Business Associate Agreement — Subcontractor
PREAMBLE
This Business Associate Subcontractor Agreement ("Agreement") is entered into as of [__/__/____] ("Effective Date") by and between:
Business Associate ("BA"):
Name: [________________________________]
Address: [________________________________]
City/State/ZIP: [________________________________]
Contact Person: [________________________________]
Phone: [________________________________]
Email: [________________________________]
AND
Subcontractor:
Name: [________________________________]
Address: [________________________________]
City/State/ZIP: [________________________________]
Contact Person: [________________________________]
Phone: [________________________________]
Email: [________________________________]
(BA and Subcontractor are each a "Party" and collectively the "Parties.")
RECITALS
WHEREAS, BA is a business associate of one or more covered entities as those terms are defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and their implementing regulations at 45 C.F.R. Parts 160 and 164 (collectively, the "HIPAA Rules");
WHEREAS, BA desires to engage Subcontractor to perform certain services on behalf of BA that require Subcontractor to create, receive, maintain, or transmit Protected Health Information ("PHI") and/or Electronic Protected Health Information ("ePHI") on behalf of BA;
WHEREAS, the HIPAA Rules require at 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2) that a business associate ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
WHEREAS, the HITECH Act, at § 13401, makes business associates and their subcontractors directly liable for compliance with certain provisions of the HIPAA Privacy and Security Rules;
WHEREAS, the Parties desire to enter into this Agreement to comply with the requirements of the HIPAA Rules and to establish the terms and conditions under which Subcontractor will use, disclose, and protect PHI;
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
ARTICLE I: DEFINITIONS
1.1 Capitalized terms used in this Agreement and not otherwise defined shall have the meanings ascribed to them in the HIPAA Rules, including but not limited to 45 C.F.R. §§ 160.103 and 164.501.
1.2 "Agreement" means this Business Associate Subcontractor Agreement, including all exhibits, schedules, and amendments thereto.
1.3 "Breach" has the meaning set forth in 45 C.F.R. § 164.402, and includes the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, subject to the exclusions in 45 C.F.R. § 164.402(1).
1.4 "Business Associate" or "BA" means the entity identified above that has entered into one or more business associate agreements with one or more Covered Entities and is engaging Subcontractor to perform services involving PHI.
1.5 "Covered Entity" means a health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form, as defined in 45 C.F.R. § 160.103.
1.6 "Designated Record Set" has the meaning set forth in 45 C.F.R. § 164.501.
1.7 "Discovery" means the first day on which a Breach is known to Subcontractor, or, by exercising reasonable diligence, would have been known to Subcontractor. Subcontractor shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is a workforce member or agent of Subcontractor (as determined under the federal common law of agency).
1.8 "Electronic Protected Health Information" or "ePHI" has the meaning set forth in 45 C.F.R. § 160.103.
1.9 "Individual" has the meaning set forth in 45 C.F.R. § 160.103, and includes a person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).
1.10 "Minimum Necessary" means the standard set forth in 45 C.F.R. § 164.502(b), requiring that uses, disclosures, and requests for PHI be limited to the minimum necessary to accomplish the intended purpose.
1.11 "Protected Health Information" or "PHI" has the meaning set forth in 45 C.F.R. § 160.103, limited to the PHI created, received, maintained, or transmitted by Subcontractor on behalf of BA.
1.12 "Required By Law" has the meaning set forth in 45 C.F.R. § 164.103.
1.13 "Secretary" means the Secretary of the U.S. Department of Health and Human Services or the Secretary's designee.
1.14 "Security Incident" has the meaning set forth in 45 C.F.R. § 164.304.
1.15 "Services" means the services described in the Underlying Agreement and any related services performed by Subcontractor on behalf of BA that involve the creation, receipt, maintenance, or transmission of PHI.
1.16 "Subcontractor" means the entity identified above that creates, receives, maintains, or transmits PHI on behalf of BA.
