
...






ATTACHMENT 1 
Is a Person or Entity a "Business Associate" and 
Required to Enter Into a Written Business Associate Contract?

[Flowchart (Lucidchart diagram)]

 



ATTACHMENT 2 
Examples of Potential Business Associates 
(This is not an all-inclusive list, nor is every arrangement listed necessarily a business associate. Use the attached flowchart and policy and procedure to analyze whether the relationship is a business associate relationship under HIPAA. Contact Legal Management at 2-4705 for assistance in the analysis.)

...



...


 

Independent service organizations (ISO) offering clinical/biomedical engineering services

Insurance brokers

Interpreter services (both deaf and foreign language)

Janitorial services; waste disposal and recycling services and companies

Law firms, their staff and employees

Lobbyists

Mailing houses

Maintenance contractors

Management services

Marketing services or firms

Medical equipment testing/repair services

Medical or Physician associations (National and State)

Medical record moving companies

Medical record storage companies

Medical record transcription services

Medical software vendors

Microfilm conversion providers

Organ and Tissue Banks

Organ procurement organization

Outsourced document shredders

Patient advocates

Pharmaceutical companies

Pharmaceutical manufacturers

Pharmaceutical representatives

Plasma Donor Centers

Printing companies (ID cards and other member materials)

Private health data systems

Professional liability insurance carriers

Recycling services and companies

Software vendors

Sperm Banks

Temporary Staffing Companies

Third-party administrators

Trade associations

Utilization management vendors

Value added networks

Vendors to business associates if involving the disclosure of independently identifiable health information

Waste disposal services and companies

...


This Business Associate Agreement ("BAA") is entered into between RowanSOM - [Name of School/Department/Unit] ("Rowan University"), a body corporate and politic of the State of New Jersey having its principal administrative offices at 40 East Laurel Road, UEC Bldg. Suite # 1031, Stratford, NJ 08084 (hereinafter referred to as "Covered Entity") and [Name and Address of Contracting Party] (hereinafter referred to as "Business Associate") (the "Covered Entity" and "Business Associate" hereinafter collectively referred to as the "Parties"). Any conflict between the terms of this BAA and the Underlying Agreement between the Parties shall be governed by the terms of this BAA.
WHEREAS, in connection with the Underlying Agreement the Business Associate provides services to Covered Entity and Covered Entity discloses to Business Associate certain Protected Health Information that is subject to protection under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009) (the "HITECH Act"), and regulations promulgated by the U.S. Department of Health and Human Services (the "HHS") (hereinafter the "HIPAA Regulations" and the "HITECH Regulations," respectively) and/or applicable state and/or local laws and regulations; and 
WHEREAS, for good and lawful consideration and with acknowledgment of the mutual promises, set forth in the Underlying Agreement and herein, the Parties, intending to be legally bound, hereby agree as follows: 

I. Definitions [1]

 

...

A. Breach means the unauthorized acquisition, access, use, or disclosure of protected health information ("PHI") which compromises the security or privacy of such information in violation of HIPAA, the HITECH Act, the HIPAA Regulations, and/or the HITECH Regulations, except when the covered entity demonstrates that there is a low probability that the PHI has been compromised. The term "Breach" does not include:

  1. Any unintentional acquisition, access, or use of PHI by an employee or person acting under the authority of a Covered Entity or Business Associate if:
    1. Such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or person, respectively, with the Covered Entity or Business Associate; and
    2. Does not result in further unauthorized use or disclosure; or
  2. Any inadvertent disclosure by a person who is otherwise authorized to access PHI at a Covered Entity or Business Associate to another, similarly authorized person at the same Covered Entity, Business Associate or organized health care arrangement in which the Covered Entity participates and such information received as a result of such disclosure is not further used or disclosed in an impermissible manner.

...

                                            

 

...


[1] An expanded definition of the following terms, as well as the definition of other relevant terms, are available on the RowanSOM website at https://www.rowan.edu/compliance. Terms used in this Business Associate Agreement but not otherwise defined shall have the meaning ascribed to those terms in HIPAA, the HITECH Act, and any current and future regulations promulgated under HIPAA and/or the HITECH Act. See 45 C.F.R. 160.103, 164.402 and 164.501.