HIPAA Business Associate Agreement (BAA)

HIPAA BUSINESS ASSOCIATE AGREEMENT

TABLE OF CONTENTS

  1. Definitions
  2. Obligations of Business Associate
  3. Permitted Uses and Disclosures
  4. Obligations of Covered Entity
  5. Security Safeguards
  6. Breach Notification
  7. Subcontractors
  8. Individual Rights
  9. Term and Termination
  10. Miscellaneous

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("BAA" or "Agreement") is entered into as of [__/__/____] ("Effective Date") by and between:

Covered Entity: [________________________________] ("Covered Entity")
Address: [________________________________]
Contact Person: [________________________________]
Phone: [________________________________]
Email: [________________________________]

Business Associate: [________________________________] ("Business Associate")
Address: [________________________________]
Contact Person: [________________________________]
Phone: [________________________________]
Email: [________________________________]


1. DEFINITIONS

1.1 "Breach" shall have the meaning given in 45 C.F.R. § 164.402.

1.2 "Designated Record Set" shall have the meaning given in 45 C.F.R. § 164.501.

1.3 "Electronic Protected Health Information" ("ePHI") shall have the meaning given in 45 C.F.R. § 160.103.

1.4 "Individual" shall have the meaning given in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).

1.5 "Protected Health Information" ("PHI") shall have the meaning given in 45 C.F.R. § 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.

1.6 "Required by Law" shall have the meaning given in 45 C.F.R. § 164.103.

1.7 "Security Incident" shall have the meaning given in 45 C.F.R. § 164.304.

1.8 "Subcontractor" shall have the meaning given in 45 C.F.R. § 160.103.

1.9 "Unsecured Protected Health Information" shall have the meaning given in 45 C.F.R. § 164.402.


2. OBLIGATIONS OF BUSINESS ASSOCIATE

2.1 Use and Disclosure Limitations. Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law.

2.2 Appropriate Safeguards. Business Associate shall use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent the use or disclosure of PHI other than as provided for by this Agreement.

2.3 Reporting. Business Associate shall report to Covered Entity:

  • (a) Any use or disclosure of PHI not permitted by this Agreement of which it becomes aware, including Breaches of Unsecured PHI as required by 45 C.F.R. § 164.410;
  • (b) Any Security Incident of which it becomes aware. Because 45 C.F.R. § 164.304 defines "Security Incident" to include attempted as well as successful unauthorized access, the parties may agree that routine unsuccessful attempts that do not result in access to ePHI (for example, port scans or blocked log-in attempts) are reported in periodic summary form rather than individually.

2.4 Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI in violation of this Agreement.

2.5 HHS Access. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity's compliance with HIPAA.

2.6 Minimum Necessary. Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure in compliance with 45 C.F.R. § 164.502(b).


3. PERMITTED USES AND DISCLOSURES

3.1 Services. Business Associate is permitted to use and disclose PHI as necessary to perform the following services on behalf of Covered Entity:

☐ Claims processing and administration
☐ Data analysis, processing, or administration
☐ Utilization review and quality assurance
☐ Billing and payment activities
☐ Practice management services
☐ Legal services
☐ Actuarial services
☐ Accounting services
☐ IT hosting, maintenance, and cloud storage
☐ Consulting services
☐ Other: [________________________________]

3.2 Management and Administration. Business Associate may use and disclose PHI for its proper management and administration or to carry out its legal responsibilities, provided that:

  • (a) The disclosures are Required by Law; or
  • (b) Business Associate obtains reasonable assurances from any recipient that the PHI will be held confidentially, used or further disclosed only as Required by Law or for the purposes for which it was disclosed, and that the recipient will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.

3.3 Data Aggregation. Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

3.4 De-Identification. Business Associate may use PHI to create de-identified health information in accordance with 45 C.F.R. § 164.514(a)-(c), provided such de-identification is within the scope of the services agreement.


4. OBLIGATIONS OF COVERED ENTITY

4.1 Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitations in its Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI.

4.2 Permission Changes. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.

4.3 Restriction Requests. Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of PHI agreed to by Covered Entity pursuant to 45 C.F.R. § 164.522.


5. SECURITY SAFEGUARDS

5.1 Administrative Safeguards. Business Associate shall implement administrative safeguards as required by 45 C.F.R. § 164.308, including:

  • (a) Designation of a security official;
  • (b) Workforce training and management;
  • (c) Information access management;
  • (d) Contingency planning; and
  • (e) Risk analysis and risk management.

5.2 Physical Safeguards. Business Associate shall implement physical safeguards as required by 45 C.F.R. § 164.310.

5.3 Technical Safeguards. Business Associate shall implement technical safeguards as required by 45 C.F.R. § 164.312, including access controls, audit controls, integrity controls, and transmission security.

5.4 Encryption. Business Associate shall encrypt all ePHI at rest in accordance with NIST Special Publication 800-111 and all ePHI in transit in accordance with the NIST publications referenced in the HHS guidance on rendering PHI unusable, unreadable, or indecipherable to unauthorized persons (NIST Special Publications 800-52, 800-77, and 800-113, as applicable). Only ePHI encrypted consistent with that HHS guidance is excluded from the definition of Unsecured PHI, and only so long as the decryption keys have not been compromised; Business Associate shall therefore manage encryption keys separately from the encrypted ePHI.