1.17 "Underlying Agreement" means the services agreement, contract, purchase order, or other arrangement between BA and Subcontractor under which Subcontractor provides services to BA, as identified in Exhibit A.
1.18 "Unsecured PHI" has the meaning set forth in 45 C.F.R. § 164.402, and means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance issued under 42 U.S.C. § 17932(h)(2).
ARTICLE II: SCOPE OF SERVICES AND PHI
2.1 Description of Services. Subcontractor shall perform the Services described in the Underlying Agreement (Exhibit A), which involve the following categories of PHI:
☐ Medical records and clinical data
☐ Claims and billing data
☐ Eligibility and enrollment data
☐ Electronic health records (EHR) data
☐ Laboratory and diagnostic results
☐ Prescription and pharmacy data
☐ Mental health and behavioral health records
☐ Substance use disorder records (42 C.F.R. Part 2)
☐ HIV/AIDS-related information
☐ Genetic information
☐ Administrative and demographic data
☐ Other: [________________________________]
2.2 Minimum Necessary. Subcontractor shall limit its use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, in accordance with 45 C.F.R. § 164.502(b) and § 164.514(d).
ARTICLE III: PERMITTED AND REQUIRED USES AND DISCLOSURES
3.1 Permitted Uses and Disclosures. Except as otherwise limited by this Agreement, Subcontractor may use or disclose PHI only as follows:
(a) As necessary to perform the Services described in Section 2.1 and the Underlying Agreement, provided such use or disclosure would not violate the HIPAA Rules if done by BA or the Covered Entity (45 C.F.R. § 164.504(e)(2)(i));
(b) For the proper management and administration of Subcontractor, provided that:
- (i) The disclosures are Required By Law; or
- (ii) Subcontractor obtains reasonable assurances from the person to whom the PHI is disclosed that: (A) the information will be held confidentially and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person; and (B) the person will notify Subcontractor of any instances of which it is aware in which the confidentiality of the PHI has been breached (45 C.F.R. § 164.504(e)(4));
(c) To provide data aggregation services to BA as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B);
(d) To de-identify PHI in accordance with 45 C.F.R. § 164.514(a)-(c), provided that Subcontractor may do so only if: (i) such de-identification is specifically authorized under the Underlying Agreement; and (ii) the de-identified data is used only for the purposes set forth in the Underlying Agreement.
3.2 Prohibited Uses and Disclosures. Subcontractor shall NOT:
(a) Use or disclose PHI other than as permitted or required by this Agreement or as Required By Law;
(b) Use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 (Privacy Rule) if done by the Covered Entity, except as permitted under Sections 3.1(b) and 3.1(c);
(c) Use or disclose PHI for marketing purposes (as defined in 45 C.F.R. § 164.501) without the individual's valid written authorization (45 C.F.R. § 164.508(a)(3));
(d) Sell PHI (as prohibited by 45 C.F.R. § 164.502(a)(5)(ii) and HITECH Act § 13405(d)) without the individual's valid written authorization;
(e) Use or disclose genetic information for underwriting purposes (as prohibited by GINA and 45 C.F.R. § 164.502(a)(5)(i));
(f) Use or disclose PHI in violation of any applicable state law that is more restrictive than the HIPAA Rules.
3.3 Required Disclosures. Subcontractor shall disclose PHI:
(a) To BA when requested, for any purpose permitted under this Agreement;
(b) To the Secretary, for investigations or compliance reviews, in accordance with 45 C.F.R. § 164.502(a)(2);
(c) To the Individual (or the Individual's personal representative), when required to facilitate BA's or the Covered Entity's obligation to provide access under 45 C.F.R. § 164.524;
(d) As Required By Law.
ARTICLE IV: SAFEGUARDS
4.1 Administrative Safeguards. Subcontractor shall implement administrative safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of BA, as required by 45 C.F.R. § 164.308, including but not limited to:
(a) Designating a security official responsible for development and implementation of security policies and procedures;
(b) Implementing workforce security measures, including authorization and supervision, clearance procedures, and termination procedures;
(c) Implementing security awareness and training for all workforce members;
(d) Implementing security incident procedures for detecting, reporting, and responding to security incidents;
(e) Establishing a contingency plan, including data backup, disaster recovery, and emergency mode operation plans;
(f) Conducting periodic evaluations of its security policies and procedures;
(g) Conducting a risk analysis and implementing a risk management program.
