Business Associate Agreement Template

Professional HIPAA BAA covering PHI protection, 2026 breach notification rules, and Isreal Consulting's specific security commitments.

Business Associate Agreement

HIPAA BAA — Isreal Consulting, LLC

Effective upon execution by both parties · Version 2026-1

Covered Entity (CE): Healthcare Practice / Organization, as identified in the underlying Service Agreement (Organization name: ____________________)

Business Associate (BA): Isreal Consulting, LLC (ICLLC), IT Managed Services & Cybersecurity, https://www.icllc.cc/isrealos/

WHEREAS, Covered Entity is a covered entity under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations; and

WHEREAS, Isreal Consulting, LLC provides managed IT services, cybersecurity, backup, and related services ("Services") that involve the creation, receipt, maintenance, or transmission of Protected Health Information ("PHI") on behalf of Covered Entity;

NOW, THEREFORE, in consideration of the Services provided and in compliance with the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), Security Rule (45 CFR Part 164, Subpart C), and Breach Notification Rule (45 CFR Part 164, Subpart D), as amended by HITECH and the 2025–2026 HIPAA Security Rule update, the parties agree as follows:

1. Definitions
  • "Protected Health Information" (PHI) — Any individually identifiable health information created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, in any form or medium, as defined in 45 CFR §160.103.
  • "Electronic PHI" (ePHI) — PHI that is transmitted by or maintained in electronic media, as defined in 45 CFR §160.103.
  • "Breach" — The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
  • "Security Incident" — The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
  • "Subcontractor" — Any person or entity to whom Business Associate delegates a function, activity, or service involving PHI, other than as a member of Business Associate's workforce.
  • "Unsecured PHI" — PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of NIST-validated encryption or destruction methods.
  • "Services" — The managed IT, cybersecurity, backup, disaster recovery, and related services described in the underlying Service Agreement between the parties.
2. Obligations of Business Associate

Business Associate agrees to:

  • Not use or disclose PHI other than as permitted or required by this Agreement or as required by applicable law.
  • Use appropriate safeguards and comply with the HIPAA Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided by this Agreement.
  • Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, any security incident, and any breach of unsecured PHI, in accordance with Section 5 of this Agreement.
  • Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement.
  • Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Covered Entity's compliance with HIPAA.
  • Document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures, as provided in 45 CFR §164.528.
  • Return or destroy PHI upon termination of this Agreement, retaining no copies in any form except as legally required or as described herein.
3. Required Safeguards

Business Associate shall implement and maintain the following safeguards in accordance with the HIPAA Security Rule (45 CFR §§164.308–164.312) and the 2025–2026 HIPAA update:

🏛️ Administrative Safeguards
  • Annual security risk assessments (§164.308(a)(1))
  • Documented risk management policies
  • Security officer designation
  • Workforce security training
  • Contingency planning & disaster recovery
  • Annual evaluation of security measures
  • Vulnerability scanning every 6 months (2026 req.)
  • Annual penetration testing (2026 req.)
🏢 Physical Safeguards
  • Facility access controls (§164.310(a))
  • Workstation use policies (§164.310(b))
  • Device and media controls
  • Secure disposal of PHI media
  • Physical access logging for PHI systems
💻 Technical Safeguards
  • Access controls & unique user IDs (§164.312(a))
  • Audit logging of all PHI access (§164.312(b))
  • Integrity controls — prevent unauthorized alteration
  • Transmission security — TLS 1.2+ in transit
  • AES-256 encryption at rest (NIST SP 800-111)
  • Multi-factor authentication on PHI systems
  • Automatic session timeout
🔑 Organizational Safeguards
  • BAA with all subcontractors handling PHI
  • Documented information access policies
  • Separation of duties for PHI access
  • Minimum necessary principle enforced
  • Business continuity plan tested annually
4. Permitted Uses and Disclosures

4.1 Authorized Uses. Business Associate may use or disclose PHI only to perform Services set forth in the Service Agreement or as Required by Law. No secondary use of PHI is permitted for Business Associate's own benefit.

