September 17, 2013 Page 1 of 7
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the “BAA”) is made and entered into as of the
_________day of ________________, 20 __ by and between
_______________________________________________________ (the “Covered Entity”) and
_______________________________________________________ (the “Business Associate”).
Definitions:
Business Associate – “Business Associate” shall have the same meaning as the term “business
associate” at 45 CFR §160.103, and in reference to the party to this agreement, shall be the party
designated as a Business Associate in the first paragraph of this agreement.
Covered Entity – “Covered Entity” shall have the same meaning as the term “covered entity” at
45 CFR §160.103, and in reference to the party to this agreement, shall be the party designated as
a Covered Entity in the first paragraph of this agreement.
Terms capitalized and used herein but not otherwise defined in this Business Associate
Agreement (“BAA”) shall have the same meaning as those terms are defined in the Health
Insurance Portability and Accountability Act and related regulations found at 45 CFR Part 160
and Part 164, and the HITECH Act of 2009 (Health Information Technology for Economic and
Clinical Health) as amended, revised or updated from time to time.
I. Obligations and Activities of Business Associate.
A. Business Associate may use or disclose Protected Health Information (“PHI”) as
follows:
1. as reasonably necessary to provide the services described in the separate
primary agreement with Covered Entity (“Agreement”), and to undertake
other activities of Business Associate permitted or required to satisfy its
obligations under such Agreement;
2. as Required by Law;
3. for the proper management and administration of Business Associate,
provided, that such use or disclosure is Required by Law;
4. to carry out the legal and compliance responsibilities of Business Associate;
and
5. to report violations of law to appropriate Federal and State authorities.
B. Business Associate will:
1. use reasonable and appropriate safeguards to prevent use or disclosure of PHI
other than as provided for by the Agreement;
2. conduct a risk assessment and implement administrative, physical, and
technical safeguards that reasonably and appropriately protect the
confidentiality, integrity, and availability of PHI, which it creates, receives,
maintains or transmits on behalf of Covered Entity. Business Associate
acknowledges that the applicable provisions of the HIPAA Security Rule set
forth at 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 are applicable to
Business Associate;
3. cooperate in a timely manner with the Covered Entity to make any
amendments of PHI in its possession; and
4. use reasonable efforts to limit PHI to the minimum necessary to
accomplish the intended purpose of the use, disclosure, or request.
C. Business Associate shall take reasonable measures to mitigate, to the extent
practicable, any harmful effect that is known to Business Associate of a use or
disclosure of PHI by Business Associate or its agents or subcontractors in
violation hereof.
D. Business Associate will ensure through a separate, written Business Associate
Agreement that any agent, including a subcontractor, to whom it provides or
transmits PHI, including electronic PHI, agrees to restrictions and conditions that
apply herein to Business Associate with respect to such information.
E. Business Associate shall promptly report to Covered Entity: (i) any use,
disclosure or compromise of PHI not provided for herein, and (ii) any Security
Incident.
F. Business Associate shall report to Covered Entity any Breach (or potential
Breach) of Unsecured PHI as soon as possible without unreasonable delay but in
no case later than thirty (30) calendar days after discovery of the Breach (except
where a law enforcement official determines that such reporting would impede an
investigation or cause damage to national security). Covered Entity shall have
final determination as to whether a Breach has actually occurred. Where the
Business Associate is also the Covered Entity, the Business Associate may issue
the notification. The reporting required under this section shall include, to the
extent practicable:
1. information that identifies the Individual(s) whose Unsecured PHI has been or
is reasonably believed by Business Associate to have been accessed, acquired,
used or disclosed during the Breach;
2. a brief description of what happened;
3. a description of the Unsecured PHI involved in the Breach;
4. steps that the Individual(s) could take to protect him/herself from potential
harm; and
5. a brief description of steps taken by Business Associate to investigate,
mitigate or protect against the Breach.
