Company Letterhead
{{company_name}}
{{company_address}}
Phone: {{phone}}
Email: {{email}}
Website: {{website}}
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into effective as of {{effective_date}} (the "Effective Date"), by and between:
{{covered_entity_name}}, located at {{covered_entity_address}} ("Covered Entity"), and
{{business_associate_name}}, located at {{business_associate_address}} ("Business Associate").
WHEREAS, Covered Entity and Business Associate are parties to a certain service agreement (the "Service Agreement") pursuant to which Business Associate provides services to Covered Entity that involve the use or disclosure of Protected Health Information (as defined below); and
WHEREAS, in connection with the Service Agreement, Business Associate may receive, create, maintain, use, or transmit Protected Health Information on behalf of Covered Entity; and
WHEREAS, the parties desire to comply with the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations, including the Privacy, Security, and Breach Notification Rules (collectively, "HIPAA"), and other applicable data protection laws in Southern Africa.
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the parties agree as follows:
1. Definitions
"Breach" shall have the meaning given to that term in HIPAA.
"Protected Health Information" or "PHI" shall have the meaning given to that term in HIPAA, including electronic PHI (ePHI).
"Service Agreement" means the underlying agreement between Covered Entity and Business Associate for services, which this Agreement supplements.
Any other capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in HIPAA.
2. Obligations of Business Associate
2.1. Use and Disclosure of PHI. Business Associate agrees not to use or disclose PHI other than as permitted or required by the Service Agreement or as required by law.
2.2. Safeguards. Business Associate shall implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, in accordance with HIPAA’s Security Rule and other applicable data protection laws.
2.3. Reporting of Breaches and Security Incidents. Business Associate shall report to Covered Entity any Breach of unsecured PHI or any Security Incident of which it becomes aware without unreasonable delay and in no event later than {{breach_reporting_days}} calendar days after discovery. The report shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed.
2.4. Subcontractors. Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate.
2.5. Access to PHI. Business Associate shall provide access to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, to enable Covered Entity to meet its obligations under HIPAA’s Privacy Rule.
2.6. Amendments to PHI. Business Associate shall make any amendment(s) to PHI in a Designated Record Set as directed by Covered Entity.
2.7. Accounting of Disclosures. Business Associate shall make available to Covered Entity information required for Covered Entity to provide an accounting of disclosures of PHI.
2.8. Books and Records. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services or other relevant regulatory body for purposes of determining compliance with HIPAA.
2.9. Data Minimization. Business Associate shall, to the extent practicable, limit the PHI it uses, discloses, requests, or receives to the minimum necessary to accomplish the intended purpose.
3. Permitted Uses and Disclosures by Business Associate
3.1. General. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Service Agreement, provided that such use or disclosure would not violate HIPAA if done by Covered Entity.
3.2. Management and Administration. Business Associate may use PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities.
3.3. Data Aggregation. Business Associate may use PHI to provide data aggregation services relating to the health care operations of Covered Entity.
4. Obligations of Covered Entity
4.1. Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation in its Notice of Privacy Practices that may affect Business Associate’s use or disclosure of PHI.
4.2. Changes in Permissions. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent such changes may affect Business Associate’s use or disclosure of PHI.
4.3. Restrictions. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with HIPAA.
5. Term and Termination
5.1. Term. This Agreement shall be effective as of the Effective Date and shall terminate when all PHI created or received by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity.
5.2. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall provide Business Associate with an opportunity to cure the breach. If Business Associate does not cure the breach within {{cure_period_days}} days, Covered Entity may immediately terminate this Agreement and the Service Agreement.
5.3. Effect of Termination. Upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI.
6. Miscellaneous
6.1. Governing Law. This Agreement shall be governed by and construed in accordance with the laws of {{governing_law_jurisdiction}}.
6.2. Entire Agreement. This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, representations, and understandings, whether written or oral.
6.3. Amendments. Any amendment to this Agreement must be in writing and signed by authorized representatives of both parties.
6.4. Assignment. Neither party may assign its rights or obligations under this Agreement without the prior written consent of the other party.
Signature Block
IN WITNESS WHEREOF, the parties have executed this Business Associate Agreement as of the Effective Date.
COVERED ENTITY:
_________________________________________
By: {{covered_entity_signer_name}}
Title: {{covered_entity_signer_title}}
Date: {{covered_entity_signature_date}}
BUSINESS ASSOCIATE:
_________________________________________
By: {{business_associate_signer_name}}
Title: {{business_associate_signer_title}}
Date: {{business_associate_signature_date}}