4.2 Minimum Necessary. Business Associate shall make reasonable efforts to limit PHI access to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, consistent with 45 CFR §164.502(b).

4.3 De-identification. Business Associate may use PHI to create de-identified health information pursuant to 45 CFR §164.514(b). De-identified information is not subject to this Agreement.

4.4 Management and Administration. Business Associate may use PHI for its proper management and administration, or to carry out legal responsibilities, provided that disclosures are required by law or Business Associate obtains reasonable assurances from recipients that PHI will be kept confidential.

4.5 Prohibited Uses. Business Associate shall not:

  • Use or disclose PHI in a manner that violates the HIPAA Privacy Rule.
  • Sell PHI or use PHI for marketing purposes without specific written authorization.
  • Use PHI to discriminate against individuals based on health conditions.
  • Retain PHI after the obligations under this Agreement have terminated, except as otherwise provided herein.
5. Breach Notification — 2026 Procedures

2026 Rule: All breach notifications to individuals and HHS must occur within 60 calendar days of discovery. Business Associate must notify Covered Entity within 24 hours of discovery to allow adequate time to comply.

Within 24 Hours — BA Notifies CE

Upon discovery of a breach, Business Associate shall notify Covered Entity within 24 hours. Notification shall include: (a) description of the incident; (b) types of PHI involved; (c) number of individuals affected (if known); (d) steps taken to investigate and mitigate.

48–72 Hours — Investigation Complete

Business Associate shall complete its preliminary forensic investigation and provide Covered Entity a written report identifying: what PHI was accessed, by whom, for what period, whether PHI was encrypted at time of incident, and root cause.

Within 60 Days — Covered Entity Notifies Individuals

Covered Entity must notify affected individuals, HHS, and (if 500+ individuals in one jurisdiction) prominent media outlets, without unreasonable delay and no later than 60 calendar days following discovery of the breach.

Within 60 Days — HHS Notification

For breaches affecting 500 or more individuals, notification shall be made simultaneously with individual notification. For breaches affecting fewer than 500 individuals, Covered Entity may maintain a log and submit annually.

Post-Incident — Remediation

Business Associate shall implement corrective measures and provide Covered Entity a written remediation plan within 30 days of the forensic investigation's conclusion.

5.5 Safe Harbor. A breach does not trigger notification obligations if the PHI was encrypted using NIST-validated cryptography (AES-256 at rest; TLS 1.2+ in transit) and the encryption keys were not compromised.

5.6 Security Incidents. Business Associate shall report all security incidents within 24 hours of discovery, even if such incident does not constitute a reportable breach.

6. Subcontractors and Agents

6.1 Flow-Down Requirement. Business Associate shall ensure that any subcontractor (including cloud storage providers, offsite backup services, or third-party vendors) that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees to the same restrictions by entering into a written Business Associate Agreement prior to handling any PHI.

6.2 Responsibility. Business Associate remains liable for the acts and omissions of its subcontractors with respect to PHI to the same extent Business Associate would be liable if it had performed the act directly.

6.3 Subcontractor Notification. Business Associate shall notify Covered Entity in writing of any material new subcontractors that will process PHI within 10 business days of engaging such subcontractor.

7. Obligations of Covered Entity

Covered Entity shall:

  • Notify Business Associate of any limitations in Covered Entity's Notice of Privacy Practices that may affect Business Associate's use or disclosure of PHI.
  • Notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI.
  • Notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by.
  • Not request that Business Associate use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
  • Maintain its own HIPAA policies and procedures, conduct its own risk assessments, and ensure its workforce is trained in HIPAA requirements.
8. Term and Termination

8.1 Term. This Agreement shall be effective as of the Effective Date and shall continue in effect until all obligations of both parties have been met, or until terminated as provided herein.

