Business Associate Agreement
This Business Associate Agreement (“BAA”) is entered into by and between ____________________. (“Business Associate”) and the Covered Entity. This BAA is incorporated into and made part of the contractual agreements between the parties (whether existing now or entered into in the future) during the period in which the Business Associate provides services to the Covered Entity. In connection with such services, the Covered Entity may disclose or provide access to Protected Health Information (“PHI”) to the Business Associate, subject to the requirements of the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (45 C.F.R. Parts 160–164) (“HIPAA”), and the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
Definitions
Catch-all definition:
The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules:
Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
Specific definitions:
(a) Business Associate. “Business Associate” shall have the same meaning as the term “business associate” at 45 C.F.R. § 160.103, and in reference to this BAA shall mean the healthcare provider, dental practice, or laboratory that discloses or provides access to Protected Health Information to the Business Associate under this Agreement.
(b) Covered Entity. “Covered Entity” shall have the same meaning as the term “covered entity” at 45 C.F.R. § 160.103, and in reference to the party to this BAA, shall mean the healthcare provider, chiropractic practice, or laboratory that discloses or provides access to Protected Health Information to the Business Associate under this Agreement.
(c) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
(d) Breach. “Breach” shall have the meaning given to such term under 45 C.F.R. § 164.402, and applicable state data breach notification laws.
(e) Breach Notification Rule. “Breach Notification Rule” shall mean the rule governing breach notification for Unsecured Protected Health Information (“Unsecured PHI”), as set forth at 45 C.F.R. Parts 160 and 164.
(f) Designated Record Set. “Designated Record Set” shall have the meaning given to such term under the Privacy Rule at 45 C.F.R. § 164.501.
(g) Electronic Protected Health Information (“EPHI”). “Electronic Protected Health Information” or “EPHI” shall have the meaning given to such term under the Security Rule, including but not limited to 45 C.F.R. § 160.103, and shall be limited to the information created, received, maintained, or transmitted by the Business Associate on behalf of the Covered Entity.
(h) Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, as codified at 45 C.F.R. Parts 160 and 164, Subparts A and E.
(i) Protected Health Information (“PHI”). “Protected Health Information” or “PHI” shall have the meaning given to such term under the Privacy Rule and Security Rule at 45 C.F.R. § 160.103, and shall be limited to the information created, received, maintained, or transmitted by the Business Associate on behalf of the Covered Entity.
(j) Security Rule. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, as codified at 45 C.F.R. Part 164, Subparts A and C.
Obligations and Activities of Business Associate
Business Associate agrees to:
(a) Neither use nor disclose Protected Health Information other than as permitted or required by this BAA, the Contractual Agreements, or as required by law (Covered Entity represents and warrants that it has obtained all necessary licenses, approvals, and consents to use, disclose to Business Associate, or otherwise make available to Business Associate Protected Health Information);
(b) Use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic Protected Health Information (“PHI”) to prevent use or disclosure of Protected Health Information other than as provided for by this BAA.
(c) Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including breaches of unsecured PHI as required under 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware, within thirty (30) days of discovery. (Mere reporting of any such breaches does not constitute or impose on Business Associate liability for such breaches.) Business Associate may, but is not obligated to, perform its own risk assessment pursuant to 45 C.F.R. § 164.402; however, nothing herein is intended to relieve Covered Entity of its obligations under the HIPAA Breach Notification Rule.
(d) In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information, before any PHI is disclosed or made accessible.
(e) Make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524, within thirty (30) days of receiving a written request.
(f) Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity or take other measures as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.526, within sixty (60) days of receiving a written request.
(g) Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.528.
(h) To the extent the Business Associate is to conduct one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
(i) Make its internal practices, books, and records available to the Secretary of the U.S. Department of Health and Human Services (HHS) for purposes of determining compliance with the HIPAA Rules, promptly upon receiving a written request from the Secretary.
(j) In the event Business Associate receives requests directly from an individual regarding his/her PHI, Business Associate, as a courtesy, may—but is not required to—provide responses and notices directly to the individual; however, nothing herein relieves the Covered Entity of its obligations and liabilities under the HIPAA Breach Notification Rule or the Contractual Agreements.
