💡 Plain English Explanation

When a company (the "Business Associate") handles Protected Health Information on behalf of a healthcare provider, health plan, or healthcare clearinghouse (the "Covered Entity"), HIPAA requires a Business Associate Agreement (BAA). This clause establishes the legal framework for how PHI will be handled, safeguarded, and reported in case of breach.

Think of this clause as creating a chain of responsibility. The Covered Entity is directly responsible to patients and regulators for protecting their health information. When they share PHI with a business associate, this clause extends those obligations down the chain, ensuring the business associate is equally bound to protect the data.

Key elements that must be addressed:

Why This Clause Matters

For the Covered Entity: Without a proper BAA, you cannot legally share PHI with a business associate. Even with a BAA in place, you remain responsible for ensuring your business associates comply with HIPAA. A well-drafted clause protects you by clearly establishing the business associate's obligations and your right to audit compliance.

For the Business Associate: This clause defines the scope of your legal obligations. HIPAA violations can result in civil penalties ranging from $100 to $50,000 per violation (with an annual maximum of $1.5 million per violation category) and criminal penalties up to $250,000 and 10 years imprisonment for wrongful disclosure. Understanding your obligations is essential for proper compliance.

For Enforcement Purposes: The Office for Civil Rights (OCR) actively investigates HIPAA violations. Having a comprehensive BAA clause demonstrates good faith compliance efforts and can be critical in defending against enforcement actions.

📄 Clause Versions

Balanced Version: Meets HIPAA requirements while providing reasonable terms for both parties. Includes standard breach notification timelines and audit rights with appropriate notice provisions.

HIPAA BUSINESS ASSOCIATE PROVISIONS

1. Obligations of Business Associate. The Business Associate agrees to:

(a) Use and disclose PHI only as permitted or required by this Agreement or as required by law;

(b) Implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, including compliance with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C);

(c) Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any Security Incident or Breach of Unsecured PHI, within thirty (30) days of discovery;

(d) Ensure that any subcontractors who create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate;

(e) Make available PHI to Covered Entity or individuals as necessary to satisfy Covered Entity's obligations under 45 C.F.R. Section 164.524 (access rights) within fifteen (15) business days of request;

(f) Make PHI available for amendment and incorporate amendments as directed by Covered Entity pursuant to 45 C.F.R. Section 164.526;

(g) Maintain and make available documentation required to provide an accounting of disclosures pursuant to 45 C.F.R. Section 164.528;

(h) Make internal practices, books, and records relating to PHI available to the Secretary of HHS for purposes of determining compliance; and

(i) Upon termination, return or destroy all PHI received from Covered Entity, or created or received on behalf of Covered Entity, that Business Associate still maintains. If return or destruction is not feasible, extend protections of this Agreement indefinitely.

2. Permitted Uses and Disclosures. Business Associate may use and disclose PHI:

(a) As necessary to perform services under the underlying service agreement;
(b) For Business Associate's proper management and administration; and
(c) To provide Data Aggregation services relating to the health care operations of Covered Entity.

3. Term and Termination. The provisions of this section shall survive termination of the Agreement for so long as Business Associate retains any PHI.

Disclosing Party Favor (Covered Entity): Enhanced protections including shorter breach notification timelines, broad audit rights, indemnification, and specific security requirements. Use when the Covered Entity needs maximum control and protection.

HIPAA BUSINESS ASSOCIATE PROVISIONS

1. Obligations of Business Associate. The Business Associate shall:

(a) Use PHI solely and exclusively for the purposes expressly authorized by this Agreement and shall not use or disclose PHI for any other purpose, including but not limited to marketing, fundraising, or research, without prior written consent of Covered Entity;

(b) Implement and maintain a comprehensive information security program including administrative, physical, and technical safeguards that meet or exceed:
    (i) All requirements of the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C);
    (ii) Industry best practices as defined by NIST Cybersecurity Framework;
    (iii) SOC 2 Type II certification for systems handling PHI; and
    (iv) Annual penetration testing by qualified third parties;

