Sample Business Associate Agreement

Instructions

This document is for use with any business associates who handle patient information as described in "Guidance for psychologists on 'Red Flag Rules' compliance" and as described in Section E of the Sample Red Flag Program. If you do not have an existing business associate contract with such entities, use Title and Intro A. If you do have a business associate contract, use Title and Intro B. Please use only one of the options and delete the option that you do not use on your signed document.

Title and Intro A

Sample Red Flag Agreement for Business Associates

This Agreement is made between [name of psychology practice] (Practice) and [name of business associate] (Business Associate). The parties are agreeing to take such action as is necessary to comply with the requirements of the Red Flag Rules. The purpose of this Agreement is to make the Practice compliant with the requirements of the Red Flag Rules (12 CFR Section 681.2, (b)(10) and (e)(4)) that the Practice ensure that the activities of the Business Associate will be conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

Title and Intro B

Sample Addendum to Business Associates Contract

This Addendum to the Business Associates Contract is made between [Name of psychology practice] (Practice) and [Name of business associate] (Business Associate) dated [insert date of original Business Associate Contract]. The Parties are agreeing to take such action as is necessary to comply with the requirements of the Red Flag Rules (12 CFR 681). The purpose of this Addendum is to make the Practice compliant with the Red Flag Rules requirements (12 CFR Section 681.2, (b)(10) and (e)(4)) that the Practice have in place a Business Associate contract that will ensure that the activities of the Business Associate will be conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

A. Business Associate shall be alert to and act on evidence of fraud

Business Associate shall be alert to suspicious activity such as:

  • Identification documents that appear altered or forged 

  • Information provided by client is inconsistent, for example, information on one form of identification submitted is different from information on another form of identification (such as age, address, occupation) 

  • Suspicious change of address notice (for example a move from an expensive to an inexpensive neighborhood) 

  • Evidence that your paper or electronic records may have been compromised, for example, you discover that a Staff member accessed patient files without authorization, or that locked patient files have been broken into

Business Associate shall act upon suspicious activities or evidence of identity theft as appropriate by notifying Practice as follows:

  • Notifying the Practice of suspicious activity 

  • Investigating any suspicious activity that may have occurred within Business Associate’s operation, for example, unauthorized access by Business Associate’s employees.

  • Taking corrective action to the extent that suspicious activity appears to have occurred within Business Associate’s operation

  • Changing passwords on electronic record accounts that may have been compromised

  • Notifying Practice where it appears that Practice or its patients may have been victims of identity theft

B. Business Associate will ensure that its staff is trained on implementing this agreement/addendum

Business Associate’s management and employees will be trained in the implementation of these policies.

Business Associate’s management and employees will be given a copy of this policy to read and initial.

BUSINESS ASSOCIATE              PRACTICE

Signature                       Signature
Print Name and Title            Print Name and Title
Date                            Date

PLEASE NOTE: Legal issues are complex and highly fact-specific and require legal expertise that cannot be provided by any single document. In addition, laws change over time and vary by jurisdiction. The information in this document should not be used as a substitute for obtaining personal legal advice and consultation prior to making decisions regarding individual circumstances.