BUSINESS ASSOCIATE AGREEMENT

Vendor Fill-In and Print Template

Change in Entropy Hypnotherapy

Use this template when a vendor or service provider will create, receive, maintain, or transmit protected health information on behalf of Change in Entropy Hypnotherapy.

Complete all blank fields, attach the underlying service agreement if applicable, and have business/legal counsel review before signature.

 

Covered Entity: Change in Entropy Hypnotherapy

Covered Entity Address: 2862 Change Street, Unit A, Los Alamos, NM 87544

Vendor / Business Associate: ____________________________________________

Vendor Address: ____________________________________________

Primary Services: ____________________________________________

Effective Date: ____________________________________________

 

Template note: This form is a practical template built around current HIPAA business associate contract requirements. It should be tailored to the specific vendor, services, data flows, and any state-law or contracting requirements.

 

 

Agreement

This Business Associate Agreement (“Agreement”) is entered into by and between Change in Entropy Hypnotherapy (“Covered Entity”) and ____________________________________________ (“Business Associate”) effective as of ____________________________.

  1. Purpose. The parties are entering into this Agreement because Business Associate will perform services for Covered Entity that may involve access to protected health information (PHI). This Agreement is intended to satisfy the HIPAA business associate contract requirements and should be read together with any master services agreement, statement of work, or order form between the parties.
  2. Definitions. Capitalized terms not otherwise defined in this Agreement have the same meaning as in the HIPAA Rules, including Breach, Designated Record Set, Disclosure, Individual, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
  3. Services. Business Associate will provide the following services for Covered Entity: ____________________________________________. Business Associate may create, receive, maintain, or transmit PHI only as necessary to perform those services and as otherwise permitted by this Agreement or required by law.

Business Associate Obligations

  1. Permitted Uses and Disclosures. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, the underlying service arrangement, or as required by law. Business Associate shall limit uses, disclosures, and requests for PHI to the minimum necessary consistent with Covered Entity’s policies and the HIPAA Rules.
  2. Safeguards. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect PHI and shall comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI. Safeguards should be appropriate to the nature of the services, systems, and data involved.
  3. Incident and Breach Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, any Breach of Unsecured Protected Health Information, and any Security Incident of which it becomes aware. Unless a shorter period is stated below, Business Associate shall provide notice without unreasonable delay and no later than _____ calendar days after discovery. Attach any more detailed breach-notification obligations if needed.
  4. Subcontractors. If Business Associate uses any subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate, Business Associate shall ensure the subcontractor agrees in writing to the same restrictions, conditions, and requirements that apply to Business Associate with respect to PHI.
  5. Access, Amendment, and Accounting Support. To the extent Business Associate maintains PHI in a Designated Record Set or otherwise supports Covered Entity’s HIPAA obligations, Business Associate shall make PHI available for access, amendment, and accounting of disclosures in the time and manner reasonably requested by Covered Entity and required by law.
  6. HHS Access. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created, maintained, or received by Business Associate on behalf of, Covered Entity available to the Secretary of HHS for purposes of determining compliance with the HIPAA Rules.
  7. Compliance When Performing Covered Entity Functions. If and to the extent Business Associate is delegated any obligation of Covered Entity under the HIPAA Privacy Rule, Business Associate shall comply with the requirements of Subpart E of 45 CFR Part 164 that apply to the performance of that obligation.
  8. No Impermissible Use. Business Associate may not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Covered Entity, except to the limited extent this Agreement expressly allows use or disclosure for Business Associate’s proper management and administration or to carry out Business Associate’s legal responsibilities.

Optional and Business-Specific Terms

  1. Management and Administration. Business Associate may use PHI for its proper management and administration and may disclose PHI for such purposes only if required by law or if Business Associate obtains reasonable assurances from the recipient that the information will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any breach of confidentiality of which it becomes aware. Check here if this clause applies: [  ] Applies  [  ] Does not apply
  2. Data Aggregation / De-Identification. If authorized by Covered Entity, Business Associate may perform data aggregation services and/or de-identify PHI in accordance with 45 CFR 164.514. Any specific limitations or approved purposes should be stated here: ____________________________________________.
  3. Cross-Border Storage / Remote Access. Business Associate shall not store PHI outside the United States or allow remote access to PHI from outside the United States unless Covered Entity has given prior written approval. Check here if approved: [  ] Approved  [  ] Not approved  Details: _________________________________.

