BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("Agreement"), effective on this the ____ day of ______________, ____, ("Effective Date"), is entered into by and between ________________ (the "Business Associate") and ________________________________ Health Department, with an address at _________________________, __________________, KY, (the "Covered Entity") (each a "Party" and collectively the "Parties").

The Business Associate is a _____________________. The Covered Entity is a _(local/district)_ health department contracted by the Department for Public Health of the Commonwealth of Kentucky, in accordance with KRS Chapter 211, to share the responsibility with the Department for Public Health to implement and administer the public health laws of the Commonwealth.

The Parties entered into a __________ Contract _________ (the "Contract") on the ___ day of ____________, ______, under which the Business Associate may use and/or disclose Protected Health Information in its performance of the Services described in the Contract. This Agreement sets forth the terms and conditions pursuant to which Protected Health Information that is provided by Covered Entity to Business Associate, or created or received by the Business Associate from or on behalf of the Covered Entity, will be handled between the Business Associate and the Covered Entity and with third parties during the term of their Contract and after its termination. The Parties agree as follows:

WITNESSETH:

WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, known as "the Administrative Simplification provisions," direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and

WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services has issued regulations modifying 45 CFR Parts 160 and 164 (the "HIPAA Privacy Rule"); and

WHEREAS, the Parties wish to enter into or have entered into an arrangement whereby the Business Associate will provide certain services to the Covered Entity, and, pursuant to such arrangement, Business Associate may be considered a "business associate" of the Covered Entity as defined in the HIPAA Privacy Rule; and

WHEREAS, Business Associate may have access to Protected Health Information (as defined below) in fulfilling its responsibilities under such arrangement; and

WHEREAS, Business Associate agrees to collect and destroy any and all recyclable material produced by the Covered Entity, and is to assume responsibility for these documents upon receipt; and

THEREFORE, in consideration of the Parties' continuing obligations under the Contract, the Parties agree to the provisions of this Agreement in order to address the requirements of the HIPAA Privacy Rule and to protect the interests of both Parties.

  1. DEFINITIONS

    1. Business Associate. "Business Associate" shall generally have the same meaning as the term "business associate" at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Business Associate].

    2. Covered Entity. "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 CFR 160.103, and in reference to the party to this agreement shall mean [Insert Name of Covered Entity]


  1. PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION

    1. Services. Pursuant to the Contract, Business Associate provides services ("Services") for the Covered Entity that involve the use and/or disclosure of Protected Health Information. Except as otherwise specified herein, the Business Associate may make any and all uses of Protected Health Information necessary to perform its obligations under the Contract, provided that such use would not violate the Privacy and Security Regulations if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity. All other uses not authorized by this Agreement are prohibited. Moreover, Business Associate may disclose Protected Health Information for the purposes authorized by this Agreement only, (i) to its employees, subcontractors and agents, in accordance with Section 3.1(e), (ii) as directed by the Covered Entity, or (iii) as otherwise permitted by the terms of this Agreement including, but not limited to, Section 2.2(b) below, provided that such disclosure would not violate the Privacy or Security Regulations if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.


    1. Business Activities of the Business Associate. Unless otherwise limited herein, the Business Associate may:

  1. Use the Protected Health Information in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of the Business Associate provided that such uses are permitted under state and federal confidentiality laws.


  1. Disclose the Protected Health Information in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of the Business Associate, provided that the Business Associate represents to the Covered Entity, in writing, that (i) the disclosures are Required by Law, as that phrase is defined in 45 CFR §164.501 or (ii) the Business Associate has received from the third party written assurances regarding its confidential handling of such Protected Health Information as required under 45 CFR §164.504(e)(4), and the third party agrees in writing to notify Business Associate of any instances of which it becomes aware that the confidentiality of the information has been breached.

  1. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION

    1. Responsibilities of the Business Associate. With regard to its use and/or disclosure of Protected Health Information, the Business Associate hereby agrees to do the following:

  1. Shall use and disclose the Protected Health Information only in the amount minimally necessary to perform the services of the Contract, provided that such use or disclosure would not violate the Privacy and Security Regulations if done by the Covered Entity.


  1. Shall immediately report to the designated Privacy Officer of the Covered Entity, in writing, any use and/or disclosure of the Protected Health Information that is not permitted or required by this Agreement of which Business Associate.


  1. Establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Protected Health Information that the Business Associate reports to the Covered Entity.


  1. Use appropriate administrative, technical and physical safeguards to maintain the privacy and security of the Protected Health Information and to prevent uses and/or disclosures of such Protected Health Information other than as provided for in this Agreement.


  1. Require all of its subcontractors and agents that receive or use, or have access to, Protected Health Information under this Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of Protected Health Information that apply to the Business Associate pursuant to this Agreement.


