Scribd Logo
Upload

Welcome to Scribd!

  • Sample Business Associate Agreement

    Uploaded by

    r.jeyashankar9550
    11 views4 pages
    What is the agreement to be entered into with a business associate?

    Copyright

    © © All Rights Reserved

    Available Formats

    DOC, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    What is the agreement to be entered into with a business associate?

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    11 views4 pages

    Sample Business Associate Agreement

    Uploaded by

    r.jeyashankar9550
    What is the agreement to be entered into with a business associate?

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    SampleBusinessAssociationAgreement.

    ThisModelformwaspreparedbytheDepartmentofHealthandHumanServicesasexplainedinthestatementof
    intent.

    StatementofIntent
    TheDepartmentprovidesthesesamplebusinessassociatecontractprovisionsinresponsetonumerousrequestsfor
    guidance.Thisisonlysamplelanguage.Theseprovisionsaredesignedtohelpcoveredentitiesmoreeasilycomply
    withthebusinessassociatecontractrequirementsofthePrivacyRule.However,useofthesesampleprovisionsis
    notrequiredforcompliancewiththePrivacyRule.Thelanguagemaybeamendedtomoreaccuratelyreflect
    businessarrangementsbetweenthecoveredentityandthebusinessassociate.
    Theseorsimilarprovisionsmaybeincorporatedintoanagreementfortheprovisionofservicesbetweentheentities
    ortheymaybeincorporatedintoaseparatebusinessassociateagreement.Theseprovisionsonlyaddressconcepts
    andrequirementssetforthinthePrivacyRuleandalonearenotsufficienttoresultinabindingcontractunderState
    law.Theydonotincludemanyformalitiesandsubstantiveprovisionsthatarerequiredortypicallyincludedina
    validcontract.RelianceonthissampleisnotsufficientforcompliancewithStatelawanddoesnotreplace
    consultationwithalawyerornegotiationsbetweenthepartiestothecontract.
    Furthermore,acoveredentitymaywanttoincludeotherprovisionsthatarerelatedtothePrivacyRulebutthatare
    notrequiredbythePrivacyRule.Forexample,acoveredentitymaywanttoaddprovisionsinabusinessassociate
    contractinorderforthecoveredentitytobeabletorelyonthebusinessassociatetohelpthecoveredentitymeetits
    obligationsunderthePrivacyRule.Inaddition,theremaybepermissibleusesordisclosuresbyabusinessassociate
    thatarenotspecificallyaddressedinthesesampleprovisions,forexamplehavingabusinessassociatecreatea
    limiteddataset.Theseandothertypesofissueswillneedtobeworkedoutbetweentheparties.
    SampleBusinessAssociateContractProvisions1
    Definitions(alternativeapproaches)
    Catchalldefinition:
    Termsused,butnototherwisedefined,inthisAgreementshallhavethesamemeaningasthosetermsinthe
    PrivacyRule.
    Examplesofspecificdefinitions:
    0.

    BusinessAssociate."BusinessAssociate"shallmean[InsertNameofBusinessAssociate].

    a.

    CoveredEntity."CoveredEntity"shallmean[InsertNameofCoveredEntity].

    b.

    Individual."Individual"shallhavethesamemeaningastheterm"individual"in45CFR
    164.501andshallincludeapersonwhoqualifiesasapersonalrepresentativeinaccordancewith
    45CFR164.502(g).

    c.

    PrivacyRule."PrivacyRule"shallmeantheStandardsforPrivacyofIndividuallyIdentifiable
    HealthInformationat45CFRPart160andPart164,SubpartsAandE.

    d.

    ProtectedHealthInformation."ProtectedHealthInformation"shallhavethesamemeaningasthe
    term"protectedhealthinformation"in45CFR164.501,limitedtotheinformationcreatedor
    receivedbyBusinessAssociatefromoronbehalfofCoveredEntity.

    e.

    RequiredByLaw."RequiredByLaw"shallhavethesamemeaningastheterm"requiredbylaw"
    in45CFR164.501.

    f.

