Section 16, Attachment A,
Appendix 20
Department of Community and Human Services
Behavioral Health and Recovery Division
Business Associate Agreement
This Agreement is entered into between
___________________________________("Covered Entity")
and _______________________________________________ ("Business
Associate").
The Business Associate acknowledges and
agrees that Protected Health Information (PHI) can be used or
shared only within the parameters of this document and the
Department of Health and Human Services Privacy Regulations, Code
of Federal Regulations, (CFR), Title 45, Sections 160 and 164, or
as required by law.
CFR Title 45, Sections 160 and 164 are, by
way of reference, an integral part of this Agreement. Business
Associate is charged with the knowledge of and agrees to abide by
the terms and conditions of CFR Title 45, Sections 160 and 164.
The effective date of this Agreement is
___________________________.
- PURPOSE
The Covered Entity needs to make available
and/or disclose to the Business Associate certain PHI for
management, administration, and legal responsibilities during the
normal course of business between the parties (per King County
Contract No. __________).
- RESPONSIBILITIES OF BUSINESS ASSOCIATE
The Business Associate hereby agrees to do
the following:
- Use and Disclosure: Use and/or
disclose PHI only as permitted or required by this
Agreement, Health Insurance Portability and
Accountability Act (HIPAA), and the Health Information
Technology for Economic and Clinical Health Act (HITECH)
(Division A, Title XIII of the American Recovery and
Reinvestment Act of 2009, Pub. Law 111-5, 2009 HR 1). The
Business Associate shall use and disclose PHI only if
such use or disclosure, respectively, is in compliance
with each applicable requirement of 45 CFR §164.504(e).
The Business Associate is directly responsible for full
compliance with the privacy provisions of HIPAA and
HITECH that apply to the Business Associate to the same
extent as the Covered Entity.
- Security: Implement administrative,
physical, and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity, and
availability of the PHI that it creates, receives,
maintains, or transmits on behalf of the Covered Entity
as required by CFR Title 45, Section 164, Subpart C. The
Business Associate is directly responsible for compliance
with the security provisions of HIPAA and HITECH to the
same extent as the Covered Entity.
- Improper Disclosures: Report all
unauthorized or otherwise improper disclosures of PHI, or
security incident, to the Covered Entity within two days
of the Business Associate's knowledge of such event.
- Notice of Breach: Within two business
days of the discovery of a breach as defined at 45 CFR §164.402
notify the Covered Entity of any breach of unsecured PHI.
The notification shall include the identification of each
individual whose unsecured PHI has been, or is reasonably
believed by the Business Associate to have been, accessed,
acquired, or disclosed during such breach; a brief
description of what happened, including the date of the
breach and the date of the discovery of the breach, if
known; a description of the types of unsecured PHI that
were involved in the breach (such as whether full name,
social security number, date of birth, home address,
account number, diagnosis, disability code, or other
types of information were involved); any steps
individuals should take to protect themselves from
potential harm resulting from the breach; a brief
description of what the Business Associate is doing to
investigate the breach, to mitigate harm to individuals,
and to protect against any further breaches; the contact
procedures of the Business Associate for individuals to
ask questions or learn additional information, which
shall include a toll free number, an e-mail address, Web
site, or postal address; and any other information
required to be provided to the individual by the Covered
Entity pursuant to 45 CFR §164.404, as amended. A breach
shall be treated as discovered in accordance with the
terms of 45 CFR §164.410. The information shall be
updated promptly and provided to the Covered Entity as
requested by the Covered Entity.
- Mitigation: Mitigate, to the extent
practicable, any harmful effect that is known to Business
Associate of a use or disclosure of PHI by Business
Associate in violation of the requirements of this
Agreement or the law.
- Agents: Ensure that any agent,
including all of its employees, representatives, and
subcontractors, to whom it provides PHI received from, or
created or received by Business Associate on behalf of
Covered Entity agrees to the same restrictions and
conditions that apply through this Agreement to Business
Associate with respect to such information.
- Right of Access:
- Make internal practices, books, and
records relating to the use and disclosure of PHI
received from, or created or received by Business
Associate on behalf of Covered Entity available to the
Covered Entity, or at the request of the Covered Entity
to the Secretary of Department of Health and Human
Services, within five business days of written request by
the Covered Entity or the Secretary, for the purpose of
determining compliance with HIPAA, HITECH, and/or this
Agreement.
- Provide to Covered Entity, within five
business days of written request by Covered Entity
information collected in accordance with this Agreement,
to permit Covered Entity to respond to a request by an
Individual for an accounting of disclosures of PHI in
accordance with 45 CFR §164.528, or to permit
Covered Entity to respond to a request by an Individual
for access to PHI in accordance with 45 CFR §164.524.
- Documentation of Disclosures: Document
such disclosures of PHI and information related to such
disclosures as would be required for Covered Entity to
respond to a request by an Individual for an accounting
of disclosures of PHI in accordance with 45 CFR §164.528.