Covered Entity Obligations

  1. Notice of Privacy Practices and Restrictions. Covered Entity shall notify Business Associate of any limitation in Covered Entity’s Notice of Privacy Practices, any change in or revocation of an individual’s authorization, or any agreed restriction on use or disclosure of PHI, to the extent such limitation, change, revocation, or restriction may affect Business Associate’s permitted use or disclosure of PHI.
  2. Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, except as specifically allowed by this Agreement for Business Associate’s management and administration, legal responsibilities, data aggregation, or de-identification if those clauses are enabled.

Term and Termination

  1. Term. This Agreement begins on the Effective Date and remains in effect until the earlier of: (a) termination of the underlying services arrangement, (b) the date all PHI provided under this Agreement is returned or destroyed when feasible, or (c) earlier termination in accordance with this Agreement. Underlying agreement reference: ____________________________________________.
  2. Termination for Cause. Covered Entity may terminate this Agreement and any related services arrangement if Covered Entity determines Business Associate has materially violated this Agreement and Business Associate has not cured the violation within _____ calendar days after written notice, unless immediate termination is required by law or necessary to protect PHI.
  3. Return or Destruction of PHI. Upon termination, Business Associate shall, if feasible, return to Covered Entity or destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, and retain no copies. If return or destruction is not feasible, Business Associate shall extend the protections of this Agreement to the retained PHI, limit further use and disclosure to the purposes that make return or destruction infeasible, and continue such protections for as long as the PHI is retained. Vendor-specific return/destruction timeline: ____________________________.
  4. Survival. Business Associate’s obligations under this Agreement, including with respect to retained PHI, survive termination of this Agreement for so long as Business Associate retains PHI.

General Contract Terms

  1. Order of Precedence. If there is a conflict between this Agreement and any other agreement between the parties regarding PHI, this Agreement controls to the extent necessary to comply with HIPAA.
  2. No Third-Party Beneficiaries. Nothing in this Agreement is intended to create any rights in any third party, except as otherwise required by applicable law.
  3. Governing Law. This Agreement shall be governed by applicable federal law and, to the extent not preempted, the laws selected by the parties in the underlying services agreement. If no such provision exists, the parties may state the governing law here: ________________________________.
  4. Amendment. The parties agree to take any action necessary to amend this Agreement from time to time as needed for compliance with HIPAA, the HITECH Act, implementing regulations, or other applicable law.
  5. Notices. Legal notices under this Agreement shall be delivered to the contacts listed in Appendix A unless updated by written notice.

Appendix A – Vendor Intake and Contacts

Vendor legal name

_______________________________________________________________

Trade name / DBA

_______________________________________________________________

Main business address

_______________________________________________________________

Primary privacy / security contact

_______________________________________________________________

Title / department

_______________________________________________________________

Email / phone

_______________________________________________________________

Services provided

_______________________________________________________________

Systems / platforms used

_______________________________________________________________

Will vendor access ePHI?

[  ] Yes   [  ] No   If yes, describe: __________________________________

Will vendor store ePHI?

[  ] Yes   [  ] No   Storage location(s): _____________________________

Will vendor transmit ePHI?

[  ] Yes   [  ] No   Method(s): _____________________________________

Will subcontractors be used?

[  ] Yes   [  ] No   If yes, list or attach: _________________________

 

Appendix B – PHI Categories and Security Notes

Use this page to identify the types of PHI the vendor may handle and any special instructions. Check all that apply and add details as needed.

Category | Check | Notes / Limitations
Names / contact details | [  ] | ________________________________________________________
Dates of birth / demographics | [  ] | ________________________________________________________
Appointment / billing data | [  ] | ________________________________________________________
Clinical notes / assessments | [  ] | ________________________________________________________
Audio / video / telehealth data | [  ] | ________________________________________________________
Insurance or payment information | [  ] | ________________________________________________________
System logs / support tickets | [  ] | ________________________________________________________
Other: ____________________ | [  ] | ________________________________________________________

 

Additional security requirements or client-specific restrictions:

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________

Signature Page

The undersigned certify that they are authorized to sign this Agreement on behalf of their respective organizations and agree to the terms above.

Covered Entity: Change in Entropy Hypnotherapy

By: ____________________________________________

Name / Title: ____________________________________________

Signature: ____________________________________________

Date: ____________________________________________

Notice Contact: [email protected] | (907) 278-1180

Business Associate: ____________________________________________

By: ____________________________________________

Name / Title: ____________________________________________

Signature: ____________________________________________

Date: ____________________________________________

Notice Contact: ____________________________________________

 

Review checklist before signing:

[  ] Service agreement attached

[  ] Vendor security review completed

[  ] Subcontractor list attached if applicable

[  ] Breach notice timeline completed

[  ] Return/destruction terms completed