HIPAA Business Associate Agreement

HIPAA Business Associate Agreement

HIPAA BUSINESS ASSOCIATE AGREEMENT

This HIPAA Business Associate Agreement (“Agreement”) is made effective as of ____________________, 20______, by and between ____________________________ (“Covered Entity”), of ____________________________________________________ [Address] and ____________________________ (“Business Associate”), of __________________________________ _______________________ [Address] (collectively, the “Parties”).

WHEREAS, Business Associate, in connection with its services, may maintain, transmit, create or receive data for or from Covered Entity that constitutes Protected Health Information (“PHI”);

WHEREAS, Covered Entity is or may be subject to the requirements of the Federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and related regulations;

WHEREAS, with respect to the foregoing, Business Associate is or may be subject to the requirements of HIPAA, HITECH and related regulations;

NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the Parties hereby agree as follows:

1. Definitions.
2. General. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

1. Specific.

160. Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean ____________________________ [Business Associate].

160. Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean ____________________________ [Covered Entity].

iii. Electronic Health Record. “Electronic Health Record” shall have the same meaning as the term “electronic health record’ in the HITECH Act, Section 13400.

1. HIPAA. “HIPAA” collectively refers to the HIPAA Statute, including the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164, the HITECH Act, and any associated Regulations, as such may be amended from time to time.

 

2. Obligations and Activities of Business Associate.

1. Business Associate agrees to not use or disclose PHI other than as permitted or required by the Agreement or as required by law.

1. Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement.

164. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware.

164. In accordance with 45 CFR 164.502(e)(1) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.

164. In accordance with 45 CFR 164.524, Business Associate agrees to make available PHI in a designated record set to the Covered Entity within __________ days of a request by Covered Entity for access to PHI about an individual. In the event that any individual requests access to PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity within __________ days of receiving such request.

How access requests should be handled (Optional): __________________________________________

________________________________________________________________________________________________________________________________________________________________________

164. In accordance with 45 CFR 164.526, Business Associate agrees to make any amendment(s) to PHI in a designated record within __________ days of a request by Covered Entity. Business Associate shall provide such information to Covered Entity for amendment and incorporate any amendments in the PHI as required by 45 CFR 164.526. In the event a request for an amendment is delivered directly to Business Associate, Business Associate shall forward such request to Covered Entity within __________ days of receiving such request.

How amendments should be handled (Optional): _____________________________________________

________________________________________________________________________________________________________________________________________________________________________

164. Except for disclosures of PHI by Business Associate that are excluded from the accounting obligation as set forth in 45 CFR 164.528 or regulations issued pursuant to HITECH, Business Associate shall record for each disclosure the information required to be recorded by Covered Entities pursuant to 45 CFR 164.528. Within __________ days of notice by Covered Entity to Business Associate that it has received a request for an account of disclosures of PHI, Business Associate shall make available to Covered Entity, or if requested by Covered Entity, to the individual, the information required to be maintained pursuant to this Agreement. In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall forward such request to Covered Entity within __________ days of receiving such request.

How disclosure requests should be handled (Optional): _______________________________________

________________________________________________________________________________________________________________________________________________________________________

1. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

1. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with HIPAA.

3. Permitted Uses and Disclosures by Business Associate

1. Business Associate may use or disclose PHI for the following purposes: (Check one)

☐ As necessary to perform the services as agreed to between the Parties, notwithstanding the restrictions on such uses and disclosures as set forth in HIPAA and this Agreement.

☐ Other: ___________________________________________________________________________

____________________________________________________________________________________

164. Business Associate may only de-identify PHI if permitted by Covered Entity and in any event may only de-identify PHI in accordance with 45 CFR 164.514(a)-(c).

1. Business Associate may use or disclose PHI as required by law or where Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

1. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity except for the specific uses and disclosures set forth herein.

4. Permissible Requests by Covered Entity

1. Except as otherwise permitted by this Agreement, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.

5. Term and Termination

1. Term. The Term of this Agreement shall be effective as of ____________________, 20______, and shall terminate on the date the business relationship, or any services agreements, between the Parties end or are terminated or on the date Covered Entity terminates for cause as authorized in paragraph (b) of this Section.

1. Termination for Cause. Business Associate authorizes termination of this Agreement by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the Agreement and Business Associate has not cured the breach or ended the violation within __________ days written notice. If it is determined by Covered Entity that cure is not possible, Covered Entity may immediately terminate this Agreement. The termination of this Agreement shall automatically terminate the business relationship and any services agreements between the Parties.

1. Obligations of Business Associate Upon Termination. Upon termination of this Agreement, Business Associate shall either return or destroy all PHI that Business Associate still maintains in any form. Business Associate shall not retain any copies of such PHI. In the event Business Associate determines that returning or destroying the PHI is infeasible, the terms of this Agreement shall survive termination with respect to such PHI and limit further uses and disclosures of such PHI for so long as Business Associate maintains such PHI. In addition, Business Associate shall continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI for as long as business associate retains the PHI.

1. Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.

6. General Provisions.

1. This agreement sets forth the entire understanding of the Parties. Any amendments must be in writing and signed by both Parties. This Agreement shall be construed under the laws of the State of _________________, without regard to conflict of law provisions. Any ambiguity in the terms of this Agreement shall be resolved to permit compliance with HIPAA. Any references in this Agreement to a section in HIPAA means the section as in effect or as may be amended. This Agreement may be modified or amended from time to time as is necessary for compliance with the requirements of HIPAA and other applicable law. Amendments must be made in writing and signed by the Parties. The failure of either Party to enforce any provision of this Agreement shall not be construed as a waiver or limitation of that Party’s right to subsequently enforce and compel strict compliance with every provision of this Agreement. The terms of this Agreement are hereby incorporated into any service or business agreement that may be entered into between the Parties with the intent to form a business relationship. In the event of a conflict of terms between this Agreement and any such service or business agreement the terms of this Agreement shall prevail.

IN WITNESS WHEREOF, I have hereunto set my hand to this HIPAA Business Associate Agreement as of the date set forth above.

Covered Entity		Business Associate
By: ________________________ Title: ________________________		By: ________________________ Title: ________________________