Required for Healthcare & Dentalcare clients. Please read the full agreement, check all acknowledgments, and sign to continue.
This HIPAA Business Associate Agreement ("Agreement") is entered into as of [Effective Date] ("Effective Date") by and between [Covered Entity Name], a Covered Entity as defined under HIPAA ("Covered Entity"), and AI Genie Solutions, LLC, a Florida limited liability company ("Business Associate").
WHEREAS, Business Associate provides certain automation, AI assistant, and workflow services to Covered Entity that involve the use and/or disclosure of Protected Health Information ("PHI");
WHEREAS, Covered Entity is a "covered entity" as defined in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the regulations promulgated thereunder;
WHEREAS, Business Associate is a "business associate" as defined in HIPAA and the HIPAA Rules; and
WHEREAS, Covered Entity is required under HIPAA to obtain satisfactory assurances that Business Associate will appropriately safeguard PHI it receives, creates, maintains, or transmits on behalf of Covered Entity.
NOW, THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:
1.1 "HIPAA Rules" means, collectively, the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule at 45 C.F.R. Parts 160 and 164.
1.2 "Business Associate" has the meaning set forth at 45 C.F.R. § 160.103.
1.3 "Covered Entity" has the meaning set forth at 45 C.F.R. § 160.103.
1.4 "Protected Health Information" or "PHI" has the meaning set forth at 45 C.F.R. § 160.103, and includes all individually identifiable health information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, in any form or medium.
1.5 "Electronic Protected Health Information" or "ePHI" means PHI transmitted or maintained in electronic media, as defined at 45 C.F.R. § 160.103.
1.6 "Breach" has the meaning set forth at 45 C.F.R. § 164.402.
1.7 "Unsecured PHI" has the meaning set forth at 45 C.F.R. § 164.402.
1.8 "Security Incident" has the meaning set forth at 45 C.F.R. § 164.304.
1.9 "Secretary" means the Secretary of HHS or the Secretary's designee.
1.10 Capitalized terms used but not otherwise defined herein shall have the meanings given to them in the HIPAA Rules.
2.1 Permitted Use and Disclosure. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, as permitted or required by applicable law, or as otherwise authorized in writing by Covered Entity.
2.2 Safeguards. Business Associate shall use appropriate administrative, physical, and technical safeguards, including a risk analysis and risk management program, access controls, and workforce security measures, to prevent the use or disclosure of PHI other than as provided for by this Agreement. With respect to ePHI, Business Associate shall comply with the applicable requirements of the Security Rule at 45 C.F.R. Part 164, Subpart C.
2.3 Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or its employees, agents, or subcontractors in violation of this Agreement or the HIPAA Rules.
2.4 Reporting of Breaches and Security Incidents. Business Associate shall report to Covered Entity any Breach of Unsecured PHI in accordance with 45 C.F.R. § 164.410 and any Security Incident that results in unauthorized access, use, or disclosure of PHI. Such report shall be made without unreasonable delay and in no case later than 30 calendar days after discovery of the Breach or Security Incident. The report shall include, to the extent available, the information required by 45 C.F.R. § 164.410(c), and any additional information reasonably requested by Covered Entity.
2.5 Subcontractors and Agents. Business Associate shall ensure that any subcontractor, agent, or other third party to whom it provides PHI on behalf of Covered Entity agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such PHI, including compliance with the applicable provisions of the HIPAA Rules.
2.6 Access to PHI. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available to Covered Entity, or, at Covered Entity's direction, to the individual who is the subject of the PHI, to meet Covered Entity's obligations under 45 C.F.R. § 164.524, within the time frames required by the HIPAA Rules.
2.7 Amendment of PHI. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate shall make such PHI available for amendment and shall incorporate any amendments as directed by Covered Entity in accordance with 45 C.F.R. § 164.526.
2.8 Accounting of Disclosures. Business Associate shall maintain and, within a reasonable time following Covered Entity's written request, provide to Covered Entity such information as is necessary to permit Covered Entity to provide an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
2.9 Internal Practices, Books, and Records. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity's compliance with the HIPAA Rules. To the extent permitted by law, Business Associate shall promptly notify Covered Entity of any such request.
2.10 Compliance with Law. Business Associate shall comply with the HIPAA Rules and any other applicable federal or state laws and regulations governing the privacy or security of PHI, including any amendments to HIPAA or such laws that affect Business Associate's obligations under this Agreement.
3.1 HIPAA Privacy Training. Business Associate shall provide training on the requirements of the HIPAA Privacy Rule and on Business Associate's related policies and procedures to all members of its workforce who create, receive, maintain, or transmit PHI on behalf of Business Associate, in accordance with 45 C.F.R. § 164.530(b)(1). Business Associate shall document that the training has been provided.