    Secretary."Secretary"shallmeantheSecretaryoftheDepartmentofHealthandHumanServices
    orhisdesignee.

    ObligationsandActivitiesofBusinessAssociate
    0. BusinessAssociateagreestonotuseordiscloseProtectedHealthInformationotherthanaspermittedor
    requiredbytheAgreementorasRequiredByLaw.
    a. BusinessAssociateagreestouseappropriatesafeguardstopreventuseordisclosureoftheProtectedHealth
    InformationotherthanasprovidedforbythisAgreement.
    b. BusinessAssociateagreestomitigate,totheextentpracticable,anyharmfuleffectthatisknownto
    BusinessAssociateofauseordisclosureofProtectedHealthInformationbyBusinessAssociatein
    violationoftherequirementsofthisAgreement.[Thisprovisionmaybeincludedifitisappropriateforthe
    CoveredEntitytopassonitsdutytomitigatedamagestoaBusinessAssociate.]
    c. BusinessAssociateagreestoreporttoCoveredEntityanyuseordisclosureoftheProtectedHealth
    InformationnotprovidedforbythisAgreementofwhichitbecomesaware.
    d. BusinessAssociateagreestoensurethatanyagent,includingasubcontractor,towhomitprovides
    ProtectedHealthInformationreceivedfrom,orcreatedorreceivedbyBusinessAssociateonbehalfof
    CoveredEntityagreestothesamerestrictionsandconditionsthatapplythroughthisAgreementto
    BusinessAssociatewithrespecttosuchinformation.
    e. BusinessAssociateagreestoprovideaccess,attherequestofCoveredEntity,andinthetimeandmanner
    [Insertnegotiatedterms],toProtectedHealthInformationinaDesignatedRecordSet,toCoveredEntityor,
    asdirectedbyCoveredEntity,toanIndividualinordertomeettherequirementsunder45CFR164.524.
    [Notnecessaryifbusinessassociatedoesnothaveprotectedhealthinformationinadesignatedrecordset.]
    f. BusinessAssociateagreestomakeanyamendment(s)toProtectedHealthInformationinaDesignated
    RecordSetthattheCoveredEntitydirectsoragreestopursuantto45CFR164.526attherequestof
    CoveredEntityoranIndividual,andinthetimeandmanner[Insertnegotiatedterms].[Notnecessaryif
    businessassociatedoesnothaveprotectedhealthinformationinadesignatedrecordset.]
    g. BusinessAssociateagreestomakeinternalpractices,books,andrecords,includingpoliciesandprocedures
    andProtectedHealthInformation,relatingtotheuseanddisclosureofProtectedHealthInformation
    receivedfrom,orcreatedorreceivedbyBusinessAssociateonbehalfof,CoveredEntityavailable[tothe
    CoveredEntity,or]totheSecretary,inatimeandmanner[Insertnegotiatedterms]ordesignatedbythe
    Secretary,forpurposesoftheSecretarydeterminingCoveredEntity'scompliancewiththePrivacyRule.
    h. BusinessAssociateagreestodocumentsuchdisclosuresofProtectedHealthInformationandinformation
    relatedtosuchdisclosuresaswouldberequiredforCoveredEntitytorespondtoarequestbyanIndividual
    foranaccountingofdisclosuresofProtectedHealthInformationinaccordancewith45CFR164.528.
    i. BusinessAssociateagreestoprovidetoCoveredEntityoranIndividual,intimeandmanner[Insert
    negotiatedterms],informationcollectedinaccordancewithSection[InsertSectionNumberinContract
    WhereProvision(i)Appears]ofthisAgreement,topermitCoveredEntitytorespondtoarequestbyan
    IndividualforanaccountingofdisclosuresofProtectedHealthInformationinaccordancewith45CFR
    164.528.
    PermittedUsesandDisclosuresbyBusinessAssociate
    GeneralUseandDisclosureProvisions[(a)and(b)arealternativeapproaches]
    0. Specifypurposes:
    ExceptasotherwiselimitedinthisAgreement,BusinessAssociatemayuseordiscloseProtectedHealth
    Informationonbehalfof,ortoprovideservicesto,CoveredEntityforthefollowingpurposes,ifsuchuse
    ordisclosureofProtectedHealthInformationwouldnotviolatethePrivacyRuleifdonebyCoveredEntity
    ortheminimumnecessarypoliciesandproceduresoftheCoveredEntity:
    [ListPurposes].
    a. Refertounderlyingservicesagreement:
    ExceptasotherwiselimitedinthisAgreement,BusinessAssociatemayuseordiscloseProtectedHealth
    Informationtoperformfunctions,activities,orservicesfor,oronbehalfof,CoveredEntityasspecifiedin

