Business Associate Agreement Template (HIPAA)

All states
Updated Apr 18, 2025
~ 7 pages
PDF
A Business Associate Agreement is a legal contract between a healthcare provider and a service partner that ensures the protection of patients’ sensitive health information. It is used to comply with HIPAA regulations and define each party’s responsibility in handling confidential information.
BUSINESS ASSOCIATE AGREEMENT


This Business Associate Agreement (hereinafter referred to as the "Agreement") is entered into on   (the "Effective Date") by and between

 , an individual having their usual place of living at   (hereinafter referred to as the "Covered Entity"), and

 , an individual having their usual place of living at   (hereinafter referred to as the "Business Associate"), collectively referred to as the "Parties" and individually as the "Party".

WHEREAS this Agreement sets forth the terms and conditions of the use and disclosure of the Protected Health Information (PHI) provided by, created, or received by the Business Associate from or on behalf of the Covered Entity. The Parties agree to be bound by the Privacy Rule and the Security Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and other related rules and regulations.

DEFINITIONS. For the purpose of this Agreement, the terms of this Agreement are defined as follows: 

The term "Protected Health Information" or "PHI" has the same meaning as the term "Protected Health Information" in 45 CFR §160.103, which is limited to the information created or received by the Business Associate on behalf of or from the Covered Entity. Protected Health Information shall include any health information in electronic form and any other form. 

The "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the privacy rule, which compromises the security or privacy of the PHI.

The "CFR" means the Code of Federal Regulations. 

The "Breach Notification Rule" means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.

The "Individual" means the person who is the subject of the Protected Health Information. 

The "Privacy Rule" refers to the standards for privacy of individually identifiable health information at 45 CFR Part 160 and Part 164, Subparts A and E. 

The "Security Rule" means the Security Standards at 45 CFR Part 160 and Part 164, Subparts A and C.

The terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the Privacy Rule and Security Rule. 

SUBJECT OF THE AGREEMENT. The Parties have entered or will enter into a service or other agreement under which the Business Associate shall provide specific services to the Covered Entity (the "Master Agreement"). Performing the Master Agreement requires the Covered Entity to disclose the PHI and the Business Associate to receive and use it.

USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION. Business Associate may use or disclose the PHI following the terms and conditions of this Agreement, as permitted under the Privacy Rule and as required by law.

The Business Associate agrees to use, disclose, and request the PHI in accordance with the minimum necessary policies and procedures of the Covered Entity.

Except as otherwise limited by this Agreement or by federal or state law, the Covered Entity authorizes the Business Associate to use or disclose the PHI as follows:

The Business Associate may disclose the PHI for the purposes specified herein above. These disclosures must comply with the following conditions:

  • Before disclosing the PHI to a third party, the Business Associate shall obtain written assurance from the third party. This assurance shall confirm that the PHI will be held confidential under the terms outlined in this Agreement and used or further disclosed only as required by law or for the purpose for which it was disclosed to the third party.
  • The Business Associate shall obtain the third party's agreement to notify the Business Associate immediately of any Breach of the confidentiality of the PHI of which the third party becomes aware.

The Business Associate shall use appropriate safeguards, and with respect to electronic PHI shall comply with the Security Rule (Subpart C of 45 CFR Part 164), to prevent the use or disclosure of the PHI other than as provided by this Agreement.

The Business Associate will not use or disclose the PHI in any way other than as specified in this Agreement, as permitted by the Privacy Rule, or as required by law. When using, disclosing, or requesting the PHI, the Business Associate shall make reasonable efforts to limit the PHI to the minimum necessary, or to a limited data set where practicable, to fulfill the intended purpose of the use, disclosure, or request, following Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)).

The Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit the PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate concerning such information. 

The Business Associate shall make reasonable efforts to mitigate any harmful effect known to the Business Associate of any use or disclosure of the PHI by the Business Associate or the agents or subcontractors in violation of the requirements of this Agreement.

REPORTING DISCLOSURES OF THE PHI AND SECURITY INCIDENTS. The Business Associate shall report to the Covered Entity any use or disclosure of the PHI not permitted by this Agreement of which the Business Associate becomes aware, including any Breach of the PHI as required by the Privacy Rule, and any Security Incident (as defined in 45 CFR §164.304) involving electronic PHI of which the Business Associate becomes aware. The Business Associate agrees to report any such event within   business days.

