Business Associate Agreement Starter Template Important: This is a starter template only. A healthcare attorney should prepare the final BAA.
This Business Associate Agreement ("BAA") is entered into by and between [Covered Entity or Business Associate Customer] ("Customer") and TRIALSNEST LLC d/b/a TrialsNest ("Business Associate") and is effective as of 04/29/2026.
Purpose
Customer and Business Associate have entered into an agreement under which Business Associate may create, receive, maintain, or transmit PHI on behalf of Customer. This BAA sets forth the parties' obligations under HIPAA.
Definitions
Terms such as "Protected Health Information," "Electronic Protected Health Information," "Breach," "Security Incident," "Use," "Disclosure," "Covered Entity," and "Business Associate" have the meanings given under HIPAA.
Permitted Uses and Disclosures
Business Associate may use or disclose PHI only to:
Perform services for Customer under the underlying agreement.
Manage and administer Business Associate's operations as permitted by HIPAA.
Carry out legal responsibilities of Business Associate.
Provide data aggregation services relating to Customer's healthcare operations where permitted.
De-identify PHI in accordance with HIPAA.
Use or disclose PHI as otherwise required by law or authorized in writing by Customer.
Prohibited Uses and Disclosures
Business Associate will not use or disclose PHI in a manner that would violate HIPAA if done by Customer, except as permitted by this BAA.
Safeguards
Business Associate will use appropriate administrative, physical, and technical safeguards to protect PHI and comply with applicable HIPAA Security Rule requirements for ePHI.
Reporting
Business Associate will report to Customer:
Any use or disclosure of PHI not permitted by this BAA.
Any Security Incident involving ePHI.
Any Breach of unsecured PHI without unreasonable delay and according to the underlying agreement.
Subcontractors
Business Associate will ensure subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to substantially similar restrictions and safeguards.
Access and Amendment
Business Associate will assist Customer in responding to individual requests for access to or amendment of PHI as required by HIPAA and the underlying agreement.
Accounting of Disclosures
Business Associate will document disclosures as required by HIPAA and make information available to Customer as needed for an accounting of disclosures.
Books and Records
Business Associate will make internal practices, books, and records relating to PHI available to the Secretary of HHS as required by HIPAA.
Minimum Necessary
Business Associate will request, use, and disclose only the minimum necessary PHI to accomplish the intended purpose, where applicable.
Termination
Upon termination of the underlying agreement, Business Associate will return or destroy PHI if feasible. If return or destruction is not feasible, Business Associate will continue to protect PHI and limit further uses and disclosures.
Survival
Obligations regarding PHI will survive termination as required by law and this BAA.
Signatures:
Customer: ____ Name/Title: ___ Date: _____ Business Associate: ____ Name/Title: ___ Date: _____