4.2 Physical Safeguards. Subcontractor shall implement physical safeguards as required by 45 C.F.R. § 164.310, including but not limited to:
(a) Facility access controls (including contingency operations, facility security plan, access control and validation procedures, and maintenance records);
(b) Workstation use and workstation security policies;
(c) Device and media controls (including disposal, media re-use, accountability, and data backup and storage).
4.3 Technical Safeguards. Subcontractor shall implement technical safeguards as required by 45 C.F.R. § 164.312, including but not limited to:
(a) Access controls (including unique user identification, emergency access procedure, automatic logoff, and encryption and decryption);
(b) Audit controls to record and examine activity in information systems that contain or use ePHI;
(c) Integrity controls to protect ePHI from improper alteration or destruction;
(d) Person or entity authentication;
(e) Transmission security (including integrity controls and encryption for ePHI transmitted over electronic communications networks).
4.4 Policies and Procedures. Subcontractor shall maintain and implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule standards and implementation specifications, as required by 45 C.F.R. § 164.316.
4.5 Encryption Standards. Subcontractor shall encrypt all ePHI:
(a) At rest, using AES-128 or AES-256 encryption (or equivalent), consistent with NIST SP 800-111;
(b) In transit, using TLS 1.2 or higher (or equivalent), consistent with NIST SP 800-52;
(c) On all portable devices and removable media.
Note: Encryption that meets the standards specified by the Secretary in guidance issued under 42 U.S.C. § 17932(h)(2) renders PHI "secured" and exempt from breach notification requirements.
ARTICLE V: BREACH NOTIFICATION AND SECURITY INCIDENT REPORTING
5.1 Breach Reporting. Subcontractor shall report to BA any Breach of Unsecured PHI without unreasonable delay and in no event later than [____] calendar days after Discovery of the Breach (the "Breach Notification Deadline"). The notification shall include, to the extent available:
(a) The identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;
(b) A brief description of what happened, including the date of the Breach and the date of Discovery;
(c) A description of the types of Unsecured PHI involved (e.g., full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information);
(d) Any steps the Individual should take to protect against potential harm resulting from the Breach;
(e) A brief description of what Subcontractor is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any further Breaches;
(f) Contact information for Subcontractor, including a toll-free telephone number, an email address, a website, or a postal address.
5.2 Breach Notification Chain.
| Event | Timeline | Responsible Party |
|---|---|---|
| Discovery of potential Breach by Subcontractor | Day 0 | Subcontractor |
| Subcontractor internal investigation begins | Within 24 hours of Discovery | Subcontractor |
| Subcontractor notifies BA of Breach | No later than [____] calendar days after Discovery | Subcontractor |
| BA notifies Covered Entity | Per BA's agreement with Covered Entity (typically within [____] days) | BA |
| Covered Entity notifies affected Individuals | Within 60 calendar days of Covered Entity's Discovery (45 C.F.R. § 164.404(b)) | Covered Entity |
| Covered Entity notifies HHS | Per 45 C.F.R. § 164.408 (annually for <500 individuals; within 60 days for 500+) | Covered Entity |
| Covered Entity notifies media (if 500+ in a state) | Within 60 calendar days (45 C.F.R. § 164.406) | Covered Entity |
5.3 Security Incident Reporting. Subcontractor shall report to BA any Security Incident of which it becomes aware, as follows:
(a) Successful Security Incidents (incidents resulting in unauthorized access, use, disclosure, modification, or destruction of ePHI, or interference with system operations in a system containing ePHI): Report within [____] calendar days of becoming aware.