G. To the extent applicable, Business Associate shall provide PHI contained in a
Designated Record Set held by Business Associate (that is not duplicative of PHI
in possession of Covered Entity) to Covered Entity in order for Covered Entity to
meet the requirements under 45 CFR §164.524 or 45 CFR §164.526, as
applicable. If any Individual requests access to his or her PHI directly from
Business Associate, Business Associate shall forward such request to Covered
Entity so that Covered Entity can comply with the request. Any disclosure of, or
decision not to disclose, the PHI requested by an Individual or a personal
representative and compliance with the requirements applicable to an Individual’s
right to obtain access to PHI shall be the sole responsibility of the Covered Entity.
If the PHI that is requested is maintained electronically and the Individual
requests an electronic copy of such information, Business Associate will provide
access to the information in an electronic format that complies with 45 CFR §
164.524(c)(2)(ii).
H. Business Associate shall document disclosures of PHI and information related to
such disclosures as would be required for Covered Entity to respond to a request
by an Individual for an accounting of disclosures of PHI in accordance with 45
CFR § 164.528. Business Associate shall provide to Covered Entity, within a
timeframe mutually agreed to by Covered Entity and Business Associate,
information collected in accordance with this Section, to permit Covered Entity to
respond to a request by an Individual for an accounting of disclosures of PHI in
accordance with 45 CFR § 164.528. If any Individual requests access to the
foregoing information directly from Business Associate, Business Associate shall
forward such request to Covered Entity so that Covered Entity can comply with
the request.
I. Business Associate agrees to make its internal practices, books and records,
including policies and procedures, relating to the use and disclosure of PHI
received from, or created or received by Business Associate on behalf of Covered
Entity available to the Secretary of Health and Human Services (HHS), in a time
and manner designated by the Secretary, for purposes of the Secretary
determining Covered Entity’s compliance with the Privacy Rule.
J. Business Associate acknowledges that the additional requirements of the
HITECH Act (Health Information Technology for Economic and Clinical Health
Act enacted as part of the American Recovery and Reinvestment Act of 2009) and
the Final Rule (also known as Omnibus Rule) issued by HHS on January 25, 2013
are applicable to Business Associate as described therein. Business Associate
further acknowledges restrictions on the sales and marketing of PHI without the
explicit authorization of the Individual.
K. In the event the Business Associate independently is also a Covered Entity under
HIPAA, the Business Associate may respond directly to an Individual’s request
for purposes of complying with applicable sections herein.
L. Any costs associated with Breach notifications, including mitigation costs, shall
be the responsibility of the party causing the Breach.
II. Obligations of Covered Entity.
A. Covered Entity shall not request Business Associate use or disclose PHI in any
manner that would not be permissible under HIPAA if done by the Covered
Entity.
B. Covered Entity shall:
1. notify Business Associate of any limitations in Covered Entity’s Notice of
Privacy Practices in accordance with 45 CFR § 164.520, if such limitations
may affect Business Associate’s use or disclosure of PHI;
2. provide Business Associate with any changes in, or revocation of, permission
by an Individual to use or disclose PHI, if such changes may affect Business
Associate’s use or disclosure of PHI, upon Covered Entity becoming aware of
such changes;
3. immediately notify Business Associate of any restriction to the use or
disclosure of PHI agreed to by Covered Entity in accordance with 45 CFR §
164.522, to the extent such restriction may affect Business Associate’s use or
disclosure of PHI;
4. provide written authorization to the Business Associate prior to requesting that
the Business Associate disclose, transfer or provide PHI to a third party; and
5. where applicable, rely on the plan sponsor’s representations certifying
amendments to their plan documents with appropriate restrictions covering
their use and disclosure of PHI.
III. Term and Termination.
A. The term of the BAA shall commence on the Effective Date and shall continue in
full force and effect until it expires or is terminated as set forth herein.