REPORTING BREACHES AND UNSECURED PHI. The Business Associate shall notify the Covered Entity in writing of any discovery of a Breach of unsecured PHI within a maximum time frame of   calendar days, and in no case later than 60 calendar days after discovery of the Breach, unless a shorter time frame applies under state law. A Breach shall be treated as discovered as of the first day on which it is known to the Business Associate or, by exercising reasonable diligence, would have been known to the Business Associate (45 CFR §164.410(a)(2)). The notification shall identify, to the extent possible, each Individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach, together with any other information the Covered Entity needs in order to notify the affected Individuals under 45 CFR §164.404.

The Business Associate shall reimburse the Covered Entity for any costs incurred in complying with the requirements of Subpart D of 45 CFR Part 164 imposed on the Covered Entity as a result of a Breach committed by the Business Associate.

AUDIT REPORT. Upon request by the Covered Entity, the Business Associate shall provide a copy of the most recent independent HIPAA compliance report (AT-C 315) or other third-party audit report based on independent standards. 

ACCESS AND AMENDMENT TO THE PHI. Upon the request of the Covered Entity, the Business Associate agrees to provide copies of the PHI maintained by the Business Associate in a designated record set in the time and manner specified by the Covered Entity to enable the Covered Entity to respond to an Individual's request for access to PHI.

If the Individual or a personal representative directly requests access to the Individual's PHI from the Business Associate, the Business Associate shall promptly forward that request to the Covered Entity within 10 business days. The Covered Entity is solely responsible for any decision related to the disclosure or non-disclosure of the requested PHI and compliance with the requirements concerning an Individual's right to access the PHI.

Upon request and instruction from the Covered Entity, the Business Associate shall amend the PHI or records about the Individual in a designated record set that are maintained by or otherwise within the possession of the Business Associate, as directed by the Covered Entity and in accordance with 45 CFR §164.526 of the Privacy Rule. The Business Associate shall complete any request by the Covered Entity to amend such information within 15 business days of the Covered Entity's request.

If any Individual requests that the Business Associate amend such Individual's PHI or records in a designated record set, the Business Associate shall forward this request to the Covered Entity within 10 business days. The Covered Entity is solely responsible for any decisions regarding the amendment or non-amendment of the PHI or records requested by the Individual, as well as compliance with the requirements for the Individual's right to request amendments in PHI.

RESPONSIBILITIES OF THE COVERED ENTITY. The Covered Entity is obligated to: 

  • Notify the Business Associate of any limitation in its notice of privacy practices to the extent that such limitation may affect the Business Associate's use or disclosure of the PHI.

  • Inform the Business Associate of any change in, or revocation of, an Individual's authorization to use or disclose the PHI if the change or revocation may affect the Business Associate's use or disclosure of the PHI.

  • Notify the Business Associate of any restriction on the use or disclosure of the PHI agreed upon by the Covered Entity if these restrictions may affect the Business Associate's use or disclosure of the PHI.

  • Except for data aggregation or management and administrative activities of the Business Associate, the Covered Entity shall not request the Business Associate to use or disclose the PHI in any manner that would not be permissible under HIPAA if done by the Covered Entity.


TERM AND TERMINATION. This Agreement shall be effective as of the Effective Date and remain in effect until termination of the Master Agreement.

A material breach in the context of this Agreement encompasses any violation of the obligations set out herein.

If the Business Associate materially breaches this Agreement, the Covered Entity shall have the right to terminate the Agreement unilaterally. The Covered Entity shall provide written notice of the material breach, and if the Business Associate fails to remedy it within   days, the Covered Entity shall terminate the Agreement. The Covered Entity also has the right to report the violation to the Secretary of Health and Human Services.


RETURN OF THE PHI. Upon termination of this Agreement, all the PHI received from the Covered Entity or created, maintained, or received by the Business Associate on behalf of the Covered Entity shall be returned or destroyed. This provision shall also apply to the PHI in the possession of the Business Associate's subcontractors or agents. The Business Associate shall not retain any copies of the PHI. Upon request, the Business Associate shall provide the Covered Entity with a written certification of the destruction of the PHI within   days.

If returning or destroying the PHI is infeasible, the Business Associate shall extend the protections of this Agreement to the PHI that is not returned or destroyed and shall limit further uses and disclosures of that PHI to those purposes that make its return or destruction infeasible, for as long as the Business Associate maintains it.


