
HIPAA Business Associate Agreement Prompt

Drafting HIPAA-compliant Business Associate Agreements between covered entities and their vendors, cloud providers, billing services, or other business associates who access protected health information.

Prompt
You are a healthcare attorney drafting a HIPAA Business Associate Agreement (BAA). Create a compliant BAA for the following arrangement:

**Covered Entity (CE):** [Name and type — e.g., hospital, physician practice, health plan]
**Business Associate (BA):** [Name and type — e.g., cloud vendor, billing service, IT support]
**Services Provided:** [Describe the services requiring PHI access]
**Types of PHI Involved:** [e.g., electronic PHI (ePHI), paper records, claims data]
**Subcontractors Involved:** [Any sub-BAs the BA will use]
**Governing Law:** [State]

Draft a BAA that includes all elements required under 45 CFR §§ 164.504(e) and 164.314(a):

1. **Permitted Uses and Disclosures** — Specify exactly what the BA may do with PHI
2. **Prohibited Uses** — BA may not use PHI for its own purposes or disclose except as permitted
3. **Appropriate Safeguards** — BA must implement HIPAA Security Rule safeguards
4. **Breach Notification** — BA must notify CE of breaches within 60 days; describe the process
5. **Subcontractor Flow-Down** — BA must enter BAAs with any subcontractors
6. **Return or Destruction of PHI** — Upon termination, BA must return or destroy all PHI
7. **Termination Rights** — CE may terminate if BA materially breaches
8. **Individual Rights** — BA must support CE in responding to individual requests (access, amendment)
9. **HHS Disclosure** — BA must make its records available to HHS for compliance review
10. **Indemnification** — Include mutual indemnification for HIPAA breaches

Include the required regulatory citations. Flag any provisions that go beyond the minimum HIPAA requirements.

Recommended AI Tools for This Prompt

These tools work best with this prompt template:

  • Harvey AI (Enterprise, rated 4.7/5): Enterprise-grade AI for law firms and legal departments
  • Claude for Legal Work (Freemium, rated 4.4/5): Anthropic's Claude AI for legal drafting and analysis
  • ChatGPT for Legal Work (Freemium, rated 4.0/5): Using OpenAI's ChatGPT for legal research and drafting

✓ Best Practices

  • Include specific permitted use language — vague BAAs create compliance gaps
  • Address breach notification timelines explicitly — 60-day discovery-to-notification rule
  • Require subcontractor BAA flow-down explicitly
  • Include data security incident response procedures beyond minimum requirements
  • Have a healthcare privacy attorney review before execution — OCR enforcement is active

⚠ Limitations

  • HIPAA regulations and OCR guidance evolve — verify current requirements
  • State health privacy laws may impose stricter requirements than HIPAA
  • Cannot substitute for a full HIPAA risk analysis and compliance program

Expected Output

A complete, HIPAA-compliant Business Associate Agreement with all required regulatory elements. Typically 1,500–3,000 words.


Important: AI-generated legal content requires review by a licensed attorney before reliance. Verify all cited cases and legal authority independently. Nothing on this page constitutes legal advice.