
HIPAA-Compliant Business Associate Agreement (BAA) for the MHS

This Business Associate Agreement (BAA) language complies with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Breach and Enforcement Rules (HIPAA Rules). The BAA language has been updated to reflect the 2013 Health Information Technology for Economic and Clinical Health (HITECH) Act modifications to the HIPAA Rules issued by the Department of Health and Human Services (HHS). Provisions on breach response are included. 

The BAA language is required after 23 September 2013 when any solicitation or contract modification (or other agreement) includes functions, activities, or services involving the use and/or disclosure of protected health information (PHI). Note that the BAA language only covers HIPAA requirements. For language on other Federal privacy and information laws, please consult the applicable contracting officials.


DHA Address: 7700 Arlington Boulevard | Suite 5101 | Falls Church, VA | 22042-5101
