HIPAA Business Associate Agreement Template
This is a Business Associate Agreement / Contract Addendum template for the requirements of the HITECH Act of 2009 in Microsoft Word format. Use it as a starting point and customize to meet the requirements for your business associates agreements.
The HIPAA-HITECH-Omnibus Security rule standard 164.308(b)(1) Business Associate (BA) Contracts and Other Agreements states:
“(1) A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information”
The importance of a Business Associate Agreement (BAA) can be demonstrated by two examples from 2016.
First, in April 2016, an orthopedic clinic in Raleigh, NC agreed to a settlement of $750,000 with the Office for Civil Rights of the Department of Health and Human Services (OCR). This sanction was levied against the Raleigh-based clinic for disclosing protected health information (PHI) to a third party without a fully executed BAA.
Our second example takes an OCR sanction a step further than a BAA. In March of 2016, a healthcare system in Minnesota agreed to a settlement of $1.55 million with the OCR for both failing to enter into a BAA and failing to properly complete a risk analysis of a third party's vulnerabilities that could expose PHI to unauthorized viewers.
ComplyAssistant’s updated BAA is one of the free tools we offer to website visitors in order to assist in their compliance needs. Our goal is to institute a “culture of compliance” in each of our client organizations and the use of an updated BAA is an important part of the compliance evolution.
We also offer automated and managed solutions
In addition to our free BAA, ComplyAssistant also offers a full turn-key solution for assessing a CE’s BAs using our compliance management portal. See our healthcare compliance software page for further information.
Other free tools
HIPAA Privacy and Security Officer Job Descriptions
HIPAA Privacy and Security Proactive Audits Tool Kit
Business Associate Inventory Spreadsheet
Medical Device Security Assessment Sample
HIPAA-HITECH Privacy and Security Reminders for the Workforce
HIPAA Facility Security Walkthrough Checklist