{"id":8003,"date":"2024-12-26T01:27:49","date_gmt":"2024-12-26T06:27:49","guid":{"rendered":"https:\/\/www.medicalofficeforce.com\/?page_id=8003"},"modified":"2025-07-02T02:04:19","modified_gmt":"2025-07-02T06:04:19","slug":"business-associate-agreement","status":"publish","type":"page","link":"https:\/\/www.medicalofficeforce.com\/es\/business-associate-agreement\/","title":{"rendered":"Business Associate Agreement"},"content":{"rendered":"<div data-elementor-type=\"wp-page\" data-elementor-id=\"8003\" class=\"elementor elementor-8003\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b81d579 e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-equal-height-no e-con e-parent\" data-id=\"b81d579\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ed8251e elementor-widget elementor-widget-html\" data-id=\"ed8251e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<style>\n    body{\n        background:#fff !important;\n    }\n<\/style>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-90abfca elementor-widget elementor-widget-heading\" data-id=\"90abfca\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">BUSINESS ASSOCIATE AGREEMENT\n\n<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e00faef e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-equal-height-no e-con e-parent\" data-id=\"e00faef\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-49ce1c2 elementor-widget elementor-widget-heading\" data-id=\"49ce1c2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">1. Section 1.  Definitions.\n\n\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-69efdc8 elementor-widget elementor-widget-text-editor\" data-id=\"69efdc8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>1.01<\/strong> <span style=\"font-weight: 400;\">This Business Associate Agreement (\u201c<\/span><b>BAA<\/b><span style=\"font-weight: 400;\">\u201d) is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (\u201c<\/span><b>PHI<\/b><span style=\"font-weight: 400;\">\u201d) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. The functions, activities, and services that Business Associate performs for Covered Entity are defined in the Independent Contractor Agreement (the \u201c<\/span><b>Underlying Agreement<\/b><span style=\"font-weight: 400;\">\u201d).<\/span><\/p><p><strong>1.02<\/strong> <span style=\"font-weight: 400;\">Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the \u201c<\/span><b>HITECH Act<\/b><span style=\"font-weight: 400;\">\u201d) and under the American Recovery and Reinvestment Act of 2009 (\u201c<\/span><b>ARRA<\/b><span style=\"font-weight: 400;\">\u201d), this BAA also reflects federal breach notification requirements imposed on Business Associate when \u201cUnsecured PHI\u201d (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates.<\/span><\/p><p><strong>1.03<\/strong> <span style=\"font-weight: 400;\">Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use.<\/span><\/p><p><strong>1.04<\/strong> <span style=\"font-weight: 400;\">A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the \u201c<\/span><b>Privacy Rule<\/b><span style=\"font-weight: 400;\">\u201d) as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e76b46e e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-equal-height-no e-con e-parent\" data-id=\"e76b46e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-17d4bdc elementor-widget elementor-widget-heading\" data-id=\"17d4bdc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Section 2.  General Obligations of Business Associate.\n\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-75462ab elementor-widget elementor-widget-text-editor\" data-id=\"75462ab\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>2.01<\/strong> <span style=\"font-weight: 400;\">Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required by Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.<\/span><\/p><p><strong>2.02<\/strong> <span style=\"font-weight: 400;\">Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA.<\/span><\/p><p><strong>2.03<\/strong> <span style=\"font-weight: 400;\">Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA\u2019s requirements or that would otherwise cause a Breach of Unsecured PHI.<\/span><\/p><p>\u00a0<\/p><p><strong>2.04 <\/strong><span style=\"font-weight: 400;\">The Business Associate agrees to the following breach notification requirements:<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(a)\u00a0\u00a0Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within forty-five (45) calendar days of \u201cdiscovery\u201d within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. \u00a7 164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate\u2019s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time.<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(b)\u00a0\u00a0Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. \u00a7 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary, and\/or any other parties as required under HIPAA, the HITECH Act, ARRA, and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification.<\/span><\/p><p><strong>2.05<\/strong> <span style=\"font-weight: 400;\">Business Associate agrees, in accordance with 45 C.F.R. \u00a7\u00a7 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.