THIS IS AN OUTLINE ONLY

As a service to our members, MGMA Government Affairs has developed this outline of a business associate agreement (BAA) in consultation with its Washington counsel, Powers Pyles Sutter & Verville, PC. The outline is based in large part on sample provisions published by the Department of Health and Human Services Office for Civil Rights (“OCR”), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. At certain points in the outline, direct reference is made to OCR guidance.

This outline is intended to help members understand the HIPAA requirements, and the optional provisions, that a medical group practice, as a “covered entity” under HIPAA, may wish to consider when entering into a BAA with a vendor or other business associate that has access to Protected Health Information (“PHI”). Provisions that HIPAA law and regulations require in a BAA are marked “Required”; provisions that are not required are marked “Optional.” Omitting a required provision may compromise the group’s or the business associate’s compliance under HIPAA and constitute grounds for enforcement action against the group and/or the business associate.

MGMA-ACMPE does not provide individual legal advice to its members on HIPAA or other federal regulatory matters. The privacy and security of individually identifiable health information is a complex area of both federal and state law. Arrangements between medical groups and others with whom they share PHI are diverse, and a BAA suitable for one arrangement may not be suitable for another. Members using this outline to develop or negotiate a BAA should be guided by legal advice from competent counsel of their own choosing.
OUTLINE OF BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“Agreement”) is entered into as of the effective date described on the Signature Page of this Agreement (the “Effective Date”) between ____________________, with an address at _________________ (“Business Associate”), and _______________, with an address at _____________ (“Covered Entity”) (each a “Party” and collectively the “Parties”).

Recital

The Parties have entered into a prior agreement entitled _________ dated _________ (the “Underlying Agreement”).[1] Performance of the Underlying Agreement may involve Protected Health Information (“PHI”) (as defined in 45 C.F.R. § 164.501) that is subject to the federal privacy and security regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the regulations promulgated thereunder by the United States Department of Health and Human Services (“HHS”), codified at 45 CFR Parts 160 and 164 (commonly known as the Privacy and Security Rules) (collectively, the “HIPAA Rules”). The purpose of this Agreement is to set forth the obligations of the Parties with respect to such PHI.

In consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the Parties agree as follows:

I. (Optional) Definitions.

   A. (Optional) Protected Health Information or PHI. “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity. PHI includes PHI in electronic form (“Electronic PHI”) unless specifically stated otherwise.

   B. (Optional) Catch-all Definition. Terms used but not otherwise defined in this Agreement shall have the same meaning as given to those terms in the Health Insurance Portability and Accountability Act of 1996, as codified at 42 U.S.C. § 1320d (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009, as codified at 42 U.S.C.A. prec. § 17901 (“HITECH”), and any current and future regulations promulgated under either (HIPAA, HITECH, and any such regulations collectively, the “Law and Regulations”).

II. Business Associate’s Obligations.

   A. (Optional) Relationship of Parties.[2] In providing these services, Business Associate will be acting as an independent contractor and not as an employee or agent of Covered Entity. Covered Entity shall have no authority, express or implied, to commit or obligate Business Associate in any manner whatsoever.

   B. (Required) No Use or Disclosure of PHI Other Than as Permitted. Business Associate shall not use or disclose PHI other than as permitted or required by the Agreement or as Required By Law.

   C. (Required) Safeguards.[3] Business Associate shall use appropriate safeguards, and shall comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement.

   D. (Required) Notice to Covered Entity. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for in the Agreement, any Security Incident involving Electronic PHI, and any Breach of Unsecured PHI as required at 45 CFR § 164.410. Such report shall be provided promptly and without unreasonable delay, but no later than [x] days after Business Associate first learns of the unauthorized use or disclosure, Security Incident, or Breach.[4]
      1. (Optional) (Consider adding requirements as to what information must be included in the breach notification.)
      2. (Optional) Covered Entity shall be responsible for providing notification to individuals whose Unsecured PHI has been disclosed, as well as to the Secretary and the media, as required by the HIPAA Rules.
      3. (Optional) The Parties agree that this section satisfies any notice required of Business Associate to Covered Entity of the ongoing existence and occurrence of unsuccessful Security Incidents, for which no additional notice to Covered Entity shall be required. For purposes of this Agreement, unsuccessful Security Incidents include, without limitation, activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of Electronic PHI.

   E. (Required) Subcontractors.[5] Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information, in accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2).

   F. (Required) Access to PHI. To the extent that Business Associate possesses an applicable Designated Record Set, and within a reasonable amount of time after receipt of a request from Covered Entity or an Individual to access such PHI, Business Associate shall make such PHI available to the extent required for Covered Entity’s compliance with its obligations under 45 C.F.R. § 164.524.
      1. (Optional) (As noted by OCR, consider adding specificity as to how to respond to a request, such as whether, and in what time and manner, Business Associate is to act on the request for access, or whether Business Associate will forward the Individual’s request to Covered Entity, and the specific timeframe for Business Associate to provide the PHI.)