(k) Both parties agree to comply with the prohibition on using or disclosing PHI to investigate, impose liability, or penalize any individual, entity, or provider for seeking, obtaining, providing, or facilitating reproductive health care. Any such uses or disclosures must comply with applicable laws, including the HIPAA Privacy Rule and the policies of Covered Entity. Any request for PHI related to reproductive health care must include assurances, consistent with HIPAA and applicable law, that the request does not violate these prohibitions.
Permitted Uses and Disclosures by Business Associate
(a) Business Associate may make all uses or disclosures of Protected Health Information as set forth in the Contractual Agreements and as necessary to perform the services described in this BAA and the Contractual Agreements.
(b) Business Associate may use or disclose Protected Health Information as required by law. Business Associate shall notify Covered Entity of any such disclosure within thirty (30) calendar days after the later of:
1. The use or disclosure, or
2. Becoming aware of the requirement—unless prohibited by law.
(c) Business Associate agrees to make uses, disclosures, and requests for Protected Health Information consistent with Covered Entity’s written policies and procedures, as provided to Business Associate in accordance with this BAA. Business Associate shall implement such policies as soon as commercially practicable after receipt.
(d) Business Associate may not use or disclose Protected Health Information in a manner that would violate Subpart E of 45 CFR Part 164 if performed by Covered Entity, except as specifically permitted under this BAA or the Contractual Agreements.
(e) Covered Entity represents and warrants that it has obtained all necessary licenses, approvals, and consents to use, disclose to, or otherwise make available to Business Associate any Protected Health Information.
(f) Business Associate may use or disclose Protected Health Information for its proper management and administration or to fulfill its legal responsibilities. All such disclosures must be documented and made available to Covered Entity upon request and in a timely manner.
(g) Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514 and may use such de-identified data. Upon request, Business Associate shall provide Covered Entity with a general description of its de-identification process.
(h) Business Associate may provide data aggregation services related to the health care operations of the Covered Entity.
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
(a) Covered Entity shall notify Business Associate in writing of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information. Such notification shall be provided promptly upon the Covered Entity becoming aware of the limitation.
(b) Covered Entity shall notify Business Associate in writing of any changes in, or revocation of, an individual’s permission to use or disclose Protected Health Information, to the extent such changes may affect Business Associate’s use or disclosure of such information. Notification shall be provided promptly upon Covered Entity being informed of the change or revocation.
(c) Covered Entity shall notify Business Associate in writing of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent such restriction may affect Business Associate’s use or disclosure of such information. Notification shall be provided promptly upon Covered Entity agreeing to the restriction.
Permissible Requests by Covered Entity
(a) Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity, or in any manner that would violate this BAA, the Contractual Agreements, or the HIPAA Rules.
(b) Covered Entity may request that Business Associate provide the name and contact information of its designated Security Officer and reasonable assurances regarding the implementation of appropriate safeguards with respect to PHI once per calendar year. Business Associate shall provide the requested information in a timely manner and in such form and detail as reasonably determined by the Business Associate. Covered Entity shall be responsible for any costs, fees, or expenses associated with such requests.
Indemnification
Each party (“Indemnifying Party”) shall indemnify, defend, and hold harmless the other party (“Indemnified Party”) and its officers, directors, employees, agents, affiliates, and successors from and against any and all third-party claims, demands, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees and costs of investigation) to the extent arising out of or relating to:
(a) the Indemnifying Party’s gross negligence or willful misconduct; or
(b) the Indemnifying Party’s material breach of this BAA that results in a violation of HIPAA, HITECH, or other applicable data protection laws.
The Indemnifying Party shall not settle any claim in a manner that imposes an obligation on the Indemnified Party, admits liability, or requires any payment by the Indemnified Party without the Indemnified Party’s prior written consent.
Limitation of Liability
Except for liabilities arising from a party’s gross negligence, willful misconduct, or intentional violation of applicable law, each party’s total cumulative liability under this BAA shall not exceed the greater of (a) $1,000,000 or (b) the total fees paid by Covered Entity to Business Associate under the Contractual Agreements in the twelve (12) months preceding the event giving rise to the claim. This limitation shall apply to all claims, including without limitation those arising from confidentiality or data protection obligations, except to the extent such claims result from the conduct described above.