(b) Unsuccessful Security Incidents (attempted but failed incidents, such as unsuccessful log-in attempts, pings on a firewall, port scans, attempts to access a computer or network that are denied by the system, or denial-of-service attacks that are effectively deflected): The Parties acknowledge that unsuccessful security incidents occur on a routine basis. Subcontractor shall provide an aggregate summary of such incidents to BA on a [☐ monthly ☐ quarterly ☐ annual] basis, or more frequently upon BA's reasonable request.
5.4 Cooperation in Breach Investigation. Subcontractor shall cooperate fully with BA and, as applicable, with the Covered Entity and law enforcement in the investigation of any Breach or Security Incident, including:
(a) Preserving evidence and forensic data;
(b) Providing access to affected systems and records;
(c) Making workforce members available for interviews;
(d) Assisting in the preparation of notifications to Individuals, HHS, and media as required.
5.5 Mitigation. Subcontractor shall mitigate, to the extent practicable, any harmful effect that is known to Subcontractor of a use or disclosure of PHI by Subcontractor in violation of this Agreement (45 C.F.R. § 164.530(f)).
ARTICLE VI: DOWNSTREAM SUBCONTRACTORS
6.1 Flow-Down Requirements. Subcontractor shall ensure that any agent or downstream subcontractor to whom it provides PHI agrees in writing to the same restrictions, conditions, and requirements that apply to Subcontractor under this Agreement with respect to such PHI, as required by 45 C.F.R. § 164.502(e)(1)(ii) and § 164.504(e)(2)(ii)(D).
6.2 Prior Approval. Subcontractor shall not engage any downstream subcontractor that will create, receive, maintain, or transmit PHI on behalf of BA without:
☐ BA's prior written approval (required)
☐ BA's prior written approval (required only for subcontractors accessing more than [____] records)
☐ Notification to BA within [____] business days of engagement
6.3 Responsibility for Downstream Subcontractors. Subcontractor shall be directly responsible for the acts and omissions of its downstream subcontractors with respect to PHI, to the same extent as if such acts or omissions were those of Subcontractor.
6.4 Monitoring. Subcontractor shall implement a program to monitor its downstream subcontractors' compliance with the terms of their agreements regarding PHI, including periodic assessments of their security posture.
ARTICLE VII: INDIVIDUAL RIGHTS
7.1 Access to PHI. Subcontractor shall, within [____] business days of a request from BA, make available PHI in a Designated Record Set to BA for purposes of satisfying the Covered Entity's obligations under 45 C.F.R. § 164.524 (Individual's right of access). If an Individual makes a request for access directly to Subcontractor, Subcontractor shall promptly forward the request to BA.
7.2 Amendment of PHI. Subcontractor shall, within [____] business days of a request from BA, make PHI in a Designated Record Set available to BA for amendment, and shall incorporate any amendments to PHI as directed by BA, in accordance with 45 C.F.R. § 164.526.
7.3 Accounting of Disclosures. Subcontractor shall:
(a) Document all disclosures of PHI and information related to such disclosures as required for BA or the Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 C.F.R. § 164.528;
(b) Make this information available to BA within [____] business days of a request;
(c) Maintain this documentation for a minimum of six (6) years from the date of the disclosure.
7.4 Restrictions on Disclosures. Subcontractor shall comply with any restrictions on the use or disclosure of PHI that BA has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restrictions affect Subcontractor's use or disclosure of PHI, provided that BA notifies Subcontractor of any such restrictions.
7.5 Confidential Communications. Subcontractor shall accommodate reasonable requests by BA (made on behalf of the Covered Entity) to communicate PHI by alternative means or at alternative locations, in accordance with 45 C.F.R. § 164.522(b).
ARTICLE VIII: AUDIT AND INSPECTION
8.1 HHS Access. Subcontractor shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules, as required by 45 C.F.R. § 164.504(e)(2)(ii)(H).