<\/span><\/p><p><strong>2.06 <\/strong><span style=\"font-weight: 400;\">Business Associate agrees to make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity\u2019s obligations under 45 C.F.R. \u00a7 164.524.<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(a)\u00a0\u00a0Business Associate agrees to comply with an individual\u2019s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. \u00a7 164.522, except where such use, disclosure, or request is required or permitted under applicable law.<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(b)\u00a0\u00a0Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. \u00a7 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a \u201climited data set\u201d as defined in 45 C.F.R. \u00a7 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time.<\/span><\/p><p><strong>2.07<\/strong> <span style=\"font-weight: 400;\">Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. \u00a7 164.526 or take other measures as necessary to satisfy Covered Entity\u2019s obligations under 45 C.F.R. \u00a7 164.526.<\/span><\/p><p><strong>2.08 <\/strong><span style=\"font-weight: 400;\">Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity\u2019s obligations under 45 C.F.R. \u00a7 164.528.<\/span><\/p><p><strong>2.09 <\/strong><span style=\"font-weight: 400;\">Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the Secretary) for the purpose of Covered Entity or the Secretary determining compliance with the Privacy Rule (as defined in <\/span><a href=\"https:\/\/docs.google.com\/document\/d\/11owixGdLKnuyMEbT4PaZvOzKfgjqaqOt\/edit#bookmark=kix.w8hsghyucdiv\"><span style=\"font-weight: 400;\">Section 8<\/span><\/a><span style=\"font-weight: 400;\">).<\/span><\/p><p><strong>2.10 <\/strong><span style=\"font-weight: 400;\">To the extent that Business Associate is to carry out one or more of Covered Entity\u2019s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).<\/span><\/p><p><strong>2.11 <\/strong><span style=\"font-weight: 400;\">Business Associate agrees to account for the following disclosures:<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(a)\u00a0\u00a0Business Associate agrees to maintain and document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(b)\u00a0\u00a0Business Associate agrees to provide to Covered Entity, or to an individual at Covered Entity\u2019s request, information collected in accordance with this <\/span><a href=\"https:\/\/docs.google.com\/document\/d\/18TH0IHAIVI7qyrv9th5FJR_J-oEjawyi\/edit#bookmark=id.4f1mdlm\"><span style=\"font-weight: 400;\">Section 2.11<\/span><\/a><span style=\"font-weight: 400;\">, to permit Covered Entity to respond to a request by an individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(c)\u00a0\u00a0Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in <\/span><a href=\"https:\/\/docs.google.com\/document\/d\/18TH0IHAIVI7qyrv9th5FJR_J-oEjawyi\/edit#bookmark=id.2u6wntf\"><span style=\"font-weight: 400;\">Section 5<\/span><\/a><span style=\"font-weight: 400;\">) (\u201c<\/span><b>EHR<\/b><span style=\"font-weight: 400;\">\u201d) in a manner consistent with 45 C.F.R. \u00a7 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three (3) years prior to the date on which the accounting is requested from Covered Entity.<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(d)\u00a0\u00a0In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, paragraph (c) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011, or the date that it acquires the EHR<\/span><\/p><p><strong>2.12<\/strong> <span style=\"font-weight: 400;\">Business Associate agrees to comply with the \u201cProhibition on Sale of Electronic Health Records or Protected Health Information,\u201d as provided in Section 13405(d) of Subtitle D (Privacy) of ARRA, and the \u201cConditions on Certain Contacts as Part of Health Care Operations,\u201d as provided in Section 13406 of Subtitle D (Privacy) of ARRA and related guidance issued by the Secretary from time to time.<\/span><\/p><p><strong>2.13<\/strong> <span style=\"font-weight: 400;\">Business Associate acknowledges that, effective on the Effective Date of this BAA, it shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. \u00a7 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this BAA and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-3d6eb30 e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-equal-height-no e-con e-parent\" data-id=\"3d6eb30\" data-element_type=\"container\" data-e-type=\"container\" id=\"section3\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-35094b7 elementor-widget elementor-widget-heading\" data-id=\"35094b7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Section 3.  Permitted Uses and Disclosures by Business Associate.\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6fe89bd elementor-widget elementor-widget-text-editor\" data-id=\"6fe89bd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>3.01 <\/strong><span style=\"font-weight: 400;\">General Uses and Disclosures<\/span><span style=\"font-weight: 400;\">. Business Associate agrees to receive, create, use, or disclose PHI only in a manner that is consistent with this BAA, the Privacy Rule, or Security Rule (as defined in <\/span><a href=\"https:\/\/docs.google.com\/document\/d\/18TH0IHAIVI7qyrv9th5FJR_J-oEjawyi\/edit#bookmark=id.2u6wntf\"><span style=\"font-weight: 400;\">Section 5<\/span><\/a><span style=\"font-weight: 400;\">) and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. \u00a7 164.504(e), if the use or disclosure would be done by Covered Entity. For example, the use and disclosure of PHI will be permitted for \u201ctreatment, payment, and health care operations,\u201d in accordance with the Privacy Rule.