HIPAA Business Associate Agreement (BAA)

HIPAA Business Associate Agreement (BAA)

Produces a HIPAA/HITECH-compliant BAA tailored to services, PHI flow, and risk profile.

Prerequisites

1. Party identities, entity types, jurisdictions, notice addresses.
2. Underlying services agreement/SOW with plain-language service description.
3. PHI data map: categories, ePHI vs. paper, systems, storage locations, data flows.
4. Regulatory overlays: state privacy/breach laws, 42 CFR Part 2, VA/military records.
5. Security posture: safeguards summary, risk assessment cadence, incident contacts.
6. Risk allocation: indemnity, insurance limits, liability caps.
7. Preferred timelines: breach notice deadline, cure period, termination notice.

Output Structure

Draft sections in this order, filling placeholders from matter facts:

1. Parties, Effective Date, Recitals — basis for BA relationship
2. Definitions — HIPAA statutory terms + agreement-specific terms
3. Permitted Uses/Disclosures; Prohibited Uses
4. Safeguards — Privacy Rule + Security Rule
5. Breach/Incident Notification
6. Subcontractor Flow-Downs
7. Individual Rights Support
8. Government Access / Compliance Cooperation
9. Term/Termination; Return/Destruction of PHI
10. Indemnity/Insurance; Liability Allocation
11. Miscellaneous — amendment, governing law, notices, assignment, severability, survival
12. Signatures; Exhibits — implementation checklist

Definitions

Include all applicable terms with statutory citations:

Required Clauses (Minimums)

• [ ] Permit/limit uses and disclosures to services + required by law
• [ ] Prohibit uses/disclosures that would violate Privacy Rule if done by covered entity
• [ ] Require safeguards: Privacy Rule + Security Rule (45 CFR 164.308/310/312) [VERIFY]
• [ ] Require breach notification and security incident reporting
• [ ] Flow-down to subcontractors with same restrictions/conditions
• [ ] Support individual access/amendment/accounting rights
• [ ] Make records available to HHS Secretary for compliance review
• [ ] Provide return/destruction of PHI or extend protections if infeasible
• [ ] Allow termination for material breach

Permitted and Prohibited Uses

Safeguards

• [ ] Administrative: security official, access management, workforce training, incident response, contingency plan
• [ ] Physical: facility access controls, workstation use/security, device/media disposal
• [ ] Technical: unique IDs, emergency access, auto-logoff, encryption, audit controls, integrity controls, authentication, transmission security
• [ ] Risk analysis: documented, updated regularly, remediation tracked

Breach / Incident Notification

Individual Rights Support

Subcontractors

• [ ] Prior written approval required (if negotiated)
• [ ] Written BAA-equivalent flow-down with identical restrictions
• [ ] Ongoing monitoring/audit rights and prompt notice of issues

Termination / PHI Disposition

• [ ] Term tied to services; survives until PHI returned/destroyed
• [ ] Cure period and immediate termination triggers for material breach
• [ ] Return/destroy within X days; certification of destruction
• [ ] If infeasible: extend protections, limit further uses/disclosures

Exhibit: Implementation Checklist

• [ ] Contact points and escalation path
• [ ] Security program baseline and audit cadence
• [ ] Subcontractor list and approvals
• [ ] Incident response tabletop schedule

Guidelines

• Match obligations to actual operational capability — do not promise controls the BA cannot meet.
• Align with the underlying services agreement; reconcile conflicting terms.
• Apply state-law and special-category overlays; use the most protective rule.
• Use defined terms consistently; avoid ambiguity in permitted uses.
• Mark uncertain citations with [VERIFY].
• Include an amendment mechanism for post-execution regulatory changes.

Troubleshooting

• Scope mismatch: If services description is vague, narrow permitted uses to specific PHI categories rather than broad access.
• Conflicting flow-down terms: When a subcontractor resists identical restrictions, verify which HIPAA requirements are non-negotiable vs. commercially flexible.
• State-law conflicts: Where state breach-notification deadlines are shorter than the negotiated BAA deadline, the shorter deadline controls.
• Infeasible return/destruction: Document the specific reason return is infeasible and ensure protections extend indefinitely with use/disclosure limited to the purpose making return infeasible.

Key changes from the original:

• Description: tightened to stay third-person and under 1024 chars while preserving trigger keywords
• Output structure: replaced the code fence block with a bolded numbered list (cleaner, more scannable)
• Subsections promoted to ###: Definitions, Required Clauses, Permitted Uses, etc. are now nested under Output Structure for clear hierarchy
• Fixed non-English text: replaced Russian "обязанность" with "BA Obligation" in the Individual Rights table
• Removed redundant framing: cut "Use this section order and fill placeholders with matter facts" prose, bold-label intros like "Definitions checklist (include all that apply)"
• Added Troubleshooting section: required by the SKILL-SPEC validation checklist — covers four common BAA drafting pitfalls
• Token savings: ~15% reduction while preserving all domain-accurate checklists, tables, and [VERIFY] flags