8.2 BA Audit Rights. BA shall have the right to audit Subcontractor's compliance with this Agreement, including:
(a) The right to conduct on-site inspections of Subcontractor's facilities, systems, and records related to PHI, upon [____] business days written notice;
(b) The right to request and receive copies of Subcontractor's security policies, procedures, and risk assessments;
(c) The right to request and receive evidence of Subcontractor's security certifications, penetration testing results, vulnerability scan reports, and SOC 2 (or equivalent) audit reports;
(d) The right to engage a qualified independent third party to conduct an audit or security assessment, at BA's expense (unless the audit reveals material non-compliance, in which case Subcontractor shall bear the cost);
(e) The right to request and receive a completed security questionnaire or assessment on an annual basis or upon material change in Subcontractor's security posture.
8.3 Remediation. If an audit or inspection reveals non-compliance with this Agreement or the HIPAA Rules, Subcontractor shall, at its own expense, promptly remediate the non-compliance and provide BA with written evidence of remediation within [____] calendar days.
ARTICLE IX: INSURANCE AND INDEMNIFICATION
9.1 Insurance Requirements. Subcontractor shall obtain and maintain, at its sole expense, the following insurance coverage throughout the term of this Agreement and for a period of [____] years following termination:
(a) Cyber Liability / Technology Errors and Omissions Insurance with minimum limits of $[________________________________] per occurrence and $[________________________________] in the aggregate, including coverage for:
- Data breach response costs (notification, credit monitoring, identity restoration)
- Network security liability
- Privacy liability
- Regulatory defense and penalties
- Media liability (if applicable)
(b) Commercial General Liability Insurance with minimum limits of $[________________________________] per occurrence and $[________________________________] in the aggregate;
(c) Professional Liability / Errors and Omissions Insurance with minimum limits of $[________________________________] per occurrence;
(d) Workers' Compensation Insurance as required by applicable law.
Subcontractor shall provide certificates of insurance to BA upon request and shall notify BA at least [____] days prior to any material change in, cancellation of, or non-renewal of coverage.
9.2 Indemnification. Subcontractor shall indemnify, defend, and hold harmless BA, its Covered Entity clients, and their respective officers, directors, employees, agents, successors, and assigns from and against any and all claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees, expert witness fees, court costs, and costs of investigation and remediation) arising out of or relating to:
(a) Subcontractor's Breach of Unsecured PHI;
(b) Subcontractor's violation of this Agreement;
(c) Subcontractor's violation of the HIPAA Rules;
(d) Any acts or omissions of Subcontractor's workforce members, agents, or downstream subcontractors with respect to PHI;
(e) Any regulatory investigation, enforcement action, or civil money penalty imposed by HHS or a state attorney general arising from Subcontractor's acts or omissions;
(f) Any third-party claims, including class action litigation, arising from Subcontractor's unauthorized use or disclosure of PHI.
9.3 Notification Costs. In the event of a Breach caused by Subcontractor's acts or omissions, Subcontractor shall bear all costs of:
(a) Breach notification to affected Individuals (45 C.F.R. § 164.404);
(b) Credit monitoring and identity theft protection services for affected Individuals for a period of not less than [____] months;
(c) Call center services for affected Individuals;
(d) Forensic investigation;
(e) Regulatory notification and response.
ARTICLE X: DATA LOCATION AND PERSONNEL REQUIREMENTS
10.1 Data Location. Subcontractor shall create, receive, maintain, and transmit PHI only within the following geographic restrictions:
☐ United States only (all 50 states and U.S. territories)
☐ United States and the following approved countries: [________________________________]
☐ No geographic restriction (Subcontractor must identify all locations where PHI is stored or accessed)
10.2 Notification of Change in Data Location. Subcontractor shall provide BA with [____] days prior written notice before storing, accessing, or transmitting PHI from any new location not previously approved.
10.3 Personnel Requirements.
(a) Background Checks. Subcontractor shall conduct background checks on all workforce members who will have access to PHI, at minimum including criminal history, employment verification, and identity verification, prior to granting access. Background checks shall be repeated at least every [____] years.
(b) Training. Subcontractor shall ensure that all workforce members who access PHI receive training on HIPAA requirements, Subcontractor's privacy and security policies, and the obligations under this Agreement, prior to accessing PHI and at least annually thereafter.
