HIPAA Business Associate Agreement

# HIPAA Business Associate Agreement **Effective Date:** ___________ This Business Associate Agreement ("Agreement") is entered into by and between: **Covered Entity:** ___________ ("Covered Entity") **Business Associate:** ___________ ("Business Associate") This Agreement is entered into pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), and the regulations promulgated thereunder at 45 C.F.R. Parts 160 and 164 (collectively, the "HIPAA Rules"). ## 1. Definitions (a) **Protected Health Information ("PHI")** shall have the same meaning as defined in 45 C.F.R. Section 160.103, limited to the information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity. (b) **Electronic Protected Health Information ("ePHI")** shall have the same meaning as defined in 45 C.F.R. Section 160.103. (c) **Breach** shall have the same meaning as defined in 45 C.F.R. Section 164.402. (d) **Security Incident** shall have the same meaning as defined in 45 C.F.R. Section 164.304. (e) All other capitalized terms used but not otherwise defined herein shall have the meanings set forth in the HIPAA Rules. ## 2. Services Provided **Description of Services:** ___________ **Type of PHI Involved:** ___________ ## 3. Obligations of Business Associate Business Associate agrees to: (a) Not use or disclose PHI other than as permitted or required by this Agreement or as required by law. (b) Use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement. (c) Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured PHI as required by 45 C.F.R. Section 164.410, and any Security Incident of which it becomes aware.