HIPAA

Business Associate Agreement

Current version: v1 · April 2026

Sample template for transparency. The binding BAA is presented in-app the first time you activate a PHI workflow and is recorded in your audit log.

1. Definitions

Terms used in this Agreement have the meanings given in the HIPAA Privacy, Security, and Breach Notification Rules at 45 CFR Parts 160 and 164.

2. Permitted uses and disclosures

Business Associate may use or disclose PHI only as necessary to perform the services described in the underlying service agreement, or as required by law.

3. Safeguards

Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI it creates, receives, maintains, or transmits.

4. Breach notification

Business Associate will report any known breach of unsecured PHI to Covered Entity within 30 days of discovery, in accordance with 45 CFR § 164.410.

5. Termination

Upon termination, Business Associate will return or destroy all PHI received from Covered Entity, where feasible.

Request a countersigned copy at legal@agenciesforge.com.