Business Associate Agreement
Last Updated December 8, 2025
This BAA governs the receipt, use, disclosure, maintenance, or transmission of Protected Health Information (PHI) by Business Associate on behalf of Covered Entity, in connection with the services provided by Business Associate.
Definitions
Unless otherwise defined in this BAA, capitalized terms have the same meanings as in HIPAA and its implementing regulations, including but not limited to 45 C.F.R. §160.103 and Part 164 (e.g., “Protected Health Information” or “PHI,” “ePHI,” “Covered Entity,” “Business Associate,” “Privacy Rule,” “Security Rule,” “Breach,” “Unsecured PHI,” etc.).
Permitted Uses
- Business Associate may use or disclose PHI only as reasonably necessary to perform the services for Covered Entity (e.g., data hosting, analytics, reporting, storage, processing) as agreed between the Parties. Such use or disclosure must be consistent with HIPAA.
- Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities (e.g., compliance, audits, internal operations), provided that such use or disclosure is not for marketing, sale, or other unauthorized purposes.
- Business Associate may de-identify PHI in accordance with applicable law (e.g., 45 C.F.R. §164.514(a)-(c)) and, once de-identified, may use or disclose such information for its legitimate business purposes (e.g., benchmarking, analytics, service improvement). De-identified information is no longer subject to the PHI restrictions of this BAA.
Prohibited Uses
Business Associate shall not use or disclose PHI in any manner not permitted or required by this BAA or by law. In particular, Business Associate shall not:
- Sell PHI or use PHI for marketing purposes;
- Use or disclose PHI beyond the “minimum necessary” to accomplish the intended purpose;
- Use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity.
Safeguards
Business Associate agrees to implement and maintain appropriate administrative, physical, and technical safeguards to reasonably safeguard the confidentiality, integrity, and availability of PHI (and ePHI) — consistent with the HIPAA Security Rule. Safeguards may include, but are not limited to: access controls, encryption, secure storage, audit logging, multi-factor authentication (MFA), workforce training, and policies to prevent unauthorized use or disclosure.
Business Associate shall ensure that any subcontractor or agent to whom it provides PHI agrees in writing to the same restrictions and safeguards as set forth in this BAA. Business Associate remains fully responsible for any such subcontractor’s or agent’s compliance.
Reporting
Business Associate will promptly report to Covered Entity any use or disclosure of PHI not permitted under this BAA or HIPAA, including any “Security Incident” or actual “Breach” of unsecured PHI, as soon as reasonably practicable after discovering the event. The report shall include (to the extent known):
- A description of the nature of the incident;
- The types of PHI involved;
- Approximate number of affected individuals (if applicable);
- Steps Business Associate has taken to mitigate harm;
- Steps Business Associate proposes to prevent future occurrences.
Business Associate will cooperate with Covered Entity in any required breach-notification procedures under HIPAA and applicable state laws.
Access
If Covered Entity or an individual requests access to PHI, amendment of PHI, or an accounting of disclosures (as applicable under HIPAA), and Business Associate maintains that PHI, Business Associate shall, within a reasonable time and in the form requested by Covered Entity (or by the individual, through Covered Entity), provide access, make amendments, or provide an account of disclosures.
Term & Termination
Term: This BAA remains in effect so long as Business Associate retains any PHI on behalf of Covered Entity.
Termination for Cause: Covered Entity may terminate this BAA immediately if Business Associate materially breaches any provision of this BAA and fails to cure within a defined period (e.g., 30 days after written notice).
Return or Destruction: Upon termination or expiration, Business Associate shall, at Covered Entity’s direction, return all PHI to Covered Entity or securely destroy it (and all copies), unless return or destruction is infeasible (e.g., for legal, archival or technical reasons). If infeasible, Business Associate will extend all protections of this BAA to the retained PHI and limit further use or disclosure to only those purposes permitted under this BAA.
Subcontractors
If Business Associate engages any subcontractor or agent to perform functions involving PHI on behalf of Covered Entity, Business Associate shall ensure that such subcontractor or agent enters into a written agreement requiring the same restrictions, conditions, and safeguards that apply to Business Associate under this BAA. Business Associate remains liable for any breach by a subcontractor or agent.
Regulatory Compliance
- Business Associate agrees to comply with all applicable federal and state laws and regulations governing PHI, including HIPAA, the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and any implementing regulations.
- If changes in applicable law, regulation, or guidance require modification of this BAA, the Parties agree to negotiate in good faith to amend this BAA as necessary.
- Any ambiguity in this BAA shall be resolved in favor of a meaning that permits compliance with HIPAA and all other applicable laws.
Entire Agreement
- This BAA does not create any rights for any third party; only Covered Entity and Business Associate have rights under this BAA.
- This BAA constitutes the entire agreement between the Parties with respect to PHI. It supersedes any prior agreements related to PHI between the Parties. Any amendments must be in writing and signed by both Parties.
