Template for counsel review
Business Associate Agreement Template
This template is a starting point for U.S. HIPAA-covered customers and should be reviewed and adapted by legal counsel before signing.
Business Associate Agreement
This Business Associate Agreement (“BAA”) is entered into by and between [Covered Entity / Customer Name] (“Covered Entity”) and [TherapyAgent Service Provider Legal Name] (“Business Associate”) as of [Effective Date].
1. Purpose
Business Associate provides software services that may involve creating, receiving, maintaining, or transmitting Protected Health Information (“PHI”) on behalf of Covered Entity. The parties enter into this BAA to comply with HIPAA, HITECH, and applicable implementing regulations.
2. Definitions
Terms such as “Business Associate,” “Covered Entity,” “Protected Health Information,” “Electronic Protected Health Information,” “Security Incident,” “Breach,” “Subcontractor,” and “Unsecured PHI” have the meanings given under HIPAA unless otherwise defined in this BAA.
3. Permitted uses and disclosures
Business Associate may use or disclose PHI only as necessary to provide the services, as permitted by the underlying services agreement, as required by law, and as otherwise permitted by this BAA. Business Associate may use PHI for proper management and administration and to carry out legal responsibilities, subject to HIPAA limits.
4. Safeguards
Business Associate will use appropriate administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of ePHI and prevent uses or disclosures not permitted by this BAA.
5. Reporting
Business Associate will report to Covered Entity any Breach of Unsecured PHI without unreasonable delay and in no case later than [__] calendar days after discovery. Business Associate will also report Security Incidents as required by HIPAA and as further specified in the services agreement.
6. Subcontractors
Business Associate will ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in writing to substantially similar restrictions and safeguards.
7. Access, amendment, and accounting
To the extent required by HIPAA and reasonably requested by Covered Entity, Business Associate will assist Covered Entity in responding to individual requests for access, amendment, and accounting of disclosures.
8. Minimum necessary
Business Associate will request, use, and disclose only the minimum necessary PHI needed to perform the services, except as otherwise permitted or required by law.
9. Internal practices and government access
Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS as required by HIPAA.
10. Return or destruction of PHI
Upon termination, Business Associate will return or destroy PHI if feasible. If return or destruction is not feasible, Business Associate will extend the protections of this BAA to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.
11. Term and termination
This BAA remains in effect while Business Associate maintains PHI on behalf of Covered Entity. Covered Entity may terminate this BAA and the related services agreement if Business Associate materially breaches this BAA and fails to cure within a reasonable cure period, if cure is possible.
12. Order of precedence
If this BAA conflicts with another agreement between the parties, this BAA controls with respect to PHI and HIPAA obligations.
13. Signatures
Covered Entity: ___________________________ Date: ____________
Business Associate: _________________________ Date: ____________