NOTICE. Any notice or communication required to be given under this Agreement shall be deemed duly given if delivered personally or sent by registered mail, return receipt requested to the address specified in the opening paragraph or to such other address as one Party may have furnished to the other Party in writing, or to email addresses set forth below:

If to the Covered Entity:   

If to the Business Associate:  

Either Party may change its registered mail or email address for receipt of notices by giving written notice to the other Party. 

GOVERNING LAW AND DISPUTE RESOLUTION. This Agreement shall be governed by and interpreted under the laws of the State of  , and any disputes arising out of or in connection with this Agreement shall be exclusively resolved by the courts of the State of  .


SEVERABILITY. The invalidity or unenforceability of any provision of this Agreement shall not affect the validity or enforceability of any other provision of this Agreement.


ENTIRE AGREEMENT. This Agreement constitutes the entire understanding between the Parties and supersedes any prior oral or written agreements.


WAIVER. The failure of any Party to enforce a particular provision of this Agreement shall not constitute a waiver of their right to enforce that provision in the future.


AMENDMENTS. This Agreement may be amended or modified only by a written agreement signed by both Parties.


BINDING EFFECT. This Agreement shall be binding upon the Parties and their respective permitted successors and assigns.

IN WITNESS WHEREOF, the Parties have signed this Agreement as of the Effective Date.

THE COVERED ENTITY

 ,

 , USA

______________________

(Place for signature)

THE BUSINESS ASSOCIATE

 ,

 , USA

______________________

(Place for signature)


Written by Karyna Pukaniuk - Reviewed by Kate Adkham

Template Description


A HIPAA business associate agreement does not transfer ownership of anything. It sets out how a business associate may use and disclose the protected health information it handles on a covered entity's behalf, what safeguards it must maintain, and how it must report security incidents and breaches. HIPAA requires these written assurances (45 CFR §164.502(e) and §164.504(e)) before a covered entity may disclose PHI to a business associate, so the agreement is both a compliance requirement and the document that allocates responsibility if PHI is mishandled.

When To Use a Business Associate Agreement


You should use a HIPAA business associate agreement template when a healthcare provider or organization shares private patient information (like medical records) with another company that helps them. This includes companies that do things like billing, IT support, or data storage.

A sample business associate agreement is needed when:

  • A company is handling health information on behalf of a doctor, hospital, or clinic
  • A third party has access to electronic medical records or patient data
  • You want to follow HIPAA rules and avoid legal trouble for sharing sensitive health info
  • You need to clearly explain how the data will be used and protected

How To Fill Out the BAA Forms


1. Enter the basic info


You’ll need to fill in the names and addresses of both parties. The person or company sharing the protected information is the Covered Entity, and the person or company handling that information is the Business Associate.

Example:

This Business Associate Agreement is entered into on March 10, 2025 by and between Green Valley Clinic, an individual having their usual place of living at 123 Oak Ave, Springfield, IL 62704, and Secure Health Data LLC, an individual having their usual place of living at 456 Main St, Springfield, IL 62701.

2. Reporting disclosures of PHI and security incidents


This part explains how and when the Business Associate must report any use or disclosure of protected health information (PHI) not permitted by the agreement, and any security incident it becomes aware of.

Example:

 The Business Associate agrees to report any such event within 5 business days.

3. Reporting breaches and unsecured PHI


If the Business Associate discovers that unsecured PHI was exposed or accessed inappropriately, it must notify the Covered Entity. Whatever number of days you enter here, HIPAA itself caps the deadline at 60 calendar days from discovery, and a shorter period is typical so that the Covered Entity has time to notify affected individuals within its own 60-day limit.

Example:

 ...within a maximum time frame of 30 calendar days...

4. Breach consequences and agreement termination


If there is a material breach of the agreement, the Covered Entity gives written notice, allows the Business Associate the stated number of days to cure it, and may terminate the agreement if the breach is not cured.

Example:

...and if the Business Associate fails to remedy it within 15 days...

5. Contact details for notices


You’ll need to list email addresses or mailing addresses where official communication should be sent.

Example:

 If to the Covered Entity: [email protected]
 If to the Business Associate: [email protected]

Once all these sections are filled in, both parties should review the terms carefully, then sign and date the agreement to make it legally binding.
