SAMPLE BUSINESS ASSOCIATE AGREEMENT AND HHS DESCRIPTION AND COMMENTARY
As Contained in the HHS Final HIPAA Privacy Rules
Sample Business Associate Contract as Amended August 2002
HHS Statement of Intent
The Department provides these sample business associate contract provisions in response to numerous requests for guidance. This is only sample language. These provisions are designed to help covered entities more easily comply with the business associate contract requirements of the Privacy Rule. However, use of these sample provisions is not required for compliance with the Privacy Rule. The language may be amended to more accurately reflect business arrangements between the covered entity and the business associate.
These or similar provisions may be incorporated into an agreement for the provision of services between the entities or they may be incorporated into a separate business associate agreement. These provisions only address concepts and requirements set forth in the Privacy Rule and alone are not sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that are required or typically included in a valid contract. Reliance on this sample is not sufficient for compliance with State law and does not replace consultation with a lawyer or negotiations between the parties to the contract.
Furthermore, a covered entity may want to include other provisions that are related to the Privacy Rule but that are not required by the Privacy Rule. For example, a covered entity may want to add provisions in a business associate contract in order for the covered entity to be able to rely on the business associate to help the covered entity meet its obligations under the Privacy Rule. In addition, there may be permissible uses or disclosures by a business associate that are not specifically addressed in these sample provisions, for example having a business associate create a limited data set. These and other types of issues will need to be worked out between the parties.
Sample Business Associate Contract Provisions
Definitions (alternative approaches)
Catch-all definition:
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule.
Examples of specific definitions:
(a) Business Associate. “Business Associate” shall mean [Insert Name of Business Associate].
(b) Covered Entity. “Covered Entity” shall mean [Insert Name of Covered Entity].
(c) Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR § 164.501 and shall include persons who qualify as a personal representative in accordance with 45 CFR § 164.502(g).
(d) Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
(e) Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
(f) Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.501.
(g) Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
Obligations and Activities of Business Associate
(a) Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.
(b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.
(c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. [This provision may be included if it is appropriate for the Covered Entity to pass on its duty to mitigate damages to a Business Associate.]
(d) Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware.
(e) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
(f) Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner [Insert negotiated terms], to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524. [Not necessary if business associate does not have protected health information in a designated record set.]
(g) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and manner [Insert negotiated terms]. [Not necessary if business associate does not have protected health information in a designated record set.]
(h) Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available [to the Covered Entity, or] to the Secretary, in a time and manner [Insert negotiated terms] or designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
(i) Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
(j) Business Associate agrees to provide to Covered Entity or an Individual, in time and manner [Insert negotiated terms], information collected in accordance with Section [Insert Section Number in Contract Where Provision (i) Appears] of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
Permitted Uses and Disclosures by Business Associate
General Use and Disclosure Provisions [(a) and (b) are alternative approaches]
(a) Specify purposes: Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information on behalf of, or to provide services to, Covered Entity for the following purposes, if such use or disclosure of Protected Health Information would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity: [List Purposes].
(b) Refer to underlying services agreement: Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in [Insert Name of Services Agreement], provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
Specific Use and Disclosure Provisions [only necessary if parties wish to allow Business Associate to engage in such activities]
(a) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
(b) Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(c) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
(d) Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).
Obligations of Covered Entity
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions [provisions dependent on business arrangement]
(a) Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
(c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
Permissible Requests by Covered Entity
Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. [Include an exception if the Business Associate will use or disclose protected health information for, and the contract includes provisions for, data aggregation or management and administrative activities of Business Associate].
Term and Termination
(a) Term. The Term of this Agreement shall be effective as of [Insert Effective Date], and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section. [Term may differ.]
(b) Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:
(1) Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement [and the _________ Agreement/ sections ____ of the ______________ Agreement] if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;
(2) Immediately terminate this Agreement [and the _________ Agreement/ sections ____ of the ______________ Agreement] if Business Associate has breached a material term of this Agreement and cure is not possible; or
(3) If neither termination nor cure are feasible, Covered Entity shall report the violation to the Secretary.
[Bracketed language in this provision may be necessary if there is an underlying services agreement. Also, opportunity to cure is permitted, but not required by the Privacy Rule.]
(c) Effect of Termination.
(1) Except as provided in paragraph (2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
(2) In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon [Insert negotiated terms] that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
Miscellaneous
(a) Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended.
(b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.
(c) Survival. The respective rights and obligations of Business Associate under Section [Insert Section Number Related to “Effect of Termination”] of this Agreement shall survive the termination of this Agreement.
(d) Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule.
