This is only sample language, and use of these samples is not required to comply with the HIPAA Rules. The language may be changed to more accurately reflect the business arrangements between a covered entity and a business associate, or between a business associate and a subcontractor. In addition, these provisions, or other similar provisions, may be included in a service agreement between a covered entity and a business associate, or between a business associate and a subcontractor, or may be included in a separate business associate agreement. These provisions address only the concepts and requirements set out in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, and may not be sufficient on their own to result in a binding contract under state law. They do not contain many of the formalities and material provisions necessary or typically contained in a valid contract. Reliance on this sample may not be sufficient to comply with state law and does not replace consultation with a lawyer or negotiation between the parties.

If PHI held under the responsibility of the business associate is accessed by persons who are not entitled to view the information, the business associate is required to inform the covered entity of the breach and possibly to send notifications to the persons whose PHI has been compromised. The timing and responsibilities of notifications should be set out in the agreement. While it may seem reasonable to require a short period of time for reporting a violation, remember that the BA may not be aware of the violation until a few days after the event.
[The agreement could also provide that the business associate could, in the event of termination, transmit the protected health information to another business associate of the covered entity and/or add conditions relating to the obligations of a business associate to obtain or insure protected health information produced, received or maintained by subcontractors.]

Direct employees of your organization do not need to sign a BAA, as they are part of your organization and are not considered business associates. This means that they are still covered by HIPAA laws. As an employer, you are responsible for training your employees on how to maintain the integrity and sanctity of protected health information.

In the event of termination of this Agreement for any reason, the business associate shall return to the covered entity any protected health information obtained from the covered entity, or created, maintained or received by the business associate on behalf of the covered entity [or, if approved by the covered entity], that it still maintains in any form.