Business Associate Agreement
Standard form. Last updated: June 17, 2026
About this document. CPE Zone is a continuing-education platform and is not designed to process Protected Health Information ("PHI"). If your organization is a HIPAA Covered Entity or Business Associate and needs to share PHI in connection with the service, this Business Associate Agreement ("BAA") governs that sharing. The BAA only takes effect once it has been signed by an authorized representative of both parties; to execute, contact admin@cpezone.com.
1. Definitions
Capitalized terms used but not defined in this BAA have the meaning given to them in the Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, "HIPAA Rules"). "Covered Entity" means the customer entering into this BAA. "Business Associate" means CPE Zone. "PHI" means Protected Health Information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity under the underlying Terms & Conditions (the "Underlying Agreement").
2. Permitted uses and disclosures
- Business Associate may use and disclose PHI only as necessary to perform the services described in the Underlying Agreement, as Required by Law, or as otherwise permitted by this BAA.
- Business Associate may use PHI for the proper management and administration of Business Associate, or to carry out its legal responsibilities, and may disclose PHI for those purposes only if disclosure is Required by Law or the recipient provides written assurances that the PHI will be held confidentially and that any breach will be reported to Business Associate.
- Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c) and use the resulting de-identified data for any lawful purpose.
- Business Associate will not sell PHI or use PHI for marketing in violation of 45 C.F.R. § 164.502(a)(5).
3. Safeguards
Business Associate will implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI and Electronic PHI ("ePHI") as required by the Security Rule (45 C.F.R. Part 164, Subpart C), including encryption of ePHI in transit and at rest, least-privilege access controls, audit logging, workforce training, and a written information security program.
4. Subcontractors
Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to restrictions and conditions at least as protective as those that apply to Business Associate under this BAA, as required by 45 C.F.R. § 164.502(e)(1)(ii).
5. Reporting
- Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which it becomes aware, any Security Incident, and any Breach of Unsecured PHI as required by 45 C.F.R. §§ 164.410 and 164.504(e)(2)(ii)(C).
- Reports of a Breach will be made without unreasonable delay and in no case later than sixty (60) days after discovery, and will include the information required by 45 C.F.R. § 164.410(c).
- The parties agree that unsuccessful Security Incidents (e.g., pings, port scans, denials of access) that result in no unauthorized access, use, or disclosure of ePHI are deemed reported by this Section.
6. Individual rights
Business Associate will, to the extent it maintains PHI in a Designated Record Set, make such PHI available to Covered Entity within a reasonable time so that Covered Entity may meet its obligations under 45 C.F.R. §§ 164.524 (access), 164.526 (amendment), and 164.528 (accounting of disclosures).
7. Access by the Secretary
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Covered Entity's compliance with the HIPAA Rules.
8. Term and termination
- This BAA is effective on the date last signed by both parties and continues until the Underlying Agreement terminates.
- Covered Entity may terminate the Underlying Agreement and this BAA if Business Associate materially breaches this BAA and fails to cure within thirty (30) days of written notice, or immediately if cure is not feasible.
- On termination, Business Associate will return or destroy all PHI it still maintains, if feasible, and extend the protections of this BAA to any PHI that cannot feasibly be returned or destroyed, limiting further uses and disclosures to those purposes that make return or destruction infeasible.
9. Miscellaneous
- The parties will amend this BAA as necessary to comply with changes to the HIPAA Rules.
- Any ambiguity will be resolved in favor of an interpretation that complies with the HIPAA Rules.
- This BAA supplements the Underlying Agreement; in the event of a conflict regarding PHI, this BAA controls.
To execute this BAA, request a counter-signed PDF from admin@cpezone.com. PHI must not be transmitted to the Service until the BAA has been fully executed.
