5. Procedures
BUSINESS ASSOCIATE AGREEMENT — KEY PROVISIONS
The following provisions shall be included in every BAA executed by [PRACTICE NAME]:
1. PERMITTED USES AND DISCLOSURES
1.1 This Agreement shall establish the permitted and required uses and disclosures of PHI by the Business Associate (45 CFR § 164.504(e)(2)(i)). The Business Associate may use and disclose PHI only to perform the functions, activities, or services specified in the underlying service agreement and as otherwise expressly permitted by this Agreement or required by law. [SPECIFY THE PERMITTED AND REQUIRED USES AND DISCLOSURES — e.g., the specific services the Business Associate performs.]
1.2 Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
1.3 Business Associate shall not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 (Privacy Rule) if done by the Covered Entity, except that the Agreement may permit the Business Associate (a) to use PHI as necessary for the proper management and administration of the Business Associate or to carry out its legal responsibilities; (b) to disclose PHI for such management, administration, and legal responsibilities, provided the disclosure is required by law OR the Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed, and the recipient notifies the Business Associate of any breach of confidentiality (45 CFR § 164.504(e)(4)); and (c) to provide data aggregation services relating to the Covered Entity's health care operations (45 CFR § 164.504(e)(2)(i)(B)).
2. SAFEGUARDS
2.1 Business Associate shall use appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI.
2.2 Business Associate shall implement safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity, as required by the HIPAA Security Rule.
2.3 Business Associate shall comply with the HIPAA Security Rule as applicable to business associates under the HITECH Act.
3. REPORTING
3.1 Business Associate shall report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR § 164.410.
3.1.1 Business Associate shall report to the Covered Entity any security incident of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR § 164.410 (45 CFR § 164.314(a)(2)(i)(C)).
3.2 Breach notification shall be made to the Covered Entity without unreasonable delay and in no case later than [NUMBER — recommended 30, many BAAs specify shorter: 10, 5, or 3] calendar days after discovery of the breach.
3.3 The breach report shall include: identification of individuals affected, description of the PHI involved, description of the incident, corrective actions taken, and any other information reasonably requested by the Covered Entity.
4. SUBCONTRACTORS
4.1 Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions and conditions that apply to Business Associate under this Agreement.
4.2 Business Associate shall enter into a written agreement with each subcontractor that meets the requirements of 45 CFR § 164.504(e).
5. INDIVIDUAL RIGHTS
5.1 Business Associate shall make PHI available to the Covered Entity or, at the Covered Entity's direction, to the individual, to fulfill the individual's right of access under 45 CFR § 164.524.
5.2 Business Associate shall make PHI available for amendment and incorporate any amendments to PHI as directed by the Covered Entity, per 45 CFR § 164.526.
5.3 Business Associate shall make information available for an accounting of disclosures per 45 CFR § 164.528.
5.4 To the extent the Business Associate is to carry out one or more of the Covered Entity's obligations under Subpart E of 45 CFR Part 164 (Privacy Rule), the Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s) (45 CFR § 164.504(e)(2)(ii)(H)).
6. HHS ACCESS
6.1 Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for determining the Covered Entity's compliance with HIPAA.
7. RETURN OR DESTRUCTION OF PHI
7.1 Upon termination of this Agreement, Business Associate shall, at the Covered Entity's direction, return or destroy all PHI received from or created on behalf of the Covered Entity. If return or destruction is not feasible, the protections of this Agreement shall extend to such PHI.
8. TERM AND TERMINATION
8.1 This Agreement shall be effective as of [EFFECTIVE DATE] and shall remain in effect until terminated.
8.2 The Covered Entity may terminate this Agreement if it determines that the Business Associate has violated a material term. The Covered Entity shall provide [NUMBER] days' written notice and an opportunity to cure before termination.
8.3 If cure is not possible, the Covered Entity may immediately terminate this Agreement.
9. MISCELLANEOUS
9.1 Regulatory References: Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Covered Entity to comply with HIPAA.
9.2 Amendment: This Agreement shall be amended as necessary to comply with changes in HIPAA and its implementing regulations.
9.3 Survival: The obligations of the Business Associate under Sections 2, 5, 6, and 7 shall survive termination of this Agreement.
BUSINESS ASSOCIATE MANAGEMENT PROCEDURES
10. VENDOR DUE DILIGENCE
10.1 Before engaging a new business associate, the Privacy Officer shall: determine whether the vendor qualifies as a business associate, evaluate the vendor's security practices (via security questionnaire or SOC 2 report review), and ensure a signed BAA is in place before any PHI is shared.
11. BAA TRACKING
11.1 The Privacy Officer shall maintain a BAA Tracking Log that includes: business associate name and contact, services provided, date BAA executed, BAA expiration or renewal date, and date of last security assessment.
11.2 The BAA Tracking Log shall be reviewed at least annually to verify all active business associates have current BAAs.