HIPAA Compliance Program, Compliance Office 210-567-2014, Compliance Line 1-877-507-7317
 

Sample Business Associate Agreement for Attorneys

 

NOTE: The Office of Legal Affairs recommends this agreement/contract state what "protected health information" (PHI) will be shared among the entities, and include a specific statement of how PHI will be used, how it will be transmitted and to whom. All agreements/contracts must be reviewed by the Office of Legal Affairs. The Office of Legal Affairs may be contacted at (210) 567-2020 to assist you with any questions.




This Business Associate Agreement (this "Agreement"), is made as of the ___ day of ________________, 20___   (the "Effective Date"), by and between ______________ ("Business Associate") and _____________________ ("Covered Entity") (collectively the "Parties").

RECITALS

WHEREAS, Business Associate provides legal services to Covered Entity pursuant to a separate engagement letter;

WHEREAS, in connection with these services, Covered Entity may disclose to Business Associate certain Protected Health Information ("PHI") that is subject to protection under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and regulations promulgated pursuant to that act;

WHEREAS, HIPAA requires that Covered Entity receive adequate assurances that Business Associate will comply with certain obligations with respect to the PHI received in the course of providing services to or on behalf of Covered Entity; and

WHEREAS, the purpose of this Agreement is to comply with the requirements of HIPAA.

NOW, THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:


A. Definitions. Terms used herein, but not otherwise defined, shall have the meaning ascribed by 45 C.F.R. parts 160 and 164.

  1. Business Associate. "Business Associate" shall mean [insert name of attorney].
  2. Covered Entity. "Covered Entity" shall mean [insert name of Covered Entity].
  3. Designated Record Set. "Designated Record Set" shall mean a group of records maintained by or for a covered entity, as defined by HIPAA, that is: (i) the medical records and billing records about Individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the covered entity to make decisions about Individuals. For purposes of this definition, the term "record" means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.
  4. Individual. "Individual" shall mean the person who is the subject of the Protected Health Information.
  5. Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. parts 160 and 164, subparts A and E, as amended.
  6. Protected Health Information ("PHI"). "Protected Health Information" shall mean individually identifiable health information that is transmitted or maintained in any form or medium.
  7. Required by Law. "Required by Law" shall mean a mandate contained in law that compels a use or disclosure of PHI.
  8. Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her Designee.
  9. Security Rule. "Security Rule" shall mean the final rule adopting standards for the security of electronic protected health information as required by the Administrative Simplification title of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). See 45 C.F.R. Parts 160, 162, and 164, 68 Fed.Reg. 8334 et seq. (Feb. 20, 2003).

B. Purposes for which PHI May Be Disclosed to Business Associate. In connection with the services provided by Business Associate to or on behalf of Covered Entity described in this Agreement, Covered Entity may disclose PHI to Business Associate for the purposes of providing legal counsel, defending or prosecuting litigation on behalf of Covered Entity, assisting with regulatory requirements, accreditation, certification licensure, or operational issues, and any other legal services provided to Covered Entity.

C. Obligations of Covered Entity. If deemed applicable by Covered Entity, Covered Entity shall:

  1. provide Business Associate a copy of its Notice of Privacy Practices ("Notice") produced by Covered Entity in accordance with 45 C.F.R. 164.520 as well as any changes to such notice;
  2. provide Business Associate with any changes in, or revocation of, authorizations by Individuals relating to the use and/or disclosure of PHI, if such changes affect Business Associate's permitted or required uses and/or disclosures;
  3. notify Business Associate of any restriction to the use and/or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. 164.522;
  4. notify Business Associate of any amendment to PHI to which Covered Entity has agreed that affects a Designated Record Set maintained by Business Associate; and
  5. if Business Associate maintains a Designated Record Set, provide Business Associate with a copy of its policies and procedures related to an Individual's right to: access PHI; request an amendment to PHI; request confidential communications of PHI; or request an accounting of disclosures of PHI.

D. Obligations of Business Associate. Business Associate agrees to comply with the provisions of Privacy Rule applicable to "business associates" (as defined by the Privacy Rule), including:

  1. Use and Disclosure of PHI. Except as otherwise permitted by this Agreement or applicable law, Business Associate shall not use or disclose PHI except as necessary, in its sole discretion, to provide legal services to or on behalf of Covered Entity, and shall not use or disclose PHI that would violate the Privacy Rule if used or disclosed by Covered Entity.
  2. Use for Management and Administration of Business Associate. Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities. Business Associate shall in such cases:

    (a) provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements of the Privacy Rule and this Agreement; and

    (b) obtain reasonable assurances from the person or entity to whom the PHI is disclosed that: (a) the PHI will be held confidential and further used and disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity; and (b) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached.

