Next Steps

Technical Safeguards

Compliance Checklist

Back to Overview

GDPR Compliance

HIPAA Compliance

SOC 2 Compliance

Documentation Index

​Business Associate Agreement (BAA) Template

​Required BAAs

​Next Steps

Technical Safeguards

Compliance Checklist

Back to Overview

Business Associate Agreement (BAA) Template

Required BAAs

Next Steps