8.2 Termination for Cause. Upon either party's knowledge of a material breach by the other party, the non-breaching party shall provide written notice. If the breach is not cured within 30 days, the non-breaching party may terminate this Agreement immediately.

8.3 Effect of Termination. Upon termination, Business Associate shall return or destroy all PHI. Business Associate shall certify in writing that all PHI has been returned or destroyed and that no copies remain in any form.

8.4 Survival. The obligations of Business Associate with respect to any PHI not returned or destroyed survive termination of this Agreement.

9. Isreal Consulting, LLC — Specific Security Commitments

In addition to the general obligations set forth above, Isreal Consulting, LLC specifically commits to the following for all healthcare clients:

9.1 Encryption. All ePHI processed, stored, or transmitted by ICLLC shall be encrypted using AES-256 at rest (NIST SP 800-111) and TLS 1.2 or higher in transit. Encryption keys shall be stored separately from encrypted data, rotated annually, and rotated immediately when personnel with key access depart.

9.2 Access Controls. ICLLC shall implement role-based access controls using the principle of minimum necessary access. Access to ePHI systems shall require multi-factor authentication. Access rights shall be reviewed quarterly and immediately revoked for terminated personnel.

9.3 Audit Logging. ICLLC shall maintain audit logs of all access to ePHI systems. Logs shall record: timestamp, user identity, data accessed, action type, and originating IP/device. Audit logs shall be retained for a minimum of six (6) years.

9.4 Incident Response. Upon detection of a security incident, ICLLC shall: (a) isolate affected systems within 2 hours; (b) preserve forensic evidence; (c) begin investigation within 4 hours; (d) provide initial findings to Covered Entity within 24 hours. A full forensic report shall be provided within 72 hours.

9.5 Vulnerability Management. Per 2026 HIPAA requirements, ICLLC conducts: (a) automated vulnerability scanning every six (6) months; (b) annual penetration testing by a certified ethical security firm; (c) annual risk assessment per §164.308(a)(1). Critical vulnerabilities shall be remediated within 30 days.

9.6 Backup and Recovery. ICLLC maintains encrypted, geographically redundant backups using the 3-2-1 methodology. Backup restoration is tested annually and results documented with RTO and RPO targets.

9.7 Workforce Training. All ICLLC personnel with access to PHI systems receive annual HIPAA security awareness training. Training completion is documented and available for review.

10. Miscellaneous

10.1 Regulatory References. All regulatory references shall include amendments and updates, including the 2025–2026 HIPAA Security Rule update.

10.2 Entire Agreement. This Agreement, together with the underlying Service Agreement, constitutes the entire agreement between the parties with respect to HIPAA compliance and PHI protection. In the event of conflict, this Agreement shall control.

10.3 Amendment. This Agreement may only be amended by a written instrument signed by authorized representatives of both parties, with 30 days written notice.

10.4 Severability. If any provision of this Agreement is found to be unenforceable or invalid, the remaining provisions shall remain in full force and effect.

10.5 Governing Law. This Agreement shall be governed by the laws of the State where the Covered Entity's principal place of business is located, subject to applicable federal law including HIPAA.

10.6 Indemnification. Each party agrees to indemnify and hold harmless the other party from any claims, losses, damages, or fines arising from the indemnifying party's breach of this Agreement or violation of applicable law.

10.7 No Third-Party Beneficiaries. This Agreement is for the benefit of, and may only be enforced by, the parties hereto and their respective successors and assigns.

Execution — Both Parties Must Sign

Covered Entity
  Authorized Representative Signature: ____________________
  Printed Name & Title: ____________________
  Organization Name: ____________________
  Date: ____________________

Isreal Consulting, LLC (Business Associate)
  Authorized Representative Signature: ____________________
  Printed Name & Title: ____________________
  Organization: Isreal Consulting, LLC
  Date: ____________________
