Business Associate Agreement (BAA)

Business Associate Agreement (BAA)​

Term. This BAA shall remain in effect for the duration of the relationship between the VENDOR and BUSINESS ASSOCIATE, including but not limited to written contracts, verbal agreements and/or undefined business dealings and/or other agreements not specified, and shall apply to all of the Services and/or Supplies delivered by the Business Associate pursuant to this BAA. Notwithstanding Section 9 of this agreement.

HIPAA Assurances. In the event Business Associate creates, receives, maintains, or otherwise is exposed to personally identifiable or aggregate patient or other medical information defined as Protected Health Information (“PHI”) in the Health Insurance Portability and Accountability Act of 1996 or its relevant regulations (“HIPAA”) and otherwise meets the definition of Business Associate as defined in the HIPAA Privacy Standards (45 CFR Parts 160 and 164), Business Associate shall:

2.1. Recognize that HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009) and the regulations thereunder (including 45 C.F.R. Sections 164.308, 164.310, 164.312, and 164.316), apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity;

2.2. Not use or further disclose the PHI, except as permitted by law;

2.3. Not use or further disclose the PHI in a manner that had Insert Clinic Name done so, would violate the requirements of HIPAA;

2.4. Use appropriate safeguards (including implementing administrative, physical, and technical safeguards for electronic PHI) to protect the confidentiality, integrity, and availability of and to prevent the use or disclosure of the PHI other than as provided for by this BAA;

2.5. Comply with each applicable requirement of 45 C.F.R. Part 162 if the Business Associate conducts Standard Transactions for or on behalf of the Covered Entity;

2.6. Report promptly to Insert Clinic Name any security incident or other use or disclosure of PHI not provided for by this BAA of which Business Associate becomes aware;

2.7. Ensure that any subcontractors or agents who receive or are exposed to PHI (whether in electronic or other format) are explained the Business Associate obligations under this paragraph and agree to the same restrictions and conditions;

2.8. Make available PHI in accordance with the individual’s rights as required under the HIPAA regulations;

2.9. Account for PHI disclosures for up to the past six (6) years as requested by Covered Entity, which shall include:

2.9.1. dates of disclosure,

2.9.2. names of the entities or persons who received the PHI,

2.9.3. a brief description of the PHI disclosed, and

2.9.4. a brief statement of the purpose and basis of such disclosure;

2.10. Make its internal practices, books, and records that relate to the use and disclosure of PHI available to the U.S. Secretary of Health and Human Services for purposes of determining Customer’s compliance with HIPAA; and

Termination. Upon Breach of Provisions. Notwithstanding any other provision of this BAA, Covered Entity may immediately terminate this BAA if it determines that Business Associate breaches any term in this BAA. Alternatively, Covered Entity may give written notice to Business Associate in the event of a breach and give Business Associate five (5) business days to cure such breach. Covered Entity shall also have the option to immediately stop all further disclosures of PHI to Business Associate if Covered Entity reasonably determines that Business Associate has breached its obligations under this BAA. In the event that termination of this BAA and the BAA is not feasible, Business Associate hereby acknowledges that the Covered Entity shall be required to report the breach to the Secretary of the U.S. Department of Health and Human Services.

Return or Destruction of Protected Health Information upon Termination. Upon the termination of this BAA, unless otherwise directed by Business Associate the Covered Entity, shall either return or destroy all PHI received from the Covered Entity or created or received by Covered Entity on behalf of the Business Associate in which the Covered Entity maintains in any form. Covered Entity shall not retain any copies of such PHI.

4.1. Notwithstanding the foregoing, in the event that Covered Entity determines that returning or destroying the Protected Health Information is infeasible upon termination of this BAA, Covered Entity shall upon request, provide to Business Associate notification of the condition that makes return or destruction infeasible. To the extent that it is not feasible for Covered Entity to return or destroy such PHI, the terms and provisions of this BAA shall survive such termination or expiration and such PHI shall be used or disclosed solely as permitted by law for so long as Covered Entity maintains such Protected Health Information.

De-Identified Data. Notwithstanding the provisions of this BAA, Business Associate and its subcontractors may disclose non-personally identifiable information provided that the disclosed information does not include a key or other mechanism that would enable the information to be identified.
6. Agreement. Business Associate and Covered Entity agree to amend this Agreement to the extent necessary to allow either party to comply with the Privacy Standards, the Standards for Electronic Transactions, the Security Standards, or other relevant state or federal laws or regulations created or amended to protect the privacy of patient information. All such amendments shall be made in a writing signed by both parties.

Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity to comply with the then most current version of HIPAA and the HIPAA privacy regulations.

Definitions. Capitalized terms used in this BAA shall have the meanings assigned to them as outlined in HIPAA and its related regulations.

Survival. The obligations imposed by this BAA shall survive any expiration or termination of Agreement.

Vista Medical Billing LLC Logo
Phone: (720) 389-5995
admin@vistabillingservices.com
MON-THUR 08:00 - 4:00 MST
2851 S. Parker Rd. Ste 1-0730 Aurora, CO 80014

Contact Us