SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS
(Published January 25, 2013)
Introduction
A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.
A written contract between a covered entity and a business associate must: (1) establish the permitted and required uses and disclosures of protected health information by the business associate; (2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law; (3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information; (4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information; (5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings; (6) to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation; (7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule; (8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity; (9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and (10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements.
This document includes sample business associate agreement provisions to help covered entities and business associates more easily comply with the business associate contract requirements. While these sample provisions are written for the purposes of the contract between a covered entity and its business associate, the language may be adapted for purposes of the contract between a business associate and subcontractor.
This is only sample language and use of these sample provisions is not required for compliance with the HIPAA Rules. The language may be changed to more accurately reflect business arrangements between a covered entity and business associate or business associate and subcontractor. In addition, these or similar provisions may be incorporated into an agreement for the provision of services between a covered entity and business associate or business associate and subcontractor, or they may be incorporated into a separate business associate agreement. These provisions address only concepts and requirements set forth in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, and alone may not be sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that may be required or typically included in a valid contract. Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract.
Sample Business Associate Agreement Provisions
Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions.
Definitions
Catch-all definition:
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
Specific definitions:
(a) Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Business Associate].
(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Covered Entity].
(c) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
Obligations and Activities of Business Associate
Business Associate agrees to:
(a) Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law;
(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;
(c) Report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware;
[The parties may wish to add additional specificity regarding the breach notification obligations of the business associate, such as a stricter timeframe for the business associate to report a potential breach to the covered entity and/or whether the business associate will handle breach notifications to individuals, the HHS Office for Civil Rights (OCR), and potentially the media, on behalf of the covered entity.]
(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information;
(e) Make available protected health information in a designated record set to the [Choose either “covered entity” or “individual or the individual’s designee”] as necessary to satisfy covered entity’s obligations under 45 CFR 164.524;
[The parties may wish to add additional specificity regarding how the business associate will respond to a request for access that the business associate receives directly from the individual (such as whether and in what time and manner a business associate is to provide the requested access or whether the business associate will forward the individual’s request to the covered entity to fulfill) and the timeframe for the business associate to provide the information to the covered entity.]
(f) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity’s obligations under 45 CFR 164.526;
[The parties may wish to add additional specificity regarding how the business associate will respond to a request for amendment that the business associate receives directly from the individual (such as whether and in what time and manner a business associate is to act on the request for amendment or whether the business associate will forward the individual’s request to the covered entity) and the timeframe for the business associate to incorporate any amendments to the information in the designated record set.]
(g) Maintain and make available the information required to provide an accounting of disclosures to the [Choose either “covered entity” or “individual”] as necessary to satisfy covered entity’s obligations under 45 CFR 164.528;
[The parties may wish to add additional specificity regarding how the business associate will respond to a request for an accounting of disclosures that the business associate receives directly from the individual (such as whether and in what time and manner the business associate is to provide the accounting of disclosures to the individual or whether the business associate will forward the request to the covered entity) and the timeframe for the business associate to provide information to the covered entity.]
(h) To the extent the business associate is to carry out one or more of covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and
(i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
Permitted Uses and Disclosures by Business Associate
(a) Business associate may only use or disclose protected health information
[Option 1 – Provide a specific list of permissible purposes.]
[Option 2 – Reference an underlying service agreement, such as “as necessary to perform the services set forth in Service Agreement.”]
[In addition to other permissible purposes, the parties should specify whether the business associate is authorized to use protected health information to de-identify the information in accordance with 45 CFR 164.514(a)-(c). The parties also may wish to specify the manner in which the business associate will de-identify the information and the permitted uses and disclosures by the business associate of the de-identified information.]
(b) Business associate may use or disclose protected health information as required by law.
(c) Business associate agrees to make uses and disclosures and requests for protected health information
[Option 1] consistent with covered entity’s minimum necessary policies and procedures.
[Option 2] subject to the following minimum necessary requirements: [Include specific minimum necessary provisions that are consistent with the covered entity’s minimum necessary policies and procedures.]
(d) Business associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by covered entity [if the Agreement permits the business associate to use or disclose protected health information for its own management and administration and legal responsibilities or for data aggregation services as set forth in optional provisions (e), (f), or (g) below, then add “, except for the specific uses and disclosures set forth below.”]
(e) [Optional] Business associate may use protected health information for the proper management and administration of the business associate or to carry out the legal responsibilities of the business associate.
(f) [Optional] Business associate may disclose protected health information for the proper management and administration of business associate or to carry out the legal responsibilities of the business associate, provided the disclosures are required by law, or business associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies business associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(g) [Optional] Business associate may provide data aggregation services relating to the health care operations of the covered entity.
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
(a) [Optional] Covered entity shall notify business associate of any limitation(s) in the notice of privacy practices of covered entity under 45 CFR 164.520, to the extent that such limitation may affect business associate’s use or disclosure of protected health information.
(b) [Optional] Covered entity shall notify business associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect business associate’s use or disclosure of protected health information.
(c) [Optional] Covered entity shall notify business associate of any restriction on the use or disclosure of protected health information that covered entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect business associate’s use or disclosure of protected health information.
Permissible Requests by Covered Entity
[Optional] Covered entity shall not request business associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by covered entity. [Include an exception if the business associate will use or disclose protected health information for, and the agreement includes provisions for, data aggregation or management and administration and legal responsibilities of the business associate.]
Term and Termination
(a) Term. The Term of this Agreement shall be effective as of [Insert effective date], and shall terminate on [Insert termination date or event] or on the date covered entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
(b) Termination for Cause. Business associate authorizes termination of this Agreement by covered entity, if covered entity determines business associate has violated a material term of the Agreement [and business associate has not cured the breach or ended the violation within the time specified by covered entity]. [Bracketed language may be added if the covered entity wishes to provide the business associate with an opportunity to cure a violation or breach of the contract before termination for cause.]
(c) Obligations of Business Associate Upon Termination.
[Option 1 – if the business associate is to return or destroy all protected health information upon termination of the agreement]
Upon termination of this Agreement for any reason, business associate shall return to covered entity [or, if agreed to by covered entity, destroy] all protected health information received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, that the business associate still maintains in any form. Business associate shall retain no copies of the protected health information.
[Option 2—if the agreement authorizes the business associate to use or disclose protected health information for its own management and administration or to carry out its legal responsibilities and the business associate needs to retain protected health information for such purposes after termination of the agreement]
Upon termination of this Agreement for any reason, business associate, with respect to protected health information received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, shall:
- Retain only that protected health information which is necessary for business associate to continue its proper management and administration or to carry out its legal responsibilities;
- Return to covered entity [or, if agreed to by covered entity, destroy] the remaining protected health information that the business associate still maintains in any form;
- Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as business associate retains the protected health information;
- Not use or disclose the protected health information retained by business associate other than for the purposes for which such protected health information was retained and subject to the same conditions set out at [Insert section number related to paragraphs (e) and (f) above under “Permitted Uses and Disclosures By Business Associate”] which applied prior to termination; and
- Return to covered entity [or, if agreed to by covered entity, destroy] the protected health information retained by business associate when it is no longer needed by business associate for its proper management and administration or to carry out its legal responsibilities.
[The agreement also could provide that the business associate will transmit the protected health information to another business associate of the covered entity at termination, and/or could add terms regarding a business associate’s obligations to obtain or ensure the destruction of protected health information created, received, or maintained by subcontractors.]
(d) Survival. The obligations of business associate under this Section shall survive the termination of this Agreement.
Miscellaneous [Optional]
(a) [Optional] Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
(b) [Optional] Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
(c) [Optional] Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.