Business Associate Agreement (BAA)
Effective Date: August 26, 2024
This Business Associate Agreement (“Agreement”) is entered into by and between Therapy Insights Practice (“Covered Entity”) and all clients and clinicians and vendors (“Business Associate”) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), to ensure the protection of Protected Health Information (PHI) handled by Business Associate on behalf of Covered Entity.
1. Definitions
Protected Health Information (PHI): Shall have the same meaning as defined in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
2. Obligations and Activities of Business Associate
Business Associate agrees to:
Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
Use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent unauthorized use or disclosure of PHI.
Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 CFR § 164.410, and any security incident of which it becomes aware.
Ensure that any subcontractors who create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
Make PHI available to Covered Entity as necessary to fulfill the obligations under 45 CFR § 164.524, and for amendment requests under 45 CFR § 164.526.
Make internal practices, books, and records related to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for purposes of determining Covered Entity’s compliance with HIPAA.
Document disclosures of PHI and related information to comply with 45 CFR § 164.528 and provide an accounting of such disclosures to Covered Entity or the individual when requested.
3. Permitted Uses and Disclosures by Business Associate
Business Associate may use or disclose PHI only as necessary to perform the services specified in any Service Agreement with the Covered Entity.
Business Associate may use or disclose PHI as required by law.
Business Associate agrees to follow Covered Entity’s minimum necessary policies when using or disclosing PHI.
Business Associate may use PHI for its proper management and administration, or to carry out legal responsibilities, provided that such disclosures are either required by law or Business Associate obtains reasonable assurances from the recipient to protect the confidentiality of the information.
4. Term and Termination
Term: This Agreement is effective as of August 26, 2024, and shall remain in effect until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is returned, destroyed, or otherwise protected as required under this Agreement.
Termination for Cause: Covered Entity may terminate this Agreement upon becoming aware of a material breach by Business Associate. Covered Entity shall provide an opportunity for Business Associate to cure the breach, or terminate the Agreement if the breach is not cured within the time specified by Covered Entity.
Effect of Termination:
Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity, or created on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend protections to such PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for as long as Business Associate maintains the PHI.
5. Miscellaneous
Regulatory References: References to HIPAA, the HIPAA Regulations, or the HITECH Act in this Agreement refer to the respective sections as currently in effect or as amended.
Amendment: The Parties agree to amend this Agreement as necessary to ensure compliance with changes to the HIPAA Regulations or other applicable laws.
Interpretation: Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the HIPAA Regulations.
IN WITNESS WHEREOF, the parties have duly executed this Business Associate Agreement as of the day and year first above written.
Covered Entity:
Therapy Insights Practice, LLC
330 W. 38th Street, Suite 705
New York, NY 10018