
HIPAA Business Associate Agreement

A HIPAA-compliant Business Associate Agreement governing the use and disclosure of protected health information.


This Business Associate Agreement (the "Agreement" or "BAA") is entered into as of effective_date (the "Effective Date") by and between covered_entity (the "Covered Entity") and business_associate (the "Business Associate"), collectively referred to as the "Parties."

WHEREAS, Covered Entity is a covered entity as defined under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, "HIPAA"); and

WHEREAS, Business Associate performs certain functions, activities, or services on behalf of or for Covered Entity that involve the use and/or disclosure of Protected Health Information ("PHI"); and

WHEREAS, HIPAA requires that Covered Entity obtain satisfactory assurances from Business Associate that Business Associate will appropriately safeguard PHI;

NOW, THEREFORE, in consideration of the mutual covenants herein, the Parties agree as follows:


1. Definitions

1.1 HIPAA Definitions

All capitalized terms used in this Agreement that are not otherwise defined herein shall have the meanings ascribed to them under HIPAA, including the Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164), the Security Rule (45 CFR Part 160 and Subparts A and C of Part 164), the Breach Notification Rule (45 CFR Part 160 and Subpart D of Part 164), and the HITECH Act (Title XIII of the American Recovery and Reinvestment Act of 2009).

1.2 Protected Health Information (PHI)

"Protected Health Information" or "PHI" means individually identifiable health information, as defined in 45 CFR Section 160.103, that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, including Electronic Protected Health Information ("ePHI").

1.3 Electronic Protected Health Information (ePHI)

"Electronic Protected Health Information" or "ePHI" means PHI that is created, received, maintained, or transmitted in electronic form, as defined in 45 CFR Section 160.103.

1.4 Business Associate

"Business Associate" shall have the meaning given to such term under HIPAA, including 45 CFR Section 160.103, and in reference to this Agreement, shall mean business_associate.

1.5 Covered Entity

"Covered Entity" shall have the meaning given to such term under HIPAA, including 45 CFR Section 160.103, and in reference to this Agreement, shall mean covered_entity.

1.6 Breach

"Breach" shall have the meaning given to such term in 45 CFR Section 164.402, and shall mean the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, except as excluded under the definition in the regulations.

1.7 Security Incident

"Security Incident" shall have the meaning given to such term in 45 CFR Section 164.304, and shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

2. Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law. Business Associate shall use and disclose PHI only for the purposes of performing the services specified in the underlying service agreement between the Parties (the "Underlying Agreement") and as permitted by this Agreement.

2.2 Appropriate Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to prevent the unauthorized use or disclosure of PHI. Business Associate shall comply with the requirements of the Security Rule, including 45 CFR Sections 164.308, 164.310, 164.312, and 164.316, with respect to ePHI, to prevent the unauthorized use, disclosure, acquisition, access, modification, or destruction of ePHI.

2.3 Minimum Necessary

Business Associate shall limit its use, disclosure, and request for PHI to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, in accordance with the minimum necessary standard set forth in 45 CFR Section 164.502(b) and the HITECH Act. Business Associate shall develop and implement policies and procedures to comply with the minimum necessary requirement.

2.4 Reporting

Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware, including any Breach of Unsecured PHI as required by 45 CFR Section 164.410. Business Associate shall report any Security Incident of which it becomes aware to Covered Entity. Such reports shall be made without unreasonable delay and in no event later than specified in Section 5 of this Agreement.

2.5 Subcontractors

Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement with respect to such PHI. Business Associate shall enter into a written agreement with each subcontractor that contains provisions substantially similar to those in this Agreement. Business Associate shall be responsible for the acts or omissions of its subcontractors.

2.6 Access to PHI

Business Associate shall make available to Covered Entity, or to an individual as directed by Covered Entity, PHI in the possession of Business Associate as necessary for Covered Entity to fulfill its obligations under the Privacy Rule, including the individual's right of access under 45 CFR Section 164.524. Business Associate shall respond to such requests within fifteen (15) business days.

2.7 Amendment of PHI

Business Associate shall make any amendments to PHI in a Designated Record Set as directed by Covered Entity pursuant to 45 CFR Section 164.526, or as requested by an individual through Covered Entity. Business Associate shall make such amendments within thirty (30) days of receiving Covered Entity's direction.

