SAMPLE HIPAA COMPLIANCE LANGUAGE FOR BUSINESS ASSOCIATE AGREEMENTS/ADDENDUMS
I.
OBLIGATIONS OF VENDOR/CONSULTANT
Section 1.1 Use and Disclosure of Protected Health Information. For the purposes of compliance with the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Vendor's/Consultant's relationship with [covered entity] shall be considered that of Business Associate. As used hereunder, the terms Business Associate, Protected Health Information, use and disclosure shall have the meanings ascribed to them in 45 CFR Section 164.101 and 164.501.
Vendor/Consultant agrees to conduct its business with [covered entity] in accordance with all applicable laws and regulations, including HIPAA and the regulations promulgated thereunder. Vendor/Consultant further agrees to comply with all policies and procedures adopted by [covered entity] related to use and disclosure of Protected Health Information.
Disclosure by [covered entity] to Vendor/Consultant of any Protected Health Information will be made for the sole purpose of helping the [covered entity] carry out its healthcare functions and to allow Vendor/Consultant to complete its contractual obligations to [covered entity]. Protected Health Information will not be used or disclosed by Vendor/Consultant other than as permitted by this Agreement/Addendum or applicable law. Vendor/Consultant may not use any Protected Health Information for any of its purposes or activities not related to the Agreement/Addendum. Vendor/Consultant represents and warrants that it will use Protected Health Information only to complete its obligations pursuant to this Agreement/Addendum, and as may otherwise be required by law.
Section 1.2 Safeguards Against Misuse of Information. Vendor/Consultant covenants, represents and warrants that it will safeguard and protect all Protected Health Information from use and/or disclosure other than as provided by this Agreement/Addendum, and that upon Vendor's/Consultant's learning of any misuse or improper disclosure of such Protected Health Information, Vendor/Consultant will take immediate steps to stop such impermissible use or disclosure and to prevent further dissemination and misuse of such Protected Health Information.
Section 1.3 Reporting of Disclosures of Protected Health Information. Vendor/Consultant further represents and warrants that it will immediately [within # of days?] report to [covered entity] and/or its Compliance Officer any use or disclosure of Protected Health Information not provided for by this Agreement/Addendum of which it becomes aware.
Section 1.4 Agreements by Third Parties. Vendor/Consultant covenants, represents and warrants that its agents, including any subcontractor(s) to whom it may provide Protected Health Information received from, or received or created by Vendor/Consultant on behalf of [covered entity], agree to the same restrictions and conditions that apply to Vendor/Consultant with respect to such Protected Health Information. Vendor/Consultant further agrees it will incorporate in any and all agreement(s) with subcontractor(s) a provision naming [covered entity] as an intended third party beneficiary with respect to the enforcement of, and right to benefit from, the subcontractor's covenants regarding the use and disclosure of Protected Health Information.
Section 1.5 Access to Information. Vendor/Consultant agrees to make available Protected Health Information within [# days] of a request by the [covered entity]. If any individual requests access to Protected Health Information directly from Vendor/Consultant, Vendor/Consultant shall provide such information to the [covered entity]. Any denials of access to the Protected Health Information shall be decided solely by the [covered entity].
Section 1.6 Availability of Books and Records. Vendor/Consultant agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information available to the Secretary of the Department of Health and Human Services for purposes of determining [covered entity's] compliance with HIPAA.
Section 1.7 Availability of Protected Health Information for Amendment. Vendor/Consultant agrees to provide to [covered entity] an individual's Protected Health Information for amendment within [# days] of receipt of a request from [covered entity]. Vendor/Consultant further agrees to incorporate any such amendments to the Protected Health Information in accordance with the requirements of 45 C.F.R. §164.526.
Section 1.8 Accounting of Disclosures. Vendor/Consultant agrees to make available to [covered entity] any information in Vendor's/Consultant's possession that is required for the [covered entity] to make the accounting in accordance with the requirements of 45 C.F.R. §164.528. Within [# days] of receipt of notice by Vendor/Consultant from [covered entity] that it has received a request for an accounting of disclosures of Protected Health Information, other than that related to treatment, operation, health care operators and not relating to disclosures made earlier than six (6) years prior to the date on which the accounting was requested, Vendor/Consultant shall make available such information. If any individual requests an accounting directly to the Vendor/Consultant, Vendor/Consultant shall, within [# days], forward such request to the [covered entity].
II.
TERMINATION OF AGREEMENT
Section 2.1 Termination Upon Breach. This Agreement/Addendum and any other contractual agreement with Vendor/Consultant may be terminated by [covered entity] upon [# days] notice to Vendor/Consultant in the event Vendor/Consultant breaches any provision contained in this Agreement/Addendum and such breach is not cured within such [# days] period; provided however, that in the event such termination is not feasible, in the [covered entity's] sole discretion, Vendor/Consultant hereby acknowledges that [covered entity] shall have the right to report the breach to the Secretary of Health and Human Services.
Section 2.2 Return/Destruction of Protected Health Information. Vendor/Consultant agrees that upon termination of this Agreement/Addendum, Vendor/Consultant shall return or destroy all Protected Health Information received from, or received or created by Vendor/Consultant on behalf of [covered entity], and Vendor/Consultant agrees that it will not maintain copies of such Protected Health Information in any form. The provisions of this Agreement/Addendum regarding uses and disclosures of Protected Health Information shall continue beyond termination of this Agreement/Addendum.
Section 2.3 Right to Cure. At the expense of Vendor/Consultant, [covered entity] shall have the right to cure any breach of Vendor's/Consultant's obligations under this Agreement/Addendum. Vendor/Consultant agrees to cooperate and comply with the efforts by the [covered entity] to cure any such breach.
III.
MISCELLANEOUS
Section 3.1 Effect. This Agreement/Addendum, including all exhibits or other attachments thereto, constitutes the final, complete and exclusive understanding between the parties with respect to the subject matter of this Agreement/Addendum and supersedes any prior or contemporaneous agreement.
Section 3.2 Amendment. No modification, amendment, or waiver of any provision of this Agreement/Addendum will be effective unless in writing and signed by the party to be charged. Vendor/Consultant and [covered entity] agree to amend this Agreement/Addendum to the extent necessary to permit either party to comply with the Privacy Standards (the Standards). Vendor/Consultant agrees to comply with all such Standards and amend this Agreement/Addendum to incorporate any material required by the Standards.
Section 3.3 Indemnification. Vendor/Consultant hereby agrees to indemnify and hold [covered entity] harmless from and against all liability and costs, including attorneys' fees, created by a breach of this Agreement/Addendum by Vendor/Consultant, its agents and subcontractors.