(c) Confidentiality Agreements. All Subcontractor workforce members with access to PHI shall execute individual confidentiality agreements that include obligations consistent with this Agreement.
(d) Minimum Necessary Access. Subcontractor shall implement role-based access controls to ensure that workforce members have access only to the minimum PHI necessary to perform their assigned duties.
ARTICLE XI: TERMINATION
11.1 Term. This Agreement shall be effective as of the Effective Date and shall continue in effect until:
(a) All PHI has been returned or destroyed in accordance with Section 11.4; or
(b) The Agreement is terminated as provided herein.
11.2 Termination for Cause. BA may terminate this Agreement and the Underlying Agreement immediately upon written notice if:
(a) Subcontractor materially breaches this Agreement and fails to cure such breach within [____] calendar days of receiving written notice of the breach; or
(b) Subcontractor has breached a material term of this Agreement and BA determines, in its reasonable discretion, that cure is not possible; or
(c) Subcontractor becomes the subject of a voluntary or involuntary petition in bankruptcy or any proceeding relating to insolvency, receivership, liquidation, or composition for the benefit of creditors.
11.3 Effect of Termination of Underlying Agreement. This Agreement shall survive termination of the Underlying Agreement to the extent necessary to carry out the return or destruction of PHI and the surviving provisions set forth in Section 11.6.
11.4 Return or Destruction of PHI. Upon termination of this Agreement, for any reason, Subcontractor shall:
(a) Return to BA or destroy all PHI in Subcontractor's possession or control, including all copies in any form or medium (paper, electronic, or otherwise), within [____] calendar days of termination;
(b) Certify in writing to BA that all PHI has been returned or destroyed, specifying the method of destruction used;
(c) If return or destruction is not feasible (e.g., PHI is embedded in backup tapes or legal hold requirements apply), Subcontractor shall:
- (i) Notify BA in writing of the specific reasons why return or destruction is not feasible;
- (ii) Extend the protections of this Agreement to such PHI;
- (iii) Limit further uses and disclosures of such PHI to those purposes that make return or destruction infeasible; and
- (iv) Destroy such PHI as soon as destruction becomes feasible.
(d) Ensure that all downstream subcontractors return or destroy PHI in accordance with this Section.
11.5 Sanctions for Non-Compliance with Termination Obligations. Failure to return or destroy PHI as required under this Section shall constitute a material breach of this Agreement, entitling BA to all remedies available at law or in equity, including injunctive relief.
11.6 Survival. The following provisions shall survive termination of this Agreement: Article I (Definitions), Article V (Breach Notification), Article VII (Individual Rights, to the extent PHI is retained), Article VIII (Audit and Inspection, for 6 years), Article IX (Insurance and Indemnification), Section 11.4 (Return or Destruction), and this Section 11.6.
ARTICLE XII: REGULATORY CHANGES AND AMENDMENTS
12.1 Amendment for Regulatory Changes. The Parties agree that this Agreement shall be amended to the extent necessary to comply with any changes to the HIPAA Rules, the HITECH Act, or any other applicable federal or state law or regulation affecting the use, disclosure, or protection of PHI. The Parties shall negotiate in good faith to incorporate any required amendments within [____] calendar days of the effective date of such regulatory change.
12.2 Written Amendments. This Agreement may not be modified, amended, or supplemented except by a written instrument signed by authorized representatives of both Parties.
12.3 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
ARTICLE XIII: STATE-SPECIFIC PROVISIONS
13.1 California
(a) Confidentiality of Medical Information Act (CMIA). To the extent Subcontractor receives medical information (as defined in Cal. Civ. Code § 56.05) from a provider of health care, health care service plan, pharmaceutical company, or contractor, Subcontractor shall comply with the CMIA (Cal. Civ. Code §§ 56–56.37). Specifically:
- Subcontractor shall not further disclose medical information except as authorized by the patient or as permitted by the CMIA;
- Subcontractor shall implement and maintain appropriate administrative, technical, and physical safeguards to protect medical information from unauthorized access;
- Subcontractor acknowledges that the CMIA provides a private right of action with statutory damages of $1,000 per violation and actual damages (Cal. Civ. Code §§ 56.35–56.36).