(c) Report to Covered Entity any suspected or confirmed Security Incident, Breach, or unauthorized access to PHI within twenty-four (24) hours of discovery, including:
    (i) Identification of each individual whose PHI was or may have been accessed;
    (ii) Description of the nature and extent of the PHI involved;
    (iii) Actions taken to investigate and mitigate; and
    (iv) Proposed corrective actions to prevent future incidents;

(d) Bear all costs associated with breach notification, credit monitoring, identity theft protection, regulatory fines, and any remediation required as a result of a breach caused by Business Associate;

(e) Maintain cyber liability insurance with minimum coverage of $5,000,000 per occurrence and $10,000,000 aggregate, naming Covered Entity as additional insured;

(f) Permit Covered Entity to conduct audits of Business Associate's security practices upon five (5) business days' notice, and immediately upon notice in the event of a suspected breach;

(g) Ensure all workforce members with access to PHI complete HIPAA training annually and sign confidentiality agreements;

(h) Not engage any subcontractor to handle PHI without prior written approval of Covered Entity; and

(i) Indemnify, defend, and hold harmless Covered Entity from any claims, damages, penalties, or expenses arising from Business Associate's violation of HIPAA or breach of this Agreement.

2. Termination Rights. Covered Entity may immediately terminate this Agreement if:
(a) Business Associate breaches any material term of this section;
(b) Business Associate fails to cure any violation within fifteen (15) days of notice; or
(c) Covered Entity determines that Business Associate's practices pose an unreasonable risk to PHI.

3. Return of PHI. Upon termination or request by Covered Entity, Business Associate shall return all PHI within fifteen (15) days and provide written certification of destruction of all copies.

Receiving Party Favor (Business Associate): Meets minimum HIPAA requirements while providing reasonable operational flexibility. Includes longer cure periods, limitations on audit scope, and balanced risk allocation.

HIPAA BUSINESS ASSOCIATE PROVISIONS

1. Obligations of Business Associate. The Business Associate agrees to:

(a) Use and disclose PHI only as permitted by this Agreement, as required by law, or as authorized in writing by Covered Entity, provided that such use or disclosure would not violate HIPAA if done by Covered Entity;

(b) Implement reasonable and appropriate safeguards to protect PHI, taking into account:
    (i) The size, complexity, and capabilities of Business Associate;
    (ii) Business Associate's technical infrastructure and security capabilities;
    (iii) The costs of security measures; and
    (iv) The probability and criticality of potential risks to PHI;

(c) Report to Covered Entity any Breach of Unsecured PHI (as defined in 45 C.F.R. Section 164.402) within sixty (60) days of discovery. For purposes of this provision, "discovery" means the date on which Business Associate's privacy or security officer has actual knowledge of the Breach;

(d) Ensure that subcontractors who handle PHI agree to substantially similar restrictions, provided that Business Associate shall not be liable for the acts or omissions of subcontractors beyond Business Associate's negligent selection or supervision;

(e) Make PHI available for access, amendment, and accounting as required by HIPAA, within thirty (30) days of Covered Entity's written request;

(f) Cooperate with Covered Entity's reasonable compliance efforts.

2. Limitations on Obligations.

(a) Business Associate's obligations under this section shall be limited to PHI that Business Associate actually receives from Covered Entity or creates on behalf of Covered Entity;

(b) Business Associate shall not be required to implement safeguards that exceed those required by the HIPAA Security Rule;

(c) Covered Entity's audit rights shall be limited to one (1) audit per calendar year upon thirty (30) days' written notice, during normal business hours, and at Covered Entity's expense;

(d) Business Associate shall not be liable for unauthorized disclosures resulting from:
    (i) Covered Entity's failure to provide accurate or complete information;
    (ii) Actions of Covered Entity's workforce or agents; or
    (iii) Force majeure events beyond Business Associate's reasonable control.

3. Mutual Cooperation. Both parties agree to cooperate in good faith to address any HIPAA compliance issues and to amend this Agreement as necessary to comply with changes in HIPAA regulations.

4. Limitation of Liability. In no event shall Business Associate's liability under this section exceed the fees paid by Covered Entity under this Agreement during the twelve (12) months preceding the claim, except for claims arising from Business Associate's gross negligence or willful misconduct.

💬 Key Considerations