BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“BAA”), effective as of [DATE] (“Effective Date”) is entered into by and between [ENTITY NAME] (“Business Associate”) and [ENTITY NAME] on behalf of itself and its subsidiaries (“Covered Entity”). For purposes of this BAA, Covered Entity and Business Associate may each be referred to as a “Party” and collectively as “Parties.”
WHEREAS, Covered Entity has retained Business Associate to provide certain services to be performed for or on behalf of Covered Entity, which are described and set forth in one or more separate agreements for services between the Parties, order form(s), and/or statement(s) of work (collectively, “Service Agreement”) and, in connection with those services, Business Associate may use or disclose certain individual health information that is subject to protection under the HIPAA Privacy & Security Rules; and
WHEREAS, the Parties desire to establish the terms under which Business Associate may use or disclose PHI such that Covered Entity may comply with applicable requirements of the HIPAA Privacy & Security Rules and the requirements of the HITECH Act that are applicable to business associates.
NOW THEREFORE, in consideration of these premises and the mutual promises and agreements hereinafter set forth, Covered Entity and Business Associate hereby agree as follows:
1.1. Unless otherwise specified in this BAA, all capitalized terms used in this BAA and not otherwise defined herein have the meanings established for purposes of the HIPAA Privacy & Security Rules and the requirements of the HITECH Act.
1.2. “Breach” means the acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy & Security Rules that compromises the security or privacy of the PHI.
1.3. “Business Associate” means any entity controlling, controlled by or under common control with Business Associate and each of Business Associate’s contractors that create, receive, maintain, or transmit PHI on behalf of Business Associate.
1.4. “ePHI” means all PHI that is transmitted or maintained in electronic media.
1.5. “HIPAA Privacy & Security Rule” means the Health Insurance Portability and Accountability Act of 1996, codified at 45 C.F.R. Parts’160 and 164 (”Privacy Rule”) and 45 C.F.R. Parts 160, 162 and 164 (”Security Rule”) including the requirements of the final modifications as issued on January 25, 2013, and the implementing regulations related to privacy, security, breach notification, and enforcement, as amended from time to time.
1.6. “HITECH Act” means Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. §§l792I-I7954, and all associated existing and future implementing regulations, when and as each is effective.
1.7. “PHI” means “protected health information” as defined in 45 C.F.R §160.103, and is limited to the information received from, or received or created on behalf of, Covered Entity by Business Associate pursuant to performance of the services set forth in a Services Agreement.
1.8. “Security Incident” means an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system and involves only PHI that is created, received, maintained, or transmitted by or on behalf of Business Associate in electronic form.
1.9. “Unsecured PHI” means PHI that is not secured through the use of a technology or methodology specified by guidance issued by the U.S. Department of Health and Human Services from time to time.
2. RESPONSIBILITIES OF BUSINESS ASSOCIATE
2.1 Permitted Uses and Disclosures. Except as otherwise provided in this BAA, Business Associate agrees to use PHI only as necessary to provide the services set forth in a Service Agreement and Business Associate agrees to limit disclosure of PHI, to the extent practical, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request. Business Associate will not use or further disclose PHI other than as permitted or required by this BAA or a Service Agreement or as required by law.
2.2 Safeguards. Business Associate agrees to implement and use appropriate administrative, physical and technical safeguards to (a) prevent use or disclosure of PHI; and (b) reasonably protect the confidentiality, integrity, and availability of the ePHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity. Such safeguards include a written information security policy, a response plan for Security Incidents, periodic security awareness training, and confidentiality/nondisclosure agreements with those independent subcontractors and consultants with which Business Associate has delegated duties under this BAA.
2.3 Reporting a Breach. Business Associate agrees to promptly report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including Unsecured PHI and any Security Incident of which Business Associate becomes aware.