2.8 Accounting of Disclosures

Business Associate shall document and make available to Covered Entity the information required for Covered Entity to provide an accounting of disclosures in accordance with 45 CFR Section 164.528. Business Associate shall maintain a record of all disclosures of PHI made by Business Associate, including the date, name of the recipient, a description of the PHI disclosed, and the purpose of the disclosure. Business Associate shall maintain such records for a period of six (6) years from the date of the disclosure.

2.9 Government Access

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services (the "Secretary") for purposes of determining compliance with HIPAA. Business Associate shall cooperate with the Secretary's investigations and compliance reviews. Business Associate shall promptly notify Covered Entity of any inquiries, investigations, or enforcement actions by the Secretary relating to this Agreement or the PHI.

2.10 Restrictions

Business Associate shall comply with any restrictions on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR Section 164.522, provided that Covered Entity has notified Business Associate of such restrictions. Business Associate shall accommodate any reasonable requests by Covered Entity to communicate PHI by alternative means or to alternative locations.

3. Permitted Uses and Disclosures

3.1 Services

Business Associate is permitted to use and disclose PHI as necessary to perform the services specified in the Underlying Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity, except for the specific uses and disclosures authorized in this Section.

3.2 Business Associate's Own Management

Business Associate is permitted to use and disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that: (a) the use is necessary for such purpose; (b) any disclosure is required by law; or (c) Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that the information will remain confidential, will be used or further disclosed only as required by law or for the purposes for which it was disclosed, and that the person will notify Business Associate of any instances of which it is aware in which the confidentiality has been breached.

3.3 Data Aggregation

Business Associate is permitted to use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR Section 164.504(e)(2)(i)(B). Data aggregation means the combining of PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the healthcare operations of the respective covered entities.

3.4 De-Identification

Business Associate may use PHI to create de-identified health information in accordance with 45 CFR Section 164.514. De-identified information is not PHI and is not subject to the terms of this Agreement. Business Associate shall use appropriate methods to de-identify the information and shall ensure that the de-identified data cannot be re-identified.

4. Security Requirements

4.1 Administrative Safeguards

Business Associate shall implement administrative safeguards as required by 45 CFR Section 164.308, including but not limited to: (a) designating a security official responsible for development and implementation of security policies and procedures; (b) implementing workforce security measures, including authorization and supervision procedures, termination procedures, and access management; (c) implementing security awareness and training for all workforce members; (d) implementing security incident procedures for detecting, responding to, and mitigating security incidents; (e) developing a contingency plan for responding to emergencies or other events that damage systems containing ePHI; and (f) conducting periodic evaluations of the effectiveness of security measures.

4.2 Physical Safeguards

Business Associate shall implement physical safeguards as required by 45 CFR Section 164.310, including but not limited to: (a) facility access controls to limit physical access to systems containing ePHI; (b) workstation use and security policies; and (c) device and media controls for the disposal, re-use, and movement of electronic media containing ePHI.

4.3 Technical Safeguards

Business Associate shall implement technical safeguards as required by 45 CFR Section 164.312, including but not limited to: (a) access controls, including unique user identification, emergency access procedures, automatic logoff, and encryption and decryption; (b) audit controls to record and examine activity in information systems containing ePHI; (c) integrity controls to ensure that ePHI is not improperly altered or destroyed; (d) person or entity authentication mechanisms; and (e) transmission security, including encryption of ePHI transmitted over electronic communications networks.

4.4 Encryption

Business Associate shall encrypt all ePHI at rest and in transit using encryption standards consistent with NIST guidelines (NIST Special Publication 800-111 for data at rest and FIPS 140-2 for data in transit). If encryption is not feasible in a particular circumstance, Business Associate shall document the reasons and implement equivalent alternative safeguards.

4.5 Risk Assessment

Business Associate shall conduct and document a thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI at least annually. Business Associate shall implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Business Associate shall make the results of its risk assessments available to Covered Entity upon request.

5. Breach Notification

5.1 Discovery of Breach

Business Associate shall report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the Breach. A Breach shall be treated as discovered as of the first day on which the Breach is known or, by exercising reasonable diligence, would have been known to Business Associate (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of Business Associate).

