HIPAA Compliance Program, Compliance Office 210-567-2014, Compliance Line 1-877-507-7317
 

Sample Business Associate Agreement Provisions

 

NOTE: all agreements/contracts must be reviewed by the Office of Legal Affairs. The Office of Legal Affairs may be contacted at (210) 567-2020 to assist you with any questions. Also, the Privacy Officer can assist with any questions at (210) 567-2014. Additionally, all signed agreements/contracts must be maintained by the Purchasing Department.




This Business Associate Agreement (the “Agreement”) is made as of the ___ day of ________________, 20__ (the “Effective Date”), by and between Business Associate and Covered Entity (collectively the “Parties”) to comply with privacy standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160 and 164 (“the Privacy Rule”) and security standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160, 162 and 164, subpart C (“the Security Rule”), and the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 and regulations promulgated thereunder and any applicable state confidentiality laws.

RECITALS

WHEREAS, Business Associate provides [describe services Business Associate provides] to or on behalf of Covered Entity;

WHEREAS, in connection with these services, Covered Entity discloses to Business Associate certain protected health information that is subject to protection under the HIPAA Rules; and

WHEREAS, the HIPAA Rules require that Covered Entity receive adequate assurances that Business Associate will comply with certain obligations with respect to the PHI received in the course of providing services to or on behalf of Covered Entity.

NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:

A. Definitions. Terms used herein, but not otherwise defined, shall have the meaning ascribed by the Privacy Rule and the Security Rule.

  1. Breach. “Breach” shall mean the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
  2. Business Associate. "Business Associate" shall mean [insert name of Business Associate].
  3. Covered Entity. "Covered Entity" shall mean The UT Health Science Center at San Antonio.
  4. Designated Record Set. "Designated Record Set" shall mean a group of records maintained by or for a Covered Entity that is: (i) the medical records and billing records about Individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the covered entity to make decisions about Individuals. For purposes of this definition, the term "record" means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
  5. HIPAA Rules. The Privacy Rule and the Security Rule and amendments codified and promulgated by the HITECH Act are referred to collectively herein as "HIPAA Rules."
  6. Individual. "Individual" shall mean the person who is the subject of the protected health information.
  7. Protected Health Information ("PHI"). "Protected Health Information" or PHI shall mean individually identifiable health information that is transmitted or maintained in any form or medium.
  8. Required by Law. "Required by Law" shall mean a mandate contained in law that compels a use or disclosure of PHI.
  9. Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her Designee.
  10. Sensitive Personal Information. “Sensitive Personal Information” shall mean an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted: a) social security number; driver’s license number or government-issued identification number; or account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or b) information that identifies an individual and relates to: the physical or mental health or condition of the individual; the provision of health care to the individual; or payment for the provision of health care to the individual.
  11. Unsecured PHI. “Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5 on the HHS Web site.

B. Purposes for which PHI May Be Disclosed to Business Associate. In connection with the services provided by Business Associate to or on behalf of Covered Entity described in this Agreement, Covered Entity may disclose PHI to Business Associate for the purposes of [describe purpose of disclosure, which will relate directly to the services provided by Business Associate to Covered Entity, e.g., claims processing, audit, design of computer system, etc.].

C. Obligations of Covered Entity. If deemed applicable by Covered Entity, Covered Entity shall:

  1. provide Business Associate a copy of its Notice of Privacy Practices ("Notice") produced by Covered Entity in accordance with 45 C.F.R. 164.520 as well as any changes to such Notice;
  2. provide Business Associate with any changes in, or revocation of, authorizations by Individuals relating to the use and/or disclosure of PHI, if such changes affect Business Associate's permitted or required uses and/or disclosures;
  3. notify Business Associate of any restriction to the use and/or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI;

  4. not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Entity;
  5. notify Business Associate of any amendment to PHI to which Covered Entity has agreed that affects a Designated Record Set maintained by Business Associate;
  6. if Business Associate maintains a Designated Record Set, provide Business Associate with a copy of its policies and procedures related to an Individual's right to: access PHI; request an amendment to PHI; request confidential communications of PHI; or request an accounting of disclosures of PHI; and,
  7. notify individuals of breach. [Depending on how the contract is negotiated, either the Covered Entity or the Business Associate will notify individuals of a breach. If Business Associate notifies, need Privacy Officer’s approval, the form of the notice, evaluation of harm, and who will be responsible for the cost.]