B. This BAA may be terminated by Covered Entity if Business Associate materially
breaches these terms or its Agreement and fails to cure such breach within fifteen
(15) business days after receipt of written notice of the breach. This BAA will
automatically terminate upon the expiration or termination of the Agreement (or
such portion of the Agreement which gave rise to the requirement for this
Business Associate Agreement). If the non-breaching party determines, in its
reasonable discretion following consultation with the other party, that neither
termination of this BAA nor a cure is feasible, it may report the breach to the Secretary.
C. Upon expiration or termination of this BAA for any reason, Business Associate
will return to Covered Entity or destroy all PHI. Business Associate shall not
retain any copies of the PHI. However, to the extent that Business Associate
determines that it is infeasible to return or destroy Covered Entity’s PHI, Business
Associate shall notify Covered Entity in writing of the conditions that make return
or destruction infeasible. For any PHI for which return or destruction is
infeasible, Business Associate will continue to extend the protections of this
BAA to such PHI and limit further uses and disclosures of such PHI to those
purposes that make the return or destruction infeasible, for so long as Business
Associate maintains such PHI. If Business Associate elects to destroy all PHI, it
shall, if requested in writing by Covered Entity, certify in writing to Covered
Entity that such PHI has been destroyed.
The terms of this section shall survive the expiration or termination of this BAA.
IV. Confidential Information
A. “Confidential Information” means any information disclosed by or on behalf of a
Party ("Disclosing Party") to the other Party ("Receiving Party") whether
provided orally or in writing and on whatever medium, concerning the Disclosing
Party's business and/or operations and includes without limitation any materials,
trade secrets, know-how, formulas, processes, policies and procedures, training
materials, IT security, algorithms, ideas, strategies, inventions, data, designs, flow
charts, drawings, proprietary information, business and marketing plans, financial
and operational information, and all other non-public information, material or data
relating to the current and/or future business and operations of the Disclosing
Party.
B. Confidential Information shall not include any information that:
1. is already in the public domain at the time of disclosure or later becomes
available to the public through no breach of this Agreement by the Receiving
Party or its employees;
2. is lawfully in the Receiving Party's possession, without an obligation of
confidentiality, prior to receipt hereunder;
3. is received independently by the Receiving Party from a third party who was
free to lawfully disclose such information to the Receiving Party; or
4. is independently developed by the Receiving Party without the use of
Confidential Information as evidenced by the Receiving Party's business
records.
C. The Receiving Party agrees to use at least the same degree of care, and no less
than reasonable care, to avoid disclosure of such Confidential Information as the
Receiving Party uses with respect to its own proprietary or Confidential
Information of like importance.
V. Amendment to Comply with Law.
The parties agree to take such action as is necessary to comply with and implement the
standards and requirements of HIPAA (including, without limitation, the prompt
amendment of this BAA). Notwithstanding the foregoing, if Covered Entity and
Business Associate have not amended this Agreement to address a law or final regulation
that becomes effective after the Effective Date and that is applicable to this Agreement,
then upon the effective date of such law or regulation (or any portion thereof) this
Agreement shall be amended automatically and deemed to incorporate such new or
revised provisions as are necessary for this Agreement to be consistent with such law or
regulation and for Covered Entity and Business Associate to be and remain in compliance
with all applicable laws and regulations.
VI. Interpretation.
If a term in the Agreement conflicts or is otherwise inconsistent with a term in this BAA, the
provisions of this BAA will prevail with respect to the subject matter hereof. This BAA
and the Agreement shall be interpreted as broadly as necessary to implement and comply
with HIPAA.
VII. Indemnification.
The Parties agree that the indemnification provision contained in the Agreement between
the Business Associate and the Covered Entity shall apply to each party’s performance
and that of their respective agents or subcontractors under this BAA.
Covered Entity:
Signature: _________________________________________________
Printed Name: ________________________________________________
Title: ________________________________________________
Organization: ________________________________________________
Date: ________________________________________________
Business Associate:
Signature: _________________________________________________
Printed Name: ________________________________________________
Title: ________________________________________________
Organization: ________________________________________________
Date: ________________________________________________