These are examples of BAA provisions that may provide more protection to covered entities. They were provided by Dena Castricone, an attorney with DMC Law LLC. She noted the materials provided here are for educational purposes only and not as legal advice. Contact Castricone at dena@dmclawllc.com.
Sample Provisions – Risk Analysis
3.2 Without limiting Business Associate’s obligations under the HIPAA Rules, Business Associate agrees to perform a risk analysis to assess potential risks and vulnerabilities in its possession and develop, implement and maintain administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic PHI that is created, received, maintained or transmitted by Business Associate under this Agreement. [Dena’s note: This explicitly includes what the Business Associate is already obligated to do under the HIPAA Security Rule. Spelling it out here has a couple of advantages: (1) you can sue for breach of contract if the Business Associate doesn’t do it; and (2) it is a clear reason for termination under 9.2 below.] These measures shall be documented and kept current, and must include, at a minimum, those measures that fulfill the requirements outlined in the HIPAA Rules, including compliance with the applicable requirements of the Security Regulations. Business Associate agrees to provide proof of compliance with this section to Covered Entity upon request. [Dena’s note: Requiring proof is key.]