What is a HIPAA Business Associate Agreement?
A HIPAA business associate agreement (BAA) is a legal contract between a covered entity and its business associate. A business associate is any person or entity that performs functions or activities on behalf of a covered entity that involves the use or disclosure of PHI.
A BAA is required under HIPAA to ensure that PHI is protected by the business associate and used only for authorized purposes. The BAA outlines the specific responsibilities of the business associate in protecting PHI and complying with HIPAA regulations.
The BAA also establishes the terms and conditions of the relationship between the covered entity and the business associate. This includes provisions related to termination of the agreement, indemnification, and liability for breaches of PHI.
HIPAA Business Associate Agreement Template:
This Business Associate Agreement (the "Agreement") is entered into by and between [Covered Entity Name], a [Type of Entity] with a principal place of business at [Address], ("Covered Entity") and [Business Associate Name], a [Type of Entity] with a principal place of business at [Address], ("Business Associate"). Covered Entity and Business Associate may each be referred to as a "Party" or collectively as the "Parties".
Background
A. Covered Entity and Business Associate are parties to certain agreements or arrangements (the "Agreements") under which Business Associate may receive, create, maintain or transmit protected health information ("PHI") of individuals who are patients or clients of Covered Entity.
B. The Parties acknowledge that this Agreement is necessary to comply with the Health Insurance Portability and Accountability Act of 1996, as amended, and the regulations promulgated thereunder ("HIPAA").
Agreement
1. Definitions
Capitalized terms not defined in this Agreement shall have the same meaning as in HIPAA.
2. Permitted Uses and Disclosures of PHI
Business Associate may use or disclose PHI only as necessary to perform the services set forth in the Agreements, or as required by law. Business Associate shall not use or disclose PHI for any other purpose without the prior written consent of Covered Entity.
3. Safeguards
Business Associate agrees to implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI in accordance with HIPAA.
4. Reporting of Breaches
Business Associate shall promptly report to Covered Entity any breach of unsecured PHI as required by HIPAA. Business Associate shall also cooperate with Covered Entity in investigating and mitigating the breach, as necessary.
5. Access and Amendment
Business Associate shall provide access to PHI to Covered Entity in accordance with HIPAA. Business Associate shall also cooperate with Covered Entity in responding to requests for amendment of PHI.
6. Termination
In the event of termination of the Agreements, Business Associate shall return or destroy all PHI in its possession, in accordance with HIPAA.
7. Indemnification and Liability
Business Associate shall indemnify and hold harmless Covered Entity from and against any and all claims, damages, losses, liabilities, and expenses arising out of Business Associate's use or disclosure of PHI in violation of HIPAA or this Agreement.
8. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the state where the Covered Entity is located.
9. Entire Agreement
This Agreement, together with the Agreements, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous oral or written agreements or understandings with respect to the subject matter hereof.
10. Amendments
This Agreement may not be amended except in writing signed by both Parties.
11. Counterparts
This Agreement may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
IN WITNESS WHEREOF, the Parties have executed this Agreement as of the date first above written.
[Covered Entity Name]
By: ________________________________ Print Name: ___________________________ Title: ________________________________
[Business Associate Name]
By: ________________________________ Print Name: ___________________________ Title: ________________________________