THIS IS A SAMPLE HIPAA BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement, effective xxxxxxxxxxxx (“Effective Date”), is entered into by and between Excellence in Practice Management, Inc., a company with office at 54 Mattawang Drive, Somerset, NJ 08873 (the “Business Associate”) and xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (the “Covered Entity”) with office / practice located at xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (each a “Party” and collectively the “Parties”).

This Business Associate Agreement shall serve as an agreement between the Parties (the “Agreement”) under which the Business Associate uses and/or discloses Protected Health Information (as that term is defined in the Health Insurance Portability and Accountability Act of 1996 and its related regulations, 45 CFR Part 164 (“HIPAA”)), in its performance of the services described below and/or in the Agreement.

Business Associate hereby acknowledges that Covered Entity is a “covered entity” and that Business Associate is a “business associate” as those terms are defined in HIPAA.

The Parties agree that each of them and all of their employees, agents and contractors shall comply with all provisions of the Standards for Security and Privacy of Identifiable Health Information (“Security and Privacy Regulations”) under HIPAA as currently written and as amended from time to time. Business Associate will instruct its employees, agents and subcontractors in the requirements of this Agreement, and will ensure their compliance with this agreement.

1. Permitted Uses And Disclosures By Business Associate Of Protected Health Information

1.1 Services. Pursuant to the Agreement, Business Associate provides services for the Covered Entity that involve the use and/or disclosure of Protected Health Information. Except as otherwise specified herein, the Business Associate may use Protected Health Information to the extent necessary to perform its obligations under the Agreement. Business Associate may disclose Protected Health Information, for the purposes authorized by this Agreement only, (i) to its employees, subcontractors and agents, in accordance with Section 2.1(e) below; (ii) as directed by the Covered Entity, or (iii) as otherwise permitted by the terms of this Agreement or as required by law. All other uses and disclosures not authorized by this Agreement are prohibited.

1.2 Business Activities of Business Associate. [The Business Associate Agreement may, but is not required to, permit these activities]. Unless otherwise limited herein, the Business Associate may also:

a. use the Protected Health Information in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of the Business Associate provided that such uses are permitted under state and federal confidentiality laws; or

b. disclose the Protected Health Information in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of the Business Associate, provided that (i) the disclosures are required by law or (ii) the Business Associate has received from the third party written assurances that such Protected Health Information will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the third party, and that the third party will notify the Business Associate of any instance of which it is aware in which the confidentiality or security of the Protected Health Information has been breached.

1.3 Additional Activities of Business Associate. [only if applicable, at the discretion of Covered Entity]

a. In connection with the permitted uses and disclosures set forth in Sections 1.1 and 1.2 above, Business Associate may aggregate the Protected Health Information in its possession with the Protected Health Information of other covered entities that the Business Associate has in its possession through its capacity as a business associate to said other covered entities provided that the purpose of such aggregation is to provide the Covered Entity with data analyses relating to the Health Care Operations of the Covered Entity. Under no circumstances may the Business Associate disclose Protected Health Information of one covered entity to another covered entity absent the explicit authorization of the Covered Entity.

2. Responsibilities Of The Business Associate With Respect To Protected Health Information

2.1 With regard to its use and/or disclosure of Protected Health Information, the Business Associate hereby agrees to do the following:

a. Use and Disclosure. Use and/or disclose the Protected Health Information only as permitted or required by this Agreement or as otherwise required by law.

b. Reporting. Report to the Covered Entity [specify the title of the person to whom the report will be made, or refer to the notice provisions in the Agreement] in writing any use and/or disclosure of the Protected Health Information that is not permitted or required by this Agreement or any breach of security of electronic Protected Health Information of which Business Associate becomes aware within three (3) business days.

c. Safeguards. Use commercially reasonable efforts to maintain the security of the Protected Health Information and to prevent unauthorized use and/or disclosure of such Protected Health Information; and implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of the Covered Entity.

d. Subcontractors and Agents. Require all of its subcontractors and agents that receive or use, or have access to, Protected Health Information under this Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of Protected Health Information that apply to the Business Associate pursuant to this Agreement.

e. Audit and Inspection. Make available all records, books, agreements, policies and procedures relating to the use, disclosure, and safeguarding of Protected Health Information to the Secretary of Health and Human Services for purposes of determining the Covered Entity’s compliance with the Privacy and Security Regulations, [when applicable to the services provided, “subject to attorney-client and any other applicable privileges”] provided that Business Associate will notify Covered Entity in writing promptly upon receiving any requests for such documents and information from the Secretary of Health and Human Services or his/her representative.

f. Covered Entity Access and Inspection. Upon prior written request, make available to the Covered Entity during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information within three (3) business days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Agreement.

