Business Associate Agreement Sample Letter

[Option 2 – Refer to an underlying service contract, for example, “to the extent necessary to provide the services defined in the service agreement.”]

(a) Counterparty. “Counterparty” generally has the same meaning as the term “counterparty” in 45 CFR 160.103 and, in reference to the party to this Agreement, means [insert counterparty name].

(d) Survival. The counterparty's obligations under this Section shall apply even after the termination of this Agreement.

(e) [Optional] The counterparty may use protected health information for the proper management and administration of the counterparty or to fulfil the counterparty's legal obligations.

2.7 Subcontractors. The counterparty shall require its subcontractors to offer a reasonable guarantee, demonstrated by a written agreement, of compliance with the same obligations, restrictions and conditions of confidentiality and security with respect to the PHI and ePHI that apply to the counterparty through this BAA. The counterparty may disclose PHI to other counterparties of the covered entity, without the need for the written agreement described above.

In practice, business partners must train their staff in HIPAA rules. Documentation of these trainings can help prevent HIPAA infringements and avoid allegations of intentional negligence. A lawyer can help design training modules and explain how to track the completion of training programs.

[In addition to other permitted purposes, the parties should indicate whether the counterparty has the right to use protected health information to de-identify the information as referred to in CFR 164.514(a)-(c).

The parties may also wish to indicate how the counterparty will anonymize the information and the uses and disclosures of anonymous information authorized by the counterparty.]

Words or phrases in brackets are intended either as optional language or as instructions for users of these examples. In order to maintain HIPAA compliance, all covered entities and counterparties must comply with HIPAA data protection standards as well as security and breach notification rules. Like covered entities, counterparties must implement these security measures in accordance with the HIPAA security rule.

Recitals can help to explain the relationship between the BAA and the underlying agreements between the parties. Consider asking a lawyer to verify the accuracy of the recitals and any underlying agreements.

[Optional] The covered entity shall not require the counterparty to use or disclose protected health information in a manner that would not be permitted by Subpart E of 45 CFR Part 164 if the covered entity did so. [Insert an exception if the counterparty uses or discloses protected health information for data aggregation or management, as well as the counterparty's legal responsibilities, and the agreement contains provisions relating to data aggregation or management.]

This form applies only to the agreement between a counterparty and a covered entity. Counterparties must enter into separate BAAs with their subcontractors.

A lawyer may modify this form to meet the subcontractor's BAA requirements, or design a separate subcontractor BAA. This is sample language only, and the use of these examples is not necessary to comply with HIPAA rules. The language may be changed to more accurately reflect the commercial agreements between a covered entity and a counterparty, or between a counterparty and a subcontractor. In addition, those provisions, or other similar provisions, may be included in a service provision agreement between a covered entity and a counterparty, or between a counterparty and a subcontractor, or may be included in a separate counterparty agreement. These provisions apply only to the concepts and requirements set out in the HIPAA rules on data protection, security, breach notification and law enforcement, and may not be sufficient on their own to result in a binding contract under State law.