
Business Associate Agreement (HIPAA)


BUSINESS ASSOCIATE AGREEMENT



AGREEMENT INFORMATION

Agreement Date: [DATE]

Effective Date: [EFFECTIVE DATE]

Agreement Number: [BAA-XXXX]


PARTIES

Covered Entity

Name: [COVERED ENTITY NAME]

Entity Type: ☐ Healthcare Provider ☐ Health Plan ☐ Healthcare Clearinghouse

Address: [ADDRESS]

Contact Person: [NAME]

Phone: [PHONE]

Email: [EMAIL]

(Hereinafter referred to as "Covered Entity" or "CE")

Business Associate

Name: [BUSINESS ASSOCIATE NAME]

Entity Type: [TYPE OF BUSINESS]

Address: [ADDRESS]

Contact Person: [NAME]

Phone: [PHONE]

Email: [EMAIL]

(Hereinafter referred to as "Business Associate" or "BA")


RECITALS

WHEREAS, Covered Entity is a [healthcare provider/health plan/healthcare clearinghouse] subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations, including the Privacy Rule at 45 CFR Part 164 Subpart E, the Security Rule at 45 CFR Part 164 Subpart C, and the Breach Notification Rule at 45 CFR Part 164 Subpart D;

WHEREAS, Business Associate provides services to Covered Entity that involve the creation, receipt, maintenance, or transmission of Protected Health Information;

WHEREAS, the parties wish to comply with the requirements of HIPAA and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") by entering into this Business Associate Agreement;

WHEREAS, 45 CFR § 164.504(e) requires Covered Entity to obtain satisfactory assurances from Business Associate that Business Associate will appropriately safeguard PHI;

NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:


ARTICLE 1: DEFINITIONS

Capitalized terms used in this Agreement shall have the meanings set forth below or as defined in 45 CFR Parts 160 and 164:

1.1 "Breach" shall have the meaning given to such term under 45 CFR § 164.402.

1.2 "Business Associate" shall have the meaning given to such term under 45 CFR § 160.103.

1.3 "Covered Entity" shall have the meaning given to such term under 45 CFR § 160.103.

1.4 "Designated Record Set" shall have the meaning given to such term under 45 CFR § 164.501.

1.5 "Electronic Protected Health Information" or "ePHI" shall have the meaning given to such term under 45 CFR § 160.103.

1.6 "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended.

1.7 "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

1.8 "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009.

1.9 "Individual" shall have the meaning given to such term under 45 CFR § 160.103 and shall include a person who qualifies as a personal representative under 45 CFR § 164.502(g).

1.10 "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 164, Subpart E.

1.11 "Protected Health Information" or "PHI" shall have the meaning given to such term under 45 CFR § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity.

1.12 "Required by Law" shall have the meaning given to such term under 45 CFR § 164.103.

1.13 "Secretary" means the Secretary of the U.S. Department of Health and Human Services or the Secretary's designee.

1.14 "Security Incident" shall have the meaning given to such term under 45 CFR § 164.304.

1.15 "Security Rule" means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 164, Subpart C.

1.16 "Subcontractor" shall have the meaning given to such term under 45 CFR § 160.103.

1.17 "Unsecured PHI" shall have the meaning given to such term under 45 CFR § 164.402.


ARTICLE 2: SERVICES PROVIDED BY BUSINESS ASSOCIATE

2.1 Description of Services

Business Associate provides the following services to Covered Entity that involve PHI (the "Services"):

☐ [SERVICE 1]
☐ [SERVICE 2]
☐ [SERVICE 3]
☐ [SERVICE 4]
☐ Other: [SPECIFY]

2.2 Underlying Service Agreement

This Business Associate Agreement supplements and is incorporated into the following underlying service agreement(s):

Agreement Name: [SERVICE AGREEMENT NAME]

Agreement Date: [SERVICE AGREEMENT DATE]

Agreement Reference Number: [REFERENCE NUMBER]


