Template — Customize for your organization. This template covers the minimum requirements under 45 CFR §164.504(e).
This is a template only and does not constitute legal advice. Have your legal counsel review any BAA before execution.
This Business Associate Agreement ("Agreement") is entered into as of
by and between:
(collectively, the "Parties")
1. Definitions
Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164), including:
Protected Health Information (PHI) — individually identifiable health information transmitted or maintained in any form or medium.
Electronic Protected Health Information (ePHI) — PHI that is transmitted or maintained in electronic media.
Breach — the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.
Security Incident — the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
2. Obligations of Business Associate
Business Associate agrees to:
Use and Disclosure Limitations. Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
Safeguards. Use appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI, and comply with the Security Rule with respect to ePHI.
Reporting. Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, any Security Incident, or any Breach of Unsecured PHI, without unreasonable delay and no later than 30 calendar days after discovery.
Subcontractors. Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of BA agree to the same restrictions and conditions that apply to BA under this Agreement.
Access to PHI. Make available PHI in a Designated Record Set to CE or the individual as required under 45 CFR §164.524.
Amendment of PHI. Make available PHI for amendment and incorporate any amendments to PHI as required under 45 CFR §164.526.
Accounting of Disclosures. Make available the information required to provide an accounting of disclosures as required under 45 CFR §164.528.
HHS Access. Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining compliance.
Minimum Necessary. To the extent required by the Minimum Necessary standard, limit use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose.
3. Permitted Uses and Disclosures
Business Associate may use or disclose PHI as necessary to perform the following services on behalf of Covered Entity:
Business Associate may also:
Use PHI for the proper management and administration of BA, provided disclosures are required by law or BA obtains reasonable assurances from the recipient.
Use PHI to provide Data Aggregation services to CE as permitted by 45 CFR §164.504(e)(2)(i)(B).
De-identify PHI in accordance with 45 CFR §164.514(a)-(c).
4. Obligations of Covered Entity
Covered Entity agrees to:
Notify BA of any limitations in the CE's Notice of Privacy Practices that may affect BA's use or disclosure of PHI.
Notify BA of any changes in, or revocation of, the permission by an individual to use or disclose their PHI.
Notify BA of any restriction on the use or disclosure of PHI that CE has agreed to in accordance with 45 CFR §164.522.
5. Term and Termination
5.1 Term
This Agreement shall be effective as of the Effective Date and shall terminate when all PHI provided by CE to BA, or created or received by BA on behalf of CE, is destroyed or returned to CE.
5.2 Termination for Cause
Either Party may terminate this Agreement if it determines that the other Party has violated a material term of this Agreement. The non-breaching Party shall provide written notice of the breach and allow 30 calendar days to cure. If the breach is not cured, the non-breaching Party may terminate this Agreement.
5.3 Obligations Upon Termination
Upon termination, BA shall return or destroy all PHI received from CE or created or received by BA on behalf of CE. If return or destruction is not feasible, BA shall extend the protections of this Agreement to the PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.
6. Breach Notification
Business Associate shall, following the discovery of a Breach of Unsecured PHI, notify Covered Entity without unreasonable delay and in no case later than 30 calendar days after discovery. The notification shall include:
Identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, affected.
A description of the nature of the Breach, including the types of PHI involved.
The date of the Breach and date of discovery.
A description of what BA is doing to investigate, mitigate harm, and protect against further Breaches.
7. Miscellaneous
Regulatory References. Any reference to a regulatory section means the section as in effect or as amended.
Amendment. This Agreement may not be modified except in writing signed by both Parties.
Survival. The obligations of BA under Section 5.3 shall survive the termination of this Agreement.
Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with HIPAA Rules.