Should an individual make a request to Covered Entity for
an accounting of disclosures of his or her PHI pursuant
to 45 CFR §164.528, Business Associate agrees to
promptly provide an accounting, as specified under 42
United States Code (USC) §17935(c) (1) and 45 CFR §164.528,
of disclosures of PHI that have been made by the Business
Associate acting on behalf of the Covered Entity. The
accounting shall be provided by the Business Associate to
the Covered Entity or to the individual, as directed by
the Covered Entity.
- Amendments: Make any amendments to PHI
that the Covered Entity directs or agrees to pursuant to
45 CFR §164.526 at the request of Covered Entity,
within five business days of written request by Covered
Entity.
- Other: To the extent the Business
Associate is to carry out one or more of the covered
entity's obligations under Subpart E of 45 CFR
164, comply with the requirements of Subpart E that apply
to the covered entity in the performance of such
obligations.
- Permitted Uses and Disclosures by
Business Associate
- Except as otherwise limited in this
Agreement or by law, Business Associate may use PHI for
the proper management and administration of the Business
Associate or to carry out the legal responsibilities of
the Business Associate. The Business Associate shall
limit its use and disclosure of, and requests for, PHI to
the minimum necessary as determined in accordance with 42
USC §17935(b)(1).
- Except as otherwise limited in the
Agreement or by law, Business Associate may use PHI to
provide Data Aggregation services to Covered Entity as
permitted by 45 CFR §164.504(e)(2)(i)(B).
- Term and Termination
- Term: This Agreement shall become
effective on the Effective Date and shall continue in
effect until all obligations of the parties have been met,
unless terminated as provided herein or by mutual
agreement of the parties.
- Termination for Cause: Upon Covered
Entity's knowledge of a material breach by
Business Associate, Covered Entity shall provide an
opportunity for Business Associate to cure the breach or
end the violation and terminate this Agreement if
Business Associate does not cure the breach or end the
violation within 10 business days of receipt of written
notice by the Covered Entity, or immediately terminate
this Agreement if Business Associate has breached a
material term of this Agreement and cure is not possible.
- Other Termination: This Agreement may
be terminated by Covered Entity upon 30 days prior
written notice to the other party, which notice shall
specify the date of termination.
- Effect of Termination: Except as
provided in paragraph B. of this Section, upon
termination of this Agreement, for any reason, Business
Associate shall return or destroy all PHI received from
Covered Entity, or created or received by Business
Associate on behalf of Covered Entity. This provision
shall apply to PHI that is in the possession of
subcontractors or agents of Business Associate. Business
Associate shall retain no copies of the PHI.
In the event that Business Associate
determines that returning or destroying the PHI is not feasible,
Business Associate shall extend the protections of this Agreement
to such PHI and limit further disclosures of such PHI to those
purposes that make return or destruction infeasible, for so long
as Business Associate maintains such PHI.
- MISCELLANEOUS
- Defense and Indemnification: Business
Associate shall defend, indemnify and hold harmless
Covered Entity from and against all claims, liabilities,
judgments, fines, assessments, penalties, awards or other
expenses, of any nature whatsoever, including without
limitation attorneys' fees, expert witness fees, and costs
of investigation, litigation, or dispute resolution,
relating to or arising out of any breach of this
Agreement by Business Associate, its employees, officers,
agents, or sub-contractors.
- Reimbursement for Costs Incurred Due
to Breach: Business Associate shall reimburse Covered
Entity, without limitation, for all costs of
investigation, dispute resolution, notification of
individuals, the media, and the government, and expenses
incurred in responding to any audits or other
investigation relating to or arising out of a breach of
unsecured PHI by the Business Associate.
- Regulatory References: A reference in
this Agreement to a Section in the Department of Health
and Human Services Privacy Regulations, CFR, Title 45,
Sections 160 and 164 means the Section as in effect or as
amended, and for which compliance is required.
- Amendment: The Parties agree to take
such action as is necessary to amend this Agreement from
time to time as is necessary for Covered Entity to comply
with the requirements of the Department of Health and
Human Services Privacy Regulations, CFR, Title 45,
Sections 160 and 164.
- Notices: Whenever Covered Entity or
Business Associate is required to give notice to the
other party, notice shall be in writing, posted in the U.S.
Mail, and deemed delivered after three business days.
- Survival: The obligations of the
Business Associate shall survive the termination of this
Agreement.
- Interpretation: Any ambiguity in this
Agreement shall be resolved in favor of a meaning that
permits Covered Entity to comply with the Department of
Health and Human Services Privacy Regulations, CFR, Title
45, Sections 160 and 164.
FOR: Business Associate FOR: Covered Entity
Authorized Signature Authorized Signature
Print Name Print Name
Department Director
Print Title Print Title
Date Date
Mailing Address Mailing Address
401 Fifth Avenue, Suite 400
Seattle, WA 98104-2377
City, State, Zip + 4 City, State, Zip + 4