SKU-203 · BUSINESS ASSOCIATE AGREEMENT · 45 CFR §164.504(e) · 2026 EDITION
SKU-203 · BAA Template

Every vendor that touches PHI needs this on file.

An attorney-developed Business Associate Agreement, drafted from the Covered Entity's side and aligned with 45 CFR §164.504(e). Quick-Start Guide, plain-English FAQ, and an execution-ready template — fillable .docx, ready in five minutes.

Investment: $29 · one-time · yours forever

Attorney-developed · Fillable .docx · Instant download

Template preview · Lifeline Compliance · Business Associate Agreement · 45 CFR §164.504(e) · Attorney-developed template

Parties: “This Agreement is entered into as of EFFECTIVE DATE, by and between COVERED ENTITY NAME and BUSINESS ASSOCIATE NAME.”

Section 1 · Description of Services · Section 2 · Obligations of the Business Associate · Covered Entity and Business Associate authorized signature blocks · 45 CFR §164.504(e) aligned
A reframe

There is no such thing as “we'll get a BAA later.” The day a vendor first touches PHI without one, you are already in violation — regardless of how long the relationship has existed, or how trustworthy the vendor is.

45 CFR §164.502(e) · Operating without an executed BAA is a HIPAA violation

What's inside

Three documents in one. Drafted to walk you through it.

A standalone BAA isn't just the agreement. It's everything you need to identify when one applies, complete it correctly, and sign it without a billable hour.

01 · GUIDE

Quick-Start Guide

Plain-English · ~3 pages

When a BAA is required, who counts as a Business Associate, and a step-by-step checklist for completing the template correctly the first time.

  • Who is — and isn't — a Business Associate
  • Six-step completion walkthrough
  • Retention & annual review rules

02 · FAQ

Frequently Asked Questions

10 questions · plain answers

The questions practice managers actually ask — answered without legalese. The vendor refusal scenario, multi-vendor BAAs, the 2026 Security Rule changes, 42 CFR Part 2.

  • “We've worked together for years without one.”
  • “My vendor wants to use their own BAA.”
  • “What changes with HIPAA in 2026?”

03 · TEMPLATE

Business Associate Agreement

Execution-ready · fillable .docx

The full agreement — six numbered sections, every required HIPAA provision, signature pages. Bracketed fields highlight everything you need to fill in.

  • Drafted from the Covered Entity's side
  • Aligned with proposed 2026 Security Rule
  • 42 CFR Part 2 language for SUD records

When you need one

If a vendor touches PHI to do their job, you need a BAA on file.

Not just for tech vendors. The list of who counts is broader than most practices realize — and the rule applies retroactively the moment they first received PHI on your behalf.

01 · Medical billing companies

Claims submission, payment posting, and any third-party RCM service that processes patient encounters.

02 · EHR & practice management

Cloud-based EHRs, scheduling tools, patient-portal vendors, and any SaaS where charts live.

03 · IT support & MSPs

Anyone with credentialed access to systems containing PHI — even if they never look at a patient record.

04 · Medical transcription

Outsourced transcription, scribe services, and AI dictation vendors processing dictated notes.

05 · Document destruction

Shredding companies and any vendor disposing of records, hard drives, or storage media.

06 · Collection agencies

Any third party pursuing patient balances on your behalf using identifiable account information.

07 · Outside attorneys

Counsel reviewing patient records for litigation, malpractice, or compliance matters — yes, including yours.

08 · Cloud storage & backup

Anywhere PHI lives outside your servers — including general-purpose cloud drives used to store patient files.

Not required for incidental contact. Banks processing payments and couriers delivering sealed packages don't need a BAA. When in doubt, sign one — the cost of an extra BAA is zero, the cost of a missing one is everything.

Without this on file

A missing BAA isn't a paperwork problem. It's a violation that compounds.

01 · Every disclosure becomes an unauthorized disclosure

Without an executed BAA, every transfer of PHI to that vendor — past, present, future — is a HIPAA violation. The relationship's age and the vendor's reputation don't matter to OCR. The signed agreement does.

45 CFR §164.502(e)(1)

02 · You cannot backdate to fix it

When you finally execute the BAA, it dates from today — not from when the vendor first received PHI. The gap is documented in your own records, and it's the first thing OCR will look at if a breach surfaces the relationship.

OCR enforcement guidance · BA contracting

03 · You inherit the vendor's incident

If the vendor breaches and there's no BAA, you cannot point to contractual safeguards or a defined breach-notification process. You become the responsible party in a way that having a signed agreement specifically prevents.