HHS Description of August 2002 Revisions
Appendix: Sample Business Associate Contract
March 2002 NPRM. In response to requests for guidance, the Department provided sample language for business associate contracts. The provisions were provided as an appendix to the preamble and were intended to serve as guidance for covered entities to assist in compliance with the business associate provisions of the Privacy Rule. The proposal was not a model contract, but rather was sample language that could be included in a contract.
HHS Explanation of Final Modifications
Appendix: Sample Business Associate Contract
This Rule continues to include sample business associate contract provisions as an appendix to the preamble, because the majority of commenters that addressed this subject found these provisions to be helpful guidance in their compliance efforts with the business associate contract requirements in the Privacy Rule.
The Department has made several changes to the language originally proposed in response to comment. Although these are only sample provisions, the changes, which are described below, should help to clear up some confusion.
First, the Department has changed the name from "model language" to "sample language" to clarify that the provisions are merely sample clauses, and that none are required to be in a business associate contract so long as the contract meets the requirements of the regulation. The sample language continues to indicate, using square brackets, those instances in which a provision or phrase in a provision applies only in certain circumstances or is optional.
The Department has made three modifications in the Obligations and Activities of the Business Associate provisions. First, there are modifications to clarify that the parties can negotiate appropriate terms regarding the time and manner of providing access to protected health information in a designated record set, providing information to account for disclosures of protected health information, and for making amendments to protected health information in a designated record set. Although the language clarifies that the terms are to be negotiated by the Parties, the agreement must permit the covered entity to comply with its obligations under the Privacy Rule.
Second, the Department has amended the sample language regarding review of business associate practices, books, and records to clarify that the contract must permit the Secretary, not the covered entity, to have access to such records, including protected health information, for purposes of determining the covered entity's compliance with the Privacy Rule. The sample language continues to include the option that parties additionally agree that the business associate shall disclose this information to the covered entity for compliance purposes to indicate that this is still an appropriate approach for this purpose. The modifications also clarify that parties can negotiate the time and manner of providing the covered entity with access to the business associate's internal practices, books, and records.
Finally, the Department has modified the sample language to clarify that business associates are only required to notify the covered entity of uses and disclosures of protected health information not provided for by the agreement of which it becomes aware, in order to more closely align the sample contract provisions with the regulation text. The Department did not intend to imply a different standard than that included in the regulation.
The Department has modified the General Use and Disclosure sample language to clarify that there are two possible approaches, and that in each approach the use or disclosure of protected health information by a business associate shall be consistent with the minimum necessary policies and procedures of the covered entity.
The Department has adopted one change to the sample language under Specific Use and Disclosure that clarifies that a permitted specific use of protected health information by the business associate includes reporting violations of law to appropriate Federal and State authorities. This would permit a business associate to use or disclose protected health information in accordance with the standards in § 164.502(j)(1). We indicate that this is optional text, not required by the Privacy Rule. Because we have included this language as sample language, we have deleted discussion of this issue in the statement preceding the sample business associate contract provisions.
Under Obligations of Covered Entity, the Department has clarified that covered entities need only notify business associates of a restriction to the use or disclosure of protected health information in its notice of privacy practices to the extent that such restriction may affect the business associates' use or disclosure of protected health information. The other provisions requiring the covered entity to notify the business associate of restrictions to the use or disclosure of protected health information remain and have been modified to include similar limiting language.
In the Term and Termination provisions, the Department has added clarifying language that indicates that if neither termination nor cure are feasible, the covered entity shall report the violation to the Secretary. We have also clarified that the parties should negotiate how they will determine whether the return or destruction of protected health information is infeasible.
Finally, the Department has clarified the miscellaneous provision regarding interpretation to clarify that ambiguities shall be resolved to permit the covered entity's compliance with the Privacy Rule.
Each entity should carefully analyze each of the sample provisions to ensure that it is appropriate given the specific business associate relationship. Some of the modifications are intended to address some commenters' concerns that the sample language is weighted too heavily in favor of the covered entity. Individual parties are reminded that all contract provisions are subject to negotiation, provided that they are consistent with the requirements in the Privacy Rule. The sample language is not intended to, and cannot, substitute for responsible legal advice.
HHS Response to Comments Received - Published With the August 2002 Revisions
Appendix: Sample Business Associate Contract
The Department received a small number of comments addressing the sample business associate contract provisions. The comments fell into four general categories.
Most commenters were pleased with the Department's guidance for business associate contracts and expressed appreciation for such guidance. There were some commenters that thought the language was insufficient and requested the Department create a complete model contract not just sample provisions.
The third category of commenters thought the provisions went further than the requirements in the regulation and requested specific changes to the sample language. In addition, a few commenters requested that the Department withdraw the sample provisions asserting that they will eliminate the potential of negotiating or establishing a business associate contract that is tailored to the precise requirements of the particular relationship.
