This business associate agreement template has 3 pages and is a MS Word file type listed under our legal agreements documents.
Sample of our business associate agreement template:
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ("Agreement") is made and effective the [DATE], BETWEEN: [COMPANY NAME] (the "Covered Entity"), a corporation organized and existing under the laws of [STATE], with its head office located at: [YOUR COMPLETE ADDRESS] AND: [RECIPIENT NAME] (the "Business Associate"), a corporation organized and existing under the laws of [STATE], with its head office located at: [COMPLETE ADDRESS] The Covered Entity and Business Associate, collectively, the "Parties"), wish to enter into this agreement ("Agreement"). The Parties may contemplate entering into one or more agreements (the "Services Agreement") pursuant to which Business Associate is providing certain [insert the kind(s) of services provided by the Business Associate] ("Services") to the Covered Entity that require the disclosure and use of Protected Health Information ("PHI"). Unless the Services Agreement specifies otherwise, Business Associate is an independent contractor with respect to the performance of all Services, and neither Business Associate nor anyone employed by Business Associate will be deemed for any purpose to be the employee, agent, servant, or representative of the Covered Entity. Both Parties are committed to complying with the Privacy Rule and the Security Rule promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as well as the Health Information Technology for Economic and Clinical Health ("HITECH") Act and associated regulations. This Agreement sets forth the terms and conditions pursuant to which Protected Health Information that is provided by, or created or received by, the Business Associate from or on behalf of the Covered Entity, will be handled between the Business Associate and the Covered Entity and with third parties during the term of each Services Agreement and after its termination. All capitalized terms in this Agreement have the meanings ascribed to them in Section 1 below, unless otherwise noted or the context clearly requires otherwise. In consideration of the terms of this agreement, and other valuable consideration, the parties agree as follows: GENERAL TERMS AND CONDITIONS Definitions: All terms used in this Agreement shall have the meanings set forth in the HIPAA Security and Privacy Rule, unless otherwise defined herein. Existing Service Agreements: All existing Service Agreements and amendments thereto, between the Employer or Plan Sponsor and Business Associate are subject to this Agreement and are hereby amended by this Agreement. In the event of conflict between the terms of any Service Agreement and this Agreement, the terms and conditions of this Agreement shall govern. Where provisions of this Agreement are different from those mandated by the HIPAA Security and Privacy Rule, but are nonetheless permitted by the Rule, the provisions of this Agreement shall control. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Business Associate and the respective successors or assigns of the Business Associate, any rights, remedies, obligations, or liabilities whatsoever. PERMITTED USE AND DISCLOSURE Treatment, Payment and Operations ("TPO"): Business Associate agrees to create, receive, maintain, transmit, use, or disclose Protected Health Information only in a manner that is consistent with this Agreement and the HIPAA Security and Privacy Rule and only in connection with providing the services to or on behalf of Covered Entity identified in any existing Service Agreement and amendments thereto. Accordingly, in providing services to or on behalf of the Covered Entity, the Business Associate, for example, will be permitted to use and disclose Protected Health Information for Treatment, Payment and Healthcare Operations consistent with the HIPAA Security and Privacy Rule, without obtaining authorization. Protected Health Information does not include summary health information or information that has been de-identified in accordance with the standards for de-identification provided for in the HIPAA Security and Privacy Rule. Business Associate may only use or disclose Protected Health Information to the extent permitted or required by this Agreement or by law. Except as otherwise provided herein, the Business Associate may not use or disclose Protected Health Information in a manner that would violate HIPAA's Security and Privacy Rules if such use or disclosure were made by a Covered Entity. In particular, a Business Associate may use or disclose Protected Health Information (1) to fulfill its obligations as set out in any agreement between the Parties evidencing their business relationship, including the Arrangement Agreement, or (2) as required by applicable laws, rules or regulations, or by an accrediting or credentialing body to which a Covered entity must disclose such information, or (3) as permitted by this Agreement, the Arrangement Agreement (if consistent with this Agreement and the HIPAA Security and Privacy Rule) or the HIPAA Security and Privacy Rule, or (4) as permitted by the HIPAA Security and Privacy Rule as if such use or disclosure were made by a Covered entity. Business Associate may de-identify Protected Health Information only at the express request of the Covered Entity and only for its use. The Business Associate may not sell Protected Health Information except on the instructions of the Covered Entity and in accordance with the requirements of the HIPAA Security and Privacy Rule. Notwithstanding the prohibitions set forth in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate; Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met: (A) The disclosure is required by law; or (B) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; Business Associate may provide data aggregation services relating to the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship. For purposes of this Agreement, data aggregation means the combining of Protected Health Information by Business Associate with the Protected Health Information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE Business Associate agrees as follows: Business Associate undertakes not to use or disclose protected health information other than as permitted or required by the Master agreement or as required by law. Business Associate undertakes to use appropriate safeguards and comply with the HIPAA Security Rule with respect to Electronically Protected Health Information to prevent the use or disclosure of Protected Health Information other than as provided in this Agreement and the Master Agreement. Business Associate undertakes to report to the Covered Entity any use or disclosure of the Protected Health Information not provided for in this Agreement of which it becomes aware.