ARTICLE 3: PERMITTED USES AND DISCLOSURES

3.1 Permitted Uses and Disclosures

Business Associate may use or disclose PHI only as follows:

(a) As necessary to perform the Services described in Article 2;

(b) As Required by Law;

(c) For the proper management and administration of Business Associate, provided that:
(i) The disclosure is Required by Law; or
(ii) Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and the recipient will notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached;

(d) To provide Data Aggregation services relating to the Health Care Operations of Covered Entity, if permitted under the underlying service agreement;

(e) To de-identify PHI in accordance with 45 CFR § 164.514(a)-(c), provided that Business Associate may not use or disclose the de-identified information except as permitted by this Agreement or the underlying service agreement.

3.2 Prohibited Uses and Disclosures

Business Associate shall NOT:

(a) Use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity, except as specifically permitted under Section 3.1(c) and (d);

(b) Use or disclose PHI for marketing purposes without prior written authorization from Covered Entity and the Individual (45 CFR § 164.508);

(c) Sell PHI without prior written authorization from Covered Entity and the Individual (45 CFR § 164.502(a)(5)(ii));

(d) Use or disclose genetic information for underwriting purposes (45 CFR § 164.502(a)(5)(i));

(e) Use or disclose PHI in any manner not authorized by this Agreement or Required by Law.

3.3 Minimum Necessary Standard

Business Associate agrees to use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with 45 CFR § 164.502(b) and 45 CFR § 164.514(d).


ARTICLE 4: OBLIGATIONS OF BUSINESS ASSOCIATE

4.1 Safeguards

Business Associate shall implement appropriate safeguards, and comply with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement, including but not limited to:

(a) Administrative Safeguards (45 CFR § 164.308): Security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plan, evaluation, and business associate contracts;

(b) Physical Safeguards (45 CFR § 164.310): Facility access controls, workstation use and security, and device and media controls;

(c) Technical Safeguards (45 CFR § 164.312): Access controls, audit controls, integrity controls, person or entity authentication, and transmission security.

4.2 Reporting Obligations

(a) Security Incidents: Business Associate shall report to Covered Entity any Security Incident of which it becomes aware within [3/5/10] business days of discovery.

(b) Breaches: Business Associate shall report to Covered Entity any Breach of Unsecured PHI within [30/60] days of discovery, as required by 45 CFR § 164.410. The report shall include:
(i) Identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;
(ii) A brief description of what happened;
(iii) The date of the Breach and the date of discovery;
(iv) A description of the types of Unsecured PHI involved;
(v) A description of the investigation;
(vi) Any steps Business Associate has taken to mitigate harm; and
(vii) Any other information Covered Entity reasonably requests.

(c) Unsuccessful Security Incidents: The parties acknowledge that unsuccessful Security Incidents (e.g., pings, port scans, unsuccessful log-on attempts) occur regularly and do not require individual reporting. Business Associate shall provide summary reports of unsuccessful Security Incidents upon request.

4.3 Subcontractors

(a) In accordance with 45 CFR § 164.502(e)(1)(ii) and 45 CFR § 164.504(e)(2)(ii)(D), Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement;

(b) Business Associate shall enter into written agreements with all Subcontractors that impose at least the same obligations as this Agreement;

(c) Business Associate shall provide to Covered Entity, upon request, a list of all Subcontractors that have access to PHI.

4.4 Access to PHI

In accordance with 45 CFR § 164.524 and 45 CFR § 164.504(e)(2)(ii)(E), Business Associate shall:

(a) Make PHI maintained in a Designated Record Set available to Covered Entity or, as directed by Covered Entity, to an Individual, within [15/30] days of a request;

(b) Make PHI available in the format requested if readily producible, or in a mutually agreed upon alternative format;

(c) Provide electronic access to ePHI as required by 45 CFR § 164.524(c)(2).