(b) Subcontractor shall comply with Cal. Civ. Code § 1798.82 (data breach notification).
13.2 Texas
(a) Texas Medical Privacy Act (Tex. Health & Safety Code Ch. 181, as amended by HB 300). Subcontractor shall comply with the Texas Medical Privacy Act, including:
- Training requirements for employees on state and federal health privacy laws (Tex. Health & Safety Code § 181.101);
- Prohibition on the sale of PHI without the individual's authorization (Tex. Health & Safety Code § 181.153);
- Authorization requirements that may be more restrictive than HIPAA (Tex. Health & Safety Code § 181.154);
- Compliance with the Texas AG-approved standard authorization form.
(b) The Texas Attorney General has independent enforcement authority for violations of the Texas Medical Privacy Act, with civil penalties of up to $250,000 per violation.
(c) Mental Health Records. Subcontractor shall comply with Tex. Health & Safety Code Ch. 611 for mental health records, including heightened confidentiality requirements.
13.3 Florida
(a) Subcontractor shall comply with Fla. Stat. § 501.171 (Florida Information Protection Act of 2014), including:
- Notification to the Florida Department of Legal Affairs within 30 days of a data breach determination affecting 500 or more individuals;
- Individual notification without unreasonable delay and no later than 30 days after determination of a breach.
(b) Subcontractor shall comply with Fla. Stat. § 395.3025 (patient record rights) and § 456.057 (ownership and control of patient records) to the extent applicable.
(c) HIV Records. Subcontractor shall comply with Fla. Stat. § 381.004 for HIV test results.
13.4 New York
(a) SHIELD Act (N.Y. Gen. Bus. Law § 899-aa). Subcontractor shall comply with the Stop Hacks and Improve Electronic Data Security Act, including:
- Implementation of a data security program that includes reasonable administrative, technical, and physical safeguards for private information of New York residents;
- Breach notification requirements to affected New York residents, the NY Attorney General, the NY Department of State, and the NY Division of State Police;
- Expanded definition of "private information" that includes biometric information, username/email with password, and health information in combination with other data elements.
(b) Subcontractor shall comply with N.Y. Pub. Health Law § 18 (patient access to medical records) and N.Y. Mental Hygiene Law § 33.13 (confidentiality of mental health records) to the extent applicable.
(c) HIV Records. Subcontractor shall comply with N.Y. Pub. Health Law Article 27-F (§§ 2780–2787) for HIV-related information.
ARTICLE XIV: CLOUD SERVICE PROVIDER PROVISIONS
This Article applies if Subcontractor provides cloud computing, hosting, SaaS, PaaS, or IaaS services involving ePHI.
14.1 Service Level Agreement. Subcontractor shall maintain system availability of not less than [____]% uptime, measured monthly, exclusive of scheduled maintenance windows.
14.2 Data Segregation. Subcontractor shall logically segregate BA's ePHI from data of other customers. Subcontractor shall not commingle BA's ePHI with the data of other customers without appropriate access controls.
14.3 Security Certifications. Subcontractor shall maintain and provide evidence of the following certifications (check all that apply):
☐ SOC 2 Type II
☐ HITRUST CSF Certification
☐ ISO 27001 Certification
☐ FedRAMP Authorization (if applicable)
☐ Other: [________________________________]
14.4 Data Portability. Upon termination, Subcontractor shall provide BA's data in a standard, commercially reasonable format within [____] business days and shall permanently delete all copies within [____] calendar days of confirmed receipt by BA.
14.5 Subprocessors. Subcontractor shall maintain a current list of all subprocessors that access, store, or process ePHI and shall provide this list to BA upon request. Subcontractor shall notify BA at least [____] days prior to engaging a new subprocessor.
