Name of Physician or Professional Corporation:
(If Professional Corporation, please include a list of member physicians when
returning the signed copy of this Agreement)
HIPAA Business Associate Agreement
This Business Associate Agreement (“Agreement”) is entered into between Greater
Macomb PHO (“Corporation”) and the above listed physician or Professional
Corporation (hereinafter referred to as “Physician”);
WHEREAS, Corporation and Physician have entered into an Affiliation Agreement and
have entered or intend to enter into various Participation Agreements with third party
payors or other health care related programs;
WHEREAS, Corporation and Physician agree that in order for Corporation to provide
services set forth in the Affiliation Agreement or as set forth in current or future
Participation Agreements, Corporation may be required to access or use information
related to Physician’s Services, which may include Protected Health Information (PHI) as
that term is defined by the HIPAA Privacy Rule at 42 CFR 160.101 et seq. or Electronic
Protected Health Information (EPHI) as defined by the HIPAA Security Rule at 42 CFR
160.103 (because EPHI is a subset of PHI, all references to Protected Health Information
or PHI in this Agreement shall include EPHI if applicable);
WHEREAS, Physician is subject to the Privacy Rule (45 CFR Parts 160 and 164) and the
Security Rule (45 CFR 162) promulgated by the United States Department of Health and
Human Services pursuant to the Health Insurance Portability and Accountability Act of
1996 (HIPAA), Public Law 104-191;
WHEREAS, the Parties agree to the following:
1. Definitions. Terms used, but not otherwise defined, in this Agreement, shall have
the same meaning as those terms in 45 CFR 160.103 and 164.501.
2. Obligations and Activities of Corporation
(a) Corporation agrees to not use or further disclose Protected Health Information
other than as permitted or required to perform services for Physician or as
Required By Law.
(b) Corporation agrees to use appropriate safeguards to prevent use or disclosure
of the Protected Health Information other than as necessary to provide services to
(c) Corporation agrees to mitigate, to the extent practicable, any harmful effect
that is known to Corporation of a use or disclosure of Protected Health
Information by Corporation in violation of the requirements of this Agreement.
(d) Corporation agrees to report to Physician any use or disclosure of the
Protected Health Information not provided for by this Agreement of which it
(e) Corporation agrees to ensure that any agent, including a subcontractor, to
whom it provides Protected Health Information or Electronic Protected Health
Information received from, or created or received by Corporation on behalf of
Physician agrees to the same restrictions and conditions that apply through this
Agreement to Corporation with respect to such information.
(f) Subject to Section 4(d) below, Corporation agrees to provide access, at the
request of Physician, to Protected Health Information in a Designated Record Set,
as necessary to allow Physician to meet the requirements under 45 CFR 164.524.
(g) Subject to Section 4(d) below, Corporation agrees to make any
amendment(s) to Protected Health Information in a Designated Record Set that
the Physician directs or agrees as necessary for compliance with 45 CFR 164.526.
(h) Corporation agrees to make internal practices, books, and records relating to
the use and disclosure of Protected Health Information received from, or created
or received by Corporation on behalf of, Physician available to the Physician, or
at the request of the Physician to the Secretary, within a reasonable time of such
request for purposes of the Secretary determining Physician's compliance with the
(i) If Corporation is required to make a disclosure of information because of a
legal requirement, it will track such a disclosure and will provide information to
Physician that would be necessary for Physician to respond to a request by an
Individual for an accounting of disclosures of Protected Health Information in
accordance with 45 CFR 164.528.
(j) Corporation shall report any Breach of Unsecured Protected Health
Information to Physician in compliance with 45 CFR §164.410.
(k) Corporation agrees to implement administrative, physical, and technical
safeguards that reasonably and appropriately protect the confidentiality, integrity,
and availability of the electronic Protected Health Information that it creates,
receives, maintains, or transmits on behalf of the Physician in accordance with
45 CFR 164.306 (the HIPAA Security standards).
(m) Corporation agrees to alert Physician of any Security Incident of which it
3. Permitted Uses and Disclosures by Corporation
(a) Except as otherwise limited in this Agreement, Corporation may use or
disclose Protected Health Information to perform functions, activities, or services
for, or on behalf of, Physician as requested by Physician provided that such use or
disclosure would not violate the Privacy Rule if done by Physician.
(b) Except as otherwise limited in this Agreement, Corporation may disclose
Protected Health Information for the proper management and administration of
the Corporation or to carry out the legal responsibilities of the Corporation,
provided that disclosures are required by law, or Corporation obtains reasonable
assurances from the person to whom the information is disclosed that it will
remain confidential and used or further disclosed only as required by law or for
the purpose for which it was disclosed to the person, and the person notifies the
Corporation of any instances of which it is aware in which the confidentiality of
the information has been breached.
(c) Except as otherwise limited in this Agreement, Corporation may use Protected
Health Information to provide Data Aggregation services to Physician as
permitted by 45 CFR 164.504(e)(2)(i)(B).
(d) Corporation may use Protected Health Information to report violations of law
to appropriate Federal and State authorities, consistent with 45 CFR
4. Obligations of Physician
(a) Physician shall notify Corporation of any limitation(s) in its Notice of Privacy
Practices to the extent that such limitation may affect Corporation’s use or
disclosure of Protected Health Information.
(b) Physician shall provide Corporation with any changes in, or revocation of,
permission by Individual to use or disclose Protected Health Information, if such
changes affect Corporation's permitted or required uses and disclosures.
(c) Physician shall notify Corporation of any restriction to the use or disclosure of
Protected Health Information that Physician has agreed to in accordance with 45
CFR 164.522, to the extent that such restriction may affect Corporation’s use or
disclosure of Protected Health Information.
(d) Physician shall provide Corporation with copies of records that are part of a
Designated Record Set, rather than providing original records, unless both Parties
agree that it is necessary for Corporation to have the original record. Physician
shall have the responsibility for providing Individuals with Access and
Amendment as set forth in Paragraphs 2 (e), (f), and (g) of these agreements,
unless Corporation is in custody of the original record of the Designated Record
5. Permissible Requests by Physician
Except as otherwise permitted by this Agreement, Physician shall not request
Corporation to use or disclose Protected Health Information in any manner that
would not be permissible under the Privacy Rule if done by Physician.
6. Term and Termination
(a) Term. The Term of this Agreement shall be effective as of the date signed by
(b) Termination. Either party may terminate this Agreement at any time in the
event of a material breach of this Agreement by the other party.
(c) Continued Safeguard of Information. Because of the nature of Corporation’s
Services, the parties mutually agree that immediate return or destruction of the
information is infeasible. Corporation will extend the protections of this
Agreement for as long as the information is maintained and will limit further uses
and disclosures to those purposes that make the return or destruction of the
information infeasible. This provision shall survive termination of this
Agreement. When the information is no longer needed by Corporation, the
information will be destroyed.
(a) No Third Party Beneficiary Rights. Nothing express or implied in this
Agreement is intended to give, nor shall anything herein give any person other
than the Parties and the respective successors or assigns of the Parties, any rights,
remedies, obligations, or liabilities whatsoever.
(b) Regulatory References. A reference in this Agreement to a section in the
Privacy Rule means the section as in effect or as amended, and for which
compliance is required.
(c) Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a
meaning that permits Physician to comply with the HIPAA Privacy and/or
AGREED TO ON BEHALF OF PHYSICIAN,
By: ___________________________
Print Name: ____________________
Its: ___________________________
Dated: ________________________

AGREED TO ON BEHALF OF CORPORATION
By: ______________________
Print Name: ________________
Its: _______________________
Dated: _____________________