BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT (“BAA”) is by and between the DELAWARE DEPARTMENT OF HEALTH AND SOCIAL SERVICES (“Client” or “Covered Entity”), and [Proper Business Associate name here] (“Business Associate”). This Agreement is an addendum to [Contract No. 35-10-01-10-02 or MOU Name here] (“Agreement”) between the parties.

WHEREAS, the Privacy and Security Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require that a covered entity and its business associate agree to certain specified terms and conditions regarding the treatment and protection of Protected Health Information (“PHI”) and Electronic Protected Health Care Information (“EPHI”); and

WHEREAS, Client has contracted with [Proper Business Associate name here] to provide products and/or services under the Agreement and during the course of [Proper Business Associate name here] providing such products and/or services, Client may provide [Proper Business Associate name here] with PHI or EPHI in order for [Proper Business Associate name here] to perform its duties and responsibilities.

NOW, THEREFORE, in consideration of the premises and of the mutual covenants and agreements herein contained, the parties hereby covenant and agree to modify the Service Agreement as follows:

1. Definitions

Terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms in the Privacy and Security Rules. Capitalized terms used herein and not otherwise defined shall have the following meanings:

Business Associate means [Proper Business Associate name here].

Covered Entity means Client or the client of Client who is a health plan, health care clearinghouse, or a health care provider.

Designated Record Set has the meaning in 45 CFR § 164.501.

Electronic media has the meaning in 45 CFR § 160.103, which is:

a. Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or

b. Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

Electronic Protected Health Care Information or “EPHI” has the meaning in 45 CFR § 160.103, and is limited to the information created or received by Business Associate from or on behalf of Covered Entity.

Protected Health Information or “PHI” has the meaning in 45 CFR § 164.501, and is limited to the information created or received by Business Associate from or on behalf of Covered Entity.

Required By Law has the meaning in 45 CFR § 164.501.

Secretary means the Secretary of the Department of Health and Human Services or designee.

Security Incident has the meaning in 45 CFR § 164.304, which is: the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

2. Obligations and Activities of Business Associate

Business Associate will:

a. Not use or disclose PHI other than as permitted or required by the Service Agreement or this BAA.

b. Use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this BAA which include but are not limited to administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the EPHI that it creates, receives, maintains or transmits on behalf of Covered Entity.

c. Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.

d. Report to Covered Entity any use or disclosure of the PHI not provided for by this BAA of which it becomes aware.

e. Ensure that any agent, including a subcontractor, to whom it provides PHI received from or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information. Business Associate will ensure that any agent, including a subcontractor, to whom it provides EPHI agrees to implement reasonable and appropriate safeguards to protect it.

f. Provide reasonable access to PHI to Covered Entity, at the request of Covered Entity, in a Designated Record Set in order for Covered Entity to meet its requirements in 45 CFR § 164.524. This provision is applicable only if the Business Associate maintains PHI in a Designated Record Set.

g. Make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity. This provision is applicable only if the Business Associate maintains PHI in a Designated Record Set.

h. Make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, reasonably available to the Secretary with prior notice and during normal business hours, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.

i. Document disclosures of PHI and information related to such disclosures and provide Covered Entity with such information, at Covered Entity’s request, as is required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Business Associate is entitled to assume that any disclosure that is directed by Covered Entity is a disclosure for treatment, payment, or health care operations purposes or otherwise a disclosure that does not require an accounting as set forth in 45 CFR § 164.528. If Covered Entity directs Business Associate to make a disclosure that requires an accounting by Business Associate, Covered Entity will notify Business Associate that such disclosure requires an accounting. Failure of Covered Entity to notify Business Associate will relieve Business Associate of the requirement to account for such disclosure.

j. Business Associate may charge a reasonable fee for its services in connection with the access, amendment or accounting of PHI as contemplated under this BAA.

k. Upon the date of signature of the Agreement, report to Covered Entity any Security Incident of EPHI of which Business Associate becomes aware, in the following time and manner: (i) any actual, successful Security Incident will be reported to Covered Entity in writing, within five (5) business days of the date on which Business Associate becomes aware of such actual successful Security Incident, and (ii) any attempted, unsuccessful Security Incident of which Business Associate becomes aware, will be reported to Covered Entity in writing, on a reasonable basis at the written request of Covered Entity, but in no event more often than on a quarterly basis. If the Security Rule is amended to remove the requirement to report unsuccessful Security Incidents, this subsection (ii) shall no longer apply, as of the effective date of the amendment of the Security Rule.

3. Permitted Uses and Disclosures by Business Associate

Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.

Business Associate may use PHI as necessary for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

Business Associate may disclose PHI if: (i) the disclosure is required by law; or (ii) the Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person and the person notifies the Business Associate of any instance of which it is aware in which the confidentiality of the PHI has been breached.

4. Obligations of Covered Entity

a. Covered Entity will notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

b. Covered Entity will notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI to the extent that such changes may affect Business Associate’s use or disclosure of PHI.

c. Covered Entity will notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

5. Permissible Requests by Covered Entity

Covered Entity will not ask Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

6. Term and Termination

a. This BAA will be effective on the date last signed by the parties below.

b. This BAA will terminate on the earlier of the termination of the Agreement or when all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.

c. Upon Covered Entity’s knowledge of a material breach of this BAA by Business Associate, Covered Entity shall either:

(i) Provide a reasonable opportunity for Business Associate to cure the breach or end the violation and terminate this BAA if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;

(ii) Immediately terminate this BAA if Business Associate has breached a material term of this BAA and cure is not possible; or

(iii) If neither termination nor cure is feasible, Covered Entity may report the violation to the Secretary.

d. Effect of Termination.

(i) Except as provided in paragraph (ii) of this section, upon termination of this BAA, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.

(ii) In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

7. Miscellaneous

a. Regulatory References. A reference in this BAA to a section in the Privacy or Security Rules means the section as in effect or as amended.

b. Amendment. The Parties agree to negotiate in good faith any amendments to this BAA made necessary by new legislation or amendments to current regulations relating to HIPAA.

c. Survival. The respective rights and obligations of Business Associate under Section 6(d) of this Agreement shall survive the termination of this BAA.

d. Interpretation and Integration. Any ambiguity in this BAA shall be resolved to permit Covered Entity to comply with the Privacy and Security Rules. Any ambiguity in this BAA and the Agreement shall be resolved in favor of this BAA. All other terms of the Agreement apply to this BAA.

e. No Third Party Rights. This BAA is entered into solely between and may be enforced only by Covered Entity and Business Associate. This BAA shall not be deemed to create any rights in third parties or to create any obligations of Covered Entity or Business Associate to any third party.

IN WITNESS WHEREOF, and intending to be legally bound, the parties hereto, having been duly authorized, execute this BAA on the dates indicated:

DELAWARE DEPARTMENT OF HEALTH AND SOCIAL SERVICES:
Signature:
Printed Name and Title:
Date:

[Proper Business Associate name here]:
Signature:
Printed Name and Title:
Date: