Business Associate Agreement (Model)
Parties
This Business Associate Agreement (“Agreement”) is entered into by and between the client identified below (“Covered Entity”) and the vendor identified below (“Business Associate”) for the purpose of ensuring compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, including 45 C.F.R. §§ 164.308, 164.312, 164.314, 164.502(e), and 164.504(e).
Recitals
(A) The Covered Entity provides health care services or manages protected health information (“PHI”) in the course of its operations. (B) The Business Associate performs certain functions, activities, or services that involve the creation, receipt, maintenance, or transmission of PHI on behalf of the Covered Entity. (C) The parties intend to define their respective responsibilities to ensure compliance with HIPAA and the protection of PHI.
1. Definitions
All capitalized terms used but not otherwise defined herein shall have the meanings given in HIPAA and its regulations. “PHI” includes electronic protected health information (“ePHI”).
2. Permitted Uses and Disclosures
The Business Associate may use and disclose PHI solely as necessary to perform services for the Covered Entity, as described in this Agreement or as required by law. The Business Associate shall not use or disclose PHI in any manner that would violate HIPAA if done by the Covered Entity.
3. Safeguards
The Business Associate shall implement administrative, physical, and technical safeguards reasonably designed to protect the confidentiality, integrity, and availability of PHI, including but not limited to encryption, access controls, secure authentication, and periodic security audits, as required by 45 C.F.R. Part 164, Subpart C.
4. Minimum Necessary
The Business Associate shall limit its uses, disclosures, and requests of PHI to the minimum necessary to accomplish the intended purpose, consistent with the Minimum Necessary Standard at 45 C.F.R. § 164.502(b).
5. Subcontractors
The Business Associate shall ensure that any subcontractor or agent who receives, maintains, or transmits PHI on its behalf agrees in writing to the same restrictions and conditions that apply to the Business Associate with respect to PHI, pursuant to 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2).
6. Reporting of Breaches and Security Incidents
The Business Associate shall report to the Covered Entity any use or disclosure of PHI not permitted by this Agreement, and any Security Incident or Breach of Unsecured PHI, without unreasonable delay and in no case later than thirty (30) calendar days after discovery. Because the HIPAA definition of Security Incident also covers unsuccessful attempts, the parties agree that unsuccessful Security Incidents (for example, pings, port scans, or blocked login attempts that do not result in unauthorized access to PHI) may be reported in summary form on a periodic basis rather than individually. Reports shall include sufficient detail to allow the Covered Entity to comply with applicable notification obligations.
7. Access, Amendment, and Accounting
(a) Access: Upon request, the Business Associate shall make PHI in a designated record set available to the Covered Entity to enable compliance with 45 C.F.R. § 164.524. (b) Amendment: The Business Associate shall make amendments to PHI as directed by the Covered Entity pursuant to 45 C.F.R. § 164.526. (c) Accounting: The Business Associate shall document disclosures of PHI to enable the Covered Entity to provide an accounting in accordance with 45 C.F.R. § 164.528.
8. Internal Practices; Inspection
The Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance with HIPAA.
9. De-identification and Data Aggregation
The Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514 and may use such de-identified information for lawful purposes. The Business Associate may also perform data aggregation services for the Covered Entity’s health care operations in compliance with HIPAA regulations.
10. Covered Entity Obligations
The Covered Entity shall not request or require the Business Associate to use or disclose PHI in a manner that would not be permissible under HIPAA if done by the Covered Entity. The Covered Entity shall provide only the minimum necessary PHI and ensure all authorizations, consents, or notices required under HIPAA are properly obtained and maintained.
11. Term and Termination
This Agreement shall remain in effect for as long as the Business Associate provides services involving PHI on behalf of the Covered Entity. Upon termination, the Business Associate shall return or destroy all PHI, if feasible. If return or destruction is not feasible, the Business Associate shall continue to protect the PHI in accordance with this Agreement and limit further uses and disclosures to those purposes that make return or destruction infeasible.
12. Indemnification
Each party shall be responsible for its own acts, omissions, and compliance with HIPAA. Nothing in this Agreement shall be construed to require indemnification beyond that required by applicable law.
13. Miscellaneous
- Governing Law: This Agreement shall be governed by the laws of the jurisdiction where the Covered Entity is organized or operates, without regard to conflict of law principles.
- Amendment: The parties shall amend this Agreement as necessary to comply with changes in HIPAA or other applicable regulations.
- Interpretation: Any ambiguity in this Agreement shall be resolved to permit compliance with HIPAA.
- Entire Agreement: This document constitutes the entire agreement concerning the handling of PHI between the parties and supersedes any inconsistent prior terms.
- No Third-Party Beneficiaries: This Agreement confers no rights upon any third party.
Non-Handling Rider (Optional)
This Non-Handling Rider (“Rider”) is intended for use when a third-party vendor or service provider supports digital marketing, website management, or related services but does not access or process Protected Health Information (PHI).
- No PHI Handling: The Vendor does not and will not create, receive, maintain, transmit, or store PHI in connection with its services. The Vendor is therefore not a Business Associate under HIPAA.
- Form Routing: Any web or form submission mechanism implemented by the Vendor must route directly to the Covered Entity or to a processor designated by the Covered Entity that operates under a Business Associate Agreement with it (there is no HIPAA certification; a "HIPAA-compliant" processor is one bound by such an agreement). No PHI shall transit through, or be proxied, cached, or logged by, the Vendor's servers, email systems, or applications.
- Logging and Analytics: The Vendor shall disable any logging, session-replay, or analytics tooling that captures form field contents or other identifiers that, alone or in combination, could constitute PHI. Web analytics may be implemented only when they exclude such data entirely.
- Incidental Exposure: If the Vendor inadvertently receives PHI (e.g., through misdirected communication), it shall notify the Covered Entity within two (2) business days, securely delete the material, and cooperate in evaluating any required breach notification.
- Scope of Work: The Vendor’s services are limited to design, hosting, campaign management, or analytics configuration unrelated to PHI. The Vendor will not export, synchronize, or transmit PHI to any third party.
- Infrastructure Disclaimer: The Vendor makes no representation that its servers or hosting environments meet HIPAA security standards unless explicitly stated in a separate executed BAA.
- Prohibited Changes: Any modification that would route PHI through the Vendor’s systems is strictly prohibited unless a formal Business Associate Agreement is executed in advance.