D. Obligations of Business Associate. Business Associate agrees to comply with applicable federal and state confidentiality and security laws, specifically the provisions of the HIPAA Rules applicable to business associates, including:

  1. Use and Disclosure of PHI. Except as otherwise permitted by this Agreement or applicable law, Business Associate shall not use or disclose PHI except as necessary to provide  Services described above to or on behalf of Covered Entity, and shall not use or disclose PHI that would violate the HIPAA Rules if used or disclosed by Covered Entity.  Also, knowing that there are certain restrictions on disclosure of PHI.  Provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities.  Business Associate shall in such cases:

    (a) provide information and training to members of its workforce using or disclosing PHI regarding the confidentiality requirements of the HIPAA Rules and this Agreement;

    (b) obtain reasonable assurances from the person or entity to whom the PHI is disclosed that: (a) the PHI will be held confidential and further used and disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity; and (b) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached; and

    (c) agree to notify the designated Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HIPAA Rules.

  2. Data Aggregation. In the event that Business Associate works for more than one Covered Entity, Business Associate is permitted to use and disclose PHI for data aggregation purposes, however, only in order to analyze data for permitted health care operations, and only to the extent that such use is permitted under the HIPAA Rules.
  3. De-identified Information. Business Associate may use and disclose de-identified health information if  written approval from the Covered Entity is obtained, and the PHI is de-identified in compliance with the HIPAA Rules.  Moreover, Business Associate shall review and comply with the requirements defined under Section E. of this Agreement.
  4. Safeguards.

    (a) Business Associate shall maintain appropriate safeguards to ensure that PHI is not used or disclosed other than as provided by this Agreement or as Required by Law.  Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any paper or electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity.

    (b) Business Associate shall assure that all PHI be secured when accessed by Business Associate’s employees, agents or subcontractors.  Any access to PHI by Business Associate’s employees, agents or subcontractors shall be limited to legitimate business needs while working with PHI.  Any personnel changes by Business Associate, eliminating the legitimate business needs for employees’, agents’ or contractors’ access to PHI – either by revision of duties or termination – shall be immediately reported to Covered Entity.  Such reporting shall be made no later than the third business day after the personnel change becomes effective.
  5. Minimum Necessary. Business Associate shall  ensure that all uses and disclosures of PHI are subject to the principle of “minimum necessary use and disclosure,” i.e., that only PHI that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request is used or disclosed; and, the use of limited data sets when possible.
  6. Disclosure to Agents and Subcontractors. If Business Associate discloses PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, to agents, including a subcontractor, Business Associate shall require the agent or subcontractor to agree to the same restrictions and conditions as apply to Business Associate under this Agreement. Business Associate shall ensure that any agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the paper or electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity. Business Associate shall be liable to Covered Entity for any acts, failures or omissions of the agent or subcontractor in providing the services as if they were Business Associate's own acts, failures or omissions, to the extent permitted by law. Business Associate further expressly warrants that its agents or subcontractors will be specifically advised of, and will comply in all respects with, the terms of this Agreement.
  7. Individual Rights Regarding Designated Record Sets. If Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate agrees as follows:

    (a) Individual Right to Copy or Inspection. Business Associate agrees that if it maintains a Designated Record Set for Covered Entity that is not maintained by Covered Entity, it will permit an Individual to inspect or copy PHI about the Individual in that set as directed by Covered Entity to meet the requirements of 45 C.F.R. § 164.524.  If the PHI is in electronic format, the Individual shall have a right to obtain a copy of such information in electronic format and, if the Individual chooses, to direct that an electronic copy be transmitted directly to an entity or person designated by the individual in accordance with HITECH section 13405 (c).  Under the Privacy Rule, Covered Entity is required to take action on such requests as soon as possible, but not later than 30 days following receipt of the request.  Business Associate agrees to make reasonable efforts to assist Covered Entity in meeting this deadline.  The information shall be provided in the form or format requested if it is readily producible in such form or format; or in summary, if the Individual has agreed in advance to accept the information in summary form.  A reasonable, cost-based fee for copying health information may be charged.  If Covered Entity maintains the requested records, Covered Entity, rather than Business Associate shall permit access according to its policies and procedures implementing the Privacy Rule.

    (b) Individual Right to Amendment. Business Associate agrees, if it maintains PHI in a Designated Record Set, to make amendments to PHI at the request and direction of Covered Entity pursuant to 45 C.F.R. 164.526.  If Business Associate maintains a record in a Designated Record Set that is not also maintained by Covered Entity, Business Associate agrees that it will accommodate an Individual’s request to amend PHI only in conjunction with a determination by Covered Entity that the amendment is appropriate according to 45 C.F.R. § 164.526.

    (c) Accounting of Disclosures. Business Associate agrees to maintain documentation of the information required to provide an accounting of disclosures of PHI, whether PHI is in paper or electronic format, in accordance with 45 C.F.R. § 164.528 and HITECH Sub Title D Title VI Section 13405 (c), and to make this information available to Covered Entity upon Covered Entity’s request, in order to allow Covered Entity to respond to an Individual’s request for accounting of disclosures.  Under the Privacy Rule, Covered Entity is required to take action on such requests as soon as possible but not later than 60 days following receipt of the request.  Business Associate agrees to use its best efforts to assist Covered Entity in meeting this deadline but not later than 45 days following receipt of the request.  Such accounting must be provided without cost to the individual or Covered Entity if it is the first accounting requested by an individual within any 12 month period; however, a reasonable, cost-based fee may be charged for subsequent accountings if Business Associate informs the individual in advance of the fee and is afforded an opportunity to withdraw or modify the request.  Such accounting is limited to disclosures that were made in the six (6) years prior to the request (not including disclosures prior to the compliance date of the Privacy Rule) and shall be provided for as long as Business Associate maintains the PHI.