4.5 Amendment of PHI

In accordance with 45 CFR § 164.526 and 45 CFR § 164.504(e)(2)(ii)(F), Business Associate shall:

(a) Make PHI available for amendment;

(b) Incorporate any amendments to PHI as directed by Covered Entity within [15/30] days.

4.6 Accounting of Disclosures

In accordance with 45 CFR § 164.528 and 45 CFR § 164.504(e)(2)(ii)(G), Business Associate shall:

(a) Document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to an Individual's request for an accounting of disclosures;

(b) Make information available to Covered Entity or, as directed by Covered Entity, to an Individual, within [30] days of a request;

(c) Maintain such documentation for a period of [6] years from the date of the disclosure.

4.7 Availability of Books and Records

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining compliance with the HIPAA Rules, as required by 45 CFR § 164.504(e)(2)(ii)(H).

4.8 Mitigation

Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.


ARTICLE 5: OBLIGATIONS OF COVERED ENTITY

5.1 Notice of Privacy Practices

Covered Entity shall provide Business Associate with a copy of its Notice of Privacy Practices and any changes thereto.

5.2 Restrictions on Uses/Disclosures

Covered Entity shall notify Business Associate of any changes in, or revocation of, authorization by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.

5.3 Restrictions Requested by Individuals

Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

5.4 Permissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.


ARTICLE 6: TERM AND TERMINATION

6.1 Term

This Agreement shall be effective as of the Effective Date and shall remain in effect until:

(a) All PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity; or

(b) The Agreement is terminated in accordance with Section 6.2 or 6.3.

6.2 Termination for Cause

Upon Covered Entity's knowledge of a material breach of this Agreement by Business Associate, Covered Entity shall:

(a) Provide Business Associate with written notice of the breach;

(b) Allow Business Associate [30] days to cure the breach;

(c) If the breach is not cured within the cure period, Covered Entity may terminate this Agreement immediately upon written notice;

(d) If cure is not possible, Covered Entity may terminate this Agreement immediately upon written notice;

(e) If termination is not feasible, Covered Entity shall report the violation to the Secretary.

6.3 Termination Without Cause

Either party may terminate this Agreement without cause upon [60/90] days' written notice to the other party, provided that termination of this Agreement shall not affect any underlying service agreement, which shall be governed by its own terms.

6.4 Effect of Termination

(a) Upon termination of this Agreement, Business Associate shall:

(i) Return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, as directed by Covered Entity;

(ii) Retain no copies of PHI;

(iii) If return or destruction is not feasible, extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.

(b) Business Associate shall certify in writing to Covered Entity that all PHI has been returned or destroyed within [30] days of termination, or, if destruction or return is not feasible, that Business Associate will protect the PHI and limit its use and disclosure as provided in this Section.


ARTICLE 7: INDEMNIFICATION

7.1 By Business Associate

Business Associate shall indemnify, defend, and hold harmless Covered Entity and its officers, directors, employees, and agents from and against any and all claims, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to:

(a) Any Breach of Unsecured PHI caused by Business Associate or its Subcontractors;

(b) Any violation of the HIPAA Rules by Business Associate or its Subcontractors;

(c) Any breach of this Agreement by Business Associate or its Subcontractors;

(d) Any negligent or wrongful acts or omissions of Business Associate or its Subcontractors in connection with this Agreement.

7.2 By Covered Entity

Covered Entity shall indemnify, defend, and hold harmless Business Associate and its officers, directors, employees, and agents from and against any and all claims, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to:

(a) Any negligent or wrongful acts or omissions of Covered Entity in connection with this Agreement;

(b) Covered Entity's failure to provide notice of restrictions or changes as required by Article 5.

7.3 Procedure

The indemnified party shall provide prompt written notice of any claim, shall allow the indemnifying party to control the defense, and shall cooperate in the defense as reasonably requested.


