
Business Associate Agreement Template

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement is entered into by and between <Name of Institution> and Purdue University (“Business Associate”) (each “Party”, collectively “Parties”).

The Parties have, or desire to enter into, a business relationship by which the Business Associate receives, uses and/or discloses Protected Health Information (“PHI”) in its performance of the services to <Name of Institution>.  This Agreement sets forth the obligations and agreements of the Parties relating to compliance with HIPAA Laws (defined below).  This Agreement applies to all PHI created or received by Business Associate from <Name of Institution> or from another person or entity on behalf of <Name of Institution>, and governs how such PHI may be used or disclosed.

The Parties hereby agree as follows:

1.         PERMITTED USES AND DISCLOSURES OF PHI

1.1       Business Associate shall be permitted to use and/or disclose PHI created or received on behalf of <Name of Institution> for all purposes necessary to provide the services and to perform its obligations for <Name of Institution>, provided that said use and/or disclosure complies with the requirements of this Agreement and HIPAA Laws.  Business Associate agrees that the requirements of the HIPAA Laws apply to Business Associate and to Business Associate’s subcontractors and agents to the same extent that they apply to a covered entity under HIPAA.  Any uses or disclosures of PHI by Business Associate or its subcontractors or agents must be limited, to the extent practicable, to the Limited Data Set or, if needed to accomplish the purposes of this Agreement, to the minimum necessary to accomplish the intended purpose of such use or disclosure.

1.2       Subject to paragraph 1.1, Business Associate may use PHI created or received by Business Associate from or on behalf of <Name of Institution> if necessary, for the proper management and administration of Business Associate and to fulfill any current or future legal responsibilities of Business Associate.

1.3       Subject to paragraph 1.1, Business Associate may disclose PHI created or received by Business Associate on behalf of <Name of Institution> if necessary, for the proper management and administration of Business Associate and to fulfill any current or future legal responsibilities of Business Associate, provided:

1.3.1    The disclosure is Required by Law, or

1.3.2    Business Associate obtains satisfactory assurances from the person or entity to whom the PHI is disclosed that (i) the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person or entity; and (ii) the Business Associate will be notified of any instances of which the person is aware in which the confidentiality of the information is breached.

1.3.3    Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an individual unless Business Associate has obtained from the individual a valid authorization that includes specification of whether the PHI can be further exchanged for remuneration by the Business Associate.

2.         RESPONSIBILITIES OF BUSINESS ASSOCIATE WITH RESPECT TO PHI

2.1       Business Associate agrees not to use or disclose PHI except as expressly permitted by this Agreement, HIPAA Laws, or as Required by Law.

2.2       Business Associate hereby agrees to maintain the security and privacy of all PHI in a manner consistent with HIPAA Laws, and Business Associate further agrees to use appropriate safeguards and security procedures to prevent use or disclosure of PHI not permitted by this Agreement.

2.3       Business Associate shall require all of its subcontractors and agents that receive or use, or have access to, PHI under this Agreement to comply with HIPAA Laws and to agree, in writing, to adhere to the same restrictions and conditions on the use or disclosure of PHI that apply to the Business Associate pursuant to this Agreement.

2.4       Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528.

2.5       Business Associate agrees to report to <Name of Institution> any unauthorized use or disclosure of PHI by Business Associate or its workforce, agents or subcontractors and the remedial action taken or proposed to be taken with respect to such use or disclosure in accordance with the specific provisions of Section 2.9.

2.6       Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from <Name of Institution>, or created or received by Business Associate on behalf of <Name of Institution>, available to the Secretary of the United States Department of Health and Human Services, if requested for purposes of determining <Name of Institution> compliance with HIPAA.

2.7       Upon receipt of a written request and in the time and manner designated by the <Name of Institution>, Business Associate shall allow a person who is the subject of PHI, such person’s legal representative, or <Name of Institution> to have access to and to copy such person’s PHI maintained by Business Associate in a Designated Record Set in order to meet the requirements under 45 CFR §164.524 if a Business Associate has PHI in a Designated Record Set. Business Associate shall provide PHI in the format requested by such person, legal representative, or practitioner unless it is not readily producible in such format, in which case Business Associate will produce the material in a mutually agreeable format.  If no format is feasible or agreeable, it shall be produced in standard hard copy format.  Business Associate acknowledges that HITECH requires <Name of Institution> and Business Associate to provide electronic health records to the individual in electronic format, and Business Associate agrees that to the extent applicable, Business Associate will produce any PHI in electronic format in a manner requested by <Name of Institution> or by the individual who has made the request.

2.8       Within ten (10) days of a written request by <Name of Institution>, Business Associate shall make available to <Name of Institution> PHI received from or on behalf of <Name of Institution> for amendment in accordance with 45 C.F.R. § 164.526.  Business Associate further agrees to make such amendment to PHI as directed by <Name of Institution> within thirty (30) days of a written request by Company.

