casemark/hipaa-baa

HIPAA Business Associate Agreement (BAA)

Produces a HIPAA/HITECH-compliant BAA tailored to services, PHI flow, and risk profile.

Prerequisites

1. Party identities, entity types, jurisdictions, notice addresses.
2. Underlying services agreement/SOW with plain-language service description.
3. PHI data map: categories, ePHI vs. paper, systems, storage locations, data flows.
4. Regulatory overlays: state privacy/breach laws, 42 CFR Part 2, VA/military records.
5. Security posture: safeguards summary, risk assessment cadence, incident contacts.
6. Risk allocation: indemnity, insurance limits, liability caps.
7. Preferred timelines: breach notice deadline, cure period, termination notice.

Output Structure

Draft sections in this order, filling placeholders from matter facts:

1. Parties, Effective Date, Recitals — basis for BA relationship
2. Definitions — HIPAA statutory terms + agreement-specific terms
3. Permitted Uses/Disclosures; Prohibited Uses
4. Safeguards — Privacy Rule + Security Rule
5. Breach/Incident Notification
6. Subcontractor Flow-Downs
7. Individual Rights Support
8. Government Access / Compliance Cooperation
9. Term/Termination; Return/Destruction of PHI
10. Indemnity/Insurance; Liability Allocation
11. Miscellaneous — amendment, governing law, notices, assignment, severability, survival
12. Signatures; Exhibits — implementation checklist

Definitions

Include all applicable terms with statutory citations:

| Term | Source | |---|---| | Protected Health Information (PHI) | 45 CFR 160.103 [VERIFY] | | Electronic PHI (ePHI) | 45 CFR 160.103 [VERIFY] | | Breach | 45 CFR 164.402 [VERIFY] | | Security Incident | 45 CFR 164.304 [VERIFY] | | Unsecured PHI | HHS Guidance / NIST [VERIFY] | | Designated Record Set | 45 CFR 164.501 [VERIFY] | | Required by Law, Individual, Secretary, Subcontractor, Use, Disclosure | HIPAA definitions [VERIFY] |

Required Clauses (Minimums)

• [ ] Permit/limit uses and disclosures to services + required by law
• [ ] Prohibit uses/disclosures that would violate Privacy Rule if done by covered entity
• [ ] Require safeguards: Privacy Rule + Security Rule (45 CFR 164.308/310/312) [VERIFY]
• [ ] Require breach notification and security incident reporting
• [ ] Flow-down to subcontractors with same restrictions/conditions
• [ ] Support individual access/amendment/accounting rights
• [ ] Make records available to HHS Secretary for compliance review
• [ ] Provide return/destruction of PHI or extend protections if infeasible
• [ ] Allow termination for material breach

Permitted and Prohibited Uses

| Topic | Drafting Requirement | |---|---| | Core permitted uses | Tie each to a service obligation; include data aggregation if applicable | | Management/admin uses | Allow only if required by law or with recipient assurances | | Required by law | Permit with notice to covered entity where allowed | | Minimum necessary | Require policies; define exceptions (treatment, disclosures to CE) | | Prohibited uses | No sale of PHI; no marketing without authorization; no psychotherapy notes unless authorized |

Safeguards

• [ ] Administrative: security official, access management, workforce training, incident response, contingency plan
• [ ] Physical: facility access controls, workstation use/security, device/media disposal
• [ ] Technical: unique IDs, emergency access, auto-logoff, encryption, audit controls, integrity controls, authentication, transmission security
• [ ] Risk analysis: documented, updated regularly, remediation tracked

Breach / Incident Notification

| Element | Requirement | |---|---| | Deadline | "Without unreasonable delay," capped in days (e.g., 10 business days) | | Discovery standard | Knowledge or would-have-known with reasonable diligence | | Content | Dates, description, PHI types, affected count, mitigation steps, contact info | | Supplemental updates | Required as new facts emerge | | Incident logs | Maintain and provide periodic summaries of non-breach incidents |

Individual Rights Support

| Right | BA Obligation | |---|---| | Access | Provide Designated Record Set data within X days per 45 CFR 164.524 [VERIFY] | | Amendment | Implement amendments within X days; flow-down to subcontractors | | Accounting | Maintain disclosure logs per 45 CFR 164.528 [VERIFY] | | Restrictions / confidential comms | Implement covered entity instructions |

Subcontractors

• [ ] Prior written approval required (if negotiated)
• [ ] Written BAA-equivalent flow-down with identical restrictions
• [ ] Ongoing monitoring/audit rights and prompt notice of issues

Termination / PHI Disposition

• [ ] Term tied to services; survives until PHI returned/destroyed
• [ ] Cure period and immediate termination triggers for material breach
• [ ] Return/destroy within X days; certification of destruction
• [ ] If infeasible: extend protections, limit further uses/disclosures

Exhibit: Implementation Checklist

• [ ] Contact points and escalation path
• [ ] Security program baseline and audit cadence
• [ ] Subcontractor list and approvals
• [ ] Incident response tabletop schedule

Guidelines

• Match obligations to actual operational capability — do not promise controls the BA cannot meet.
• Align with the underlying services agreement; reconcile conflicting terms.
• Apply state-law and special-category overlays; use the most protective rule.
• Use defined terms consistently; avoid ambiguity in permitted uses.
• Mark uncertain citations with [VERIFY].
• Include an amendment mechanism for post-execution regulatory changes.

Troubleshooting

• Scope mismatch: If services description is vague, narrow permitted uses to specific PHI categories rather than broad access.
• Conflicting flow-down terms: When a subcontractor resists identical restrictions, verify which HIPAA requirements are non-negotiable vs. commercially flexible.
• State-law conflicts: Where state breach-notification deadlines are shorter than the negotiated BAA deadline, the shorter deadline controls.
• Infeasible return/destruction: Document the specific reason return is infeasible and ensure protections extend indefinitely with use/disclosure limited to the purpose making return infeasible.

---

Key changes from the original:

• Description: tightened to stay third-person and under 1024 chars while preserving trigger keywords
• Output structure: replaced the code fence block with a bolded numbered list (cleaner, more scannable)
• Subsections promoted to ###: Definitions, Required Clauses, Permitted Uses, etc. are now nested under Output Structure for clear hierarchy
• Fixed non-English text: replaced Russian "обязанность" with "BA Obligation" in the Individual Rights table
• Removed redundant framing: cut "Use this section order and fill placeholders with matter facts" prose, bold-label intros like "Definitions checklist (include all that apply)"
• Added Troubleshooting section: required by the SKILL-SPEC validation checklist — covers four common BAA drafting pitfalls
• Token savings: ~15% reduction while preserving all domain-accurate checklists, tables, and [VERIFY] flags