Sample Business Associate Agreement
Instructions
Title and Intro A
Sample Red Flag Agreement for Business Associates
This Agreement is made between [name of psychology practice] (Practice) and [name of business associate] (Business Associate). The parties are agreeing to take such action as is necessary to comply with the requirements of the Red Flag Rules. The purpose of this Agreement is to make the Practice compliant with the requirements of the Red Flag Rules (12 CFR Section 681.2, (b)(10) and (e)(4)) that the Practice ensure that the activities of the Business Associate will be conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
Title and Intro B
Sample Addendum to Business Associates Contract
This Addendum to the Business Associates Contract is made between [Name of psychology practice] (Practice) and [Name of business associate] (Business Associate) dated [insert date of original Business Associate Contract]. The Parties are agreeing to take such action as is necessary to comply with the requirements of the Red Flag Rules (12 CFR 681). The purpose of this Addendum is to make the Practice compliant with the Red Flag Rules requirements (12 CFR Section 681.2, (b)(10) and (e)(4)) that the Practice have in place a Business Associate contract that will ensure that the activities of the Business Associate will be conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
A. Business Associate shall be alert to and act on evidence of fraud
Business Associate shall be alert to suspicious activity such as:
Identification documents that appear altered or forged
Information provided by client is inconsistent, for example, information on one form of identification submitted is different from information on another form of identification (such as age, address, occupation)
Suspicious change of address notice (for example, a move from an expensive to an inexpensive neighborhood)
Evidence that your paper or electronic records may have been compromised, for example, you discover that a staff member accessed patient files without authorization, or that locked patient files have been broken into
Business Associate shall act upon suspicious activities or evidence of identity theft as appropriate by notifying Practice as follows:
Notifying the Practice of suspicious activity
Investigating any suspicious activity that may have occurred within Business Associate’s operation, for example, unauthorized access by Business Associate’s employees.
Taking corrective action to the extent that suspicious activity appears to have occurred within Business Associate’s operation
Changing passwords on electronic record accounts that may have been compromised
Notifying Practice where it appears that Practice or its patients may have been victims of identity theft
B. Business Associate will ensure that its staff is trained on implementing this agreement/addendum
Business Associate’s management and employees will be trained in the implementation of these policies.
Business Associate’s management and employees will be given a copy of this policy to read and initial.
| BUSINESS ASSOCIATE | PRACTICE |
| Signature | Signature |
| Print Name and Title | Print Name and Title |
| Date | Date |
PLEASE NOTE: Legal issues are complex and highly fact-specific and require legal expertise that cannot be provided by any single document. In addition, laws change over time and vary by jurisdiction. The information in this document should not be used as a substitute for obtaining personal legal advice and consultation prior to making decisions regarding individual circumstances.
