Business Associate Agreement
This BAA governs the relationship between your practice (Covered Entity) and Sentinel Health Compliance, LLC (Business Associate) under HIPAA regulations.
This Business Associate Agreement (“Agreement”) is entered into by and between the healthcare practice or organization identified below (“Covered Entity”) and Sentinel Health Compliance, LLC, a California limited liability company with EIN 41-3548003, located in Sacramento, CA (“Business Associate”), collectively referred to as the “Parties.”
This Agreement is made pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, the “HIPAA Rules”).
1. Definitions
Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules. “Protected Health Information” or “PHI” means any information, including electronic PHI (“ePHI”), that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity and that relates to: (a) the past, present, or future physical or mental health condition of an individual; (b) the provision of health care to an individual; or (c) the payment for the provision of health care to an individual, and that identifies the individual or could reasonably be used to identify the individual.
2. Permitted Uses and Disclosures of PHI
Business Associate may use or disclose PHI only as permitted or required by this Agreement or as required by law. Specifically, Business Associate may:
(a) Use or disclose PHI to perform functions, activities, or services for or on behalf of Covered Entity as specified in the underlying service agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.
(b) Use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that the disclosures are required by law or Business Associate obtains reasonable assurances from any third party that the information will be held confidentially.
(c) Use PHI to provide data aggregation services relating to the health care operations of Covered Entity, as permitted by 45 CFR 164.504(e)(2)(i)(B).
(d) De-identify PHI in accordance with 45 CFR 164.514(a)-(c) and use such de-identified data for any lawful purpose.
3. Obligations of Business Associate — Safeguards
Business Associate shall:
(a) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI, as required by 45 CFR Part 164, Subpart C.
(b) Not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
(c) Use appropriate safeguards and comply with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
(d) Implement and maintain encryption of all ePHI at rest and in transit using AES-256 or equivalent standards. All systems processing PHI shall maintain audit logging, access controls, and automatic session termination.
4. Breach Notification
(a) Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including any Breach of Unsecured PHI as required by 45 CFR 164.410.
(b) Business Associate shall provide such notification without unreasonable delay and in no case later than thirty (30) calendar days after discovery of a Breach.
(c) Notification shall include: (i) identification of each individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used, or disclosed; (ii) a brief description of what happened; (iii) the date of the Breach and the date of discovery; (iv) a description of the types of Unsecured PHI involved; and (v) any steps individuals should take to protect themselves.
(d) Business Associate shall mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI in violation of this Agreement.
5. Subcontractors
(a) Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2).
(b) Business Associate shall enter into a written agreement with each subcontractor that handles PHI, requiring the subcontractor to comply with the applicable provisions of the HIPAA Rules.
(c) Business Associate shall maintain a current list of all subcontractors with access to PHI and shall make such list available to Covered Entity upon request.
6. Access to PHI
Business Associate shall make available PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an individual, in order to meet Covered Entity’s obligations under 45 CFR 164.524. Business Associate shall respond to any such request within fifteen (15) business days.
7. Amendment of PHI
Business Associate shall make PHI available for amendment and incorporate any amendments to PHI in a Designated Record Set as directed by Covered Entity, in accordance with 45 CFR 164.526.
8. Accounting of Disclosures
Business Associate shall make available the information required to provide an accounting of disclosures in accordance with 45 CFR 164.528. Business Associate shall maintain records of all disclosures for a minimum period of six (6) years from the date of the disclosure.
9. Government Access
Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
10. Termination
(a) Term. This Agreement shall be effective as of the date signed below and shall remain in effect for the duration of the underlying service relationship, unless earlier terminated as provided herein.
(b) Termination for Cause. Covered Entity may terminate this Agreement if Covered Entity determines that Business Associate has violated a material term of this Agreement. Covered Entity shall provide Business Associate with written notice of the violation and thirty (30) days to cure. If the violation is not cured within thirty (30) days, Covered Entity may terminate this Agreement.
(c) Effect of Termination. Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, if feasible. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as Business Associate maintains such PHI.
(d) Survival. The obligations of Business Associate under Sections 3, 4, and 5 shall survive the termination of this Agreement.
11. Miscellaneous
(a) Regulatory References. Any reference to a section of the HIPAA Rules shall mean the section as in effect or as amended.
(b) Amendment. This Agreement may not be amended except by a written instrument signed by both Parties.
(c) Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the HIPAA Rules.
(d) Governing Law. This Agreement shall be governed by federal law, including HIPAA and the HITECH Act, and to the extent not preempted, the laws of the State of California.