The ADA “Sample Business Associate Agreement” in the ADA Practical Guide to HIPAA Compliance Privacy and Security Manual illustrates how a dental practice might enter into a business associate agreement with a business associate. The ADA Sample Business Associate Agreement is designed to be used as a tool for covered dental practices and their attorneys to use to develop a compliant business associate agreement between a dental practice and its business associate. Use of the ADA Sample Business Associate Agreement does not replace consultation with a lawyer or negotiations between the dental practice and business associate.
The HIPAA Privacy and Security Rules require that certain provisions be included in a compliant business associate agreement. Such provisions are included in the ADA Sample Business Associate Agreement. However, the parties to the agreement may also wish to include other provisions, such as provisions that relate to limitation of liability, indemnification, and insurance. Examples of certain optional provisions are included in brackets (“[ ]”) in the ADA Sample Business Associate Agreement.
In addition, certain other provisions may be included in a business associate agreement in compliance with applicable state law. For example, additional provisions may be necessary to create a binding contract under state law. Also, state law that is more stringent than HIPAA may require changes to the business associate agreement. A qualified attorney can help a covered dental practice develop a business associate agreement that complies with applicable federal and state law for use in a specific contractual relationship.
Some business associate agreements are styled as attachments or amendments to an underlying contract between the dental practice and the business associates, and others are stand-alone documents that may refer to an underlying agreement. The ADA Sample Business Associate Agreement is styled as a stand-alone document with a space for inserting a reference to the underlying agreement.
The business portions of the underlying contracts between covered entities and their business associates vary greatly – who does what, for whom, when, for what payment, on what terms and conditions, for how long, etc. Some contracts may be simple, others more complex. Some may be susceptible to significant negotiation, others perhaps not. Some may trigger other federal, state or local law and regulation; others may be free of such concerns.
Because the business aspects of each contract will vary, a business associate agreement is frequently drafted as an addendum to the underlying contract, or as a stand-alone agreement that refers to the underlying contract. Once the parties negotiate the business components of the contract, the addendum can be used to cover provisions required by the HIPAA Privacy and Security Rules by either incorporating the addendum directly into the contract or by reference to the addendum as an attachment to the contract. However, business associate terms may be incorporated into the underlying agreement instead.
The terms of each business associate agreement may vary depending on the nature of the contract involved, the relative bargaining positions of the parties, and so forth.