g. Maintenance of Disclosure Records. Maintain sufficient information (including date of disclosure, name of receiver and address (if known), description of Protected Health Information disclosed and the purpose of disclosure) to permit a complete accounting of all disclosure of Protected Health Information within the previous six (6) years (and subsequent to April 14, 2003), excluding disclosures made for treatment, payment and health care operations, as part of a limited data set, pursuant to the patient’s authorization, for national security or intelligence purposes or other purposes excepted under 45 C.F.R. Section 164.528; and provide to the Covered Entity notice of each such disclosure promptly, in order to permit the Covered Entity to respond to requests by individuals for an accounting of the disclosures of the individuals’ Protected Health Information in accordance with 45 C.F.R. Sections 164.528 and 164.314.

h. Access for Patient Inspection and Amendment. To the extent that Business Associate is maintaining a “designated record set” for Covered Entity, within 15 days of receiving a written request from Covered Entity or directly from a patient or authorized patient representative, provide to Covered Entity such records and information as is requested to permit Covered Entity to timely respond to an individual’s request to (i) inspect and/or copy Protected Health Information within the designated record set in accordance with 45 C.F.R. Section 164.124; and/or (ii) amend Protected Health Information in accordance with 45 C.F.R. Section 164.526.

i. Return or Destruction. To the extent feasible, return or destroy the Protected Health Information within its possession upon termination of the Agreement. If it is not feasible to immediately return or destroy the Protected Health Information because of other obligations or legal requirements, the protections of this Agreement shall apply until the Protected Health Information is returned or destroyed, and no other uses or disclosures may be made except for the purposes which prevented the return or destruction of the Protected Health Information.

j. Mitigation and Injunction. Establish procedures for mitigating, and cooperate with Covered Entity to mitigate, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Protected Health Information, regardless of its cause. To the extent that Business Associate breaches its obligations under this Agreement, Business Associate shall promptly cure such breach and take any necessary steps, at its own expense, to mitigate any harm caused. Notwithstanding the foregoing, Covered Entity maintains the right to intervene and, in addition to any other remedies available to Covered Entity at law or in equity, to an injunction or other decree of specific performance to effectuate a cure of any breach of Business Associate’s duties under this Agreement. Business Associate agrees that any breach of this Agreement will result in irreparable harm to Covered Entity.

k. Indemnification. Business Associate shall indemnify, hold harmless and defend Covered Entity from and against any and all claims, losses, liabilities, costs and other expenses resulting from or relating to the acts or omissions of Business Associate in connection with a breach of the representations, duties and obligations of Business Associate under this Agreement.

3. Term And Termination

3.1 Term. This Agreement shall become effective as of the Effective Date and shall continue in effect until all obligations of the Parties have been met. The terms and conditions of this Agreement shall survive the expiration or termination of the Agreement.

3.2 Termination by the Covered Entity. The Covered Entity may immediately terminate the Agreement and any related agreements if the Covered Entity makes the determination that the Business Associate has breached a material term of this Agreement, or if a finding or stipulation that Business Associate has violated any standard or requirement of the Privacy and Security Regulations or other security or privacy laws is made in any administrative or civil proceeding in which Business Associate has been joined.

4. Miscellaneous

4.1 Amendment. The Parties agree to enter into a mutually acceptable amendment to this Agreement as necessary to comply with applicable federal laws and regulations governing the use and/or disclosure of individually identifiable health information. Such amendment shall be entered into on or before the date on which compliance is required. Covered Entity may terminate the Agreement upon thirty (30) days’ written notice in the event that Business Associate does not promptly enter into an amendment that Covered Entity, in its sole discretion, deems sufficient to ensure Covered Entity’s compliance with such laws and regulations.

4.2 State Law. Nothing in this Agreement shall be construed to require Business Associate to use or disclose Protected Health Information without a written authorization from an individual who is a subject of the Protected Health Information, or written authorization from any other person, where such authorization would be required under state law for such use or disclosure.

4.3 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended or shall be deemed to confer upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, obligations, remedies or liabilities.

4.4 Conflicting Terms. To the extent that there is any conflict between the terms of the Agreement and the terms of this Agreement, the terms of this Agreement shall prevail.

4.5 Defined Terms. Terms used in this Agreement that are not defined in this Agreement shall have the meanings ascribed to them under HIPAA.

IN WITNESS WHEREOF, each of the Parties has caused this Business Associate Agreement to be duly executed in its name and on its behalf effective as of the date first written above.

COVERED ENTITY
By: ___________________________
Print Name: ____________________
Print Title: _____________________
Date: __________________________

BUSINESS ASSOCIATE
By: ___________________________
Print Name: ____________________
Print Title: _____________________
Date: _________________________

Copyright ® All Rights Reserved Excellence in Practice Management, Inc. 2000-2010