Business Associate Agreement
Effective Date: [Insert Date here]
This Business Associate Agreement is made as of the Effective Date set forth above, by and between [Insert Organization Name Here] (“Organization”) and [Insert Name of Business Associate Here] (“B.A.”).
Whereas, the Organization is a “covered entity” and B.A. is a Business Associate within the meaning of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. §1320(d)) (“HIPAA”);
Whereas, B.A. may use Individually Identifiable Health Information in the course of providing services as set forth in the contract between the parties;
Whereas, the Organization and B.A. desire to enter this Agreement in order to permit B.A. to use or disclose Individually Identifiable Health Information received from the Organization or another business associate of the Organization for the purposes of performing the assigned services for the Organization as described above;
Whereas, the Organization and B.A. wish to comply with HIPAA, including the Standards for Privacy of Individually Identifiable Health Information (42 C.F.R., Part 160 and 164), the Standards for Electronic Transactions (45 C.F.R., Part 160 and 162), and the Security Standards (45 C.F.R., Parts 160, 162, and 164) (collectively, the “Standards”) promulgated or to be promulgated by the Secretary of Health and Human Services (the “Secretary”).
Now, therefore, in consideration of the mutual promises, requirements, undertakings, and considerations set forth in this Agreement, the Organization and B.A. agree as follows:
Article I. Definitions
The following terms, as used in this Agreement, shall have the meanings set forth below:
1.1 “Designated Record Set” means a group of records maintained by or for the Organization that is (i) the medical records and billing records about individuals maintained by or for the Organization, (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the Organization to make decisions about individuals. As used in this Agreement, the term “Record” means any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used, or disseminated by or for the Organization.
1.2 “Electronic Media” means (a) electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory media, such as magnetic tape or disk, optical disk, or digital memory card; or (b) transmission media used to exchange information already in electronic storage media. Transmission media include the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media.
Certain transmissions, including paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, as the information being exchanged did not exist in electronic form before the transmission.
1.3 “Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, and:
(a) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(b) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (i) identifies the individual, or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
1.4 “Protected Health Information” or “PHI” means Individually Identifiable Health Information that is (a) transmitted by electronic media, (b) maintained in any medium constituting Electronic Media; or (c) transmitted or maintained in any other form or medium. “Protected Health Information” excludes individually identifiable health information in (a) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. §1232g; (b) records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and (c) employment records held by a covered entity in its role as an employer.
1.5 “Electronic Protected Health Information” or “ePHI” means individually identifiable health information that is transmitted by or maintained in electronic media.
Article II. Integration of Business Agreement
The terms and provisions of this Business Agreement are hereby incorporated into any pre-existing Agreement, if any, between the Organization and B.A. and shall supersede any conflicting or inconsistent terms and provisions in any pre-existing Agreement, including any exhibits or other attachments to, and any documents incorporated by reference in, the Agreement.
Article III. Obligations of B.A. with Respect to PHI and ePHI
3.1 Use and Disclosure of PHI or ePHI. B.A. shall use and disclose PHI or ePHI only as required to satisfy its obligations under the Agreement or as required by law and shall not otherwise use or disclose any PHI or ePHI. The Organization shall not request B.A. to use or disclose PHI or ePHI in any manner that would not be permissible under the Standards for Privacy or Security if done by the Organization, except with respect to uses and disclosures of PHI or ePHI for management and administrative activities of B.A., as provided in Section 3.10 of this Agreement.
3.2 Purposes and Limitation on Use or Disclosure of PHI and ePHI
3.2.1 Purposes. Except as otherwise limited in this Agreement, B.A. may use or disclose PHI or ePHI on behalf of, or to provide services to, the Organization so long as such use or disclosure of PHI would not violate the Privacy or Security Standards if used or disclosed by the Organization. B.A. may also use PHI or ePHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
3.2.2 Property Rights in PHI and ePHI. B.A. hereby acknowledges that, as between B.A. and the Organization, all PHI and ePHI shall be and remain the sole property of the Organization.
3.2.3 Minimum Necessary. B.A. acknowledges and agrees that to the extent B.A. requests the Organization to disclose PHI or ePHI to B.A., such request will be only for the minimum necessary PHI or ePHI for the accomplishment of B.A.’s purposes.