<\/span><\/p><p><strong>3.02 <\/strong><span style=\"font-weight: 400;\">Business Associate may use or disclose PHI as Required by Law.<\/span><\/p><p><strong>3.03 <\/strong><span style=\"font-weight: 400;\">Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity\u2019s Minimum Necessary policies and procedures.<\/span><\/p><p><strong>3.04 <\/strong><span style=\"font-weight: 400;\">Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f926749 e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-equal-height-no e-con e-parent\" data-id=\"f926749\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7ad58b8 elementor-widget elementor-widget-heading\" data-id=\"7ad58b8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Section 4.  Obligations of Covered Entity.\n\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-89ebf61 elementor-widget elementor-widget-text-editor\" data-id=\"89ebf61\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>4.01 <\/strong><span style=\"font-weight: 400;\">Covered Entity shall:<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(a)\u00a0\u00a0Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. \u00a7 164.522, to the extent that such restriction may affect Business Associate\u2019s use or disclosure of PHI under this BAA.<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(b)\u00a0\u00a0Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate\u2019s permitted or required uses and disclosures of PHI under this BAA.<\/span><\/p><p><strong>4.02 <\/strong><span style=\"font-weight: 400;\">Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under <\/span><a href=\"https:\/\/www.medicalofficeforce.com\/es\/business-associate-agreement\/#section3\"><span style=\"font-weight: 400;\">Section 3<\/span><\/a><span style=\"font-weight: 400;\"> of this BAA.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-8398704 e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-equal-height-no e-con e-parent\" data-id=\"8398704\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7c5469a elementor-widget elementor-widget-heading\" data-id=\"7c5469a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\nSection 5.  Compliance with Security Rule.\n\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-722f751 elementor-widget elementor-widget-text-editor\" data-id=\"722f751\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>5.01 <\/strong><span style=\"font-weight: 400;\">Effective April 20, 2005, Business Associate shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term \u201c<\/span><b>Electronic Health Record<\/b><span style=\"font-weight: 400;\">\u201d or \u201c<\/span><b>EHR<\/b><span style=\"font-weight: 400;\">\u201d as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.<\/span><\/p><p><strong>5.02 <\/strong><span style=\"font-weight: 400;\">In accordance with the Security Rule, Business Associate agrees to:<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(a)\u00a0\u00a0Implement the administrative safeguards set forth at 45 C.F.R. \u00a7 164.308, the physical safeguards set forth at 45 C.F.R. \u00a7 164.310, the technical safeguards set forth at 45 C.F.R. \u00a7 164.312, and the policies and procedures set forth at 45 C.F.R. \u00a7 164.316, to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule. Business Associate acknowledges that, effective on the Effective Date of this BAA, (a) the foregoing safeguards, policies, and procedures requirements shall apply to Business Associate in the same manner that such requirements apply to Covered Entity, and (b) Business Associate shall be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. \u00a7 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies, and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements;<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(b)\u00a0\u00a0Require that any agent, including a Subcontractor, to whom it provides such PHI agrees to implement reasonable and appropriate safeguards to protect the PHI; and<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(c)\u00a0\u00a0Report to the Covered Entity any Security Incident of which it becomes aware.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-6b59a95 e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-equal-height-no e-con e-parent\" data-id=\"6b59a95\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-103b920 elementor-widget elementor-widget-heading\" data-id=\"103b920\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Section 6.  Indemnification.