  3. Disclosures of Non-Permitted Uses or Disclosures. Business Associate agrees to notify the designated Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the Privacy Rule.
  4. De-identified Information. Business Associate may use and disclose de-identified health information, if (i) the use is disclosed to Covered Entity and permitted by Covered Entity in its sole discretion and (ii) the de-identification is in compliance with 45 C.F.R. §164.502(d), and the de-identified health information meets the standard and implementation specifications for de-identification under 45 C.F.R. §164.514(a) and (b).
  5. Safeguards. Business Associate shall maintain appropriate safeguards to ensure that PHI is not used or disclosed other than as provided by this Agreement or as Required by Law.
  6. Minimum Necessary. Business Associate shall use reasonable efforts to use and disclose PHI only to the extent reasonably necessary to accomplish the intended purpose of such PHI.
  7. Disclosure to Agents and Subcontractors. If Business Associate discloses PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, to agents, expert witnesses, consultants, or subcontractors, Business Associate shall require such persons to agree to the same restrictions and conditions as apply to Business Associate under this Agreement.

  8. Individual Rights Regarding Designated Record Sets. Covered Entity shall maintain the original Designated Record Set and, therefore, it is not anticipated that Business Associate will maintain any records subject to an Individual's right to access and copy records. When notified by Covered Entity, Business Associate shall make amendments or corrections to PHI as instructed by Covered Entity. Covered Entity shall be solely responsible to the Individual for accepting or rejecting an amendment requested by the Individual. If Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate agrees as follows:

    (a) Individual Right to Copy or Inspection. Business Associate agrees it will permit an Individual to inspect or copy PHI about the Individual in that set as directed by Covered Entity to meet the requirements of 45 C.F.R. § 164.524. Under the Privacy Rule, Covered Entity is required to take action on such requests as soon as possible, but not later than 30 days following receipt of the request. Business Associate agrees to make reasonable efforts to assist Covered Entity in meeting this deadline. The information shall be provided in the form or format requested if it is readily producible in such form or format; or in summary, if the Individual has agreed in advance to accept the information in summary form. A reasonable, cost-based fee for copying health information may be charged. If Covered Entity maintains the requested records, Covered Entity, rather than Business Associate shall permit access according to its policies and procedures implementing the Privacy Rule.

    (b) Individual Right to Amendment. Business Associate agrees to make amendments to PHI at the request and direction of Covered Entity pursuant to 45 C.F.R. 164.526. Business Associate agrees that it will accommodate an Individual's request to amend his/her PHI only in conjunction with a determination by Covered Entity that the amendment is appropriate according to 45 C.F.R. 164.526.

  9. Accounting of Disclosures. Business Associate agrees to maintain documentation of the information required to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.538, and to make this information available to Covered Entity upon Covered Entity's request, in order to allow Covered Entity to respond to an Individual's request for accounting of disclosures. Such accounting is limited to disclosures that were made in the six (6) years prior to the request (not including disclosures prior to the compliance date of the Privacy Rule) and shall be provided for as long as Business Associate maintains the PHI.

  10. Internal Practices and Policies and Procedures. Except as otherwise specified herein, Business Associate shall make available its internal practices and policies and procedures relating to the use and disclosure of PHI received from or on behalf of Covered Entity to the Secretary or his or her agents for the purpose of determining Covered Entity's compliance with the Privacy Rule. Records requested that are not protected by an applicable legal privilege will be made available in the time and manner specified by Covered Entity or the Secretary. If it is necessary for Business Associate to invoke and defend the attorney-client privilege, Covered Entity shall agree to pay the cost for such defense.

  11. Notice of Privacy Practices. If Covered Entity's Notice of Privacy Practices ("Notice") specifically affects Business Associate's use or disclosure of PHI, Covered Entity shall inform Business Associate of the specific limitations. Business Associate shall abide by the limitations of Covered Entity's Notice that affect its use or disclosure of PHI of which it has been specifically informed. Any use or disclosure permitted by this Agreement may be amended by changes to Covered Entity's Notice if Covered Entity specifically informs Business Associate of the amendment; provided, however, that the amended Notice shall not affect permitted uses and disclosures on which Business Associate relied prior to receiving notice of such amended Notice.

  12. Withdrawal of Authorization. If the use or disclosure of PHI in this Agreement is based upon an Individual's specific authorization for the use or disclosure of his or her PHI, and the Individual revokes such authorization, the effective date of such authorization has expired, or such authorization is found to be defective in any manner that renders it invalid, Business Associate shall, if it has notice of such revocation, expiration, or invalidity, cease the use and disclosure of the Individual's PHI except to the extent it has relied on such use or disclosure, or if an exception under the Privacy Rule expressly applies.