5.2 Content of Breach Notification

The breach notification to Covered Entity shall include, to the extent possible: (a) the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the Breach; (b) a description of what happened, including the date of the Breach and the date of discovery; (c) a description of the types of Unsecured PHI involved in the Breach (such as full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information); (d) any steps Business Associate has taken or will take to investigate the Breach, mitigate harm, and protect against further Breaches; and (e) contact information for individuals who can answer questions about the Breach.

5.3 Cooperation

Business Associate shall cooperate with Covered Entity in investigating the Breach, making notifications to affected individuals, the Secretary, and the media as required by HIPAA, and taking any other actions required by law. Business Associate shall preserve any forensic evidence relating to the Breach.

5.4 Mitigation

Business Associate shall take prompt corrective action to cure any Breach, mitigate any harmful effects of the Breach, and prevent further Breaches. Business Associate shall provide Covered Entity with a written remediation plan within fifteen (15) business days of discovering the Breach.

5.5 Security Incident Reporting

Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. For unsuccessful Security Incidents (such as pings on a firewall, port scans, unsuccessful login attempts, or denial-of-service attacks that do not result in unauthorized access), Business Associate shall provide a summary report on a quarterly basis or as otherwise agreed by the Parties.

6. Obligations of Covered Entity

6.1 Notice of Privacy Practices

Covered Entity shall provide Business Associate with a copy of its Notice of Privacy Practices produced in accordance with 45 CFR Section 164.520, as well as any changes to such notice. Covered Entity shall notify Business Associate of any limitations in the notice that may affect Business Associate's use or disclosure of PHI.

6.2 Restrictions and Permissions

Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI. Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 CFR Section 164.522.

6.3 Permissible Requests

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except as specifically authorized in Section 3 of this Agreement.

7. Term and Termination

7.1 Term

This Agreement shall be effective as of the Effective Date and shall continue in effect until all obligations of the Parties have been fulfilled, including the return or destruction of all PHI, or until terminated as provided herein. If the Underlying Agreement terminates, this Agreement shall remain in effect to the extent necessary to address the disposition of PHI as described in this Section.

7.2 Termination for Breach

Either Party may terminate this Agreement if the other Party materially breaches the terms of this Agreement and fails to cure such breach within thirty (30) days of receiving written notice of the breach. If cure is not possible, the non-breaching Party may immediately terminate this Agreement.

7.3 Reporting to Secretary

If Covered Entity determines that Business Associate has materially breached this Agreement and cure is not possible, Covered Entity may report the problem to the Secretary of HHS in addition to terminating this Agreement.

7.4 Return or Destruction of PHI

Upon termination of this Agreement, Business Associate shall return to Covered Entity or destroy all PHI in the possession of Business Associate or its subcontractors, including all copies in any form or medium. Business Associate shall certify in writing to Covered Entity that all PHI has been returned or destroyed. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to the PHI retained and shall limit further uses and disclosures to the purposes that make return or destruction infeasible.

7.5 Survival

The obligations of Business Associate under this Section with respect to PHI that is retained after termination shall survive the termination of this Agreement for so long as Business Associate retains any PHI.

8. Representations and Warranties

8.1 Business Associate Representations

Business Associate represents and warrants that: (a) it has implemented and will maintain appropriate safeguards to protect the confidentiality, integrity, and availability of PHI; (b) it has designated a privacy official and a security official; (c) it has trained and will continue to train its workforce on HIPAA requirements; (d) it has implemented and will maintain policies and procedures for compliance with HIPAA; (e) it has conducted and will regularly conduct risk assessments; and (f) it will promptly correct any deficiencies in its HIPAA compliance program.

8.2 Covered Entity Representations

Covered Entity represents and warrants that: (a) it has obtained all necessary consents, authorizations, and permissions required for the disclosure of PHI to Business Associate; (b) it has provided Business Associate with its Notice of Privacy Practices; and (c) it will promptly notify Business Associate of any changes to its privacy practices that may affect Business Associate's use or disclosure of PHI.

9. Indemnification

9.1 Business Associate Indemnification

Business Associate shall indemnify, defend, and hold harmless Covered Entity from and against any and all claims, damages, losses, fines, penalties, costs, and expenses (including reasonable attorneys' fees) arising from or relating to: (a) any Breach of Unsecured PHI caused by Business Associate or its subcontractors; (b) any unauthorized use or disclosure of PHI by Business Associate or its subcontractors; (c) any violation of HIPAA by Business Associate or its subcontractors; (d) any failure of Business Associate to comply with the terms of this Agreement; or (e) any negligent or wrongful act or omission of Business Associate or its workforce in connection with PHI.