\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-534ad05 elementor-widget elementor-widget-text-editor\" data-id=\"534ad05\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>7.01 <\/strong><span style=\"font-weight: 400;\">This BAA shall be in effect as of the Effective Date of the Underlying Agreement, and shall terminate on the earlier of the date that:<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(a)\u00a0\u00a0Either party terminates for cause as authorized under <\/span><a href=\"https:\/\/docs.google.com\/document\/d\/11owixGdLKnuyMEbT4PaZvOzKfgjqaqOt\/edit#bookmark=kix.qp0psufgpmtb\"><span style=\"font-weight: 400;\">Section 7.02<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(b)\u00a0\u00a0All of the PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is not feasible to return or destroy PHI, protections are extended in accordance with <\/span><a href=\"https:\/\/docs.google.com\/document\/d\/11owixGdLKnuyMEbT4PaZvOzKfgjqaqOt\/edit#bookmark=kix.95ypjdd1cb7d\"><span style=\"font-weight: 400;\">Section 7.03<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p><p><strong>7.02 <\/strong><span style=\"font-weight: 400;\">Upon either party\u2019s knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation; or terminate the BAA. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed thirty (30) days from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA and the Underlying Agreement, upon written notice to the other party.<\/span><\/p><p><strong>7.03 <\/strong><span style=\"font-weight: 400;\">Upon termination of this BAA for any reason, the parties agree that Business associate shall return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that the Business Associate still maintains in any form. The PHI shall be returned in a format that is reasonably expected to preserve its accessibility and usability. Business Associate shall retain no copies of the PHI.<\/span><\/p><p><strong>7.04 <\/strong><span style=\"font-weight: 400;\">The obligations of Business Associate under this Section 7 shall survive the termination of this BAA.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-1d0e76f e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-equal-height-no e-con e-parent\" data-id=\"1d0e76f\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-82db5a0 elementor-widget elementor-widget-heading\" data-id=\"82db5a0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Section 7.  Term and Termination.<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e31d6cf elementor-widget elementor-widget-text-editor\" data-id=\"e31d6cf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">The parties agree and acknowledge that except as set forth herein, the indemnification obligations contained under the Underlying Agreement shall govern each party\u2019s performance under this BAA.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-fd2ce12 e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-equal-height-no e-con e-parent\" data-id=\"fd2ce12\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5b4a2a5 elementor-widget elementor-widget-heading\" data-id=\"5b4a2a5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Section 8.  Miscellaneous.<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5b8181f elementor-widget elementor-widget-text-editor\" data-id=\"5b8181f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>8.01 <\/strong><span style=\"font-weight: 400;\">The parties agree to take such action as is necessary to amend this BAA to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the HIPAA Rules, and any other applicable law.<\/span><\/p><p><strong>8.02 <\/strong><span style=\"font-weight: 400;\">The respective rights and obligations of Business Associate under <\/span><a href=\"https:\/\/docs.google.com\/document\/d\/11owixGdLKnuyMEbT4PaZvOzKfgjqaqOt\/edit#bookmark=kix.n4wjhydu8cy\"><span style=\"font-weight: 400;\">Section 6<\/span><\/a><span style=\"font-weight: 400;\"> and <\/span><a href=\"https:\/\/docs.google.com\/document\/d\/18TH0IHAIVI7qyrv9th5FJR_J-oEjawyi\/edit#bookmark=id.3tbugp1\"><span style=\"font-weight: 400;\">Section 7<\/span><\/a><span style=\"font-weight: 400;\"> of this BAA shall survive the termination of this BAA.<\/span><\/p><p><strong>8.03 <\/strong><span style=\"font-weight: 400;\">This BAA shall be interpreted in the following manner:<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(a)\u00a0\u00a0Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(b)\u00a0\u00a0Any inconsistency between the BAA\u2019s provisions and the HIPAA Rules, including all amendments, as interpreted by the HHS, a court, or another regulatory agency with authority over the Parties, shall be interpreted according to the interpretation of the HHS, the court, or the regulatory agency.<\/span><\/p><p style=\"padding-left: 40px;\"><span style=\"font-weight: 400;\">(c)\u00a0\u00a0Any provision of this BAA that differs from those required by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this BAA.<\/span><\/p><p><strong>8.04 <\/strong><span style=\"font-weight: 400;\">This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA, except to the extent that the Underlying Agreement imposes more stringent requirements related to the use and protection of PHI upon Business Associate. This BAA supersedes all prior negotiations, discussions, representations, or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.<\/span><\/p><p><strong>8.05 <\/strong><span style=\"font-weight: 400;\">This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate. However, this BAA may not be assigned, in whole or in part, without the written consent of the other party. Any attempted assignment in violation of this provision shall be null and void.<\/span><\/p><p><strong>8.06 <\/strong><span style=\"font-weight: 400;\">This BAA may be executed in two or more counterparts, each of which shall be deemed an original.