  8. Internal Practices, Policies and Procedures. Except as otherwise specified herein, Business Associate shall make available its internal practices, policies and procedures relating to the use and disclosure of PHI, received from or on behalf of Covered Entity to the Secretary or his or her agents for the purpose of determining Covered Entity's compliance with the HIPAA Rules, or any other health oversight agency, or to Covered Entity. Records requested that are not protected by an applicable legal privilege will be made available in the time and manner specified by Covered Entity or the Secretary.
  9. Notice of Privacy Practices. Business Associate shall abide by the limitations of Covered Entity’s Notice of which it has knowledge. Any use or disclosure permitted by this Agreement may be amended by changes to Covered Entity’s Notice; provided, however, that the amended Notice shall not affect permitted uses and disclosures on which Business Associate relied prior to receiving notice of such amended Notice.
  10. Withdrawal of Authorization. If the use or disclosure of PHI in this Agreement is based upon an Individual's specific authorization for the use or disclosure of his or her PHI, and the Individual revokes such authorization, the effective date of such authorization has expired, or such authorization is found to be defective in any manner that renders it invalid, Business Associate shall, if it has notice of such revocation, expiration, or invalidity, cease the use and disclosure of the Individual's PHI except to the extent it has relied on such use or disclosure, or if an exception under the Privacy Rule expressly applies.
  11. Knowledge of HIPAA Rules. Business Associate agrees to review and understand the HIPAA Rules as they apply to Business Associate, and to comply with the applicable requirements of the HIPAA Rules, as well as any applicable amendments.
  12. Information Breach Notification for PHI. Business Associate expressly recognizes that Covered Entity has certain reporting and disclosure obligations to the Secretary and the Individual in case of a security breach of unsecured PHI.  Where Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured paper or electronic PHI, Business Associate immediately following the discovery of a breach of such information, shall notify Covered Entity of such breach.  Initial notification of the breach does not need to be in compliance with Sub Title D Title IV Section 13402 of the HITECH Act; however, Business Associate must provide Covered Entity with all information necessary for Covered Entity to comply with Sub Title D Title IV Section 13402 of the HITECH Act without reasonable delay, and in no case later than 30 days following the discovery of the breach.  Business Associate shall be liable for the costs associated with such breach if caused by the Business Associate’s negligent or willful acts or omissions, or the negligent or willful acts or omissions of Business Associate’s agents, officers, employees or subcontractors.
  13. Breach Notification to Individuals. Business Associate’s duty to notify Covered Entity of any breach does not permit Business Associate to notify those individuals whose PHI has been breached by Business Associate without the express written permission of Covered Entity to do so. Any and all notification to those individuals whose PHI has been breached shall be made under the direction, review and control of Covered Entity. The Business Associate will notify the Privacy Officer via telephone with follow-up in writing to include: name of individuals whose PHI was breached, information breached, date of breach, form of breach, etc. The cost of the notification will be paid by the Business Associate. [Include language if UT will provide notifications.]
  14. Information Breach Notification for Other Sensitive Personal Information. In addition to the reporting under Section D.11, Business Associate shall notify Covered Entity of any breach of computerized sensitive personal information to assure Covered Entity’s compliance with the notification requirements of Title 11, Subtitle B, Chapter 521, Subchapter A, Section 521.053, Texas Business & Commerce Code. Accordingly, Business Associate shall be liable for all costs associated with any breach caused by Business Associate’s negligent or willful acts or omissions, or those negligent or willful acts or omissions of Business Associate’s agents, officers, employees or subcontractors.

E. Permitted Uses and Disclosures by Business Associates. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in this Business Associates Agreement or in a Master Services Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity. Also, Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with the HIPAA Rules.

  1. Use. Business Associate will not, and will ensure that its directors, officers, employees, contractors and other agents do not, use PHI other than as permitted or required by Business Associate to perform the Services or as required by law, but in no event in any manner that would constitute a violation of the Privacy Standards or Security Standards if used by Covered Entity.

  2. Disclosure. Business Associate will not, and will ensure that its directors, officers, employees, contractors, and other agents do not, disclose PHI other than as permitted pursuant to this arrangement or as required by law, but in no event disclose PHI in any manner that would constitute a violation of the Privacy Standards or Security Standards if disclosed by Covered Entity.

  3. Business Associate acknowledges and agrees that Covered Entity owns all right, title, and interest in and to all PHI, and that such right, title, and interest will be vested in Covered Entity.  Neither Business Associate nor any of its employees, agents, consultants or assigns will have any rights in any of the PHI, except as expressly set forth above.  Business Associate represents, warrants, and covenants that it will not compile and/or distribute analyses to third parties using any PHI without Covered Entity’s express written consent.

