Sample Language for a Business Associate Contract

TO: (name of individual and organization)

FROM: (name of practice)

As you may know, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires us to provide a Business Associate contract to any entity that provides services to our practice that involve patient health information. The purpose is to ensure that the privacy of patient data is secured.

Please review this Business Associate contract and return it to my attention, as follows:

(Name of privacy officer)

(Names and address of practice)

Obligations of Associate

a. Permitted Uses and Disclosures. Associate may use and/or disclose Protected Health Information (PHI) received by Business Associate pursuant to this Agreement.

b. Nondisclosure. Associate shall not use or further disclose Practice’s PHI other than as permitted or required by this Agreement or as required by law.

c. Safeguards. Associate shall use appropriate safeguards to prevent use or disclosure of Practice’s PHI otherwise than as provided for by the Agreement. Associate shall maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the Associate’s operations and the nature and scope of its activities.

d. Reporting of Disclosures. Associate shall report to Practice any use or disclosure of Practice’s PHI other than as provided for by this Agreement of which Associate becomes aware.

e. Associate’s Agents. Associate shall ensure that any agents, including subcontractors, to whom it provides PHI received from (or created or received by Associate on behalf of) Practice agree to the same restrictions and conditions that apply to Associate with respect to such PHI.

f. Availability of Information to Practice. Associate shall make available to Practice such information as Practice may require to fulfill its obligations to provide access to, provide a copy of, and account for disclosures with respect to PHI pursuant to HIPAA and the HIPAA Regulations.

g. Amendment of PHI. Associate shall make Practice’s PHI available to Practice as Practice may require to fulfill its obligations to amend PHI pursuant to HIPAA and the HIPAA Regulations. Associate shall, as directed by Practice, incorporate any amendments to Practice’s PHI into copies of such PHI maintained by Associate.

h. Internal Practices. Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from Practice (or created or received by Associate on behalf of Practice) available to Practice and to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Associate’s compliance with HIPAA and the HIPAA Regulations.

Provided by attorney Reece Hirsch of Sonnenschein Nath & Rosenthal, San Francisco

Conomikes Associates, Inc.
990 Highland Drive, Suite 320
San Diego CA 92075
Phone (800) 421-6512
Fax (858) 720-0437
E-mail: information@conomikes.com

www.conomikes.com