<\/span><\/p><p><strong>8.07 <\/strong><span style=\"font-weight: 400;\">Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the same internal laws as that of the Underlying Agreement.<\/span><\/p><p><br \/><br \/><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>BUSINESS ASSOCIATE AGREEMENT 1. Section 1. Definitions. 1.01 This Business Associate Agreement (\u201cBAA\u201d) is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (\u201cPHI\u201d) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. The functions, activities, and services that Business Associate performs for Covered Entity are defined in the Independent Contractor Agreement (the \u201cUnderlying Agreement\u201d). 1.02 Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the \u201cHITECH Act\u201d) and under the American Recovery and Reinvestment Act of 2009 (\u201cARRA\u201d), this BAA also reflects federal breach notification requirements imposed on Business Associate when \u201cUnsecured PHI\u201d (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates. 1.03 Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use. 1.04 A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the \u201cPrivacy Rule\u201d) as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules. Section 2. General Obligations of Business Associate. 2.01 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required by Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI. 2.02 Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA. 2.03 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA\u2019s requirements or that would otherwise cause a Breach of Unsecured PHI. \u00a0 2.04 The Business Associate agrees to the following breach notification requirements: (a)\u00a0\u00a0Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within forty-five (45) calendar days of \u201cdiscovery\u201d within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. \u00a7 164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate\u2019s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time. (b)\u00a0\u00a0Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. \u00a7 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary, and\/or any other parties as required under HIPAA, the HITECH Act, ARRA, and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. 2.05 Business Associate agrees, in accordance with 45 C.F.R. \u00a7\u00a7 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. 2.06 Business Associate agrees to make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity\u2019s obligations under 45 C.F.R. \u00a7 164.524. (a)\u00a0\u00a0Business Associate agrees to comply with an individual\u2019s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. \u00a7 164.522, except where such use, disclosure, or request is required or permitted under applicable law. (b)\u00a0\u00a0Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. \u00a7 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a \u201climited data set\u201d as defined in 45 C.F.R. \u00a7 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time. 2.07 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. \u00a7 164.526 or take other measures as necessary to satisfy Covered Entity\u2019s obligations under 45 C.F.R. \u00a7 164.526. 2.08 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity\u2019s obligations under 45 C.F.R. \u00a7 164.528. 2.09 Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the &hellip; <a href=\"https:\/\/www.medicalofficeforce.com\/es\/business-associate-agreement\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Business Associate Agreement<\/span><\/a><\/p>","protected":false},"author":208464285,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"elementor_header_footer","meta":{"footnotes":""},"class_list":["post-8003","page","type-page","status-publish","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Business Associate Agreement - Medical Office Force<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.medicalofficeforce.com\/es\/business-associate-agreement\/\" \/>\n<meta property=\"og:locale\" content=\"es_MX\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Business Associate Agreement - Medical Office Force\" \/>\n<meta property=\"og:description\" content=\"BUSINESS ASSOCIATE AGREEMENT 1. Section 1. Definitions. 1.01 This Business Associate Agreement (\u201cBAA\u201d) is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (\u201cPHI\u201d) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. The functions, activities, and services that Business Associate performs for Covered Entity are defined in the Independent Contractor Agreement (the \u201cUnderlying Agreement\u201d). 1.02 Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the \u201cHITECH Act\u201d) and under the American Recovery and Reinvestment Act of 2009 (\u201cARRA\u201d), this BAA also reflects federal breach notification requirements imposed on Business Associate when \u201cUnsecured PHI\u201d (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates. 1.03 Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use. 1.04 A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the \u201cPrivacy Rule\u201d) as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules. Section 2. General Obligations of Business Associate. 