data-compliance
Common Paper Business Associate Agreement
A HIPAA business associate agreement cover page and standard terms, based on Common Paper's standard form. Covers the use and protection of protected health information (PHI) between a covered entity and a business associate.
35 fields
CC-BY-4.0
Source: Common Paper
Fill this template
With Claude Code
Just ask Claude — no installation required:
Fill the common-paper-business-associate-agreement template for my companyWith the CLI
npx -y open-agreements@latest fill common-paper-business-associate-agreement -d values.json -o output.docxWith the hosted MCP
Add to your MCP config for zero-install access to all templates:
{
"mcpServers": {
"open-agreements": {
"url": "https://openagreements.ai/api/mcp"
}
}
}Fields (35)
| Field | Type | Description |
|---|---|---|
company_name |
string | Official company name |
party_role |
string | Role in the agreement (Business Associate or Covered Entity) |
principal_agreement |
string | Reference to the principal agreement |
subcontractor_role |
string | Role of subcontractors |
free_text |
string | Free text entry |
aggregation_restrictions |
string | Specific aggregation restrictions |
offshoring_restrictions |
string | Specific offshoring rights or restrictions |
breach_notification_unit |
string | Unit for breach notification period |
breach_notification_number |
string | Numeric value for the breach notification period (e.g. 5) |
other_changes |
string | Prose describing other changes to BAA Standard Terms |
custom_effective_date |
string | Custom effective date (if not date of last signature) |
maintains_designated_record_set |
boolean | Whether Provider maintains PHI in a Designated Record Set |
no_subcontracting |
boolean | Provider will not subcontract |
subcontracting_with_conditions |
boolean | Provider will not subcontract unless conditions are met |
subcontract_notice_required |
boolean | Notice must be provided to Company before subcontracting |
subcontract_permission_required |
boolean | Company explicit permission required for subcontracting |
no_offshoring |
boolean | Offshoring of PHI and/or Services is not permitted |
offshoring_with_conditions |
boolean | Offshoring not permitted unless conditions met |
no_deidentification |
boolean | Provider will not de-identify PHI |
deidentification_with_conditions |
boolean | Provider will not de-identify PHI unless conditions met |
deidentification_purpose |
string | Specific purpose(s) for which Provider may de-identify PHI (e.g. generating data analytics) |
deidentify_for_purpose |
boolean | De-identification for specific purposes only |
deidentify_additional_requirements |
boolean | Additional requirements for de-identifying PHI |
no_aggregation |
boolean | Provider will not aggregate PHI |
aggregation_with_conditions |
boolean | Provider will not aggregate PHI unless conditions met |
provider_signatory_type |
enum | Whether the Provider signatory is an entity or individual |
provider_signatory_name |
string | Full legal name of the Provider's signatory |
provider_signatory_title |
string | Title/role of the Provider's signatory (entity only) |
provider_signatory_company |
string | Company name for the Provider signatory (entity only) |
provider_signatory_email |
string | Notice email address for the Provider |
company_signatory_type |
enum | Whether the Company signatory is an entity or individual |
company_signatory_name |
string | Full legal name of the Company's signatory |
company_signatory_title |
string | Title/role of the Company's signatory (entity only) |
company_signatory_company |
string | Company name for the Company signatory (entity only) |
company_signatory_email |
string | Notice email address for the Company |