Sample Business Associate Agreement
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("BAA") is entered into on [DATE], by and between:
InfluxMD Inc. ("Business Associate"), a company providing HIPAA-compliant AI chatbot services, and
[CLIENT NAME] ("Covered Entity"), a healthcare provider, health plan, or healthcare clearinghouse under HIPAA.
1. Definitions
Terms used but not otherwise defined in this BAA shall have the same meaning as those terms in the HIPAA Rules.
2. Obligations and Activities of Business Associate
Business Associate agrees to:
- Not use or disclose Protected Health Information (PHI) other than as permitted or required by this BAA or as required by law;
- Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this BAA;
- Report to Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware, including breaches of unsecured PHI as required by 45 CFR 164.410;
- In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information;
- Make available PHI in a designated record set to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524;
- Make any amendment(s) to PHI in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526;
- Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528;
- To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s);
- Make its internal practices, books, and records available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
3. Permitted Uses and Disclosures by Business Associate
- Business Associate may use or disclose PHI only as necessary to perform the services set forth in the Service Agreement between the parties;
- Business Associate may use or disclose PHI as required by law;
- Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity's minimum necessary policies and procedures;
- Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.
4. Specific Use and Disclosure Provisions for AI Chatbot Services
- Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate;
- Business Associate may use PHI to provide data aggregation services relating to the health care operations of the Covered Entity;
- Business Associate may use PHI to create de-identified health information in accordance with 45 CFR 164.514(a)-(c) for the purpose of improving its AI chatbot services;
- Business Associate shall ensure that its AI chatbot does not store or retain PHI beyond what is necessary for the immediate interaction, unless explicitly authorized by the Covered Entity.
5. Term and Termination
- Term: This BAA shall be effective as of [START DATE] and shall terminate on [END DATE] or on the date Covered Entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
- Termination for Cause: Covered Entity may terminate this BAA and the Service Agreement if Covered Entity determines Business Associate has violated a material term of the BAA.
- Obligations of Business Associate Upon Termination: Upon termination of this BAA for any reason, Business Associate shall return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI received from Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
6. Miscellaneous
- Regulatory References: A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
- Amendment: The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
- Interpretation: Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.
IN WITNESS WHEREOF, the parties hereto have duly executed this BAA as of the BAA Effective Date.
InfluxMD Inc. (Business Associate)
By: ____________________________
Name: _________________________
Title: __________________________
Date: __________________________
[CLIENT NAME] (Covered Entity)
By: ____________________________
Name: _________________________
Title: __________________________
Date: __________________________