F. Application of Security and Privacy Provisions to Business Associate.

  1. Security Measures. Sections 164.308, 164.310, 164.312 and 164.316 of Title 45 of the Code of Federal Regulations dealing with the administrative, physical and technical safeguards as well as policies, procedures and documentation requirements that apply to Covered Entity shall in the same manner apply to Business Associate. Any additional security requirements contained in Sub Title D of Title IV of the HITECH Act that apply to Covered Entity shall also apply to Business Associate. Pursuant to the foregoing requirements in this section, the Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the paper or electronic PHI that it creates, has access to, or transmits. Business Associate will also ensure that any agent, including a subcontractor, to whom it provides such information, agrees to implement reasonable and appropriate safeguards to protect such information. Business Associate will ensure that PHI contained in portable devices or removable media is encrypted.
  2. Annual Guidance. For the first year beginning after the date of the enactment of the HITECH Act and annually thereafter, the Secretary shall annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the sections referred to in subsection (a) and the security standards in subpart C of part 164 of title 45, Code of Federal Regulations. Business Associate shall, at its own cost and effort, monitor the issuance of such guidance and comply accordingly.
  3. Privacy Provisions. The enhanced HIPAA privacy requirements including but not necessarily limited to accounting for certain PHI disclosures for treatment, restrictions on the sale of PHI, restrictions on marketing and fundraising communications, payment and health care operations contained in Subtitle D of the HITECH Act that apply to the Covered Entity shall equally apply to the Business Associate.
  4. Application of Civil and Criminal Penalties. If Business Associate violates any security or privacy provision specified in subparagraphs (1) and (2) above, sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-5) shall apply to Business Associate with respect to such violation in the same manner that such sections apply to Covered Entity if it violates such provisions.

G. Term and Termination.

  1. Term. This Agreement shall be effective as of the Effective Date and shall be terminated when all PHI provided to Business Associate by Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. 
  2. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:

    (a) Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement, whether it is in the form of a stand alone agreement or an addendum to a Master Services Agreement, if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity; or

    (b) Immediately terminate this Agreement, whether it is in the form of a stand alone agreement or an addendum to a Master Services Agreement, if Business Associate has breached a material term of this Agreement and cure is not possible.

  3. Effect of Termination. Upon termination of this Agreement for any reason, Business Associate agrees to return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, maintained by Business Associate in any form. If Business Associate determines that the return or destruction of PHI is not feasible, Business Associate shall inform Covered Entity in writing of the reason thereof, and shall agree to extend the protections of this Agreement to such PHI and limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for so long as Business Associate retains the PHI.

H. Miscellaneous.

  1. Indemnification. To the extent permitted by law, Business Associate agrees to indemnify and hold harmless Covered Entity from and against all claims, demands, liabilities, judgments or causes of action of any nature for any relief, elements of recovery or damages recognized by law (including, without limitation, attorney’s fees, defense costs, and equitable relief), for any damage or loss incurred by Covered Entity arising out of, resulting from, or attributable to any acts or omissions or other conduct of Business Associate or its agents in connection with the performance of Business Associate’s or its agents’ duties under this Agreement.  This indemnity shall apply even if Covered Entity is alleged to be solely or jointly negligent or otherwise solely or jointly at fault; provided, however, that a trier of fact finds Covered Entity not to be solely or jointly negligent or otherwise solely or jointly at fault.  This indemnity shall not be construed to limit Covered Entity’s rights, if any, to common law indemnity.

    Covered Entity shall have the option, at its sole discretion, to employ attorneys selected by it to defend any such action, the costs and expenses of which shall be the responsibility of Business Associate.  Covered Entity shall provide Business Associate with timely notice of the existence of such proceedings and such information, documents and other cooperation as reasonably necessary to assist Business Associate in establishing a defense to such action.

    These indemnities shall survive termination of this Agreement, and Covered Entity reserves the right, at its option and expense, to participate in the defense of any suit or proceeding through counsel of its own choosing.

  2. Mitigation. If Business Associate violates this Agreement or either of the HIPAA Rules, Business Associate agrees to mitigate any damage caused by such breach.
  3. Rights of Proprietary Information. Covered Entity retains any and all rights to the proprietary information, confidential information, and PHI it releases to Business Associate.
  4. Survival. The respective rights and obligations of Business Associate under Section E.3 of this Agreement shall survive the termination of this Agreement.
  5. Notices. Any notices pertaining to this Agreement shall be given in writing and shall be deemed duly given when personally delivered to a Party or a Party's authorized representative as listed below or sent by means of a reputable overnight carrier, or sent by means of certified mail, return receipt requested, postage prepaid.  A notice sent by certified mail shall be deemed given on the date of receipt or refusal of receipt.  All notices shall be addressed to the appropriate Party as follows:

    If to Covered Entity:
    ______________________________
    ______________________________
    ______________________________

    Attn: _________________________

    Phone Number: _________________

    If to Business Associate:
    ______________________________
    ______________________________
    ______________________________

    Attn: _________________________

    Phone Number: _________________

  6. Amendments. This Agreement may not be changed or modified in any manner except by an instrument in writing signed by a duly authorized officer of each of the Parties hereto.  The Parties, however, agree to amend this Agreement from time to time as necessary, in order to allow Covered Entity to comply with the requirements of the HIPAA Rules.
  7. Choice of Law. This Agreement and the rights and the obligations of the Parties hereunder shall be governed by and construed under the laws of the State of ______________ [Insert State], without regard to applicable conflict of laws principles.
  8. Assignment of Rights and Delegation of Duties. This Agreement is binding upon and inures to the benefit of the Parties hereto and their respective successors and permitted assigns.  However, neither Party may assign any of its rights or delegate any of its obligations under this Agreement without the prior written consent of the other Party, which consent shall not be unreasonably withheld or delayed.  Notwithstanding any provisions to the contrary, however, Covered Entity retains the right to assign or delegate any of its rights or obligations hereunder to any of its wholly owned subsidiaries, affiliates or successor companies.  Assignments made in violation of this provision are null and void.
  9. Nature of Agreement. Nothing in this Agreement shall be construed to create (i) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, (ii) any fiduciary duty owed by one Party to another Party or any of its affiliates, or (iii) a relationship of employer and employee between the Parties.
  10. No Waiver. Failure or delay on the part of either Party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof.  No provision of this Agreement may be waived by either Party except by a writing signed by an authorized representative of the Party making the waiver.
  11. Equitable Relief. Any disclosure or misappropriation of PHI by Business Associate in violation of this Agreement will cause Covered Entity irreparable harm, the amount of which may be difficult to ascertain.  Business Associate therefore agrees that Covered Entity shall have the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining Business Associate from any such further disclosure or breach, and for such other relief as Covered Entity shall deem appropriate.  Such rights are in addition to any other remedies available to Covered Entity at law or in equity.  Business Associate expressly waives the defense that a remedy in damages will be adequate, and further waives any requirement in an action for specific performance or injunction for the posting of a bond by Covered Entity.
  12. Severability. The provisions of this Agreement shall be severable, and if any provision of this Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
  13. No Third Party Beneficiaries. Nothing in this Agreement shall be considered or construed as conferring any right or benefit on a person not party to this Agreement nor imposing any obligations on either Party hereto to persons not a party to this Agreement.
  14. Headings. The descriptive headings of the articles, sections, subsections, exhibits and schedules of this Agreement are inserted for convenience only, do not constitute a part of this Agreement and shall not affect in any way the meaning or interpretation of this Agreement.
  15. Entire Agreement. This Agreement, together with all Exhibits, Riders and amendments, if applicable, which are fully completed and signed by authorized persons on behalf of both Parties from time to time while this Agreement is in effect, constitutes the entire Agreement between the Parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, agreements, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof.  In the event of any inconsistencies between any provisions of this Agreement and any provisions of the Exhibits, Riders, or amendments, the provisions of this Agreement shall control.
  16. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules and any applicable state confidentiality laws.  The provisions of this Agreement shall prevail over the provisions of any other agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this Agreement or the HIPAA Rules.
  17. Regulatory References. A citation in this Agreement to the Code of Federal Regulations shall mean the cited section as that section may be amended from time to time.

    Agreed to:

    BUSINESS ASSOCIATE

    By:____________________________
    (Authorized Signature)

    Name:_________________________
    (Type or Print)

    Title:___________________________

    Date:___________________________

    Agreed to:

    COVERED ENTITY

    By:____________________________
    (Authorized Signature)

    Name:_________________________
    (Type or Print)

    Title:___________________________

    Date:___________________________

 
 
 