HIPAA Business Associate Agreement

Next-level National Strategic Group services can be unlocked through the HIPAA form below (it’s a standard form; we just tweaked it a bit to avoid legal jargon and use the equivalent plain-English words).

Basically, you are giving us permission to see your patients’ data, and the agreement says that we must follow HIPAA compliance rules in protecting that data. This agreement does NOT change how you handle your data within your own systems.

COVERED ENTITY:


This Business Associate Agreement (“BAA”) is entered into and effective on [datetoday] (“Effective Date”) by and between National Strategic Group (“Business Associate”) and the Covered Entity identified below (each a “Party” and collectively, the “Parties”).

Purpose of Agreement

Covered Entity is a “Covered Entity” as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-91), as amended, (“HIPAA”), and the regulations promulgated thereunder by the Secretary of the U.S. Department of Health and Human Services (“Secretary”), including, without limitation, the regulations codified at 45 C.F.R. Parts 160 and 164 (“HIPAA Regulations”);

Business Associate seeks to perform Services for or on behalf of Covered Entity, and in performing said Services, Business Associate will create, receive, maintain, or transmit Protected Health Information (“PHI”) or Electronic Protected Health Information ("ePHI");

The parties intend to protect the privacy and provide for the security of PHI and ePHI disclosed by Covered Entity to Business Associate, or received or created by Business Associate, when providing services in compliance with HIPAA, its corresponding regulations, and the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”); and all other applicable state and federal laws, all as amended from time to time;

Covered Entity is required under HIPAA to enter into a Business Associate Agreement with Business Associate that meets certain requirements with respect to the use or disclosure of PHI; and

Business Associate is required under HIPAA to comply with the terms of the Business Associate Agreement, as set forth in 45 C.F.R. 164.502(e)(2) and 164.504(e). 

1 - Definition of Terms

Capitalized terms used in this Business Associate Agreement and not otherwise defined will have the meanings ascribed to them in HIPAA, the HIPAA Regulations, or the HITECH Act, as applicable.

1.1. “Protected Health Information” (“PHI”) is defined in 45 C.F.R. § 160.103 and means any information, whether oral or recorded in any form or medium, that:

(a) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that
(b) identifies the individual, or for which there is a reasonable basis for believing that the information can be used to identify the individual. 

1.2. “Breach” is defined in 42 U.S.C. § 17921(1) and 45 C.F.R. § 164.402.

1.3. "Data Aggregation" is defined in 45 C.F.R. § 164.501.

1.4. “Designated Record Set” is defined in 45 C.F.R. § 164.501.  

1.5. “Disclose” and “Disclosure” mean the release, transfer, provision of, access to, or divulging in any other manner, of PHI outside of Business Associate or to other than members of its workforce, per 45 C.F.R. § 160.103.

1.6.  “Electronic PHI” or “ePHI” means PHI that is transmitted or maintained in electronic media, per 45 C.F.R. § 160.103.

1.7.  “Security Incident” is defined in 45 C.F.R. § 164.304. 

1.8. “Services” means the services or functions performed by Business Associate on behalf of Covered Entity pursuant to any service agreement(s) between Covered Entity and Business Associate which may be in effect now or from time to time (“Underlying Agreement”), or, if no such agreement is in effect, the services or functions performed by Business Associate that constitute a Business Associate relationship, per 45 C.F.R. § 160.103, Definition of "Business Associate."

1.9. “Subcontractor” means a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of the Business Associate.

1.10. “Unsecured PHI” is defined in 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402, and Federal Register documents, including, but not limited to, 74 Federal Register 19006 (April 27, 2009) and 78 Federal Register 5565 (January 25, 2013).

1.11. “Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination, or analysis of such PHI within Business Associate’s internal operations, per 45 C.F.R. § 160.103.

1.12. “Workforce” is defined in 45 C.F.R. § 160.103.

2 - Business Associate (National Strategic Group) Obligations 

2.1.  Permitted Uses and Disclosures of Protected Health Information

Business Associate will not use or disclose PHI other than for the purposes of performing the Services; as permitted or required by this BAA; or as Required By Law.  Business Associate will not use or disclose PHI in any manner that would constitute a violation of Subpart E of 45 C.F.R. Part 164 if so used or disclosed by Covered Entity.  However, Business Associate may use or disclose PHI (i) for the proper management and administration of Business Associate; (ii) to carry out the legal responsibilities of Business Associate, provided that with respect to any such disclosure either: (a) the disclosure is Required by Law; or (b) Business Associate obtains reasonable assurances  from the person to whom the PHI is to be disclosed that such person will hold the PHI in confidence and will not use or further disclose such PHI except as Required by Law and for the purpose(s) for which it was disclosed by Business Associate to such person, and that such person will promptly notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; and (iii) pursuant to 45 C.F.R. § 164.501 and 164.504(e)(2)(i)(B), for Data Aggregation purposes for the healthcare operations of Covered Entity. Business Associate may use and disclose PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1) and applicable state laws. Business Associate may de-identify Protected Health Information, provided that such de-identification is performed in accordance with 45 CFR § 164.514(b).