3.2 Security Awareness and Training. Business Associate shall implement a security awareness and training program for all members of its workforce, including management, in accordance with 45 C.F.R. § 164.308(a)(5), including security reminders, protection from malicious software, log-in monitoring, and password management. Business Associate shall document that such training and related security measures have been implemented.
4.1 Services for Covered Entity. Except as otherwise limited by this Agreement or applicable law, Business Associate may use or disclose PHI only as necessary to perform automation and AI workflow services set forth in the underlying service agreement(s) between Covered Entity and Business Associate, using only the minimum necessary PHI required, consistent with 45 C.F.R. § 164.502(b).
4.2 Use for Proper Management and Administration. Business Associate may use PHI for its proper management and administration or to carry out its legal responsibilities, provided that such use is permitted by the HIPAA Rules and applicable law.
4.3 Disclosures for Proper Management and Administration. Business Associate may disclose PHI for its proper management and administration or legal responsibilities, provided that (a) the disclosures are required by law, or (b) Business Associate obtains reasonable assurances from the recipient that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed.
4.4 De-identified Information. Business Associate may de-identify PHI in accordance with 45 C.F.R. § 164.514(a)–(c). PHI that has been properly de-identified is no longer subject to this Agreement, and Business Associate may use such information for any lawful purpose, provided that Business Associate does not attempt to re-identify the information.
4.5 Prohibited Uses and Disclosures. Business Associate shall not sell PHI or use PHI for marketing or fundraising purposes in a manner that would violate the HIPAA Rules, unless expressly authorized in writing by Covered Entity and, if required by law, by the individual whose PHI is used or disclosed.
5.1 Term. This Agreement shall become effective as of the Effective Date and shall remain in effect until terminated in accordance with this Section 5 or the termination or expiration of all underlying service agreement(s), whichever occurs first.
5.2 Termination for Cause. Covered Entity may terminate this Agreement and any related services agreement(s) immediately if it determines that Business Associate has materially breached this Agreement and Business Associate has not cured the breach within 30 days after receiving written notice specifying the nature of the breach, if the breach is reasonably capable of cure. If cure is not possible, Covered Entity may terminate immediately upon written notice.
5.3 Other Termination Rights. Business Associate may terminate this Agreement upon written notice to Covered Entity if Business Associate reasonably determines that continuing to perform under this Agreement would cause Business Associate to violate the HIPAA Rules or other applicable law and the parties are unable, after good faith negotiations, to amend this Agreement to prevent such violation.
5.4 Obligations Upon Termination. Upon termination or expiration of this Agreement for any reason, Business Associate shall, with respect to PHI received from Covered Entity or created, maintained, or received on behalf of Covered Entity: (a) retain only that PHI necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities; (b) return to Covered Entity or, if agreed to by Covered Entity, destroy all remaining PHI in any form; (c) continue to use appropriate safeguards and comply with the HIPAA Rules with respect to such PHI for as long as Business Associate retains it; and (d) not use or disclose such PHI other than for the purposes that make return or destruction infeasible, or as required by law.
5.5 Infeasibility of Return or Destruction. If Business Associate determines that returning or destroying PHI is infeasible, Business Associate shall notify Covered Entity in writing. If Covered Entity agrees, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for as long as Business Associate maintains such PHI.
5.6 Reporting to HHS. If Covered Entity determines that termination of this Agreement is not feasible, Covered Entity shall report the violation to the Secretary in accordance with 45 C.F.R. § 164.504(e)(1)(ii).
6.1 Amendment. The parties agree to amend this Agreement from time to time as required to comply with HIPAA, the HIPAA Rules, and any other applicable law or regulation. Any such amendment shall be in writing and signed by both parties.
6.2 Survival. The respective rights and obligations of the parties under Sections 2, 3, 4, 5.4, 5.5, and this Section 6 shall survive termination or expiration of this Agreement.
6.3 Interpretation. Any ambiguity in this Agreement shall be resolved to permit compliance with the HIPAA Rules. In the event of a conflict between the terms of this Agreement and the terms of any other agreement between the parties, this Agreement shall control with respect to the parties' obligations regarding PHI.
6.4 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Florida, without regard to its conflict-of-law principles, except to the extent preempted by federal law including HIPAA.
6.5 Indemnification. Business Associate shall indemnify, defend, and hold harmless Covered Entity and its directors, officers, employees, and agents from and against any and all claims, damages, fines, penalties, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to (a) Business Associate's breach of this Agreement; or (b) Business Associate's violation of the HIPAA Rules or other applicable law relating to PHI, except to the extent caused by Covered Entity's negligence or willful misconduct.
6.6 Entire Agreement. This Agreement, together with the underlying service agreement(s) between Covered Entity and Business Associate, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, proposals, and communications, whether oral or written, relating to such subject matter.
6.7 Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Signatures provided by electronic or digital means shall be deemed to be original.