Comment: Several commenters noted that the sample language was missing certain required contractual elements, such as an effective date, insurance and indemnification clauses, procedures for amending the contract, as well as other provisions that may be implicated by the Privacy Rule, such as the Electronic Transactions Standards. Some of these commenters requested that the guidance be a complete model contract rather than sample contract provisions so that the covered entity would not need legal assistance.
Response: The Department intentionally did not make this guidance a complete model contract, but rather provided only those provisions specifically tied to requirements of the Privacy Rule. As stated above, this guidance does not substitute for legal advice. Other contract provisions may be dictated by State or other law or by the relationship between the parties. It is not feasible to provide sample contracts that would accommodate each situation. Parties are free to negotiate additional terms, including those that may be required by other laws or regulations.
Comment: Some commenters requested that use of the sample business associate contract language create a safe harbor for an entity that adopts them.
Response: The sample business associate contract provisions are not a safe harbor. Rather, the sample language is intended to provide guidance and assist covered entities in the effort required to enter into a business associate agreement. Use of the sample provisions or similar provisions, where appropriate, would be considered strong evidence of compliance with the business associate contract provisions of the Privacy Rule. However, contracts will necessarily vary based on State law and the relationship between the covered entity and the business associate.
Comment: Some commenters were concerned that the sample provision permitting a covered entity to have access to the practices, books, and records of the business associate would impose an audit requirement on the covered entity.
Response: The sample business associate contract provisions do not impose any additional requirements on covered entities. Only the regulation imposes requirements. Therefore, the inclusion of the provision that the business associate shall allow the covered entity access to the business associate practices, books, and records does not indicate that the Privacy Rule imposes an audit requirement on the covered entity. We have stated numerous times that the Privacy Rule does not require covered entities to monitor the activities of their business associates.
Comment: One commenter noted that the business associate should not be required, under the contract, to mitigate damages resulting from a violation.
Response: We disagree. In order for a covered entity to be able to act as it is required to under the Privacy Rule when a business associate is holding protected health information, the covered entity must require the same activities of the business associate through the contract.
Comment: One commenter noted that the Privacy Rule does not explicitly direct that a covered entity provide its notice of privacy practices to its business associates.
Response: We agree and have modified the language in the sample provision accordingly. However, in order for the business associate to act consistently with the privacy practices of the covered entity, which is required by the Privacy Rule, the parties may find it necessary to require disclosure of these policies. To the extent that parties can craft an alternate approach, they are free to do so.
Comment: One commenter indicated that traditional contract terms such as "term" and "termination" should not be included in the sample language if the Department's intention is to address only those terms required by the Rule.
Response: Because termination of the business associate agreement is specifically addressed in the Privacy Rule, we have retained these provisions in the sample language. As with all other provisions, parties are free to negotiate alternative Term and Termination provisions that meet their unique situations and concerns, provided that they meet the requirements of the Privacy Rule.
Comment: Another commenter indicated that the sample language should not require the return or destruction of protected health information in the possession of subcontractors or agents of the business associate.
Response: We have retained this language as this is consistent with the Privacy Rule. Section 164.504(e)(2)(ii)(D) requires that the business associate contract include a provision that the business associate ensures that any agents, including subcontractors, agree to the same restrictions and conditions as the business associate. Generally, the contract must require the business associate to return or destroy protected health information; therefore, the contract also must require the business associate to have agents and subcontractors do the same. This is reflected in the sample contract language.
Comment: One commenter requested that the sample language include a provision that the covered entity may impose monetary damages on a business associate for violation of its privacy policies.
Response: We have not included such a provision because the Privacy Rule does not address this issue. The Privacy Rule would not prohibit a monetary damages provision from being included in the contract. This, again, is a matter to be negotiated between covered entities and their business associates.
Comment: One commenter suggested that specific references to sections in the Rule be deleted and either replaced by a general statement that the contract shall be interpreted in a manner consistent with the Rule or supplemented with clarifying language with examples.
Response: We believe that using section references is a valid and expeditious approach as it incorporates changes as modifications are made to the Privacy Rule. A business associate contract may take a different approach than using section references to the Privacy Rule.
Comment: One commenter asked that the sample business associate contract provisions be included in the Rule rather than published as an appendix to the preamble so that it will be in the Code of Federal Regulations.
Response: We have published the sample business associate contract provisions as an appendix to the preamble because they are meant as guidance. The sample language shall be available on the Office for Civil Rights web site at www.hhs.gov/ocr/hipaa; and may be updated or revised as necessary.