HIPAA Business Affiliate Agreement
1. Definitions
Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms defined in HIPAA, including, but not limited to, "Business Affiliate," "Covered Entity," "Protected Health Information" ("PHI"), "Electronic Protected Health Information" ("ePHI"), and "Breach."
Business Affiliate
A "Business Affiliate" is any person or entity that performs functions or activities on behalf of, or provides services to, a Covered Entity that involve the use or disclosure of Protected Health Information (PHI). Examples include third-party billing companies, cloud storage providers, or IT service providers who handle PHI.
Covered Entity
A "Covered Entity" refers to health plans, healthcare clearinghouses, and healthcare providers who transmit any health information in electronic form in connection with transactions covered by HIPAA. These entities are directly responsible for protecting the privacy and security of patient information.
Protected Health Information (PHI)
"PHI" is any information, whether oral or recorded in any form, that is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse, and relates to the past, present, or future physical or mental health condition of an individual, the provision of healthcare, or payment for healthcare. PHI can include names, addresses, birthdates, Social Security numbers, and medical records.
Electronic Protected Health Information (ePHI)
"ePHI" is any PHI that is created, stored, transmitted, or received electronically. This includes digital records, emails containing patient data, and electronic billing information. ePHI is subject to additional security requirements under the HIPAA Security Rule.
Breach
A "Breach" refers to the impermissible use or disclosure of PHI that compromises its security or privacy, unless the Covered Entity or Business Affiliate can demonstrate a low probability that the PHI has been compromised based on a risk assessment. Examples include data theft or loss of unencrypted devices containing PHI.
2. Obligations and Activities of Business Affiliate
a. Use and Disclosure of PHI: The Business Affiliate may only use or disclose PHI as necessary to perform services outlined in the Professional Provider Agreement or as required by law, but not in a manner that violates HIPAA regulations.
b. Safeguards: The Business Affiliate agrees to use appropriate administrative, physical, and technical safeguards to prevent the use or disclosure of PHI other than as provided by this Agreement, including compliance with HIPAA’s Security Rule (45 CFR Part 164 Subpart C) for ePHI.
c. Mitigation: The Business Affiliate shall mitigate, to the extent practicable, any harmful effect that is known to the Business Affiliate of a use or disclosure of PHI by the Business Affiliate in violation of this Agreement.
d. Reporting: The Business Affiliate agrees to report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI, in compliance with 45 CFR 164.410.
e. Subcontractors: The Business Affiliate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Affiliate agree to the same restrictions and conditions that apply to the Business Affiliate under this Agreement.
f. Access to PHI: The Business Affiliate agrees to provide access to PHI in a designated record set, as necessary, to fulfil the Covered Entity’s obligations under 45 CFR 164.524.
g. Amendments to PHI: The Business Affiliate agrees to make any amendments to PHI in a designated record set as directed by the Covered Entity, pursuant to 45 CFR 164.526.
h. Accounting of Disclosures: The Business Affiliate agrees to document and make available an accounting of disclosures of PHI as required under 45 CFR 164.528.
i. Compliance with Law: The Business Affiliate shall comply with the requirements of the HIPAA Rules that apply to business associates, including any amendments to HIPAA or other laws that affect this Agreement.
3. Permitted Uses and Disclosures by Business Affiliate
The Business Affiliate may:
a. Use or disclose PHI to perform its duties under the Professional Provider Agreement, provided that such use or disclosure would not violate HIPAA if done by the Covered Entity.
b. Use PHI for the proper management and administration of the Business Affiliate or to carry out the legal responsibilities of the Business Affiliate, provided that disclosures are required by law or the Business Affiliate obtains reasonable assurances from the recipient that the PHI will remain confidential and used only for its intended purpose.
c. Use PHI to provide data aggregation services relating to the health care operations of the Covered Entity.
4. Term and Termination
a. Term: This Agreement shall remain in effect until the termination of the Professional Provider Agreement or as otherwise provided by law.
b. Termination for Cause: The Covered Entity may terminate this Agreement if the Business Affiliate materially breaches this Agreement.
c. Obligations Upon Termination: Upon termination, the Business Affiliate shall return or destroy all PHI received from, or created on behalf of, the Covered Entity. If return or destruction is not feasible, the Business Affiliate shall extend the protections of this Agreement to the PHI and limit further use and disclosures to those purposes that make return or destruction infeasible.
5. Miscellaneous
a. Amendment: This Agreement may only be amended in writing, signed by both parties.
b. Survival: The obligations of the Business Affiliate under this Agreement shall survive the termination of this Agreement with respect to PHI that cannot feasibly be returned or destroyed.
c. Interpretation: Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

© 2025 NewAge MD. All rights reserved.