2.4 Assistance with Breach Investigation. In the event of a Breach, Business Associate will provide reasonable assistance to and cooperate with Covered Entity in investigating the Breach and Business Associate agrees to provide the following information in writing to Covered Entity: (a) Identification of each individual who is the subject of Unsecured PHI that has been, or is reasonably believed by Business Associate to have been accessed, acquired, or disclosed; (b) a brief description of the events; (c) date of the potential Breach; (d) date of discovery; (e) type of PHI involved; (f) any preliminary steps taken to mitigate the damage; and (g) a description of the investigatory steps taken.
2.5 Internal Practices. Business Associate agrees to make available its internal practices, books, and records relating to the use and disclosure of PHI created for or from Covered Entity to the U.S. Department of Health and Human Services for purposes of determining Business Associate’s compliance with the HIPAA Privacy & Security Rules or this BAA.
2.6 Disclosure Accounting. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI. In addition, within [NUMBER] ([NUMERALS]) days after receiving a written request from Covered Entity, Business Associate will make available to Covered Entity the information necessary for Covered Entity to make an accounting of disclosures of PHI about an Individual, in accordance with 45 C.F.R. § 164.528.
2.7 Subcontractors. Business Associate will require its subcontractors to provide reasonable assurance, evidenced by written agreement, of compliance with the same privacy and security obligations, restrictions, and conditions with respect to PHI and ePHI as applies to Business Associate through this BAA. Business Associate may disclose PHI to other business associates of Covered Entity without requiring the written agreement described herein.
2.8 Availability of Information. Business Associate agrees to provide access to Covered Entity, within [NUMBER] ([NUMERALS]) days after receiving a written request from Covered Entity, to PHI in a Designated Record Set about an Individual, sufficient to allow Covered Entity to provide access to such Individual to his or her PHI, in compliance with the requirements of 45 C.F.R. §164.524. Business Associate will make such information available in an electronic format where required by the HITECH Act.
2.9 Amendment of Information. To the extent that the PHI in Business Associate’s possession constitutes a Designated Record Set, within [NUMBER] ([NUMERALS]) days after a written request by Covered Entity, Business Associate will make PHI available to Covered Entity as reasonably required to fulfill Covered Entity’s obligations to amend such PHI pursuant to the HIPAA Privacy & Security Rules and Business Associate will, as directed by Covered Entity, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate, all in accordance with 45 C.F.R. §164.526.
2.10 Management and Administration. Business Associate agrees to only use or disclose PHI received in its capacity as a business associate to Covered Entity for Business Associate’s own operations if: (a) the use relates to the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate or to provide data aggregation services relating to health care operations of Covered Entity; or (b) the disclosure of information received in such capacity will be made in connection with Business Associate’s performance of the services set forth in a Service Agreement and such disclosure is required by law or Business Associate receives assurance from the person to whom the information will be disclosed that it will be kept confidential and the person further agrees to notify Business Associate of any Security Incident or Breach.
2.11 Data Aggregation Services. Except as otherwise prohibited by this BAA, Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).
2.12 Prohibited Communications. Business Associate will not make or cause to be made any communication about a product or service that is prohibited by 42 U.S.C. § 17936(a).
2.13 Prohibited Fundraising. Business Associate will not make or cause to be made any written fundraising communication that is prohibited by 42 U.S.C. § 17936(b).
2.14 Carrying Out Covered Entity’s Obligations. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
2.15 Mitigation of Damages. Business Associate agrees to mitigate, to the extent practical, any harmful effect that is known to Business Associate of the use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.
3. RESPONSIBILITIES OF COVERED ENTITY
3.1 Identification of Records. With respect to the records Covered Entity furnishes to Business Associate, Covered Entity will identify those records that it considers to be PHI for purposes of this BAA.
3.2 Minimum Necessary. Covered Entity will provide to Business Associate only the minimum PHI necessary to perform the services set forth in a Service Agreement.
