Business Associate Agreement
BAA information and engagement-specific agreement planning for eligible HIPAA-regulated workflows.
This page is a starting point and information resource. It is not a generic one-size-fits-all Business Associate Agreement, and it is not itself an executed agreement.
ICM / GLC supports a diverse range of independent-study services, records workflows, research activities, consulting engagements, software platforms, prototypes, APIs, infrastructure services, and data-processing workflows. Every client, collaborator, learner, organization, and regulated workflow is different.
Engagement-specific review
Because every client relationship, technical implementation, and regulatory obligation is unique, Business Associate Agreements are typically developed or modified to reflect the specific services, data flows, security requirements, compliance obligations, and operational responsibilities associated with a particular engagement.
HIPAA, privacy, security, retention, access-control, and data-processing obligations may vary based on the services being provided, the data types involved, the regulatory requirements that apply, the technical architecture, and each party’s operational responsibilities.
BAA templates and tailored agreements
ICM / GLC maintains Business Associate Agreement templates for eligible healthcare, research, clinical, covered-entity, and regulated workflows. Depending on the nature of the services being provided, additional provisions, security requirements, data-processing terms, or project-specific obligations may be incorporated into the final agreement.
Organizations seeking a Business Associate Agreement are encouraged to contact ICM / GLC before transmitting, storing, processing, or granting access to Protected Health Information (PHI) so that an agreement appropriate to the engagement can be prepared.
Important limits
- Do not submit PHI through general contact, support, prototype, or website forms unless a written agreement and approved workflow are in place.
- Do not assume that a generic downloadable BAA is available for immediate signature or reliance without review.
- A BAA may need to be customized to reflect the specific relationship, data types, regulatory requirements, technical architecture, security requirements, and operational responsibilities involved.
- No blanket HIPAA compliance claim is made on this page; documented controls and service scope must be reviewed for each eligible workflow.
Discuss a tailored BAA
To discuss a Business Associate Agreement tailored to your organization, workflow, compliance requirements, or project scope, please contact ICM / GLC prior to onboarding or exchanging regulated information.
BAA requests should describe the organization type, expected workflow, data categories, systems involved, access needs, retention expectations, security requirements, and project scope.