9.2 Covered Entity Indemnification

Covered Entity shall indemnify, defend, and hold harmless Business Associate from and against any claims, damages, losses, and expenses arising from Covered Entity's breach of this Agreement or Covered Entity's violation of HIPAA that is not attributable to the acts or omissions of Business Associate.

10. Limitation of Liability

NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING FROM THIS AGREEMENT, EXCEPT THAT THIS LIMITATION SHALL NOT APPLY TO: (A) BREACHES OF PHI CAUSED BY BUSINESS ASSOCIATE'S NEGLIGENCE OR WILLFUL MISCONDUCT; (B) FINES OR PENALTIES IMPOSED BY THE SECRETARY; OR (C) INDEMNIFICATION OBLIGATIONS UNDER SECTION 9.

11. Insurance

Business Associate shall maintain cyber liability insurance with minimum limits of one million dollars ($1,000,000) per occurrence and two million dollars ($2,000,000) aggregate, covering data breaches, privacy violations, and related claims. Business Associate shall also maintain professional liability insurance and commercial general liability insurance in adequate amounts. Business Associate shall provide certificates of insurance to Covered Entity upon request.

12. Audit Rights

Covered Entity shall have the right, upon reasonable notice and during normal business hours, to audit Business Associate's compliance with this Agreement and HIPAA, including reviewing Business Associate's security policies, procedures, and practices, and inspecting Business Associate's facilities and systems. Business Associate shall cooperate fully with any such audit and shall provide Covered Entity with access to all relevant documents and personnel. Covered Entity shall conduct such audits no more frequently than once per year, unless a Breach or other compliance concern warrants additional review.

13. Regulatory Changes

The Parties agree to negotiate in good faith to amend this Agreement as necessary to comply with any changes to HIPAA, the Privacy Rule, the Security Rule, the Breach Notification Rule, or any other applicable law or regulation. If the Parties are unable to agree on an amendment within sixty (60) days of the effective date of the regulatory change, either Party may terminate this Agreement upon thirty (30) days' written notice.

14. Miscellaneous

14.1 Entire Agreement

This Agreement constitutes the entire agreement between the Parties regarding the use and protection of PHI and supersedes all prior agreements and understandings relating to the same subject matter.

14.2 Amendments

This Agreement may be amended only by a written instrument signed by both Parties, except as may be required to comply with changes in HIPAA or other applicable law.

14.3 No Third-Party Beneficiaries

Nothing in this Agreement is intended to confer any rights or remedies on any person or entity other than the Parties, except that individuals whose PHI is used or disclosed under this Agreement may enforce their rights under HIPAA.

14.4 Assignment

Neither Party may assign this Agreement without the prior written consent of the other Party, except that either Party may assign this Agreement in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided that the assignee agrees to be bound by the terms of this Agreement.

14.5 Governing Law

This Agreement shall be governed by federal law (HIPAA and HITECH) to the extent applicable, and by the laws of the state in which Covered Entity is located for matters not addressed by federal law.

14.6 Severability

If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to comply with applicable law.

14.7 Waiver

No failure or delay in exercising any right under this Agreement shall constitute a waiver. Waivers must be in writing and signed by the waiving Party.

14.8 Notices

All notices under this Agreement shall be in writing and shall be deemed given when delivered personally, by confirmed email, or by overnight courier to the addresses set forth below or such other addresses as the Parties may designate in writing.

14.9 Interpretation

This Agreement shall be interpreted in a manner consistent with HIPAA and any ambiguity shall be resolved in favor of a meaning that complies with HIPAA. In the event of a conflict between this Agreement and HIPAA, HIPAA shall control.

14.10 Counterparts

This Agreement may be executed in counterparts, each of which shall be deemed an original. Electronic signatures shall be deemed original signatures for all purposes.


IN WITNESS WHEREOF, the Parties have executed this HIPAA Business Associate Agreement as of the Effective Date.

Covered Entity

covered_entity

[Electronic signature will be collected via zsign]

[Date will be recorded automatically]

Business Associate

business_associate

[Electronic signature will be collected via zsign]

[Date will be recorded automatically]
