As more and more businesses outsource important functions to third-party service providers, the importance of a Business Associate Agreement (BAA) cannot be overstated. A BAA is the contract that the Health Insurance Portability and Accountability Act (HIPAA) requires between a Covered Entity and any Business Associate that creates, receives, maintains, or transmits protected health information (PHI), including electronic protected health information (ePHI), on its behalf. It establishes the obligations, responsibilities, and liabilities of both parties with respect to that information. The following are some sample provisions that should be included in a BAA:
1. Definition of Terms – Key terms such as PHI, ePHI, Business Associate, Covered Entity, Breach, and Security Incident should be defined, preferably by reference to their definitions in the HIPAA regulations, so that all parties understand their responsibilities and liabilities.
2. Permitted Uses and Disclosures of PHI – The BAA should specify the uses and disclosures of PHI the Business Associate is permitted to make. These should be limited to the purposes for which the information was disclosed and any other purposes allowed under HIPAA, and the Business Associate should not use or disclose PHI in any manner that would violate the HIPAA Privacy Rule if done by the Covered Entity. The Business Associate should also be required to bind any subcontractor that handles PHI to the same restrictions.
3. Confidentiality and Security – The Business Associate must agree to implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, and to comply with the HIPAA Security Rule with respect to ePHI.
4. Reporting Obligations – The Business Associate should agree to report to the Covered Entity any use or disclosure of PHI not permitted by the agreement, any security incident involving ePHI, and any breach of unsecured PHI. The HIPAA Breach Notification Rule requires the Business Associate to report a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery, and the BAA may set a shorter deadline.
5. Access Rights – The BAA should specify how the Business Associate will help the Covered Entity fulfil individuals' rights under the Privacy Rule, including providing access to PHI, making amendments to PHI, and providing an accounting of disclosures, as well as any restrictions on the Business Associate's own use or disclosure of PHI.
6. Termination – The BAA should permit the Covered Entity to terminate the agreement if the Business Associate violates a material term, provide for termination by either party, and specify the obligations of the parties upon termination, including the return or destruction of all PHI where feasible. Where return or destruction is not feasible, the protections of the agreement should extend to the retained PHI for as long as it is kept.
7. Indemnification and Liability – The BAA should specify the indemnification and liability obligations of the parties in the event of a breach of the agreement by either party. HIPAA does not require an indemnification clause, so this is a negotiated term, but it is commonly included to allocate the cost of breach notification, investigation, and regulatory penalties.
In conclusion, a BAA is a critical document that governs the relationship between a Covered Entity and its Business Associate. The sample provisions above should be included in any BAA so that the parties understand their obligations and liabilities and so that PHI and ePHI are protected from unauthorized access, use, or disclosure. Businesses should therefore take the time to carefully craft their BAA to protect themselves and their clients.