A written contract between a covered entity and a business associate (BA) that establishes the permitted and required uses and disclosures of protected health information by the BA; requires the BA to implement appropriate safeguards to prevent unauthorized use or disclosure; requires the BA to report to the covered entity any uses and disclosures not provided for in the contract; to the extent the BA is to carry out a covered entity’s obligation under the Privacy Rule, requires the BA to comply with the requirements applicable to the obligation; and requires the BA to ensure that any subcontractors agree to the same restrictions. See our HIPAA Business Associate Agreement Template.