2.9       Business Associate shall implement appropriate administrative, physical and technical safeguards in order to preserve the confidentiality, integrity and availability of all PHI and to prevent any unauthorized use or disclosure of PHI, or any successful breach or security incident involving said PHI.  Business Associate shall further:

2.9.1    Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic PHI that it creates, receives, maintains, or transmits on behalf of <Name of Institution>, as required by 45 C.F.R. § 164.314 of the Security Regulations.

2.9.2    Require all of its subcontractors and agents that receive, use or have access to PHI to implement reasonable and appropriate security safeguards to protect it from unauthorized use or disclosure, and to report any improper use or disclosure of PHI.

2.9.3    Report to the <Name of Institution> any security incident involving PHI of which Business Associate becomes aware as soon as reasonably practicable.

3.         OBLIGATIONS OF <Name of Institution>

3.1       <Name of Institution> shall notify Business Associate of any limitation(s) in its notice of privacy practices of <Name of Institution> in accordance with 45 CFR §164.520, to the extent that such limitation may affect a Business Associate's use or disclosure of PHI.

3.2       <Name of Institution> shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect a Business Associate's use or disclosure of PHI.

3.3       <Name of Institution> shall notify Business Associate of any restriction to the use or disclosure of PHI that <Name of Institution> has agreed to, to the extent that such restriction may affect a Business Associate's use or disclosure of PHI.

3.4       <Name of Institution> shall use reasonable and appropriate safeguards to maintain and ensure the confidentiality, privacy, and security of the PHI transmitted to or received from the Business Associate.

4.         TERM AND TERMINATION

4.1       This Agreement shall commence as of the date first signed below, and the obligations set forth in this Agreement shall continue in effect as long as Business Associate uses, discloses, creates, receives or otherwise possesses any PHI created or received from or on behalf of <Name of Institution> and until all such PHI is destroyed or returned to <Name of Institution> pursuant to the terms of this Agreement.

4.2       <Name of Institution> may immediately terminate this Agreement if <Name of Institution> determines that the Business Associate has breached a material term of this Agreement.  Alternatively, <Name of Institution> may choose to: (i) provide Business Associate an opportunity to cure said alleged material breach to the satisfaction of <Name of Institution>.  Business Associate’s failure to cure shall be grounds for immediate termination of this Agreement.

4.3       Upon termination of this Agreement, Business Associate shall return or destroy, by rendering the PHI unusable, unreadable or undecipherable or beyond the ability to recover, all PHI received from <Name of Institution>, or created or received by Business Associate on behalf of <Name of Institution> and that Business Associate maintains in any form, and Business Associate shall retain no copies of such information.  If Business Associate determines that return or destruction of PHI is not feasible, Business Associate shall continue to maintain the security and privacy of such PHI in a manner consistent with the obligations of this Agreement and as required by applicable law, and shall limit further use of the information to those purposes that make the return or destruction of the information infeasible.  The duties hereunder to maintain the security and privacy of PHI shall survive the termination of this Agreement.

5.         AMENDMENT TO AGREEMENT

The Parties agree to take such action necessary to amend this Agreement from time to time as is necessary for <Name of Institution> to comply with all laws and regulations bearing on the subject matter of this Agreement.

6.         NO THIRD PARTY BENEFICIARIES

Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or permitted assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.

7.         GOVERNING LAW

This Agreement shall be governed by, and construed in accordance with, Federal law.

8.         LIMITATION OF LIABILITY

NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND OR NATURE, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES.

9.         DEFINITIONS

9.1       HIPAA Laws.  “HIPAA Laws” for purposes of this Agreement shall mean the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164, and the Security Regulations (45 C.F.R. Parts 160, 162, and 164), promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), the Omnibus Rule of 2013 (“Omnibus Rule”), and the Indiana statutes governing social security numbers, I.C. 4-1-10-1 et seq. and I.C. 4-1-11-1 et seq.

9.2       Limited Data Set.  "Limited Data Set" shall have the meaning set out in 45 C.F.R. § 164.514 (e)(2), as amended from time to time.

9.3       PHI.  "PHI" shall have the meaning set out in 45 C.F.R. §160.103, as amended or revised from time to time.  The term shall also include any social security numbers provided or made available to Business Associate.

9.4       Required by Law.  "Required by Law" shall have the meaning set forth in 45 C.F.R. §164.103, as amended or revised from time to time.

<INSTITUTION NAME>                                  PURDUE UNIVERSITY
                                                    BUSINESS ASSOCIATE

By: __________________________________              By: _____________________________

Print Name: ___________________________             Print Name: ______________________

Print Title: ___________________________            Print Title: ______________________

Date: ________________________________              Date: ___________________________

Version Date 10/09/15