To the extent that Business Associate carries out one or more of Covered Entity’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate must comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.

2.2.  Prohibited Marketing and Sale of PHI

Notwithstanding any other provision in this BAA, Business Associate will comply with the following requirements: (i) Business Associate will not use or disclose PHI for fundraising or marketing purposes, except to the extent expressly authorized or permitted by this BAA and consistent with the requirements and any exceptions of 42 U.S.C. § 17936, 45 C.F.R. § 164.514(f), and 45 C.F.R. § 164.508(a)(3); and (ii) Business Associate will not directly or indirectly receive remuneration in exchange for PHI, except with the prior written consent of Covered Entity and as permitted by the HITECH Act, 42 U.S.C. § 17935(d)(2), and 45 C.F.R. § 164.502(a)(5)(ii). 

2.3. Adequate Safeguards of PHI

Business Associate will implement and maintain appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA.  Business Associate will reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity in compliance with Subpart C of 45 C.F.R. Part 164 to prevent use or disclosure of PHI other than as provided for by this BAA.

2.4. Mitigation

Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.

2.5. Reporting Non-Permitted Use or Disclosure

2.5.1 Reporting Security Incidents and Non-Permitted Use or Disclosure

Business Associate will report to Covered Entity in writing each Security Incident or use or disclosure that is made by Business Associate, members of its workforce, or subcontractors that is not specifically permitted by this BAA, no later than five (5) business days after becoming aware of such security incident or non-permitted use or disclosure, in accordance with the notice provisions set forth herein.  Business Associate will investigate each Security Incident or non-permitted use or disclosure of Covered Entity’s PHI that it discovers, to determine whether such Security Incident or non-permitted use or disclosure constitutes a reportable breach of unsecured PHI.  Business Associate will document and retain records of its investigation of any Breach, including its reports to Covered Entity under this Section 2.5.1.  Upon request of Covered Entity, Business Associate will furnish to Covered Entity the documentation of its investigation and an assessment of whether such Security Incident or non-permitted use or disclosure constitutes a reportable Breach.  If such Security Incident or non-permitted use or disclosure constitutes a reportable breach of unsecured PHI, then Business Associate will comply with the additional requirements of Section 2.5.2 below. Notwithstanding the foregoing, the parties agree that this Section 2.5.1 constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined herein) for which no additional notice is required.  “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, malware such as worms or viruses and any combination of the above, so long as such incidents do not result in unauthorized access, use or disclosure, modification or destruction of PHI. 

2.5.2 Breach of Unsecured PHI

If Business Associate determines that a reportable breach of unsecured PHI has occurred, Business Associate will provide a written report to Covered Entity without unreasonable delay but no later than thirty (30) calendar days after discovery of the breach. To the extent that information is available to Business Associate, Business Associate’s written report to Covered Entity will be in accordance with 45 C.F.R. §164.410(c). Business Associate will cooperate with Covered Entity in meeting Covered Entity’s obligations under HIPAA and the HITECH Act with respect to such breach. Covered Entity will have sole control over the timing and method of providing notification of such Breach to the affected individual(s), the HHS Secretary and, if applicable, the media, as required by HIPAA and the HITECH Act. Business Associate will reimburse Covered Entity for its reasonable costs and expenses in providing the notification, including, but not limited to, any administrative costs associated with providing notice, printing and mailing costs, and costs of mitigating the harm (which may include the costs of obtaining credit monitoring services and identity theft insurance for up to one year) for affected individuals whose PHI has or may have been compromised as a result of the Breach.

2.6. Availability of Internal Practices, Books, and Records to Government

Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by the Business Associate on behalf of Covered Entity available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA, the HIPAA Regulations, and the HITECH Act.  Except to the extent prohibited by law, Business Associate will notify Covered Entity of all requests served upon Business Associate for information or documentation by or on behalf of the Secretary.  Business Associate agrees to provide to Covered Entity proof of its compliance with the HIPAA Security Standards.

