# Common Paper Business Associate Agreement

A HIPAA business associate agreement cover page and standard terms, based on Common Paper's standard form. Covers the use and protection of protected health information (PHI) between a covered entity and a business associate.

**Standard Terms:** https://commonpaper.com/standards/business-associate-agreement/1.0

## Parties

| Field | Description | Default |
| --- | --- | --- |
| Company Name | Official company name |  |
| Party Role | Role in the agreement (Business Associate or Covered Entity) |  |

## Terms

| Field | Description | Default |
| --- | --- | --- |
| Principal Agreement | Reference to the principal agreement |  |
| Subcontractor Role | Role of subcontractors |  |
| Free Text | Free text entry |  |
| Aggregation Restrictions | Specific aggregation restrictions |  |
| Offshoring Restrictions | Specific offshoring rights or restrictions |  |
| Breach Notification Unit | Unit for breach notification period |  |
| Breach Notification Number | Numeric value for the breach notification period (e.g. 5) |  |
| Other Changes | Prose describing other changes to BAA Standard Terms |  |
| Custom Effective Date | Custom effective date (if not date of last signature) |  |
| Maintains Designated Record Set | Whether Provider maintains PHI in a Designated Record Set |  |

## Subcontracting

| Field | Description | Default |
| --- | --- | --- |
| No Subcontracting | Provider will not subcontract |  |
| Subcontracting With Conditions | Provider will not subcontract unless conditions are met |  |
| Subcontract Notice Required | Notice must be provided to Company before subcontracting |  |
| Subcontract Permission Required | Company's explicit permission is required for subcontracting |  |
| No Offshoring | Offshoring of PHI and/or Services is not permitted |  |
| Offshoring With Conditions | Offshoring is not permitted unless conditions are met |  |

## De-identification

| Field | Description | Default |
| --- | --- | --- |
| No Deidentification | Provider will not de-identify PHI |  |
| Deidentification With Conditions | Provider will not de-identify PHI unless conditions are met |  |
| Deidentification Purpose | Specific purpose(s) for which Provider may de-identify PHI (e.g. generating data analytics) |  |
| Deidentify For Purpose | De-identification for specific purposes only |  |
| Deidentify Additional Requirements | Additional requirements for de-identifying PHI |  |
| No Aggregation | Provider will not aggregate PHI |  |
| Aggregation With Conditions | Provider will not aggregate PHI unless conditions are met |  |

## Signature Block

| Field | Description | Default |
| --- | --- | --- |
| Provider Signatory Type | Whether the Provider signatory is an entity or individual | entity |
| Provider Signatory Name | Full legal name of the Provider's signatory |  |
| Provider Signatory Title | Title/role of the Provider's signatory (entity only) |  |
| Provider Signatory Company | Company name for the Provider signatory (entity only) |  |
| Provider Signatory Email | Notice email address for the Provider |  |
| Company Signatory Type | Whether the Company signatory is an entity or individual | entity |
| Company Signatory Name | Full legal name of the Company's signatory |  |
| Company Signatory Title | Title/role of the Company's signatory (entity only) |  |
| Company Signatory Company | Company name for the Company signatory (entity only) |  |
| Company Signatory Email | Notice email address for the Company |  |

---

Based on the Common Paper Business Associate Agreement, available at https://commonpaper.com. Licensed under CC BY 4.0. Copyright Common Paper, Inc.

_This template is a drafter's starting point and provides workflow support only. It does not constitute legal advice._