3.3 Increased Privacy Protections. In the event that Covered Entity honors a request to restrict the use or disclosure of PHI pursuant to 45 C.F.R. §164.522, Covered Entity will notify Business Associate of any restriction to the extent any such restriction may limit Business Associate’s ability to use and/or disclose PHI as permitted or required under this BAA or impose obligations on Business Associate additional to or inconsistent with the obligations assumed under this BAA. However, should such revisions materially increase Business Associate’s cost of providing services under this BAA, Covered Entity shall reimburse Business Associate for such increase in cost.
3.4 Privacy Notice Limitations. Covered Entity will notify Business Associate of any limitations in its Notice of Privacy Practices in accordance with 45 C.F.R. §164.520, to the extent that any such limitation may affect Business Associate’s use or disclosure of PHI or impose obligations on Business Associate additional to or inconsistent with the obligations assumed under this BAA. In the event that any such limitation materially increases Business Associate’s cost of providing services under this BAA, Covered Entity agrees to reimburse Business Associate for such increase in cost.
3.5 Changes in Permission. Covered Entity will notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI or impose obligations on Business Associate additional to or inconsistent with the obligations assumed under this BAA. In the event that any such change in or revocation of permission materially increases Business Associate’s cost of providing services under this BAA, Covered Entity agrees to reimburse Business Associate for such increase in cost.
3.6 Breach Notification. In the event of a Breach or Security Incident, Covered Entity will have the sole right to determine whether notice is to be given to any individuals, regulators, law enforcement agencies, consumer reporting agencies, media outlets, the U.S. Department of Health & Human Services, or others as required by law or in Covered Entity’s discretion. In addition, Covered Entity will have the sole right to determine the contents of such notice, whether any type of remediation may be offered to affected individuals, as well as the nature and extent of any such remediation. Covered Entity will be solely responsible for providing such notice and for the costs thereof.
3.7 Other Business Associates. Covered Entity agrees to be solely responsible for ensuring that any contractual relationships it has with other business associates comply with the HIPAA Privacy & Security Rules.
3.8 Permissible Uses Only. Except as otherwise provided under this BAA, Covered Entity will not ask Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity. Business Associate offers and recommends encryption related to the transmission of data for the provision of services set forth in a Service Agreement. If Covered Entity does not use encryption, Covered Entity is responsible for any resulting liability caused by failing to encrypt information such as ePHI.
4. PERMITTED USES AND DISCLOSURES OF PHI
Unless otherwise limited in this BAA, in addition to any other uses and/or disclosures permitted or required by this BAA, Business Associate may:
4.1 Make any and all uses and disclosures of PHI necessary to provide the services set forth in a Service Agreement to Covered Entity.
4.2 Use and disclose to subcontractors and agents the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of Business Associate.
4.3 Subject to the confidentiality provisions of the BAA, de-identify any and all PHI received or created by Business Associate under this BAA, which de-identified information shall not be subject to this BAA and may be used and disclosed on Business Associate’s own behalf, all in accordance with the de-identification requirements of the HIPAA Privacy & Security Rules.
4.4 Provide Data Aggregation Services relating to the Health Care Operations of the Covered Entity in accordance with the HIPAA Privacy & Security Rules.
4.5 Identify Research projects conducted by Business Associate, third parties for which PHI may be relevant, obtain on behalf of Covered Entity documentation of individual authorizations or an Institutional Review Board or a Privacy Board waiver that meets the requirements of 45 C.F.R. §164.512(i)(1) (each an “Authorization” or “Waiver”) related to such projects, provide Covered Entity with copies of such Authorizations or Waivers, subject to confidentiality obligations (“Required Documentation”); and disclose PHI for such Research.
4.6 Make PHI available for reviews preparatory to Research and obtain and maintain written representations in accordance with 45 C.F.R. §164.512(i)(1)(ii) that the requested PHI is sought solely as necessary to prepare a Research protocol or for similar purposes preparatory to Research, that the PHI is necessary for the Research, and that no PHI will be removed in the course of the review.
4.7 Use the PHI to create a Limited Data Set in compliance with 45 C.F.R. 164.514(e) for Research, Health Care Operations or Public Health purposes.
