Business Associate Agreement

{{company_name}}

{{company_address}}

Phone: {{phone}} | Email: {{email}} | Web: {{website}}

Business Associate Agreement

Business Associate Agreement

RECITALS

This Business Associate Agreement (“Agreement”) is entered into as of {{effective_date}} (the “Effective Date”), by and between {{covered_entity_name}}, a company duly organized and existing under the laws of {{jurisdiction}}, with its principal place of business located at {{covered_entity_address}} (“Covered Entity”), and {{business_associate_name}}, a company duly organized and existing under the laws of {{jurisdiction}}, with its principal place of business located at {{business_associate_address}} (“Business Associate”).

WHEREAS, Covered Entity is a covered entity as defined by applicable privacy regulations and is required to protect the privacy and security of Protected Health Information (as defined below);

WHEREAS, Business Associate provides certain services to Covered Entity that involve the creation, receipt, maintenance, or transmission of Protected Health Information on behalf of Covered Entity;

WHEREAS, the parties desire to enter into this Agreement to delineate their respective responsibilities regarding the privacy and security of Protected Health Information in accordance with applicable privacy regulations.

DEFINITIONS

“Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 CFR § 160.103 and 45 CFR § 164.501, as amended.

“Privacy Regulations” refers to all applicable laws and regulations relating to the privacy and security of Protected Health Information, including without limitation the Protection of Personal Information Act of South Africa (POPIA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and their implementing regulations, as amended.

“Breach” shall have the same meaning as the term “breach” in 45 CFR § 164.402, as amended.

“Security Incident” shall have the same meaning as the term “Security Incident” in 45 CFR § 164.304, as amended.

OBLIGATIONS OF BUSINESS ASSOCIATE

Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement or as required by law.

Business Associate shall implement appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.

Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of unsecured PHI, and any Security Incidents, within {{number_of_days}} days of discovery.

Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate with respect to such PHI.

OBLIGATIONS OF COVERED ENTITY

Covered Entity shall notify Business Associate of any limitation in its notice of privacy practices under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

TERM AND TERMINATION

This Agreement shall be effective as of the Effective Date and shall terminate automatically upon the termination of the underlying service agreement between Covered Entity and Business Associate.

Either party may terminate this Agreement if the other party is in material breach of its obligations under this Agreement and fails to cure the breach within {{number_of_days}} days after written notice from the non-breaching party.

Upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form. Business Associate shall not retain any copies of the PHI.

MISCELLANEOUS

This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements and understandings, whether written or oral, relating to such subject matter.

This Agreement may not be amended or modified except in a writing signed by authorized representatives of both parties.

This Agreement shall be governed by and construed in accordance with the laws of {{jurisdiction}}.

Any notice required or permitted to be given under this Agreement shall be in writing and shall be deemed to have been duly given when delivered personally, sent by certified mail, return receipt requested, or sent by reputable overnight courier service, to the addresses set forth in the Recitals.