A business associate agreement (BAA) is a contract between a covered entity and a business associate that must be in place before any activity that involves the disclosure of protected health information (PHI). It is required under the Health Insurance Portability and Accountability Act (HIPAA) to protect the security of individuals’ health information.
A business associate agreement must be executed before a party can receive, maintain, create, or transmit PHI on a covered entity’s behalf. [1]
A business associate agreement outlines the obligations of an individual or company that will be accessing a covered entity’s PHI, which includes:
A business associate is a contractor, business entity, or service provider that performs services involving the handling of PHI on behalf of a covered entity. [9]
THIS AGREEMENT is entered into on [DATE], by and between:
Covered Entity: [COVERED ENTITY’S NAME], with a mailing address of [COVERED ENTITY’S ADDRESS] (“Covered Entity”), and
Business Associate: [BUSINESS ASSOCIATE’S NAME], with a mailing address of [BUSINESS ASSOCIATE’S ADDRESS] (“Business Associate”).
WHEREAS, Business Associate provides certain services to or on behalf of Covered Entity, and in connection with those services, Business Associate creates, receives, maintains, or transmits protected health information (PHI);
NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the parties agree as follows:
1. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
a. Business Associate agrees not to use or disclose PHI other than as permitted or required by the Agreement or as required by law.
b. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
2. PROHIBITION ON UNAUTHORIZED USE OR DISCLOSURE
a. Business Associate will not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
3. MITIGATION OF HARMFUL EFFECTS
a. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Agreement.
4. OBLIGATIONS OF BUSINESS ASSOCIATE
a. Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of the PHI other than as provided for by this Agreement.
b. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, and any Security Incident of which it becomes aware.
c. Business Associate agrees to ensure that any agent, including a subcontractor, agrees to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
5. DUTIES UPON TERMINATION
a. Upon termination of this Agreement for any reason, Business Associate will return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
6. INDEMNIFICATION
a. Business Associate agrees to indemnify, defend and hold harmless Covered Entity and its directors, officers, employees, and agents from and against all claims, damages, liabilities, judgments, costs, and expenses (including reasonable legal fees and expenses) arising out of or in connection with any breach of this Agreement by Business Associate, or any negligent or wrongful act or omission of Business Associate concerning its use or disclosure of PHI.
7. INSURANCE
a. Business Associate will maintain a policy or policies of insurance with coverage amounts that are commercially reasonable and customary for the risks associated with this Agreement.
8. TERM AND TERMINATION
a. The Term of this Agreement shall be effective as of the date mentioned herein and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information.
b. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:
i. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate the contract if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;
ii. Immediately terminate the contract if Business Associate has breached a material term of the contract and cure is not possible; or
iii. If neither termination nor cure is feasible, report the violation to the Secretary.
9. TRAINING
a. Business Associate shall train its employees and subcontractors on the requirements of HIPAA and the BAA.
10. DATA OWNERSHIP
a. It is agreed that all PHI is owned by the Covered Entity.
11. DISPUTE RESOLUTION
a. The parties agree to negotiate in good faith to resolve any disputes that arise out of this Agreement.
This Agreement is executed the day and year first written above and is binding upon the parties, their successors, and assigns.
Covered Entity:
Signature: ____________________________ Date: ______________
Name: ____________________________
Title: ____________________________
Business Associate:
Signature: ____________________________ Date: ______________
Name: ____________________________
Title: ____________________________