- Business Associate Obligations
- Obligations and Restrictions. may not use or disclose PHI other than as described in this BAA, as permitted under the Privacy Rule, or as otherwise required by applicable law.
- Permitted Uses and Disclosures. Except as otherwise permitted or required in this BAA, may only use or disclose PHI as reasonably necessary to provide the Services or as otherwise required by applicable law.
- Privacy and Information Security Program. will maintain a privacy and information security program that takes steps to ensure that employees or agents of comply with this BAA. This includes giving training to workforce to ensure compliance with this BAA, implementing policies and practices that meet the current standards for the protection of PHI, and appointing Privacy and Security Officials as required under HIPAA.
- Safeguards. will implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI that it receives, creates, maintains, or transmits on behalf of . will maintain appropriate technical and organizational safeguards to reduce the risk of misuse or disclosure of PHI except as permitted under this BAA. In addition, will comply with its obligations under the Security Rule.
- Assessments. agrees to conduct regular assessments of its compliance with its obligations under the Privacy Rule and Security Rule. will make available a summary of such assessments to upon reasonable request.
- Mitigation of Risks. agrees to mitigate, to the extent practicable, any harmful effect that is known to of a use or disclosure of PHI by and to promptly communicate to any actions taken pursuant to this paragraph.
- Subcontractors. Except as restricted by applicable , (a) may disclose PHI to a Subcontractor; and (b) may allow the Subcontractor to create, receive, maintain, or transmit PHI on its behalf. However, must first ensure that each Subcontractor executes a binding, written agreement requiring the Subcontractor to protect PHI under terms substantially similar to and no less stringent than this BAA. will not be in compliance with this BAA if knew of a pattern of activity or practice of a Subcontractor that constituted a material breach or violation of the Subcontractor’s obligations under any agreement between and the Subcontractor. will conduct appropriate due diligence on all Subcontractors.
- Books and Records to HHS. Upon request, will make its books, records, and internal policies and procedures relating to the use and disclosure of PHI available to the Secretary of HHS for the purpose of determining and compliance with HIPAA.
- Audit of Books and Records. Upon reasonable request, will make its books, records, and internal policies and procedures relating to its compliance with this BAA available to . However, is not required to provide any information or records that interfere with confidentiality or proprietary rights or that would otherwise impact compliance with its legal obligations.
- Individual Requests. will take reasonable efforts to support in completing requests related to individuals’ rights under HIPAA as related to the Services in a timely manner, but in no event will response take more than ten business days. Examples of individual rights under HIPAA include the right to access PHI pursuant to 45 CFR §164.524, amend PHI pursuant to 45 CFR §164.526, and receive accounting of disclosures pursuant to 45 CFR §164.528. If relevant to the Services, will maintain an accounting of disclosures it makes on behalf as required under 45 CFR §164.528(a). Except as directed by or required by law, will not respond directly to any individual requests regarding their rights under HIPAA.
- Compliance with Covered Entity’s Obligations. To the extent that carries out obligations under the Privacy Rule, will comply with the requirements of the relevant Privacy Rule regulations that apply to in the performance of such obligations.
- Company Obligations
- Notice of Privacy Practices. Upon request, will provide with its current notice of privacy practices adopted as required by the Privacy Rule. will notify if any limitations in its notice of privacy practices impact use or disclosure of PHI under the BAA.
- Notice of Changes. will notify in a timely manner of any changes to how uses or discloses PHI to the extent that the changes impact how uses or discloses PHI under the BAA.
- Notice of Restrictions. will notify in a timely manner of any restrictions agreed upon with an individual or their legal representative to the extent that the restrictions may impact use or disclosure of PHI under the BAA.
- Compliance with Laws. will only use and disclose PHI to in accordance with its obligations under HIPAA and with applicable law.
- Data Rights & Restrictions
- Offshoring PHI. Except as restricted by applicable , is permitted to use and disclose PHI outside of the United States to provide the Services.
- De-Identification. Except as restricted by applicable , may de-identify PHI.
- Aggregation. Except as restricted by applicable , may aggregate PHI for its own purposes.