  1. Make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Secretary of Health and Human Services for purposes of determining the Covered Entity's compliance with the Privacy Regulation.


  1. Upon prior written request, make available during normal business hours at Business Associate's offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity to determine the Business Associate's compliance with the terms of this Agreement.

  1. Upon Covered Entity's request, Business Associate shall provide to Covered Entity an accounting of each Disclosure of PHI made by Business Associate or its employees, agents, representatives, or subcontractors. Business Associate shall implement a process that allows for an accounting to be collected and maintained for any Disclosure of PHI for which Covered Entity is required to maintain. The information shall be sufficient to satisfy Covered Entity's obligations under 45 CFR §164.528. Business Associate shall include in the accounting: (a) the date of the Disclosure; (b) the name, and address if known, of the entity or person who received the PHI; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of the Disclosure. For each Disclosure that requires an accounting under this section, Business Associate shall document the information specified in (a) through (d), above, and shall securely retain this documentation for six (6) years from the date of the Disclosure. To the extent that Business Associate maintains PHI in an electronic health record, Business Associate shall maintain an accounting of Disclosure for treatment, payment, and health care operations purposes for three (3) years from the date of Disclosure. Notwithstanding anything to the contrary, this requirement shall become effective upon either of the following: (a) on or after January 1, 2014, if Business Associate acquired electronic health record before January 1, 2009; or (b) on or after January 1, 2011 if Business Associate acquired an electronic health record after January 1, 2009, or such later date as determined by the Secretary.

  1. Subject to Section 5.5 below, return to the Covered Entity or destroy, at the termination of this Agreement, the Protected Health Information in its possession and retain no copies (which for purposes of this Agreement shall mean without limitation the destruction of all backup tapes).

  1. Disclose to its subcontractors, agents, or other third parties, and request from the Covered Entity, only the minimum Protected Health Information necessary to perform or fulfill a specific function required or permitted hereunder.

  1. Business Associate agrees to immediately report to the Covered Entity any security incident involving the attempted or successful unauthorized access, use, disclosure, modification, or destruction of Covered Entity's electronic Protected Health Information or interference with systems operations in an information system that involves Covered Entity's electronic Protected Health Information. An attempted unauthorized access, for purposes of reporting to the Covered Entity, means any attempted unauthorized access that prompts Business Associate to investigate the attempt, or review or change its current security measures. The parties acknowledge that the foregoing does not require Business Associate to report attempted unauthorized access that results in Business Associate: (i) investigating but merely reviewing and/or noting the attempt, but rather requires notification only when such attempted unauthorized access results in Business Associate conducting a material and full-scale investigation (a "Material Attempt"); and (ii) continuously reviewing, updating and modifying its security measures to guard against unauthorized access to its systems, but rather requires notification only when a Material Attempt results in significant modifications to Business Associate's security measures in order to prevent such Material Attempt in the future.

  1. Business Associate agrees to use appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information (EPHI) that it creates, receives, maintains, or transmits on behalf of the covered entity as required by Subpart C of 45 CFR.

  1. Business Associate agrees that any EPHI it acquires, maintains or transmits will be maintained or transmitted in a manner that fits the definition of secure PHI as that term is defined by the American Recovery and Reinvestment Act of 2009 (ARRA) and any subsequent regulations or guidance from the Secretary of the Department of Health and Human Services (DHHS) promulgated under ARRA.

  1. Business Associate agrees to ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits protected health information on behalf of the business associate agrees to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information, in accordance with 45 CFR §164.502(e)(1)(ii) and 45 CFR § 164.308(b)(2).

  1. Business Associate agrees to immediately notify the Covered Entity of any breach of unsecure PHI as that term is defined in the ARRA and any subsequent regulations and/or guidance from the Secretary of DHHS. Notice of such a breach shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach. Business Associate further agrees to make available in a reasonable time and manner any information needed by Covered Entity to respond to individuals' inquiries regarding said breach.

  1. Business Associate agrees to report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware

  1. Business Associate agrees to indemnify the Covered Entity for the reasonable cost to notify the individuals whose information was the subject of the breach and for any cost or damages, including attorney fees or fines, incurred by Covered Entity as a result of the breach by Business Associate, including but not limited to any identity theft related prevention or monitoring costs.

  1. Business Associate agrees to comply with any and all privacy and security provisions not otherwise specifically addressed in the Contract made applicable to Business Associate by the ARRA on the applicable effective date as designated by ARRA and any subsequent regulations promulgated under ARRA and/or guidance thereto.


  1. Business Associate agrees to make uses and disclosures and requests for protected health information consistent with the covered entity's minimum necessary policies and procedures.

