HIPAA Business Associate Addendum (Template) (US)
Template Version: v1.0
Status: Draft
1. Definitions
Terms have the meanings given in HIPAA and its implementing regulations.
2. Permitted uses and disclosures
Business Associate may use or disclose PHI to perform services for Covered Entity as described in the Agreement, and for proper management and administration, as permitted by HIPAA and this BAA.
3. Safeguards
Business Associate will implement appropriate safeguards and comply with the HIPAA Security Rule for electronic PHI.
4. Breach and incident reporting
Business Associate will report breaches of unsecured PHI and security incidents to Covered Entity without unreasonable delay and no later than 10, and provide information reasonably necessary for Covered Entity reporting obligations.
5. Subcontractors
Business Associate will ensure any subcontractor that creates, receives, maintains, or transmits PHI agrees to restrictions and conditions that apply to Business Associate.
6. Access, amendment, accounting
Business Associate will assist Covered Entity with access, amendment, and accounting of disclosures as required under HIPAA, to the extent applicable to the services.
7. Termination
Covered Entity may terminate this BAA if it determines Business Associate has violated a material term and cure is not possible.
8. Return or destruction
Upon termination, Business Associate will return or destroy PHI where feasible, consistent with the Agreement and legal retention requirements.
9. Regulatory references
Parties should confirm alignment with 45 CFR 164.504(e) and related provisions.