4.8 Use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. §164.502(J)(1).
5. TERM AND TERMINATION
5.1 Term. This BAA will continue in full force and effect for as long as a Service Agreement remains in full force and effect. The term of this BAA will be effective as of the Effective Date and will continue in effect unless terminated as authorized in Section 5.2. In addition, certain provisions and requirements of this BAA will survive expiration or termination in accordance with Section 6.2 herein.
5.2 Termination for Cause. Without limiting the rights of the Parties as set out in the Service Agreement, each Party will have the right to terminate this BAA and the Service Agreement if the other Party has engaged in a pattern of activity or practice that constitutes a material violation or breach of its obligations regarding PHI under this BAA. Prior to terminating this BAA, the terminating Party will provide the other Party with an opportunity to cure the material violation or breach. If these efforts to cure the violation or breach are unsuccessful, as determined by the terminating Party in its reasonable discretion, then the Parties will terminate this BAA and the Services Agreement as soon as administratively feasible. If a Party determines, in its sole discretion, that the other Party has breached the terms of this BAA and such breach is not cured, but the non-breaching Party decides that termination of the BAA is not feasible, the non-breaching Party may report such breach to the U.S Department of Health and Human Services.
5.3 Effect of Termination. Except as otherwise provided herein, the Parties agree that upon termination of this BAA for any reason, Business Associate will return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI received from Covered Entity or created, maintained, or received by Business Associate on behalf of Covered Entity. In the event that Business Associate reasonably determines return or destruction of the PHI is not feasible, Business Associate will notify Covered Entity of the conditions that make return or destruction not feasible. Upon mutual agreement of the Parties, Business Associate may retain the PHI and will continue to extend all protections, limitations and restrictions contained in this BAA to Business Associate’s use and/or disclosure of PHI for so long as Business Associate maintains such PHI.
5.4 Cooperation. Each Party shall cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.
6.1 Interpretation and References. Any ambiguity in this BAA or a Service Agreement shall be resolved to maintain compliance with the HIPAA Privacy & Security Rules and the HITECH Act. A reference to a section of the HIPAA Privacy & Security Rules means the section in effect or as amended and for which compliance is required.
6.2 Indemnification. [Business Associate agrees to indemnify and hold harmless Covered Entity, its Board of Directors, officers, agents, employees, and personnel (“Indemnified Party”) from and against any and all claims, demands, suits, losses, causes of action, or liability that the Indemnified Party may sustain as a result of Business Associate’s breach of its duties or its errors or omissions within the terms of this BAA. This indemnification shall include reasonable expenses, including attorney’s fees, incurred in defending such claims and damages.]
6.3 Survival. Sections 4.8, 5.2, 5.3, and 5.4 shall survive the expiration or termination for any reason of this BAA or a Service Agreement.
6.4 Governing Law. This BAA is governed by the laws of the State of _________. The federal and state courts located in _________ County, __________ will have jurisdiction to adjudicate any dispute arising out of or relating to this BAA. Each Party hereby consents to the jurisdiction of such courts and waives any right it may otherwise have to challenge the appropriateness of such forums, whether on the basis of the doctrine of forum non conveniens or otherwise.
6.5 Independent Contractor. Business Associate, including its directors, officers, employees and agents, is an independent contractor and not an agent of Covered Entity or a member of its workforce. Without limiting the generality of the foregoing, Covered Entity will have no right to control, direct, or otherwise influence Business Associate’s conduct in the course of performing the services, other than through the enforcement of this BAA or a Service Agreement, or the mutual amendment of the same.
6.6 No Third Party Beneficiaries. The Parties agree there are no intended third party beneficiaries under this BAA. Nothing express or implied in this BAA is intended to confer upon any person, other than the Parties and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever. This provision shall survive termination of this BAA and a Service Agreement.
IN WITNESS WHEREOF, the Parties acknowledge and agree to this BAA on the Effective Date.
Print Name: ______________________________
Print Name: ______________________________