    1. Responsibilities of the Covered Entity. With regard to the use and/or disclosure of Protected Health Information by the Business Associate, the Covered Entity hereby agrees:

  1. To inform the Business Associate of any changes in the form of notice of privacy practices (the "Notice") that the Covered Entity provides to individuals pursuant to 45 CFR §164.520, and provide, upon request, the Business Associate a copy of the Notice currently in use.

  1. To inform the Business Associate of any changes in, or revocation of, the authorization provided to the Covered Entity by individuals pursuant to 45 CFR §164.508.

  1. To inform the Business Associate of any opt-outs exercised by any individual from fundraising activities of the Covered Entity pursuant to 45 CFR §164.514(f).

  1. To notify the Business Associate, in writing and in a timely manner, of any arrangements permitted or required of the Covered Entity under 45 CFR § part 160 and 164 that may impact in any manner the use and/or disclosure of Protected Health Information by the Business Associate under this Agreement, including, but not limited to, restrictions on use and/or disclosure of Protected Health Information as provided for in 45 CFR §164.522 agreed to by the Covered Entity.

ADDITIONAL RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION

    1. Responsibilities of the Business Associate with Respect to Handling of Designated Record Set. In the event that Business Associate maintains Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity, in a Designated Record Set, the Business Associate hereby agrees to do the following:

  1. At the request of, and in the time and manner designated by the Covered Entity, make available Protected Health Information in a designated record set to the Covered Entity or the individual to whom such Protected Health Information relates or his or her authorized representative in order to meet a request by such individual under 45 CFR §164.524 and to satisfy the covered entity's obligations under 45 CFR §164.524.


  1. At the request of, and in the time and manner designated by the Covered Entity, make any amendment(s) to the Protected Health Information that the Covered Entity directs pursuant to 45 CFR §164.526, or take other measures as necessary to satisfy covered entity's obligations under 45 CFR §164.526.

    1. Additional Responsibilities of the Covered Entity. The Covered Entity hereby agrees to do the following:

  1. Notify the Business Associate, in writing, of any Protected Health Information that Covered Entity seeks to make available to an individual pursuant to 45 CFR §164.524 and the time, manner, and form in which the Business Associate shall provide such access, if Business Associate maintains Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity, in a Designated Record Set.

  1. Notify the Business Associate, in writing, of any amendment(s) to the Protected Health Information in the possession of the Business Associate that the Business Associate shall make and inform the Business Associate of the time, form, and manner in which such amendment(s) shall be made.

  1. REPRESENTATIONS AND WARRANTIES

Mutual Representations and Warranties of the Parties. Each Party represents and warrants to the other party that it is duly organized, validly existing, and in good standing under the laws of the jurisdiction in which it is organized or licensed, it has the full power to enter into this Agreement and to perform its obligations hereunder, and that the performance by it of its obligations under this Agreement have been duly authorized by all necessary corporate or other actions and will not violate any provision of any license, corporate charter or bylaws.


  1. TERM AND TERMINATION


    1. Term. This Agreement shall become effective on the Effective Date and shall continue in effect until all obligations of the Parties have been met, unless terminated as provided in this Section 4. In addition, certain provisions and requirements of this Agreement shall survive its expiration or other termination in accordance with Section 7.3 herein.

    1. Termination by the Covered Entity. As provided for under 45 C.F.R. §164.504(e)(2)(iii), the Covered Entity may immediately terminate this Agreement and any related agreements if the Covered Entity makes the determination that the Business Associate has breached a material term of this Agreement. Alternatively, the Covered Entity may choose to: (i) provide the Business Associate with 30 days written notice of the existence of an alleged material breach; and (ii) afford the Business Associate an opportunity to cure said alleged material breach upon mutually agreeable terms. Nonetheless, in the event that mutually agreeable terms cannot be achieved within 30 days, Business Associate must cure said breach to the satisfaction of the Covered Entity within 30 days. Failure to cure in the manner set forth in this paragraph is grounds for the immediate termination of this Agreement.

    1. Termination by Business Associate. If the Business Associate makes the determination that a material condition of performance has changed under the Contract or this Agreement, or that the Covered Entity has breached a material term of this Agreement, Business Associate may provide thirty (30) days notice of its intention to terminate this Agreement. Business Associate agrees, however, to cooperate with Covered Entity to find a mutually satisfactory resolution to the matter prior to terminating and further agrees that, notwithstanding this provision, it shall not terminate this Agreement so long as the Contract is in effect.