45 CFR §164.410 · BA breach reporting

04 · Penalties scale to “willful neglect”

OCR penalty tiers turn on knowledge and intent. Sharing PHI without a BAA — when the requirement is well-established — pushes investigations toward the upper tiers, where penalties run into the tens or hundreds of thousands per violation.

45 CFR §160.404 · Civil money penalties

Where this fits

A starter document, or part of a full system.

The BAA Template is the fastest way to plug a single gap. The Flagship is for practices that need every Lifeline document under one roof — including the BAA Inventory & Vendor Risk Review log that tracks each one.

SKU-203 · Standalone

BAA Template

$29 · one-time

A single execution-ready Business Associate Agreement, with a Quick-Start Guide and FAQ. The fastest way to fix one missing vendor BAA today.

  • Quick-Start Guide (~3 pages)
  • 10-question plain-English FAQ
  • Full agreement, fillable .docx
  • 2026 Security Rule alignment

SKU-901 · Flagship

The HIPAA Compliance Flagship

$449 · one-time

Every Lifeline document — Core, Compliance Management, Breach Response, training, and the BAA Inventory log that tracks each one annually.

  • Includes this BAA template
  • BAA Inventory & Vendor Risk Review log
  • Breach Response Kit (11 templates)
  • Core Documentation System (6 docs)

What "attorney-developed" means here

Drafted from the Covered Entity's side — by someone who has had to defend one.

This template was written by a healthcare attorney who has spent fifteen years inside HIPAA enforcement matters, with one specific question in mind: what would I want my client to have signed before the OCR letter arrived?

It includes the Section 2.5 annual verification clause, the five-business-day breach reporting timeline, and the explicit 42 CFR Part 2 acknowledgment for SUD records. Vendor-drafted BAAs frequently omit all three.

Important · please read

This template is provided for general practice use. It does not constitute legal advice and does not create an attorney-client relationship. Consult qualified counsel for jurisdiction-specific guidance, complex vendor relationships, or substantive amendments to the required HIPAA provisions in Sections 2–5.

Frequently asked

The questions practice managers actually ask.

01 · We've worked with this vendor for years without a BAA. Is that a real problem?

Yes. Operating without a BAA while sharing PHI is a HIPAA violation regardless of how long the relationship has existed or how trustworthy the vendor is. Execute one immediately, dated as of today — you cannot backdate to cover past activity, but signing now stops the violation from compounding further.

02 · The vendor wants to use their own BAA. Should I sign theirs or use this one?

Either can work, but read theirs carefully first. Vendor-drafted BAAs often shift risk back to you and frequently omit annual verification, the five-business-day breach timeline, and 42 CFR Part 2 protections. This template is drafted from the Covered Entity's side and includes those safeguards by default.

03 · Can one BAA cover multiple vendors?

No. Each Business Associate relationship requires its own BAA. One agreement cannot bind multiple separate legal entities. If a vendor has subsidiaries that will also handle your PHI, confirm whether they're covered by the same BAA or whether each entity needs its own.

04 · What if the vendor refuses to sign a BAA?

You cannot legally share PHI with a vendor that refuses to execute a BAA. Two options: find a vendor that will, or restructure the relationship so the vendor never receives PHI. Document any refusal in your compliance records — refusal is itself a meaningful data point.

05 · What changes for BAAs in 2026?

HHS proposed significant Security Rule updates in January 2025, with a final rule targeting mid-2026. Expected changes include mandatory encryption and multi-factor authentication for all Business Associates, annual verification of safeguards, and shorter breach-notification timelines. This template is drafted to align with that direction — review again once the final rule publishes.

06 · Can I modify the template?

Yes — it's a template, not a final document. Add provisions specific to your vendor relationship or state law. Do not remove the required HIPAA provisions in Sections 2, 3, 4, or 5 — those are mandated by federal law. If you make substantive changes, have counsel review the amended version before signing.

07 · Are returns or refunds available?

No. Because this is an instant-download digital document that cannot be "returned," all sales are final. If something is genuinely missing or broken in the file you receive, email us and we'll make it right.

Five minutes from now

A signed BAA on file beats a promise to get one.

Download, fill in the bracketed fields, send for signature. The vendor relationship you've been meaning to paper, papered.

Attorney-developed · Fillable .docx · Instant download · Yours forever

Digital download · all sales final · not legal advice