Free Business Associate Agreement (BAA) Template

A BAA is required under HIPAA when a covered entity shares PHI with a business associate.

Template

Copy this markdown, replace the {{variables}}, and send via API.

```markdown
# Business Associate Agreement

**Covered Entity:** {{coveredEntityName}}
**Business Associate:** {{businessAssociateName}}
**Date:** {{date}}

## Permitted Uses

{{permittedUses}}

## Safeguards

{{safeguards}}

## Breach Notification

Business Associate shall notify Covered Entity within {{notificationPeriod}} of a breach.

## Return/Destruction of PHI

{{dataReturnTerms}}

## Term

{{termLength}}
```

Send for e-signature

```bash
curl -X POST https://signb.ee/api/send \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "content": "YOUR_RENDERED_MARKDOWN",
    "senderName": "Your Name",
    "senderEmail": "you@company.com",
    "recipientName": "Recipient",
    "recipientEmail": "recipient@email.com"
  }'
```
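As an added example (not Signbee's own code), a small Python helper that renders the template above, refuses to proceed if any {{placeholder}} is left unfilled or a supplied key goes unused, and builds the JSON body and headers the curl call sends; the template excerpt is constructed and the SIGNBEE_API_KEY environment variable name is an assumption.

```python
import os
import re

# Constructed excerpt of the page's BAA template (same {{placeholders}}).
BAA_TEMPLATE = """# Business Associate Agreement

**Covered Entity:** {{coveredEntityName}}
**Business Associate:** {{businessAssociateName}}
**Date:** {{date}}

Business Associate shall notify Covered Entity within {{notificationPeriod}} of a breach.
"""

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_template(template: str, values: dict) -> str:
    """Fill every {{variable}}. Refuses to render if a placeholder is left
    unfilled or a supplied key is unused: a typo in a key would otherwise
    leave an empty obligation (e.g. no notification period) in a signed BAA."""
    needed = set(PLACEHOLDER.findall(template))
    supplied = set(values)
    missing = needed - supplied
    unused = supplied - needed
    if missing or unused:
        raise ValueError(f"missing={sorted(missing)} unused={sorted(unused)}")
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


def build_payload(content, sender_name, sender_email, recipient_name, recipient_email):
    """JSON body for POST https://signb.ee/api/send, as in the curl call above."""
    return {
        "content": content,
        "senderName": sender_name,
        "senderEmail": sender_email,
        "recipientName": recipient_name,
        "recipientEmail": recipient_email,
    }


def api_headers(api_key=None) -> dict:
    """Request headers for the curl call above. The bearer token is read from
    the environment (assumed variable name SIGNBEE_API_KEY), never hard-coded."""
    key = api_key or os.environ.get("SIGNBEE_API_KEY")
    if not key:
        raise RuntimeError("SIGNBEE_API_KEY is not set")
    return {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}
```

Serialise `build_payload(...)` with `json.dumps` so the rendered markdown's newlines and quotes are escaped correctly in the request body.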

What happens next

  1. Signbee converts the markdown to a professional PDF
  2. Recipient gets an email with a signing link
  3. Both parties sign with an animated handwriting signature
  4. Both receive the signed PDF with a SHA-256 certificate

All signatures are legally binding under the ESIGN Act, eIDAS, and ECA.

More details

A Business Associate Agreement (BAA) is required under HIPAA whenever a covered entity shares Protected Health Information (PHI) with a third-party service provider. It's the healthcare equivalent of a Data Processing Agreement under GDPR.

Who is a business associate? Any person or organisation that performs functions or activities on behalf of a covered entity that involve access to PHI: cloud hosting providers, billing companies, IT service providers, shredding companies, consultants, attorneys, and accountants.

Notable non-business-associates: Conduits (postal service, ISPs that merely transmit data), members of the covered entity's workforce, and other covered entities in a treatment relationship.

Required BAA provisions under 45 CFR 164.504(e):

  1. Permitted uses and disclosures: the business associate may only use PHI as specified in the agreement. Any other use is a HIPAA violation.
  2. Safeguards: the business associate must implement administrative, physical, and technical safeguards to protect PHI. After the HITECH Act, business associates are directly subject to HIPAA Security Rule requirements.
  3. Breach notification: must notify the covered entity within 60 days of discovering a breach (many BAAs specify shorter periods, e.g., 24-72 hours).
  4. Subcontractor management: if the business associate uses subcontractors who access PHI, it must ensure those subcontractors agree to the same restrictions.
  5. PHI access and amendment: must make PHI available for patient access requests and amendment requests.
  6. Accounting of disclosures: must document disclosures and make records available to the covered entity.
  7. Return or destruction: upon termination, must return or destroy all PHI. If not feasible, must extend protections indefinitely.

Penalties for operating without a BAA: HIPAA fines range from $100 to $50,000 per violation, up to $1.5 million per year per violation category. Operating without a BAA when one is required is itself a violation, even if no breach occurs.

Frequently asked questions

What is a Business Associate Agreement?

A BAA is a HIPAA-required contract between a healthcare covered entity and any third-party service provider that accesses Protected Health Information. It defines how PHI may be used, safeguard requirements, breach notification obligations, and data destruction procedures.

What happens if you don't have a BAA?

Operating without a required BAA is itself a HIPAA violation, even if no breach occurs. Fines range from $100 to $50,000 per violation, up to $1.5 million annually per violation category. Both the covered entity and the business associate can be penalised.

Can a BAA be signed electronically?

Yes. BAAs are valid with electronic signatures under ESIGN (US). The electronic record provides timestamped evidence of when both parties agreed to the PHI protection terms — important documentation for HIPAA compliance audits.