2.01 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required by Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI. 2.02 Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA. 2.03 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA\u2019s requirements or that would otherwise cause a Breach of Unsecured PHI. \u00a0 2.04 The Business Associate agrees to the following breach notification requirements: (a)\u00a0\u00a0Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within forty-five (45) calendar days of \u201cdiscovery\u201d within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. \u00a7 164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate\u2019s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time. (b)\u00a0\u00a0Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. \u00a7 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary, and\/or any other parties as required under HIPAA, the HITECH Act, ARRA, and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. 2.05 Business Associate agrees, in accordance with 45 C.F.R. \u00a7\u00a7 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. 2.06 Business Associate agrees to make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity\u2019s obligations under 45 C.F.R. \u00a7 164.524. (a)\u00a0\u00a0Business Associate agrees to comply with an individual\u2019s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. \u00a7 164.522, except where such use, disclosure, or request is required or permitted under applicable law. (b)\u00a0\u00a0Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. \u00a7 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a \u201climited data set\u201d as defined in 45 C.F.R. \u00a7 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time. 2.07 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. \u00a7 164.526 or take other measures as necessary to satisfy Covered Entity\u2019s obligations under 45 C.F.R. \u00a7 164.526. 2.08 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity\u2019s obligations under 45 C.F.R. \u00a7 164.528. 2.09 Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the &hellip; Continue reading Business Associate Agreement\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.medicalofficeforce.com\/es\/business-associate-agreement\/\" \/>\n<meta property=\"og:site_name\" content=\"Medical Office Force\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-02T06:04:19+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Tiempo de lectura\" \/>\n\t<meta name=\"twitter:data1\" content=\"13 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.medicalofficeforce.com\\\/business-associate-agreement\\\/\",\"url\":\"https:\\\/\\\/www.medicalofficeforce.com\\\/business-associate-agreement\\\/\",\"name\":\"Business Associate Agreement - Medical Office Force\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.medicalofficeforce.com\\\/#website\"},\"datePublished\":\"2024-12-26T06:27:49+00:00\",\"dateModified\":\"2025-07-02T06:04:19+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.medicalofficeforce.com\\\/business-associate-agreement\\\/#breadcrumb\"},\"inLanguage\":\"es\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.medicalofficeforce.com\\\/business-associate-agreement\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.medicalofficeforce.com\\\/business-associate-agreement\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.medicalofficeforce.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Business Associate Agreement\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.medicalofficeforce.com\\\/#website\",\"url\":\"https:\\\/\\\/www.medicalofficeforce.com\\\/\",\"name\":\"Medical Office Force\",\"description\":\"Optimizing Healthcare Finance\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.medicalofficeforce.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"es\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Business Associate Agreement - Medical Office Force","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.medicalofficeforce.com\/es\/business-associate-agreement\/","og_locale":"es_MX","og_type":"article","og_title":"Business Associate Agreement - Medical Office Force","og_description":"BUSINESS ASSOCIATE AGREEMENT 1. Section 1. Definitions. 1.01 This Business Associate Agreement (\u201cBAA\u201d) is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (\u201cPHI\u201d) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. The functions, activities, and services that Business Associate performs for Covered Entity are defined in the Independent Contractor Agreement (the \u201cUnderlying Agreement\u201d). 1.02 Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the \u201cHITECH Act\u201d) and under the American Recovery and Reinvestment Act of 2009 (\u201cARRA\u201d), this BAA also reflects federal breach notification requirements imposed on Business Associate when \u201cUnsecured PHI\u201d (as defined under the HIPAA Rules) is acquired by an unauthorized party, and the expanded privacy and security provisions imposed on business associates. 1.03 Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured PHI, and use. 1.04 A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the \u201cPrivacy Rule\u201d) as interpreted under applicable regulations and guidance of general application published by HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA, and the HIPAA Rules. Section 2. General Obligations of Business Associate. 