6. BREACH NOTIFICATION

6.1 Discovery and Reporting. Business Associate shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no event later than [____] calendar days after discovery of such Breach (and in no case later than the 60 calendar days permitted by 45 C.F.R. § 164.410(b)). Consistent with 45 C.F.R. § 164.410(a)(2), a Breach is treated as discovered as of the first day on which it is known, or by exercising reasonable diligence would have been known, to Business Associate or to any person, other than the person committing the Breach, who is a workforce member or agent of Business Associate.

6.2 Content of Notice. The Breach report shall include, to the extent available:

  • (a) Identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed;
  • (b) A description of the nature of the Breach;
  • (c) The date of the Breach and the date of discovery;
  • (d) A description of the types of Unsecured PHI involved;
  • (e) The corrective actions taken or planned; and
  • (f) Any other information Covered Entity is required to include in notification to the Individual under 45 C.F.R. § 164.404(c).

6.3 Cost of Notification. Business Associate shall bear the costs of notification to affected Individuals, HHS, and/or media (as applicable) when the Breach is caused by Business Associate's acts or omissions.


7. SUBCONTRACTORS

7.1 Subcontractor BAAs. Business Associate shall enter into a written agreement with each Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate, as required by 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.504(e)(5).

7.2 Flow-Down Obligations. Such agreement shall impose the same restrictions, conditions, and requirements on the Subcontractor that apply to Business Associate under this Agreement.

7.3 Prior Approval. Business Associate shall:
☐ Obtain prior written approval from Covered Entity before engaging any Subcontractor that will access PHI
☐ Provide written notice to Covered Entity within [____] days of engaging any Subcontractor that will access PHI


8. INDIVIDUAL RIGHTS

8.1 Access to PHI. Business Associate shall make PHI in a Designated Record Set available to Covered Entity or, at Covered Entity's direction, to an Individual, as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524, within [____] days of a request.

8.2 Amendment of PHI. Business Associate shall make PHI available for amendment and incorporate any amendments to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 C.F.R. § 164.526, within [____] days of a request.

8.3 Accounting of Disclosures. Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures pursuant to 45 C.F.R. § 164.528.

8.4 Right to Restrict. Business Associate shall comply with any restriction on the use or disclosure of PHI as communicated by Covered Entity in accordance with 45 C.F.R. § 164.522.


9. TERM AND TERMINATION

9.1 Term. This Agreement shall be effective as of the Effective Date and shall continue until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if return or destruction is not feasible, until the protections of this Agreement are extended to the PHI.

9.2 Termination for Cause. Covered Entity may terminate this Agreement if Covered Entity determines that Business Associate has violated a material term of this Agreement and Business Associate has not cured the breach or ended the violation within [____] days after receiving written notice, or immediately if cure is not possible.

9.3 Effect of Termination. Upon termination, Business Associate shall:

  • (a) Return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, retaining no copies; destruction of electronic media shall use a method consistent with NIST Special Publication 800-88 (media sanitization) so that the PHI cannot be retrieved;
  • (b) If return or destruction is not feasible, extend the protections of this Agreement to the PHI and limit further uses and disclosures to those purposes that make return or destruction not feasible; and
  • (c) Provide written certification of destruction to Covered Entity within [____] days.

10. MISCELLANEOUS

10.1 Regulatory References. Any reference in this Agreement to a section of HIPAA or the HITECH Act shall mean the section as in effect or as amended.

10.2 Amendment. This Agreement may not be modified except by a written amendment signed by both parties.

10.3 Survival. The obligations of Business Associate under Sections 5, 6, 8, and 9.3 shall survive the termination of this Agreement.

10.4 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with HIPAA, the HITECH Act, and applicable regulations.

10.5 Governing Law. This Agreement shall be governed by federal law and, to the extent not preempted, the laws of the State of [________________________________].

10.6 Indemnification. Business Associate shall indemnify and hold harmless Covered Entity from any claims, losses, or penalties arising from Business Associate's breach of this Agreement or violation of HIPAA.

10.7 Insurance. Business Associate shall maintain cyber liability insurance in the amount of no less than $[________________________________] covering data breaches and unauthorized disclosures of PHI.


SIGNATURES

COVERED ENTITY:

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]

BUSINESS ASSOCIATE:

Signature: [________________________________]
Printed Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]


STATE-SPECIFIC CONSIDERATIONS

  • California: California Confidentiality of Medical Information Act (CMIA), Cal. Civ. Code § 56 et seq., imposes additional restrictions on medical information; the BAA should address CMIA compliance.
  • New York: NY SHIELD Act (Gen. Bus. Law §§ 899-aa and 899-bb) imposes data security and breach notification requirements; consider shorter breach notification timelines.
  • Texas: Tex. Health & Safety Code § 181.001 et seq. (Texas Medical Records Privacy Act) applies to covered entities and may impose additional obligations.
  • Florida: Fla. Stat. §§ 456.057 and 395.3025 impose additional patient record confidentiality requirements.


About This Template

Healthcare law covers the rules that govern providers, payers, and patients: patient privacy, referrals, licensing, and state health department requirements. Documents like business associate agreements, patient authorizations, and compliance policies carry real financial and criminal risk if they do not meet the standard. Good templates protect the practice from regulatory penalties and patients from harm that bad paperwork enables.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: April 2026