
Business Associate Agreement

This Business Associate Agreement (BAA) template is for use by Covered Entities to ensure that their Business Associates comply with the provisions of the Health Insurance Portability and Accountability Act (HIPAA) and other applicable privacy and security regulations when handling protected health information (PHI). It outlines the responsibilities of the Business Associate in safeguarding PHI.

Tags: HIPAA, Business Associate, PHI, Data Privacy, Security Agreement, Compliance

Company Letterhead

{{company_name}}

{{company_address}}

{{phone}}

{{email}}

{{website}}

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("Agreement") is entered into effective as of {{effective_date}} ("Effective Date"), by and between:

Covered Entity:

{{covered_entity_name}}

{{covered_entity_address}}

and

Business Associate:

{{business_associate_name}}

{{business_associate_address}}

(hereinafter collectively referred to as "Parties" and individually as "Party").

RECITALS

WHEREAS, Covered Entity is a "Covered Entity" as defined by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended ("HIPAA"); and

WHEREAS, Business Associate provides certain services to Covered Entity that involve the creation, receipt, maintenance, or transmission of Protected Health Information ("PHI") on behalf of Covered Entity; and

WHEREAS, the Parties desire to enter into this Agreement to comply with the requirements of HIPAA, including the HITECH Act and other applicable federal and state laws, governing the privacy and security of PHI.

DEFINITIONS

For purposes of this Agreement, terms not otherwise defined shall have the meaning given to them in HIPAA, including without limitation the following:

1. "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

2. "Electronic Protected Health Information" or "ePHI" shall have the same meaning as the term "electronic protected health information" in 45 CFR § 160.103.

3. "Breach" shall have the same meaning as the term "breach" in 45 CFR § 164.402.

4. "Security Incident" shall have the same meaning as the term "security incident" in 45 CFR § 164.304.

OBLIGATIONS OF BUSINESS ASSOCIATE

Business Associate agrees to:

1. Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.

2. Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.

3. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI.

4. Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR § 164.410, and any Security Incident of which it becomes aware.

5. In accordance with 45 CFR § 164.502(e)(1)(ii) and 45 CFR § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions that apply to Business Associate.

6. Make available PHI in a designated record set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.524.

7. Make available PHI for amendment and incorporate any amendments to PHI in a designated record set as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526.

8. Make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528.

9. To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation.

10. Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.

11. Not engage in any acts or omissions that would constitute a violation of the HIPAA Rules if done by Covered Entity.

OBLIGATIONS OF COVERED ENTITY

1. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

2. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.

3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

1. Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in this Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.

2. Business Associate may use PHI for its internal management, administration, data aggregation, and legal responsibilities, or to carry out its responsibilities under this Agreement.

3. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).

4. Business Associate may disclose PHI to third parties for the purpose of its proper management and administration or to carry out its legal responsibilities, provided that (i) the disclosures are required by law or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

TERM AND TERMINATION

1. Term. The Term of this Agreement shall commence on the Effective Date and shall terminate when all PHI created or received by Business Associate from or on behalf of Covered Entity is destroyed or returned to Covered Entity, or, if such destruction or return is not feasible, shall be extended so that Business Associate continues to have obligations hereunder with respect to such PHI.

2. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall have the right to:

(a) Provide a reasonable opportunity for Business Associate to cure the breach or end the violation.

(b) Terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity.

(c) If neither of the above options is feasible, Covered Entity shall report the violation to the Secretary of Health and Human Services.

3. Effect of Termination. Upon termination of this Agreement for any reason, Business Associate shall, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI.

If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

MISCELLANEOUS

1. Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

2. No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.

3. Entire Agreement. This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, negotiations, and discussions of the Parties, whether written or oral.

4. Amendment. The Parties agree to take any action necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the HIPAA Rules and other applicable law.

5. Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the jurisdiction of {{governing_law_jurisdiction}}.

SIGNATURES

IN WITNESS WHEREOF, the Parties have executed this Business Associate Agreement as of the Effective Date.

COVERED ENTITY:

By: _________________________

Name: {{ce_signatory_name}}

Title: {{ce_signatory_title}}

Date: {{ce_signature_date}}

BUSINESS ASSOCIATE:

By: _________________________

Name: {{ba_signatory_name}}

Title: {{ba_signatory_title}}

Date: {{ba_signature_date}}