2.01 Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required by Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI. 2.02 Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA. 2.03 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA\u2019s requirements or that would otherwise cause a Breach of Unsecured PHI. \u00a0 2.04 The Business Associate agrees to the following breach notification requirements: (a)\u00a0\u00a0Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within forty-five (45) calendar days of \u201cdiscovery\u201d within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. \u00a7 164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate\u2019s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of Section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules, and related guidance issued by the Secretary or the delegate of the Secretary from time to time. (b)\u00a0\u00a0Business Associate agrees to provide notification of any Breach of Unsecured PHI of which it becomes aware, as required under 45 C.F.R. \u00a7 164.410, and any Security Incident of which it becomes aware, in violation of this BAA to individuals, the media (as defined under the HITECH Act), the Secretary, and\/or any other parties as required under HIPAA, the HITECH Act, ARRA, and the HIPAA Rules, subject to the prior review and written approval by Covered Entity of the content of such notification. 2.05 Business Associate agrees, in accordance with 45 C.F.R. \u00a7\u00a7 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information. 2.06 Business Associate agrees to make available PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity\u2019s obligations under 45 C.F.R. \u00a7 164.524. (a)\u00a0\u00a0Business Associate agrees to comply with an individual\u2019s request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. \u00a7 164.522, except where such use, disclosure, or request is required or permitted under applicable law. (b)\u00a0\u00a0Business Associate agrees that when requesting, using, or disclosing PHI in accordance with 45 C.F.R. \u00a7 164.502(b)(1) that such request, use, or disclosure shall be to the minimum extent necessary, including the use of a \u201climited data set\u201d as defined in 45 C.F.R. \u00a7 164.514(e)(2), to accomplish the intended purpose of such request, use, or disclosure, as interpreted under related guidance issued by the Secretary from time to time. 2.07 Business Associate agrees to make any amendments to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 C.F.R. \u00a7 164.526 or take other measures as necessary to satisfy Covered Entity\u2019s obligations under 45 C.F.R. \u00a7 164.526. 2.08 Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity\u2019s obligations under 45 C.F.R. \u00a7 164.528. 2.09 Business Associate agrees to make its internal practices, books, and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity (or the &hellip; Continue reading Business Associate Agreement","og_url":"https:\/\/www.medicalofficeforce.com\/es\/business-associate-agreement\/","og_site_name":"Medical Office Force","article_modified_time":"2025-07-02T06:04:19+00:00","twitter_card":"summary_large_image","twitter_misc":{"Tiempo de lectura":"13 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.medicalofficeforce.com\/business-associate-agreement\/","url":"https:\/\/www.medicalofficeforce.com\/business-associate-agreement\/","name":"Business Associate Agreement - Medical Office Force","isPartOf":{"@id":"https:\/\/www.medicalofficeforce.com\/#website"},"datePublished":"2024-12-26T06:27:49+00:00","dateModified":"2025-07-02T06:04:19+00:00","breadcrumb":{"@id":"https:\/\/www.medicalofficeforce.com\/business-associate-agreement\/#breadcrumb"},"inLanguage":"es","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.medicalofficeforce.com\/business-associate-agreement\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.medicalofficeforce.com\/business-associate-agreement\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.medicalofficeforce.com\/"},{"@type":"ListItem","position":2,"name":"Business Associate Agreement"}]},{"@type":"WebSite","@id":"https:\/\/www.medicalofficeforce.com\/#website","url":"https:\/\/www.medicalofficeforce.com\/","name":"Medical Office Force","description":"Optimizing Healthcare Finance","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.medicalofficeforce.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"es"}]}},"_links":{"self":[{"href":"https:\/\/www.medicalofficeforce.com\/es\/wp-json\/wp\/v2\/pages\/8003","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.medicalofficeforce.com\/es\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.medicalofficeforce.com\/es\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.medicalofficeforce.com\/es\/wp-json\/wp\/v2\/users\/208464285"}],"replies":[{"embeddable":true,"href":"https:\/\/www.medicalofficeforce.com\/es\/wp-json\/wp\/v2\/comments?post=8003"}],"version-history":[{"count":0,"href":"https:\/\/www.medicalofficeforce.com\/es\/wp-json\/wp\/v2\/pages\/8003\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.medicalofficeforce.com\/es\/wp-json\/wp\/v2\/media?parent=8003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}