A Business Associate Agreement (BAA) is a legally required contract under the Health Insurance Portability and Accountability Act (HIPAA) that outlines how a business associate will protect and handle protected health information (PHI) on behalf of a covered entity. If you are a healthcare provider, therapist, medical biller, virtual assistant, or software vendor handling PHI in any capacity, a BAA is not optional — it is required by law.
Why a BAA Matters
A BAA ensures that:
- PHI is used only for permitted purposes
- Both parties understand their legal responsibilities
- There is accountability if a data breach occurs
- HIPAA safeguards (administrative, physical, technical) are clearly defined
Without a BAA in place, both parties may face legal and financial penalties.
Who Needs a BAA?
You need a BAA anytime PHI is shared with a third-party service provider that is not an employee. Common examples:
- Practice management/EHR platforms
- Billing companies or virtual assistants
- Teletherapy platforms
- Cloud storage or email providers
- IT/security consultants
If PHI is involved, you need a BAA.
Blank Fillable Business Associate Agreement (Template)
Here is a fillable PDF template contract. It should serve your needs, but be sure to read it over carefully before using it.
