Legal forms
HIPAA · PHI · Security Rule

Generate a HIPAA BAA before you share PHI. Required by law.

HIPAA requires a Business Associate Agreement (BAA) between covered entities and any vendor that handles protected health information (PHI). Without a BAA, sharing PHI is a HIPAA violation regardless of how careful the vendor is. The BAA defines the vendor's obligations under the Privacy Rule and Security Rule, breach notification timing, subcontractor flow-down, and termination rights. We generate compliant BAAs with the configurable provisions OCR expects.

All 50 states + DC · 60-day money-back · SOC 2 Type II
How it works

How we handle HIPAA BAA, end-to-end.


1

Identify the parties

Covered entity (healthcare provider, health plan, healthcare clearinghouse) or hybrid entity. Business associate (vendor that creates, receives, maintains, or transmits PHI on behalf of the covered entity).

2

Define PHI scope

What PHI the business associate will access: limited data set, full PHI, electronic only, paper records. Defines what the BAA's protections cover.

3

Configure key terms

Permitted uses and disclosures, security safeguards (administrative, physical, technical), breach notification timing (the regulatory ceiling is 60 calendar days from discovery for business-associate-to-covered-entity notice; the BAA usually sets a much shorter contractual deadline so the covered entity can still meet its own 60-day deadlines to individuals and OCR), subcontractor flow-down, termination for breach.

4

E-sign and store

Optional e-sign with vault storage. We record a SHA-256 hash of the final signed document so any later modification is detectable. HIPAA does not mandate a particular hash or signing technology; what it requires is that BAAs and related policy documentation be retained for six years from creation or last effective date (45 CFR 164.316(b)) and produced to OCR on request. A hash only proves the document is unchanged since the hash was recorded, and only if the hash itself is kept where whoever can alter the document cannot also alter the hash.
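How a hash-based audit trail detects tampering, shown as an added example (not the generator's own code). It assumes the vault writes one audit entry per lifecycle event (generated, signed, stored), each carrying the SHA-256 of the document bytes at that moment, and chains the entries so that editing, removing or reordering any entry is caught on re-verification. The sample document bytes and event timestamps are constructed for the example.

```python
"""Hash-chained audit trail for a stored BAA (illustrative, not production code)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # assumed fixed prev_hash for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


def append_event(chain: list, event: str, document: bytes, actor: str, ts: str = "") -> dict:
    """Append an entry linked to the previous one by its hash."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    entry = {
        "seq": len(chain),
        "event": event,  # "generated", "signed", "stored" (assumed event names)
        "actor": actor,
        "timestamp": ts or datetime.now(timezone.utc).isoformat(),
        "doc_sha256": sha256_hex(document),
        "prev_hash": prev,
    }
    entry["entry_hash"] = entry_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list, stored_document: bytes) -> tuple:
    """Return (ok, reason). Checks ordering, linkage, per-entry integrity, and
    that the document currently in the vault matches the digest at the last event."""
    if not chain:
        return False, "empty chain"
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            return False, f"entry {i}: sequence gap or reordering"
        if entry["prev_hash"] != prev:
            return False, f"entry {i}: broken link to previous entry"
        if entry_hash(entry) != entry["entry_hash"]:
            return False, f"entry {i}: entry contents modified"
        prev = entry["entry_hash"]
    if sha256_hex(stored_document) != chain[-1]["doc_sha256"]:
        return False, "stored document differs from digest recorded at last event"
    return True, "ok"


# Constructed sample: an unsigned draft, then the signed version of it.
DRAFT = b"BUSINESS ASSOCIATE AGREEMENT\nCovered Entity: Example Clinic\nBusiness Associate: Example Billing LLC\n"
SIGNED = DRAFT + b"/s/ J. Doe, Privacy Officer, 2025-01-15\n"


def build_sample_chain() -> list:
    chain: list = []
    append_event(chain, "generated", DRAFT, "generator", "2025-01-15T10:00:00+00:00")
    append_event(chain, "signed", SIGNED, "jdoe@example-clinic.test", "2025-01-15T10:05:00+00:00")
    append_event(chain, "stored", SIGNED, "vault", "2025-01-15T10:05:01+00:00")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain, SIGNED))                 # untouched: (True, 'ok')
    print(verify_chain(chain, SIGNED + b"amended\n"))  # document changed after storage
    rewritten = [dict(e) for e in chain]
    rewritten[1]["actor"] = "someone-else"             # history rewritten
    print(verify_chain(rewritten, SIGNED))
```

The chain catches edits to the document and to the log, but an attacker who can rewrite the vault can simply rebuild the whole chain. The practical check is where the chain (or at least its latest entry hash) lives: an append-only store, a separate system, or a periodically time-stamped anchor that the document's custodian cannot modify.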


Pricing

Transparent HIPAA BAA pricing.

Government fees pass through at cost. No upsells.

Generate

$0
Unlimited BAAs.

Generate HIPAA BAAs in any volume. Free forever. Covers covered entity, business associate, and hybrid scenarios.

Get started

HIPAA Compliance Suite

$1499
BAA + policies + training.

Generated BAA plus our HIPAA policy templates (sanctions, workforce training, incident response), required annual workforce training, and risk assessment template. Annual subscription.

Get started
FAQ

About the HIPAA BAA Template Generator.

Who needs a BAA?
Any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Examples: cloud hosting (AWS, GCP, Azure), email services, billing services, IT support, legal counsel, accountants, transcription services. A cloud provider that stores only encrypted ePHI and never holds the key is still a business associate under OCR's cloud computing guidance. Not required for treatment-related disclosures between covered entities, or for pure conduits (postal carriers, ISPs and similar services that only transmit PHI and access it transiently, if at all).
What is PHI?
Protected Health Information: any individually identifiable health information held or transmitted by a covered entity or business associate. Includes names paired with diagnoses, billing records, lab results, demographics tied to health conditions.
What if the vendor refuses to sign?
Without a signed BAA, you cannot share PHI with the vendor. Common refusals: cloud SaaS that offers a BAA only on an enterprise tier (use the enterprise tier or switch vendors), and small vendors who do not know what HIPAA is (educate or switch). Some vendors have their own BAA template; review it carefully, since vendor templates often contain liability caps, indemnity carve-outs, and longer notification windows that benefit the vendor.
Are subcontractor BAAs required?
Yes. If your business associate uses subcontractors that handle PHI, the business associate must have BAAs with each subcontractor. Our generator includes the flow-down clause requiring this.
What is the breach notification timeline?
Business associate to covered entity: without unreasonable delay and no later than 60 calendar days after the business associate discovers the breach (45 CFR 164.410); most BAAs negotiate a much shorter contractual window. Covered entity to affected individuals: without unreasonable delay and no later than 60 calendar days after the covered entity discovers the breach; if the business associate is acting as the covered entity's agent, the business associate's discovery is imputed to the covered entity, so the clock may already be running before notice arrives. Covered entity to HHS OCR: for breaches affecting 500 or more individuals, at the same time as individual notice and no later than 60 days after discovery (plus media notice where more than 500 residents of a state or jurisdiction are affected); smaller breaches are logged and submitted to HHS within 60 days after the end of the calendar year in which they were discovered.
What is the penalty for missing a BAA?
OCR civil money penalties range from $137 to $68,928 per violation, capped at $2,067,813 per calendar year for all violations of an identical provision (2023 inflation-adjusted amounts; OCR updates these figures annually, so check the current Federal Register notice). Sharing PHI without a BAA is a continuing violation, and OCR may count each day the disclosure persists, or each affected individual, as a separate violation. HIPAA itself provides no private right of action, but state attorney general actions, state-law civil suits, and class-action exposure follow the same facts.
Why File.Business

Premium compliance, no service-fee markup.

Trust you can verify

SOC 2 Type II audited platform. 220,000+ businesses served. 60-day money-back on service fees. State fees passed through at cost with no hidden markup. Explicit AUP on restricted industries.

A compliance partner, not a transaction

Most providers go quiet after checkout. We auto-track every annual report, registered agent renewal, and license deadline across your entities. The Business OS dashboard keeps your compliance score visible year-round.

Premium experience competitors cannot match

Premium positioning, transparent pricing, no service-fee markup on state or federal filings.

Start your business in the next 5 minutes.

No state-fee markup. Pay only the state fee. 60-day money-back guarantee.

No state-fee markup · 60-day money-back · Cancel anytime
$0 + state fee · Start my business