   G. (Required) Amendment of PHI. To the extent that Business Associate possesses an applicable Designated Record Set, and within a reasonable amount of time after receipt of a request from Covered Entity or an Individual, Business Associate shall make any amendment(s) to such PHI as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526.
      1. (Optional) (As noted by OCR, consider adding specificity as to how to respond to a request, such as whether, and in what time and manner, Business Associate is to act on the request for amendment, or whether Business Associate will forward the Individual’s request to Covered Entity, and the specific timeframe for Business Associate to amend the PHI.)

   H. (Required) Accounting. Business Associate shall document and make available such disclosures of PHI as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
      1. (Optional) (As noted by OCR, consider adding specificity as to how to respond to a request, such as whether, and in what time and manner, Business Associate is to act on the request for an accounting, or whether Business Associate will forward the Individual’s request to Covered Entity, and the specific timeframe for Business Associate to provide the information.)

   I. (Required) Compliance with Covered Entity Obligations. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).

   J. (Required) Availability of Compliance Records. Business Associate shall make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules. (Optional) Notwithstanding this provision, no attorney-client or other applicable legal privilege will be deemed waived by Covered Entity as a result of complying with such a request. (Optional) Business Associate shall promptly provide Covered Entity with a copy of any PHI that Business Associate provides pursuant to any governmental inquiry.

   K. (Optional) Mitigation. Business Associate shall mitigate, to the extent practicable and at its cost, any harmful effects from any use or disclosure of PHI by Business Associate not permitted by this Agreement, regardless of Business Associate’s fault or negligence. All such efforts shall be subject to Covered Entity’s prior written approval.

   L. (Optional) Prohibition on Certain Uses and Disclosures. Business Associate shall not use or disclose PHI for any purpose other than as specifically permitted by this Agreement. Specifically, but without limitation, Business Associate shall not use or disclose PHI for fundraising or marketing purposes, and shall not directly or indirectly receive remuneration in exchange for PHI (which does not affect payment from Covered Entity for Business Associate’s services).[6]

III. Permitted Use and Disclosure of PHI. (Required)

   A. Business Associate may only use or disclose PHI:
      1. (Alternative 1) (Provide a specific list of permissible uses); or
      2. (Alternative 2) As necessary to perform its obligations and functions under the Underlying Agreement.

   B. (Optional) Business Associate may use or disclose PHI as Required By Law.

   C. (Optional) Business Associate may use PHI to create de-identified information consistent with the standards of 45 C.F.R. § 164.514(a)-(c). (As OCR notes, “the parties also may wish to specify the manner in which the business associate will de-identify the information and the permitted uses and disclosures by the business associate of the de-identified information.”)

   D. (Optional) Business Associate agrees to make uses and disclosures of, and requests for, PHI:
      1. (Alternative 1) consistent with Covered Entity’s minimum necessary policies and procedures; or
      2. (Alternative 2) subject to the following minimum necessary requirements: (Include specific minimum necessary provisions that are consistent with Covered Entity’s minimum necessary policies and procedures.)

   E. (Required) Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, (Optional) except for the specific uses and disclosures set forth below (include only if allowing one or more of the uses and disclosures in (1)-(3)):
      1. (Optional) Use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities;
      2. (Optional) Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;
      3. (Optional) Use PHI to provide data aggregation services to the extent specified in the Underlying Agreement.

IV. (Optional) Covered Entity’s Obligations.[7]

   A. (Optional) Notice of Change in Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity’s notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

   B. (Optional) Notice of Change in Permissions. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

   C. (Optional) Notice of Change in Use. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

   D. (Optional) Appropriate Requests. Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under the Law and Regulations if done by Covered Entity.

V. Term and Termination.

   A. (Optional) Term. This Agreement shall become effective on the date of execution of the Underlying Agreement, and shall terminate upon the termination or expiration of all Underlying Agreements.

   B. (Required) Termination for Cause. If Covered Entity reasonably determines that Business Associate has materially breached this Agreement, Covered Entity shall:
      1. (Consider timeline) Provide Business Associate with [X] days’ written notice of the alleged material breach and an opportunity to cure the breach; if the breach is not cured within that time, this Agreement and the Underlying Agreement shall terminate automatically; or
      2. Immediately terminate this Agreement and the Underlying Agreement if cure is not possible; or
      3. Report the violation to the Secretary if neither termination nor cure is feasible.

   C. (Optional) Termination for Change in Law. If a change in law causes the performance of the Agreement to violate the law, Business Associate and/or Covered Entity shall terminate this Agreement if cure is not possible.