3.3 Safeguards. B.A. agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement or as required by law. The B.A. agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that the B.A. creates, receives, maintains, or transmits on behalf of the Organization. Further, in order to comply with security safeguard requirements, the B.A. may need to encrypt ePHI that it stores and transmits; implement strong access controls, including physical locks, firewalls, and strong passwords; use and update antivirus software; adopt contingency planning procedures, including data backup and disaster recovery plans; and conduct periodic security training when applicable.
3.4 Reporting Disclosures of PHI; Mitigation. B.A. agrees to report to the Organization any use or disclosure of PHI not provided for by this Agreement of which B.A. becomes aware. B.A. agrees to mitigate, to the extent practicable, any harmful effect that is known to B.A. of a use or disclosure of PHI by B.A. in violation of the requirements of this Agreement.
3.5 Reporting Disclosures of ePHI; Security Incident. Pertaining to Security Standards and ePHI, the B.A. agrees to report to the Organization any security incident within five (5) business days of becoming aware of such incident. For purposes of this specific requirement, “security incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in an information system.
3.6 Agents. B.A. agrees to ensure that any agent, including a subcontractor to whom B.A. provides PHI or ePHI received from, or created or received by, B.A. on behalf of the Organization, agrees to the same restrictions and conditions that apply through this Agreement to B.A. with respect to such PHI and ePHI, including any applicable necessary safeguards.
3.7 Revocation or Modification of Consumer Permission. The Organization shall notify B.A. of any changes in, or revocation of, permission by an individual to use or disclose PHI or ePHI, to the extent that such changes may affect B.A.’s use or disclosure of PHI or ePHI.
3.8 Consumer Restrictions on Uses and Disclosures. The Organization shall notify B.A. of any restrictions on the use or disclosure of any PHI or ePHI that the Organization has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect B.A.’s use or disclosure of PHI or ePHI.
3.9 Availability of Books and Records. B.A. agrees to make internal practices, books, and records, including policies and procedures and PHI or ePHI, relating to the use and disclosure of PHI or ePHI received from, or created or received by B.A. on behalf of, the Organization available to the Organization or to the Secretary, in a time and manner reasonably designated by the Organization or designated by the Secretary, for purposes of the Secretary determining the Organization’s compliance with the Privacy and Security Standards. The provisions of this section of the Agreement shall survive the termination of this Agreement.
3.10 Proper Management and Administration of B.A.
3.10.1 Permissible Uses. Except as otherwise limited in this Agreement, B.A. may use PHI or ePHI for the proper management and administration of B.A. or carry out the legal responsibilities of B.A.
3.10.2 Permissible Disclosures. Except as otherwise limited in this Agreement, B.A. may disclose PHI or ePHI for the proper management and administration of B.A., provided that disclosures are required by law or that B.A. obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies B.A. of any instances of which it is aware in which the confidentiality of the information has been breached.
Article IV. Term and Termination
4.1 Term. The Term of this Agreement shall be effective as of the Effective Date and shall terminate upon the earlier of (a) the expiration of the pre-existing agreement between the Organization and B.A., or (b) 30 days’ notice by either party.
4.2 Termination for Cause. Notwithstanding any other provision of this Agreement, upon the violation of a material term of this Agreement by B.A., the Organization may elect to immediately terminate this Agreement without notice. Depending upon the extent and/or seriousness of the violation as determined by the Organization, the Organization may elect to provide B.A. with written notice of the violation and an opportunity to cure the violation within the 30-day period following the provision of notice. If B.A. does not cure the violation to the reasonable satisfaction of the Organization during the 30-day cure period, the Organization may terminate this Agreement immediately upon written notice to B.A. The Organization reserves the right to report the violation to the Secretary.
4.3 Return or Destruction of PHI or ePHI upon Termination
4.3.1 General Provisions. In the event that B.A. possesses any PHI or ePHI upon the termination of this Agreement, B.A. shall return or destroy, at the option of the Organization, all PHI or ePHI received from the Organization, or created or received by B.A. on behalf of the Organization and which B.A. still maintains in any form. B.A. shall not retain any copies of such PHI or versions of ePHI. This provision shall apply to PHI or ePHI that is in possession of subcontractors or agents of B.A. B.A. shall retain no copies of PHI or ePHI.