  13. Electronic PHI. On or before April 21, 2005, the Covered Entity is required to comply with the requirements of the Security Rule. At least 90 days prior to the Covered Entity's implementation of the requirements under the Security Rule, it shall provide Business Associate with written notice of its intent to comply with such requirements and shall provide any specific details relating to its security policies that may apply to Business Associate (such as encryption of electronically transmitted PHI). The following provisions shall apply to Business Associate 90 days after its receipt of such notice:

    (a) Business Associate shall implement safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.

    (b) Business Associate shall ensure that any agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of any electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.

    (c) Business Associate agrees to report to Covered Entity any security incident (as defined in the Security Rule) of which Business Associate becomes aware.

E. Term and Termination.
  1. Term. This Agreement shall be effective as of the Effective Date and shall be terminated when all PHI provided to Business Associate by Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.
  2. Termination for Breach. If Covered Entity determines that Business Associate has breached the requirements of this Agreement, it may terminate this Agreement on a date specified by Covered Entity.
  3. Effect of Termination. Upon termination of this Agreement for any reason, Business Associate agrees to return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, maintained by Business Associate in any form. If Business Associate determines that the return or destruction of PHI is not feasible, Business Associate shall inform Covered Entity in writing of the reason thereof, and shall agree to extend the protections of this Agreement to such PHI and limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for as long as Business Associate retains the PHI.
F. Miscellaneous.
  1. No Third Party Beneficiaries. Nothing in this Agreement shall be considered or construed as conferring any right or benefit on a person not party to this Agreement nor imposing any obligations on either Party hereto to persons not a party to this Agreement.
  2. Mitigation. If Business Associate violates this Agreement or HIPAA, Business Associate agrees to attempt to mitigate any damage caused by such breach.
  3. Notices. Any notices pertaining to this Agreement shall be given in writing and shall be deemed duly given when personally delivered to a Party or a Party's authorized representative as listed below or sent by means of a reputable overnight carrier, or sent by means of certified mail, return receipt requested, postage prepaid. A notice sent by certified mail shall be deemed given on the date of receipt or refusal of receipt. All notices shall be addressed to the appropriate Party as follows:

    If to Covered Entity:
    ______________________________
    ______________________________
    ______________________________
    Attn: _________________________

    If to Business Associate:
    Privacy Officer
    ___________________
    ___________________
    ___________________

  4. Amendments. This Agreement may not be changed or modified in any manner except by an instrument in writing signed by a duly authorized officer of each of the Parties hereto. The Parties, however, agree to amend this Agreement from time to time, as necessary in order to allow Covered Entity to comply with the requirements of HIPAA.
  5. Choice of Law. This Agreement and the rights and the obligations of the Parties hereunder shall be governed by and construed under the laws of the State of Texas, without regard to applicable conflict of laws principles.
  6. Assignment of Rights and Delegation of Duties. This Agreement is binding upon and inures to the benefit of the Parties hereto and their respective successors and permitted assigns. However, neither Party may assign any of its rights or delegate any of its obligations under this Agreement without the prior written consent of the other Party, which consent shall not be unreasonably withheld or delayed. Notwithstanding any provisions to the contrary, however, Covered Entity retains the right to assign or delegate any of its rights or obligations hereunder to any of its wholly owned subsidiaries, affiliates or successor companies. Assignments made in violation of this provision are null and void.
  7. No Waiver. Failure or delay on the part of either Party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof. No provision of this Agreement may be waived by either Party except by a writing signed by an authorized representative of the Party making the waiver.
  8. Severability. The provisions of this Agreement shall be severable, and if any provision of this Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
  9. Entire Agreement. This Agreement, together with all Exhibits, Riders, and amendments, if applicable, which are fully completed and signed by authorized persons on behalf of both Parties from time to time while this Agreement is in effect, constitutes the entire Agreement between the Parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, agreements, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof. In the event of any inconsistencies between any provisions of this Agreement and any provisions of the Exhibits, Riders, or amendments, the provisions of this Agreement shall control.
  10. Regulatory References. A citation in this Agreement to the Code of Federal Regulations shall mean the cited section as that section may be amended from time to time.

    Agreed to:

    BUSINESS ASSOCIATE

    By:____________________________
    (Authorized Signature)

    Name:_________________________
    (Type or Print)

    Title:___________________________

    Date:___________________________

    Agreed to:

    COVERED ENTITY

    By:____________________________
    (Authorized Signature)

    Name:_________________________
    (Type or Print)

    Title:___________________________

    Date:___________________________

Copyright © Vinson & Elkins L.L.P. 2003

 
 
 