ARTICLE 8: INSURANCE

8.1 Business Associate Insurance Requirements

Business Associate shall maintain the following insurance coverage:

(a) Cyber Liability Insurance: Minimum coverage of $[AMOUNT] per occurrence, covering data breaches, privacy violations, and related claims;

(b) Professional Liability Insurance: Minimum coverage of $[AMOUNT] per occurrence;

(c) General Liability Insurance: Minimum coverage of $[AMOUNT] per occurrence.

8.2 Certificate of Insurance

Business Associate shall provide Covered Entity with certificates of insurance upon request.


ARTICLE 9: MISCELLANEOUS PROVISIONS

9.1 Regulatory References

Any reference in this Agreement to a regulatory provision shall be deemed to be a reference to such provision as amended from time to time.

9.2 Amendment

(a) The parties agree to negotiate in good faith to amend this Agreement as necessary to comply with changes in HIPAA Rules or other applicable law;

(b) No amendment to this Agreement shall be effective unless in writing and signed by both parties.

9.3 Survival

The obligations of Business Associate under Sections 4.6 and 6.4 and Article 7 shall survive termination of this Agreement.

9.4 Interpretation

Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

9.5 No Third-Party Beneficiaries

Nothing in this Agreement shall confer upon any person other than the parties and their successors and permitted assigns any rights or remedies under this Agreement.

9.6 Entire Agreement

This Agreement constitutes the entire agreement between the parties with respect to its subject matter and supersedes all prior agreements, understandings, negotiations, and discussions, whether oral or written.

9.7 Severability

If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

9.8 Waiver

No waiver of any breach of this Agreement shall constitute a waiver of any subsequent breach.

9.9 Assignment

Business Associate shall not assign this Agreement or any rights or obligations hereunder without the prior written consent of Covered Entity.

9.10 Notices

All notices shall be in writing and sent to the addresses set forth above, or to such other address as a party may designate in writing. Notices shall be effective upon receipt.

9.11 Governing Law

This Agreement shall be governed by federal law and, to the extent not preempted, the laws of the State of [STATE].

9.12 Counterparts

This Agreement may be executed in counterparts, each of which shall be deemed an original.

9.13 Electronic Signatures

This Agreement may be executed by electronic signature in accordance with applicable law.


ARTICLE 10: SIGNATURES

IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the date first written above.

COVERED ENTITY

Signature: ______________________________________

Printed Name: [NAME]

Title: [TITLE]

Date: ______________

BUSINESS ASSOCIATE

Signature: ______________________________________

Printed Name: [NAME]

Title: [TITLE]

Date: ______________


EXHIBIT A: DESCRIPTION OF SERVICES AND PHI

Services

[Detailed description of services provided by Business Associate]

Categories of PHI

The following categories of PHI may be created, received, maintained, or transmitted by Business Associate:

☐ Demographic information (name, address, date of birth)
☐ Social Security Numbers
☐ Medical record numbers
☐ Health plan beneficiary numbers
☐ Account numbers
☐ Clinical/medical information
☐ Diagnosis and treatment information
☐ Prescription information
☐ Laboratory results
☐ Billing and claims information
☐ Other: [SPECIFY]

Permitted Purposes

[List specific permitted purposes for use and disclosure]


EXHIBIT B: SECURITY REQUIREMENTS

Minimum Security Standards

☐ Encryption of ePHI at rest (AES-256 or equivalent)
☐ Encryption of ePHI in transit (TLS 1.2 or higher)
☐ Multi-factor authentication for access to systems containing PHI
☐ Annual security risk assessments
☐ Employee background checks
☐ Security awareness training
☐ Incident response plan
☐ Business continuity and disaster recovery plan
☐ Regular vulnerability scanning and penetration testing
☐ Other: [SPECIFY]



About This Template

These templates cover the everyday paperwork that happens between patients, providers, and health plans: consent forms, medical record authorizations, directives for end-of-life care, and requests to approve or deny treatment. Getting them right matters because they document medical decisions, release sensitive health information, and often have to meet both federal privacy rules and state-specific requirements. A form that is missing a required disclosure can be rejected by a provider or challenged later in court.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: May 2026