4.3.2 Alternative Arrangements. Notwithstanding the foregoing, to the extent that the Organization agrees that it is not feasible to return or destroy such PHI or ePHI, B.A. shall provide to the Organization notification of the conditions that make the return or destruction infeasible. Thereupon, B.A. agrees to (a) extend the protections of this Agreement to such PHI or ePHI only for those purposes that make the return or destruction infeasible, (b) limit further uses and disclosures of such PHI or ePHI to such purposes, and (c) extend any term or provisions of this Agreement relating to PHI or ePHI so that such term or condition shall survive termination of this Agreement. Thereafter, such PHI or ePHI shall be used or disclosed solely for the purpose or purposes that prevented the return or destruction of such PHI or ePHI.
4.4 Applicability of Provisions. The provisions of this section of the Agreement shall apply, to the same extent that they apply to B.A., to PHI and ePHI that is in the possession of agents (including subcontractors) of B.A.
4.5 Survival. The provisions of this Article IV of the Agreement shall survive the termination of this Agreement.
Article V. Miscellaneous
5.1 Legislative or Regulatory Changes. The Organization and B.A. agree to amend this Agreement from time to time as is necessary for the Organization to comply with the requirements of HIPAA, including the Privacy and Security Standards. Notwithstanding any other provisions of this Agreement, any ambiguity in a provision of the Standards shall be resolved to permit an interpretation of the Standards that allows the Organization to comply with the Standards, including without limitation those standards relating to preemption of State laws.
5.2 Governing Law and Choice of Forum. The parties agree that this Agreement shall be construed in accordance with the laws of the State of Michigan, without regard to conflict of laws principles. The parties further agree that any action arising out of, or relating to, this Agreement shall only be brought or filed in a court of competent jurisdiction within the State of Michigan.
5.3 Binding Agreement; Assignment. This Agreement shall inure to the benefit of and be binding upon the parties hereto and their respective successors and assigns, provided, however, that B.A. may not assign any rights or obligations nor delegate any duties under this Agreement without the prior written consent of the Organization.
5.4 Notices. Any notice, request, demand, report, approval, election, consent, or other communication required or permitted under the terms of this Agreement (collectively, “Notice”) shall be in writing and either delivered personally, by registered or certified mail, return receipt requested, postage prepaid, or by a reputable overnight courier, addressed as follows:
To: [Insert Name of Organization]:
[Insert Address of Organization]
To Business Associate: [Insert Name of Business Associate]
[Insert Address of Business Associate]
5.5 Amendment. This Agreement may not be amended, modified, or terminated orally, and no amendment, modification, termination or attempted waiver shall be valid unless in writing signed by the party against whom the same is sought to be enforced.
5.6 Severability. Should any provision of this Agreement or application thereof be held invalid, illegal, or unenforceable for any reason whatsoever, then notwithstanding such invalidity, illegality, or unenforceability, the remaining terms and provisions of this Agreement shall not be affected and shall continue to be valid and enforceable to the fullest extent permitted by law unless to do so would defeat the purpose of this Agreement.
5.7 Survival. All matters that (a) expressly survive the termination of this Agreement including without limitation the provisions of Sections 3.9, 3.10, 4.3, and 4.4, (b) relate to the termination of this Agreement, or (c) in the normal course would not occur or be effectuated until after any such termination, as well as all rights and obligations of the parties pertaining thereto, shall survive any termination and be given full force and effect notwithstanding any termination of this Agreement.
5.8 Waiver. The failure at any time by either party to require or demand strict performance of any provision of this Agreement shall not constitute a waiver by such party of such provision and shall not affect such party’s full right to require performance at any later time, even if the party accepting or acquiescing in the nonconforming performance knows of the nature of the performance and fails to object to it.
5.9 No Third-Party Beneficiary. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties to this Agreement, and their respective successors or assignees, any right, remedies, obligations, or liabilities whatsoever.
5.10 Headings. The headings to the various paragraphs of this Agreement have been inserted for convenient reference only and shall not modify, define, limit, or expand the provisions of this Agreement.
In Witness Whereof, the Organization and B.A. have caused this instrument to be duly executed by their authorized representatives as of the Effective Date.
[Insert Name of Organization]:
[Insert Address of Organization]
Business Associate: [Insert Name of Business Associate]
[Insert Address of Business Associate]
[Insert Name and Title Here]
[Insert Name and Title Here]