    1. Automatic Termination. This Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of the Contract.


    1. Effect of Termination. Upon the event of termination pursuant to this Section 5, Business Associate agrees to return or destroy all Protected Health Information pursuant to 45 C.F.R. §164.504(e)(2)(I), if it is feasible to do so. Prior to doing so, the Business Associate further agrees to recover any Protected Health Information in the possession of its subcontractors or agents. If the Business Associate determines that it is not feasible to return or destroy said Protected Health Information, the Business Associate will notify the Covered Entity in writing. Upon mutual agreement of the Parties that the return or destruction is not feasible, Business Associate further agrees to extend any and all protections, limitations and restrictions contained in this Agreement to the Business Associate's use and/or disclosure of any Protected Health Information retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the Protected Health Information infeasible. If it is infeasible for the Business Associate to obtain, from a subcontractor or agent any Protected Health Information in the possession of the subcontractor or agent, the Business Associate must provide a written explanation to the Covered Entity and require the subcontractors and agents to agree to extend any and all protections, limitations and restrictions contained in this Agreement to the subcontractors' and/or agents' use and/or disclosure of any Protected Health Information retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the Protected Health Information infeasible.

  1. CONFIDENTIALITY

Confidentiality Obligations. In the course of performing under this Agreement, each Party may receive, be exposed to or acquire Confidential Information including but not limited to, all information, data, reports, records, summaries, tables and studies, whether written or oral, fixed in hard copy or contained in any computer data base or computer readable form, as well as any information identified as confidential ("Confidential Information") of the other Party. For purposes of this Agreement, "Confidential Information" shall not include Protected Health Information, the security of which is the subject of this Agreement and is provided for elsewhere. The Parties, including their employees, agents or representatives (a) shall not disclose to any third party the Confidential Information of the other Party except as otherwise permitted by this Agreement or as required by law, (b) only permit use of such Confidential Information by employees, agents and representatives having a need to know in connection with performance under this Agreement, and (c) advise each of their employees, agents, and representatives of their obligations to keep such Confidential Information confidential. This provision shall not apply to Confidential Information: (i) after it becomes publicly available through no fault of either Party; (ii) which is later publicly released by either Party in writing; (iii) which is lawfully obtained from third parties without restriction; or (iv) which can be shown to be previously known or developed by either Party independently of the other Party.

  1. MISCELLANEOUS

    1. Covered Entity. For purposes of this Agreement, Covered Entity shall include all entities covered by the notice of privacy practices (or privacy notice).

    1. Business Associate. For purposes of this Agreement, Business Associate shall include the named Business Associate herein. However, in the event that the Business Associate is otherwise a hybrid entity under the Privacy Regulation, that entity may appropriately designate a health care component of the entity, pursuant to 45 C.F.R. §164.504(a), as the Business Associate for purposes of this Agreement.

    1. Survival. The respective rights and obligations of Business Associate and Covered Entity under the provisions of Sections 5.5, and Section 3.1 solely with respect to Protected Health Information Business Associate retains in accordance with Sections 3.1 and 5.5 because it is not feasible to return or destroy such Protected Health Information, shall survive termination of this Agreement.

    1. Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.

    1. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.

    1. Notices. Any notices to be given hereunder to a Party shall be made via U.S. Mail or express courier to such Party's address given below, and/or (other than for the delivery of fees) via facsimile to the facsimile telephone numbers listed below.

If to Business Associate, to:

______________________________

Attention:

Phone:

Fax:


With a copy (which shall not constitute notice) to:

______________________________

Attention:

Phone:

Fax:

If to Covered Entity, to:

______________________________

Attention:

Phone:

Fax:


With a copy (which shall not constitute notice) to:


___________

_________________

___________

_____

Attention: _____

Phone: _____

Fax: ___________

With a copy (which shall not constitute notice) to:


__________________

__________________

Phone:

Fax:

Each Party named above may change its address and that of its representative for notice by the giving of notice thereof in the manner hereinabove provided.


    1. Counterparts; Facsimiles. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.

    1. Disputes. If any controversy, dispute or claim arises between the Parties with respect to this Agreement, the Parties shall make good faith efforts to resolve such matters informally.

  1. DEFINITIONS


    1. Designated Record Set. Designated Record Set shall have the meaning set out in its definition at 45 CFR §164.501, as such provision is currently drafted and as it is subsequently updated, amended, or revised.

    1. Health Care Operations. Health Care Operations shall have the meaning set out in its definition at 45 CFR §164.501, as such provision is currently drafted and as it is subsequently updated, amended, or revised.

    1. Privacy Officer. Privacy Officer shall mean the privacy official referred to in 45 CFR §164.530(a)(1) as such provision is currently drafted and as it is subsequently updated, amended, or revised.

    1. Protected Health Information. Protected Health Information shall have the meaning as set out in its definition at 45 CFR §164.501, as such provision is currently drafted and as it is subsequently updated, amended, or revised.

IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be duly executed in its name and on its behalf effective as of this the ____ day of ______________, _____.

COVERED ENTITY

 

By: _____________________________

________________________________

Printed Name

________________________________

Printed Title

________________________________

Date

BUSINESS ASSOCIATE


By: _____________________________



________________________________

Printed Name


________________________________

Printed Title


________________________________

Date

Last Updated: 4/8/2019