HIPAA Privacy Agreement Form for
Business Associate Contract

Purchase Price: $11.99	(Credit Cards & Paypal Accepted)
Features of this Product or

Click here for more information about our
copyrighted, online questionnaire process.

General Purpose. This agreement is intended to fufil the requirement contained in the final regulations issued by the Department of Health and Human Services ("HHS") in implementation of the Health Insurance Portability and Accountability Act ("HIPAA") that each health care provider covered by the act obtain a written contract with other entities that utilize Protected Health Information ("PHI") obtained from the health care provider (called "Business Associates" in the HHS privacy regulations). The current rule requires covered health providers to obtain contracts from their Business Associates no later than April 14, 2003.

HITECH Act. The "Health Information Technology for Economic and Clinical Health Act" ("HITECH Act") was signed into law on February 17, 2009 and takes effect February 17, 2010. It expands HIPAA privacy and security regulations. The two most important changes in the HITECH Act for business associates of HIPAA covered entities are (a) requirement that business associates comply directly with Security Rule provisions directing implementation of administrative, physical and technical safeguards for electronic protected health information and (b) expanded breach notification rules for both covered entities and their business associates. See ABA article.

Note: This agreement is intended to work as a "side agreement" or collateral agreement--to an existing or pending contract with a Business Associate--that deals solely with HIPAA privacy issues. The form substantially tracts the suggested language issued by the Department of Health and Human Services as guidance: Sample Business Associate Contract from HHS.

Who is a "Covered Entity" under HIPAA? Health plans, health care clearinghouses, and health care providers who engage in an "electronic transaction" (i.e., generally meaning the transmission of any health information in electronic form but see below for complete definition) are "Covered Entities" under HIPAA. Please note that health care providers who do not submit electronic transactions of health care information may still become Covered Entities under this rule when another entity, such as a billing service or a hospital, transmits a standard electronic transactions on their behalf. Please also note that health plans and health care clearinghouses do not need to enter into an "electronic transaction" involving PHI before they can be defined as a "covered entity". Only a health care provider must engage in an "electronic transaction" involving PHI before it becomes a "covered entity".

Therefore, if a medical practice engages in any electronic transaction described above (even only one transaction), then the Privacy Rule of the HIPAA regulations applies to this medical practice. This is the case even if the medical practice uses another entity, such as a billing service or hospital, to transmit an electronic transaction described above. Even though coverage under HIPAA is triggered by use of electronic transactions, the HIPAA Privacy Rule applies to individually identifiable health information in any form, including oral, written and electronic communications.

Who is a "Business Associate" under HIPAA? A Business Associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI. A Business Associate is not a member of the health care provider, health plan, or other covered entity's workforce. A health care provider, health plan, or other covered entity can also be a business associate to another covered entity. The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes - for example, information exchanges between a hospital and physicians with admitting privileges at the hospital.

For more extensive information regarding the HIPAA privacy regulations relative to "Business Associate" contracts, please visit the library section of our site: The HIPAA Privacy Rule: "Business Associates" of "Covered Entities".