2.7.  Access to and Amendment of Protected Health Information

To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, and within fifteen (15) days of receipt of a written request by Covered Entity, Business Associate will (a) make the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets available to Covered Entity for inspection and copying, or to an individual if directed by Covered Entity in writing, to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524, or (b) amend the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets to enable the Covered Entity to fulfill its obligations under 45 C.F.R. § 164.526. Business Associate will not disclose PHI to a health plan for payment or healthcare operations purposes if and to the extent that Covered Entity has informed Business Associate in writing that the patient has requested this special restriction, and has paid out of pocket in full for the health care item or service to which the PHI solely relates, consistent with 42 U.S.C. § 17935(a) and 42 C.F.R. § 164.522(a)(1)(vi).  If Business Associate maintains PHI in a Designated Record Set electronically, Business Associate will provide such information in the electronic form and format requested by the Covered Entity if it is readily reproducible in such form and format, and, if not, in such other form and format agreed to by Covered Entity to enable Covered Entity to fulfill its obligations under 42 U.S.C. § 17935(e) and 45 C.F.R. § 164.524(c)(2). Business Associate will notify Covered Entity within ten (10) days of receipt of a written request from Covered Entity for access to PHI.  In the event any Individual requests access to or amendment of PHI directly from Business Associate, Business Associate shall promptly notify Covered Entity of such request so that Covered Entity can respond directly to such individual.
Any denials of access to or amendment of the PHI shall be the responsibility of Covered Entity. 

2.8. Accounting

To the extent that Business Associate maintains a Designated Record Set on behalf of Covered Entity, within thirty (30) days of receipt of a written request from Covered Entity that an individual has requested an accounting of disclosures of PHI, Business Associate and its Subcontractors will make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under 45 C.F.R. § 164.528 and its obligations under 42 U.S.C. § 17935(c).  Business Associate will notify Covered Entity within five (5) days of receipt of a request by an individual or other requesting party for an accounting of disclosures of PHI.

2.9. Use of Subcontractors

Business Associate will require each of its Subcontractors that creates, maintains, receives, or transmits PHI on behalf of Business Associate, to execute a Business Associate Agreement that imposes on such Subcontractors substantially the same, but no less stringent restrictions, conditions, and requirements that apply to Business Associate under this BAA with respect to PHI.

2.10. Minimum Necessary

Business Associate (and its Subcontractors) will, to the extent practicable, limit its request, use, or disclosure of PHI to the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure, in accordance with 42 U.S.C. § 17935(b) and 45 C.F.R. § 164.502(b)(1) or any other guidance issued thereunder.

3 - Obligations of Covered Entity

3.1 Covered Entity shall provide Business Associate with a copy of its Notice of Privacy Practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520, and shall promptly notify Business Associate in writing of any changes to such Notice of Privacy Practices to the extent such changes may affect Business Associate’s Use or Disclosure of PHI.

3.2 Covered Entity shall promptly notify Business Associate in writing of any changes in, or revocation of, permission by an Individual to use or disclose PHI, if and to the extent such changes affect Business Associate's permitted or required uses and disclosures of PHI.

3.3 Covered Entity shall promptly notify Business Associate in writing of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by in accordance with 45 C.F.R. § 164.522, if and to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

3.4 Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity. 

3.5 To the extent applicable, Covered Entity shall obtain any consent, authorization, or permission that may be required by the Privacy Rule or other applicable federal or state laws and regulations before disclosing to Business Associate the Protected Health Information pertaining to an Individual.

4 - Term and Termination

4.1. Term

The term of this agreement will be effective as of the Effective Date and will terminate as of the date that all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy the PHI, protections are extended to such information in accordance with Section 4.3, or on the date that Covered Entity terminates for cause as authorized in Section 4.2, whichever is sooner.

4.2. Termination for Cause

Upon either Party’s knowledge of a material breach by the other Party, the terminating Party shall notify the other Party in writing and provide an opportunity for the breaching Party to cure the breach or end the violation within thirty (30) days of such notice, and terminate this Agreement if the breaching Party does not cure the breach or end the violation within the time specified. If a cure is not reasonably possible, the terminating Party may immediately terminate this Agreement and any such other agreement upon its knowledge of the material breach, upon written notice to the other Party. 

4.3. Disposition of Protected Health Information Upon Termination or Expiration

4.3.1. Upon termination or expiration of this BAA, Business Associate will either return or destroy all PHI received from, created, or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form and retain no copies of such PHI. If Covered Entity requests that Business Associate return PHI, PHI will be returned in a mutually agreed upon format and timeframe.
4.3.2. If return or destruction is not feasible, Business Associate will (a) retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities; (b) return to Covered Entity the remaining PHI that Business Associate still maintains in any form; (c) continue to extend the protections of this BAA to the PHI for as long as Business Associate retains the PHI; (d) limit further uses and disclosures of such PHI to those purposes that make the return or destruction of the PHI infeasible and subject to the same conditions set out in Section 2.1 and 2.2 above, which applied prior to termination; and (e) return to Covered Entity the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