   D. (Required) Effect of Termination.
      1. (Alternative 1) Destroy or Return All PHI. Upon termination or expiration of this Agreement, Business Associate shall, at Covered Entity’s option, return to Covered Entity or destroy[8] all PHI in Business Associate’s possession.[9] Business Associate shall not retain any copies of the PHI.
      2. (Alternative 2) Upon termination of this Agreement for any reason, Business Associate shall:
         a. Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
         b. At Covered Entity’s option, return to Covered Entity or destroy the remaining PHI that Business Associate still maintains in any form;
         c. Continue to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent use or disclosure of the PHI other than as provided for in this Section, for as long as Business Associate retains the PHI;
         d. Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained, and subject to the same conditions set out at [insert section number corresponding to paragraph III.E above] which applied prior to termination; and
         e. At Covered Entity’s option, return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
      3. (Alternative 3) (Per OCR, the Agreement also could provide that Business Associate will transmit the PHI to another business associate of Covered Entity at termination.)
      4. (Optional) Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.

VI. (Optional) Indemnification and Insurance.[10] Business Associate will defend and indemnify Covered Entity from and against any and all claims, damages, liabilities, losses, and expenses (including reasonable attorney’s fees) based on or arising out of the breach of its obligations under this Agreement, including but not limited to losses and damages relating to third-party claims. If Covered Entity requires, Business Associate shall obtain and maintain insurance coverage (if available) against improper uses and disclosures of PHI by Business Associate, naming Covered Entity as an additional insured. Promptly following Covered Entity’s written request, Business Associate shall deliver to Covered Entity a certificate evidencing Business Associate’s maintenance of such insurance.

VII. Miscellaneous.

   A. (Optional) Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect as of the Effective Date of the Agreement or as amended in the future.

   B. (Optional) Amendments. The Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The Parties shall amend this Agreement from time to time as is necessary to achieve and maintain compliance with the requirements of the HIPAA Rules and any other applicable law.

   C. (Optional) Interpretation. Any ambiguity in this Agreement shall be resolved to permit the Parties to comply with the requirements of the HIPAA Rules and any other applicable law.

   D. (Optional) Choice of Law. This Agreement shall be governed by the laws of the State of [__________] without regard to the conflict of laws principles thereof.

   E. (Optional) Audits, Inspection and Enforcement. Upon request and with reasonable prior notice by Covered Entity, Business Associate and its agents shall allow Covered Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies, and procedures relating to the use or disclosure of PHI pursuant to this Agreement, or for the purpose of determining whether Business Associate is in compliance with its obligations under this Agreement.

   F. (Optional) Relationship to Agreements with Covered Entity. In the event that a provision of this Agreement is contrary to a provision of any agreement with Covered Entity pertaining to Business Associate’s services, the provisions of this Agreement shall control.

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the _ day of _____, 20__.

(Business Associate)
By _________________________________
Title ________________________________

(Covered Entity)
By _________________________________
Title: _______________________________

Footnotes

[1] This document assumes the existence of a separate document outlining the business arrangement between the Covered Entity and the Business Associate, thereby limiting this document to the provisions necessary to address the Parties’ obligations under HIPAA.

[2] This provision should only be included where the Business Associate is not acting as an agent of the Covered Entity. It is included for the benefit of the Covered Entity to help reduce the scope of its liability under the “agency” theory. 78 Fed. Reg. 5581. However, contractual language alone is not enough to ensure that the Business Associate will be determined not to be an agent of the Covered Entity.

[3] A Covered Entity may wish to include specific safeguards if it feels additional protections are necessary. For example, a Covered Entity may require encryption of PHI, require specific HIPAA training provided by the Covered Entity, or prohibit off-shoring of PHI.

[4] A Covered Entity should specify a timeframe for reporting. Federal law requires that the Covered Entity provide notification of a breach “without unreasonable delay but in no case later than 60 calendar days after discovery.” 45 CFR § 164.404(b). The Business Associate’s own regulatory deadline for notifying the Covered Entity, at 45 CFR § 164.410(b), is likewise 60 calendar days after discovery, so a contractual period that merely matches it leaves the Covered Entity no time to meet its own deadline; a materially shorter period should be specified. Some state laws require stricter timeframes for reporting than those provided for under HIPAA.

[5] This provision may be deleted if the Underlying Agreement does not permit the Business Associate to subcontract its duties. As an alternative, this section can be revised to note that the Business Associate may only use permitted subcontractors.

[6] If a Covered Entity has a concern that a Business Associate may use the terms of this Agreement or the Underlying Agreement to justify direct or indirect marketing, fundraising, or selling of PHI, this language may be added to the Agreement.

[7] These provisions are not for the benefit of the Covered Entity and are optional as indicated.

[8] A Covered Entity may consider including acceptable methods for destroying PHI or requiring the Business Associate to certify in writing to the Covered Entity that such PHI has been destroyed.

[9] A Covered Entity may consider adding terms requiring the Business Associate to obtain or ensure the destruction of PHI created, received, or maintained by Subcontractors.

[10] A Covered Entity may consider seeking indemnification by the Business Associate but should ensure that the indemnification provision and any limits to liability do not conflict between this Agreement and any Underlying Agreement. A Covered Entity may also want to consider requiring the Business Associate to maintain insurance to cover a breach of its obligations under this Agreement.