    [InsertNameofServicesAgreement],providedthatsuchuseordisclosurewouldnotviolatethePrivacy
    RuleifdonebyCoveredEntityortheminimumnecessarypoliciesandproceduresoftheCoveredEntity.
    SpecificUseandDisclosureProvisions[onlynecessaryifpartieswishtoallowBusinessAssociatetoengageinsuch
    activities]
    0. ExceptasotherwiselimitedinthisAgreement,BusinessAssociatemayuseProtectedHealthInformation
    forthepropermanagementandadministrationoftheBusinessAssociateortocarryoutthelegal
    responsibilitiesoftheBusinessAssociate.
    a. ExceptasotherwiselimitedinthisAgreement,BusinessAssociatemaydiscloseProtectedHealth
    InformationforthepropermanagementandadministrationoftheBusinessAssociate,providedthat
    disclosuresareRequiredByLaw,orBusinessAssociateobtainsreasonableassurancesfromthepersonto
    whomtheinformationisdisclosedthatitwillremainconfidentialandusedorfurtherdisclosedonlyas
    RequiredByLaworforthepurposeforwhichitwasdisclosedtotheperson,andthepersonnotifiesthe
    BusinessAssociateofanyinstancesofwhichitisawareinwhichtheconfidentialityoftheinformationhas
    beenbreached.
    b. ExceptasotherwiselimitedinthisAgreement,BusinessAssociatemayuseProtectedHealthInformation
    toprovideDataAggregationservicestoCoveredEntityaspermittedby42CFR164.504(e)(2)(i)(B).
    c. BusinessAssociatemayuseProtectedHealthInformationtoreportviolationsoflawtoappropriateFederal
    andStateauthorities,consistentwith164.502(j)(1).
    ObligationsofCoveredEntity
    ProvisionsforCoveredEntitytoInformBusinessAssociateofPrivacyPracticesandRestrictions[provisions
    dependentonbusinessarrangement]
    0. CoveredEntityshallnotifyBusinessAssociateofanylimitation(s)initsnoticeofprivacypracticesof
    CoveredEntityinaccordancewith45CFR164.520,totheextentthatsuchlimitationmayaffect
    BusinessAssociate'suseordisclosureofProtectedHealthInformation.
    a. CoveredEntityshallnotifyBusinessAssociateofanychangesin,orrevocationof,permissionby
    IndividualtouseordiscloseProtectedHealthInformation,totheextentthatsuchchangesmayaffect
    BusinessAssociate'suseordisclosureofProtectedHealthInformation.
    b. CoveredEntityshallnotifyBusinessAssociateofanyrestrictiontotheuseordisclosureofProtected
    HealthInformationthatCoveredEntityhasagreedtoinaccordancewith45CFR164.522,totheextent
    thatsuchrestrictionmayaffectBusinessAssociate'suseordisclosureofProtectedHealthInformation.
    PermissibleRequestsbyCoveredEntity
    CoveredEntityshallnotrequestBusinessAssociatetouseordiscloseProtectedHealthInformationinanymanner
    thatwouldnotbepermissibleunderthePrivacyRuleifdonebyCoveredEntity.[Includeanexceptionifthe
    BusinessAssociatewilluseordiscloseprotectedhealthinformationfor,andthecontractincludesprovisionsfor,
    dataaggregationormanagementandadministrativeactivitiesofBusinessAssociate].
    TermandTermination
    0. Term.TheTermofthisAgreementshallbeeffectiveasof[InsertEffectiveDate],andshallterminatewhen
    alloftheProtectedHealthInformationprovidedbyCoveredEntitytoBusinessAssociate,orcreatedor
    receivedbyBusinessAssociateonbehalfofCoveredEntity,isdestroyedorreturnedtoCoveredEntity,or,
    ifitisinfeasibletoreturnordestroyProtectedHealthInformation,protectionsareextendedtosuch
    information,inaccordancewiththeterminationprovisionsinthisSection.[Termmaydiffer.]
    a. TerminationforCause.UponCoveredEntity'sknowledgeofamaterialbreachbyBusinessAssociate,
    CoveredEntityshalleither:
    1. ProvideanopportunityforBusinessAssociatetocurethebreachorendtheviolationand
    terminatethisAgreement[andthe_________Agreement/sections____ofthe______________
    Agreement]ifBusinessAssociatedoesnotcurethebreachorendtheviolationwithinthetime
    specifiedbyCoveredEntity;
    2. ImmediatelyterminatethisAgreement[andthe_________Agreement/sections____ofthe
    ______________Agreement]ifBusinessAssociatehasbreachedamaterialtermofthis
    Agreementandcureisnotpossible;or
    3. Ifneitherterminationnorcurearefeasible,CoveredEntityshallreporttheviolationtothe
    Secretary.

