HIPAA Compliance Program, Compliance Office 210-567-2014, Compliance Line 1-800-500-0333
 

Sample Business Associate Agreement With Entities That Provide Document Copying or Destruction Services

 

NOTE: The Office of Legal Affairs recommends this agreement/contract state what "protected health information" (PHI) will be shared among the entities, and include a specific statement of how PHI will be used, how it will be transmitted and to whom. All agreements/contracts must be reviewed by the Office of Legal Affairs. The Office of Legal Affairs may be contacted at (210) 567-2020 to assist you with any questions.




This Business Associate Agreement (the "Agreement"), is made as of the ____ day of ______, 20__ (the "Effective Date"), by and between _________________________ ("Covered Entity") and ____________________________ ("Company") (collectively the "Parties") in order to comply with the federal Standards for Privacy of Individually Identifiable Health Information, located at 45 C.F.R. parts 160 and 164 ("HIPAA" or the "Privacy Rule").

RECITALS

WHEREAS, Covered Entity desires to engage Company to provide [document destruction] or [document copying] services;

WHEREAS, in connection with these services, Company will have access to PHI that is subject to protection under the Privacy Rule; and

WHEREAS, the purpose of this Agreement is to comply with the requirements of the Privacy Rule.

NOW THEREFORE, the Parties agree as follows:

    1.1 Definitions. Terms used herein, but not otherwise defined, shall have the meaning ascribed by the Privacy Rule.

    1.1.1 Designated Record Set. "Designated Record Set" shall mean a group of records maintained by or for a covered entity (as defined by the Privacy Rule), that is: (i) the medical records and billing records about individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for a covered entity to make decisions about individuals. For purposes of this definition, the term "record" means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

    1.1.2 Protected Health Information ("PHI"). "Protected Health Information" or "PHI" shall mean individually identifiable health information that is transmitted or maintained in any form or medium.

    1.1.3 Required by Law. "Required by Law" shall mean a mandate contained in law that compels a use or disclosure of PHI.

    1.1.4 Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her Designee.


    1.2 Obligations of Company. Company agrees to comply with applicable federal and state confidentiality and security laws, specifically the provisions of the Privacy Rule, including:

    1.2.1 Use and Disclosure of PHI. Except as otherwise permitted by this Agreement or applicable law, Company agrees to keep all PHI disclosed by Covered Entity to Company confidential, and agrees not to use or disclose such PHI except as necessary to provide services to Covered Entity. Provided, however, Company may use and disclose PHI as Required by Law.

    1.2.2 Disclosure to Agents and Subcontractors. Company shall not disclose PHI to any other person or entity in order to facilitate Company's provision of services under this Agreement without first receiving written authorization from Covered Entity. If, after receiving written permission from Covered Entity, Company discloses the PHI to any other person or entity in order to facilitate Company's provision of services under this Agreement, Company shall ensure that such persons or entities agree to the same restrictions and conditions as apply to Company under this Agreement.

    1.2.3 Notification. Company agrees to notify Covered Entity of any instances of which it is aware in which the confidentiality of the PHI has been breached.

    1.2.4 Safeguards. Company shall maintain appropriate safeguards to ensure that PHI is not used or disclosed other than as provided by this Agreement or as Required by Law.

    1.2.5 Individual Rights Regarding Designated Record Sets. Company agrees, upon the direction of Covered Entity, to make such Designated Record Set available to Covered Entity to allow Covered Entity to comply with its obligations regarding an individual's rights to copy or inspect PHI (45 C.F.R. § 164.524); and amend PHI (45 C.F.R. § 164.526).

    1.2.6 Accounting of Disclosures of PHI. It is not anticipated that Company will make any disclosures of PHI. However, to the extent that Company does disclose PHI, Company agrees to maintain documentation of the information required to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, and to make this information available to Covered Entity upon request.

    1.2.7 Internal Practices, Policies and Procedures. Company shall make available to Secretary its internal practices, policies and procedures relating to the use and disclosure of PHI received from Covered Entity. Company shall notify Covered Entity prior to making such records available to Secretary.

    1.3 Term and Termination.

    1.3.1 Term. This Agreement shall be effective as of the Effective Date and shall remain in effect for so long as Company receives PHI from Covered Entity or retains PHI on Company's behalf.

    1.3.2 Termination for Breach. If Company breaches any provision in this Agreement, Covered Entity may terminate this Agreement on a date specified by Covered Entity.

    1.3.3 Effect of Termination. Upon termination of this Agreement, Company agrees to return all PHI received from Covered Entity, maintained by Company in any form.

    1.4 Miscellaneous.

    1.4.1 Notices. Any notices pertaining to this Agreement shall be given in writing and shall be deemed duly given when personally delivered to a Party or a Party's authorized representative as listed below or sent by means of a reputable overnight carrier, or sent by means of certified mail, return receipt requested, postage prepaid. A notice sent by certified mail shall be deemed given on the date of receipt or refusal of receipt. All notices shall be addressed to the appropriate Party as follows:

    If to Covered Entity:
    __________________________
    __________________________
    __________________________
    __________________________

    If to Company:
    __________________________
    __________________________
    __________________________
    __________________________

    1.4.2 Nature of Agreement. Nothing in this Agreement shall be construed to create (i) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, (ii) any fiduciary duty owed by one Party to another Party or any of its affiliates, or (iii) a relationship of employer and employee between the Parties.

    1.4.3 No Third Party Beneficiaries. Nothing in this Agreement shall be considered or construed as conferring any right or benefit on a person not party to this Agreement nor imposing any obligations on either Party hereto to persons not a party to this Agreement.


    Agreed to:

    COMPANY

    By:____________________________
    (Authorized Signature)

    Name:_________________________
    (Type or Print)

    Title:___________________________
    Date:___________________________

    Agreed to:

    COVERED ENTITY

    By:____________________________
    (Authorized Signature)

    Name:_________________________
    (Type or Print)

    Title:___________________________
    Date:_____________________

    Copyright © Vinson & Elkins L.L.P. 2003