Last updated: September 1, 2024
This Business Associate Agreement (“BAA”) is entered into effective this _ day of ____, 202_ (“Effective Date”) by and between (“Covered Entity”) and Untitled Technology, LLC. (“Business Associate”) (each a “Party” and collectively, the “Parties”).
WHEREAS, Business Associate performs certain services for or on behalf of Covered Entity, and in performing said services, Business Associate creates, receives, maintains, or transmits Protected Health Information ("PHI");
WHEREAS, the Parties intend to protect the privacy and provide for the security of the PHI Disclosed (as defined below) by Covered Entity to Business Associate, or created, received, maintained, or transmitted by Business Associate, when providing services. Such PHI will be protected in compliance with the Health Insurance Portability and Accountability Act ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act (Public Law 111-005) (the "HITECH Act") and its implementing regulations and guidance issued by the Secretary of the U.S. Department of Health and Human Services ("Secretary") (collectively, the "HIPAA Regulations"); and
WHEREAS, Covered Entity is required under the HIPAA Regulations to enter into a Business Associate Agreement that meets certain requirements with respect to the Use (as defined below) and Disclosure of PHI, which are met by this BAA. Accordingly, to the extent Business Associate is functioning as a "business associate" as defined in the HIPAA Regulations, Business Associate agrees to comply with this BAA.
In consideration of the Recitals and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:
The following terms shall have the respective meanings set forth below. Capitalized terms used in this BAA and not otherwise defined shall have the meanings ascribed to them in the HIPAA Regulations.
1.1. "Breach" shall have the meaning given to such term under 45 C.F.R. § 164.402.
1.2. "Designated Record Set" shall have the meaning given to such term under 45 C.F.R. § 164.501.
1.3. "Disclose" and "Disclosure" mean, with respect to PHI, the release, transfer, provision of access to, or divulging in any other manner of PHI outside of Business Associate or to other than members of its workforce, as set forth in 45 C.F.R. § 160.103.
1.4. "Electronic PHI" or "e-PHI" means PHI that is transmitted or maintained in electronic media, as set forth in 45 C.F.R. § 160.103.
1.5. "Protected Health Information" and "PHI" mean any information, whether oral or recorded in any form or medium, provided by Covered Entity to Business Associate, that: (a) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; (b) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (c) shall have the meaning given to such term under 45 C.F.R. § 160.103. Protected Health Information includes e-PHI.
1.6. "Required by Law" shall have the meaning given to such term under 45 C.F.R. § 164.103.
1.7. "Security Incident" shall have the meaning given to such term under 45 C.F.R. § 164.304.
1.8. "Services" shall mean the services or functions performed by Business Associate for or on behalf of Covered Entity pursuant to any service agreement(s) between Covered Entity and Business Associate which may be in effect now or from time to time ("Underlying Agreement"), or, if no such agreement is in effect, the services or functions performed by Business Associate that constitute a "business associate" relationship, as set forth in 45 C.F.R. § 160.103.
1.9. "Unsecured PHI" shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402, and guidance issued pursuant to the HITECH Act including, but not limited to the guidance issued on April 17, 2009 and published in 74 Federal Register 19006 (April 27, 2009) by the Secretary.
1.10. "Use" or "Uses" mean, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of such PHI within Business Associate's internal operations, as set forth in 45 C.F.R. § 160.103.