    [Bracketedlanguageinthisprovisionmaybenecessaryifthereisanunderlyingservices
    agreement.Also,opportunitytocureispermitted,butnotrequiredbythePrivacyRule.]
    b. EffectofTermination.
    4. Exceptasprovidedinparagraph(2)ofthissection,uponterminationofthisAgreement,forany
    reason,BusinessAssociateshallreturnordestroyallProtectedHealthInformationreceivedfrom
    CoveredEntity,orcreatedorreceivedbyBusinessAssociateonbehalfofCoveredEntity.This
    provisionshallapplytoProtectedHealthInformationthatisinthepossessionofsubcontractorsor
    agentsofBusinessAssociate.BusinessAssociateshallretainnocopiesoftheProtectedHealth
    Information.
    5. IntheeventthatBusinessAssociatedeterminesthatreturningordestroyingtheProtectedHealth
    Informationisinfeasible,BusinessAssociateshallprovidetoCoveredEntitynotificationofthe
    conditionsthatmakereturnordestructioninfeasible.Upon[Insertnegotiatedterms]thatreturnor
    destructionofProtectedHealthInformationisinfeasible,BusinessAssociateshallextendthe
    protectionsofthisAgreementtosuchProtectedHealthInformationandlimitfurtherusesand
    disclosuresofsuchProtectedHealthInformationtothosepurposesthatmakethereturnor
    destructioninfeasible,forsolongasBusinessAssociatemaintainssuchProtectedHealth
    Information.
    Miscellaneous
    0. RegulatoryReferences.AreferenceinthisAgreementtoasectioninthePrivacyRulemeansthesectionas
    ineffectorasamended.
    a. Amendment.ThePartiesagreetotakesuchactionasisnecessarytoamendthisAgreementfromtimeto
    timeasisnecessaryforCoveredEntitytocomplywiththerequirementsofthePrivacyRuleandtheHealth
    InsurancePortabilityandAccountabilityActof1996,Pub.L.No.104191.
    b. Survival.TherespectiverightsandobligationsofBusinessAssociateunderSection[InsertSectionNumber
    Relatedto"EffectofTermination"]ofthisAgreementshallsurvivetheterminationofthisAgreement.
    c. Interpretation.AnyambiguityinthisAgreementshallberesolvedtopermitCoveredEntitytocomplywith
    thePrivacyRule.
    1

    Wordsorphrasescontainedinbracketsareintendedaseitheroptionallanguageorasinstructionstotheusersof
    thesesampleprovisionsandarenotintendedtobeincludedinthecontractualprovisions.

    You might also like