HIPAA Compliance
This Business Associate Agreement ("BAA") governs the handling of Protected Health Information shared between MAIS Consulting and its business partners in compliance with HIPAA.
Legal Notice: This page presents the standard terms of MAIS Consulting's Business Associate Agreement. A fully executed, signed BAA is required before any Protected Health Information may be shared. To request a signed BAA, contact our Privacy Officer.
Under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH"), a Business Associate Agreement is a written contract between a HIPAA Covered Entity and a Business Associate — any person or organization that performs functions or activities on behalf of a Covered Entity that involve the use or disclosure of Protected Health Information ("PHI").
MAIS Consulting may act as either a Covered Entity or a Business Associate depending on the nature of the engagement. In either capacity, MAIS Consulting requires a fully executed BAA before any PHI is exchanged.
This Agreement is entered into between MAIS Consulting ("Business Associate" or "Covered Entity," as applicable) and the contracting party ("Covered Entity" or "Business Associate," as applicable), collectively referred to as the "Parties."
Protected Health Information (PHI)
Any individually identifiable health information transmitted or maintained in any form or medium that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, as defined in 45 C.F.R. § 160.103.
Electronic PHI (ePHI)
PHI that is created, received, maintained, or transmitted in electronic form, as defined in 45 C.F.R. § 160.103.
Covered Entity
A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction covered under HIPAA, as defined in 45 C.F.R. § 160.103.
Business Associate
A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a Covered Entity, as defined in 45 C.F.R. § 160.103.
Breach
The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 C.F.R. § 164.402.
Security Incident
The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system, as defined in 45 C.F.R. § 164.304.
Business Associate may use or disclose PHI only as necessary to perform the services described in the underlying services agreement between the Parties, and only in the following circumstances:
Business Associate shall not use or disclose PHI in a manner that would violate the requirements of the HIPAA Privacy Rule if done by Covered Entity, except as permitted under this Agreement.
Use Limitations
Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as required by law.
Safeguards
Business Associate shall use appropriate administrative, physical, and technical safeguards, and comply with the HIPAA Security Rule with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
Subcontractors
Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement.
Breach Notification
Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, without unreasonable delay and in no case later than 60 days after discovery.
Individual Rights
Business Associate shall make available PHI in a designated record set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.524 and shall make available PHI for amendment and incorporate any amendments to PHI in accordance with 45 C.F.R. § 164.526.
Accounting of Disclosures
Business Associate shall maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. § 164.528.
HHS Access
Business Associate shall make its internal practices, books, and records available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules.
Return or Destruction of PHI
Upon termination of this Agreement, Business Associate shall, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to the PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible.
Covered Entity shall:
Term. This Agreement shall be effective as of the date it is executed by both Parties and shall remain in effect until terminated as provided herein or until the underlying services agreement between the Parties is terminated.
Termination for Cause. Upon either Party's knowledge of a material breach by the other Party, the non-breaching Party shall provide written notice of the breach and an opportunity to cure. If the breaching Party does not cure the breach within a reasonable time period specified in the notice, the non-breaching Party may terminate this Agreement.
Effect of Termination. Upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to the PHI and limit further uses and disclosures to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.
Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended, and for which compliance is required.
Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the HIPAA Rules and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.
Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the HIPAA Rules.
No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
Governing Law. This Agreement shall be governed by and construed in accordance with applicable federal law, including HIPAA and HITECH, and the laws of the state in which MAIS Consulting is domiciled, without regard to conflicts of law principles.
Entire Agreement. This Agreement, together with the underlying services agreement, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, negotiations, and discussions, whether oral or written, between the Parties relating to the subject matter hereof.
To obtain a fully executed Business Associate Agreement with MAIS Consulting, please contact our Privacy Officer. We will review your request and provide a signed BAA within 5 business days.