Term and Termination
(a) Term. The Term of this BAA shall be effective as of the date executed by Covered Entity and shall terminate at the earliest of:
1. the date set out in the Contractual Agreements between the parties, as such date may be modified from time to time;
2. the date Covered Entity terminates for cause as authorized in paragraph (b) of this Section; or
3. the date Business Associate terminates for cause as authorized in paragraph (c) of this Section.
(b) Termination by Covered Entity for Cause. Covered Entity may terminate this BAA upon sixty (60) calendar days’ written notice if it determines that Business Associate has materially breached this BAA and failed to cure the breach within the notice period. Covered Entity’s termination of this BAA may also result in termination of any related Contractual Agreements, to the extent required for compliance with HIPAA.
(c) Termination by Business Associate for Cause. Business Associate may terminate this BAA upon sixty (60) calendar days’ written notice if it determines that Covered Entity has materially breached this BAA or any applicable law and failed to cure the breach within such notice period.
(d) Effect of Termination. Business Associate shall, unless a longer period is required by applicable law or Business Associate’s policies, retain Protected Health Information (PHI) received from Covered Entity for no more than sixty (60) days from the date of termination of this BAA, or for such other period as the parties may agree in writing to allow for return or authorized destruction of all PHI, except as otherwise provided in this section.
Thereafter, Business Associate shall return or securely destroy all PHI still maintained in any form. If Business Associate determines that return or destruction of the PHI (or any subset thereof) is not feasible or practicable, it shall, to the extent commercially practicable, provide Covered Entity with written notice of the conditions making return or destruction infeasible. For as long as Business Associate maintains such PHI, it shall extend the protections of this BAA to that PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible or not practicable.
Covered Entity is solely responsible for complying with all applicable laws and regulations related to medical record retention, patient access, and authorization to use, disclose, or release patient data. Without limiting the foregoing, Covered Entity represents and warrants that it has obtained all licenses, approvals, and consents required to use, disclose to Business Associate, or otherwise make available to Business Associate any PHI.
All costs, fees, and expenses associated with the return or migration of PHI under this BAA, or any Contractual Agreements shall be paid or reimbursed by Covered Entity, and Business Associate shall have no obligation to return PHI until such amounts are paid in full.
Survival
The obligations of Business Associate under this Section, together with the provisions regarding confidentiality, indemnification, limitation of liability, and the return or destruction of PHI, shall survive the termination of this BAA.
General Provisions
(a) Upon the effective date of any applicable final regulation or applicable amendment to final regulations promulgated by the Department of Health and Human Services, this BAA and Contractual Agreements of which it is part will automatically be deemed amended so that the parties remain in compliance with such regulations.
(b) The parties acknowledge and agree that this BAA will be deemed to have been jointly prepared by the parties and their respective legal counsel and will not be strictly construed against either party.
(c) Except as otherwise provided herein, the terms and conditions of this BAA will override and control any conflicting term or condition expressly stated in the Contractual Agreements between Covered Entity and Business Associate. All non-conflicting terms and conditions of such Contractual Agreements (including without limitation those related to customer data and security, warranties, disclaimers, indemnification, and limitations of liability) will remain in full force and effect.
(d) Any ambiguity in this BAA shall be resolved in favor of an interpretation that allows Covered Entity to comply with HIPAA or its Business Associate Agreement with its client.
(e) This Business Associate Agreement shall be governed in all respects by the laws of the state of California. The parties hereby consent to the exercise of exclusive jurisdiction in the County of San Diego, State of California for any claim relating to the enforcement of, or any rights under, this BAA.
(f) This BAA may be modified or amended by the Business Associate upon thirty (30) calendar days’ written notice to Covered Entity, solely to ensure compliance with applicable laws, regulations, or contractual obligations. Any such amendment shall:
1. Specify the provisions being modified; and
2. Include an effective date that is no less than thirty (30) calendar days from the date of notice, unless an earlier effective date is required by law.