- Breach Notification
- Breach Reporting. will report to within the each use or disclosure of PHI not permitted under this BAA of which becomes aware, including breaches of unsecured PHI as required by §164.410 of HIPAA and any Security Incident involving PHI. In addition, each party will comply with its notification obligations under HIPAA regarding a Security Incident involving PHI.
- Unsuccessful Attempts. agrees that this section will be deemed as sufficient notice under Section 4.1 if periodically receives unsuccessful attempts for unauthorized access to, use of, or disclosure of PHI, or for general interference with the general operation of products and services.
- Security Incident Reimbursement. will reimburse for costs reasonably associated with a Security Incident caused by or one of its Subcontractors.
- Confidentiality. will not disclose information related to a Security Incident except as required by applicable law.
- Term & Termination
- Term. This BAA will start on the and will continue in effect until the later of when all obligations of the parties have been met under this BAA or when the ends or expires.
- Termination. Either party may terminate this BAA if the other party fails to cure a material breach of the BAA within 30 days after receiving notice of the breach. A material breach of the BAA will be deemed a material breach of the .
- Effect of Termination.
- Upon any expiration or termination of this BAA, or earlier if directed by , will either return or destroy, at discretion and according to instructions, all PHI maintained in any form by , its agents, or its Subcontractors.
- may not retain any copies of PHI unless directed to do so by . However, if neither return nor destruction is feasible, may retain PHI as long as continues to comply with all provisions of this BAA for the time it retains PHI and limits the use or disclosure of retained PHI to those purposes that made the return or destruction of PHI infeasible.
- Defining Variables. Variables have the meanings or descriptions given on the Cover Page. However, if the Cover Page omits or does not define a Variable, the default meaning will be “none” or “not applicable” and the correlating clause, sentence, or section does not apply to the BAA.
- “BAA” means the Cover Page between and that incorporates these BAA Standard Terms and any policies and documents referenced in or attached to the Cover Page.
- “BAA Standard Terms” means these Common Paper BAA Standard Terms Version 1.0, which are posted at https://commonpaper.com/standards/business-associate-agreement/1.0.
- “Breach” has the meaning given to it under HIPAA.
- “Business Associate” has the meaning given to it under HIPAA.
- “Covered Entity” has the meaning given to it under HIPAA.
- “Cover Page” means a document that is signed by the parties, identifies and , incorporates these BAA Standard Terms, and includes definitions or descriptions for Variables.
- “Designated Record Set” has the meaning given to it under HIPAA.
- “HHS” means the U.S. Department of Health and Human Services.
- “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations thereunder, as amended from time to time.
- “Privacy and Security Officials” has the meaning given to it under HIPAA.
- “Privacy Rule” means the federal privacy regulations issued pursuant to HIPAA, codified at 45 CFR Parts 160 and 164 (Subparts A & E).
- “Protected Health Information” or “PHI” has the meaning given to it under HIPAA.
- “Security Incident” has the meaning given to it under HIPAA.
- “Security Rule” means the federal security regulations issued pursuant to HIPAA, codified at 45 CFR Parts 160 and 164 (Subparts A & C).
- “Services” means the products and services provided by under the .
- “Subcontractor” means a third party to whom provides PHI under this BAA.
- “Variable” means a word or phrase in the BAA Standard Terms that is highlighted and capitalized, such as .
These Common Paper Business Associate Agreement Standard Terms (Version 1.0) will remain hosted on this page. Any future changes to these terms will be issued under a new version number and posted on a different web page.
USING THIS BAA
To use this BAA, the parties must complete and sign or electronically accept a Cover Page. Variables have the meanings or descriptions given on the Cover Page. All other capitalized words have the meanings or descriptions given in these BAA Standard Terms.
Business Associate Agreement
Explanations and descriptions related to the Common Paper Business Associate Agreement Standard Terms (Version 1.0), including those appearing in any pop-up windows or elsewhere on this page, are for informational purposes only and are not incorporated into or otherwise made a part of the terms of the Common Paper Business Associate Agreement Standard Terms (Version 1.0).