ARTICLE XV: GENERAL PROVISIONS
15.1 Governing Law. This Agreement shall be governed by and construed in accordance with federal HIPAA standards and the laws of the State of [________________________________], without regard to its conflict of law principles.
15.2 Entire Agreement. This Agreement, together with the Underlying Agreement and all exhibits and schedules, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, negotiations, and discussions.
15.3 Severability. If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
15.4 No Third-Party Beneficiaries. Nothing in this Agreement shall confer any rights upon any person or entity other than the Parties and their respective successors and permitted assigns, except that Individuals shall be considered third-party beneficiaries of this Agreement to the extent of their rights under the HIPAA Rules.
15.5 Assignment. Subcontractor may not assign or transfer this Agreement, or any rights or obligations hereunder, without BA's prior written consent.
15.6 Waiver. The failure of either Party to enforce any provision of this Agreement shall not constitute a waiver of that Party's right to enforce that or any other provision in the future.
15.7 Notices. All notices under this Agreement shall be in writing and delivered by certified mail (return receipt requested), nationally recognized overnight courier, or email with confirmed receipt, to the addresses set forth in the preamble.
15.8 Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same instrument. Electronic signatures shall have the same force and effect as original signatures.
ARTICLE XVI: SIGNATURES
Business Associate
Printed Name: [________________________________]
Title: [________________________________]
Signature: ______________________________
Date: [__/__/____]
Subcontractor
Printed Name: [________________________________]
Title: [________________________________]
Signature: ______________________________
Date: [__/__/____]
EXHIBIT A: DESCRIPTION OF UNDERLYING AGREEMENT AND SERVICES
Underlying Agreement Title: [________________________________]
Underlying Agreement Date: [__/__/____]
Description of Services: [________________________________]
Categories of PHI Involved: [________________________________]
Covered Entity/Entities for Whom Services Are Performed: [________________________________]
EXHIBIT B: APPROVED DOWNSTREAM SUBCONTRACTORS
| Subcontractor Name | Services Provided | PHI Categories | Data Location(s) | BAA Date | Approval Date |
|---|---|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] | [__/__/____] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [__/__/____] | [__/__/____] |
Sources and References
- 45 C.F.R. § 164.502(e) — Uses and Disclosures of PHI: Business Associates: https://www.law.cornell.edu/cfr/text/45/164.502
- 45 C.F.R. § 164.504(e) — Business Associate Contracts: https://www.law.cornell.edu/cfr/text/45/164.504
- 45 C.F.R. § 164.314 — Organizational Requirements (Security Rule): https://www.law.cornell.edu/cfr/text/45/164.314
- 45 C.F.R. § 164.308(b) — Business Associate Contracts (Administrative Safeguards): https://www.law.cornell.edu/cfr/text/45/164.308
- HITECH Act (42 U.S.C. §§ 17931–17940): https://www.law.cornell.edu/uscode/text/42/chapter-156/subchapter-III
- HHS Guidance on Business Associates: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
- HHS Business Associates Fact Sheet: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.pdf
- Cal. Civ. Code §§ 56–56.37 (CMIA): https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=1.&title=&part=2.6.&chapter=1.&article=
- Tex. Health & Safety Code Ch. 181: https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm
- Fla. Stat. § 501.171: http://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&URL=0500-0599/0501/Sections/0501.171.html
- N.Y. Gen. Bus. Law § 899-aa (SHIELD Act): https://www.nysenate.gov/legislation/laws/GBS/899-AA
- HIPAA Business Associate Agreement — 2025 Update: https://www.hipaajournal.com/hipaa-business-associate-agreement/
About This Template
These templates cover the everyday paperwork that happens between patients, providers, and health plans: consent forms, medical record authorizations, directives for end-of-life care, and requests to approve or deny treatment. Getting them right matters because they document medical decisions, release sensitive health information, and often have to meet both federal privacy rules and state-specific requirements. A form that is missing a required disclosure can be rejected by a provider or challenged later in court.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: March 2026