HIPAA Business Associate Agreement

If Customer is a Covered Entity or a Business Associate and includes Protected Health Information in Customer Data, FastTrack Data, or Professional Services Data, this HIPAA Business Associate Agreement (“BAA”) is incorporated upon execution of an agreement (“Agreement”) that incorporates the Microsoft Products and Services Data Protection Addendum.

If there is any conflict between a provision in this BAA and a provision in the Agreement, this BAA will control.

1. Definitions

Except as otherwise defined in this BAA, capitalized terms shall have the definitions set forth in HIPAA, and if not defined by HIPAA, such terms shall have the definitions set forth in the Agreement.

  • Breach Notification Rule – means the Breach Notification for Unsecured Protected Health Information Final Rule.
  • Business Associate – has the same meaning as in 45 CFR § 160.103.
  • Covered Entity – has the same meaning as in 45 CFR § 160.103.
  • Customer – means Customer and its Affiliates.
  • FastTrack Data – means all data provided to Microsoft for FastTrack Services.
  • FastTrack Services – means onboarding and migration services for Microsoft services.
  • HIPAA – includes the Privacy Rule, the Security Rule, the Breach Notification Rule, and the HITECH Act.
  • Protected Health Information – means PHI as defined in HIPAA.
  • Security Rule – means the standards for protecting electronic PHI.

2. Permitted Uses and Disclosures of Protected Health Information

  • Performance of the Agreement
    • Microsoft may use and disclose PHI as required to perform services under the Agreement.
    • Such use must comply with HIPAA requirements.
  • Management and Legal Responsibilities
    • Microsoft may use PHI for internal management or legal obligations.
    • Disclosure is allowed only if:
      • Required by law; or
      • Recipient agrees to confidentiality and proper handling.

3. Responsibilities of the Parties

Microsoft’s Responsibilities

  • Limitations on Use
    • PHI cannot be used outside agreed purposes.
    • No marketing or sale of PHI.
    • Only minimum necessary data should be used.
  • Safeguards
    • Implement security measures.
    • Comply with HIPAA Security Rule.
  • Reporting
    • Report any unauthorized use or disclosure of PHI.
    • Report breaches within 72 hours.
    • Notify Customer of security incidents.
  • Subcontractors
    • Must follow same HIPAA standards.
    • Microsoft remains responsible for them.
  • Access and Amendments
    • Provide access to PHI if required.
    • Allow amendments within 15 days.
  • Accounting of Disclosures
    • Provide records of disclosures within 30 days.

Customer Responsibilities

  • Must not request illegal use of PHI.
  • Responsible for own security safeguards.
  • Must not include PHI in:
    • Support tickets
    • Public forums
    • Address books
  • Must properly configure systems handling PHI.

4. Applicability of BAA

This BAA applies to Microsoft services that handle PHI. Customer must not process PHI until the BAA is active.

5. Term and Termination

  • Term
    • Valid until agreement ends or is terminated.
  • Termination for Breach
    • Either party may terminate for violation.
    • 30-day period may be given to fix issues.
  • Data Handling After Termination
    • PHI must be returned or destroyed.
    • If not possible, it must remain protected.

6. Miscellaneous

  • Interpretation – the BAA is to be interpreted so as to comply with HIPAA.
  • Amendments – only in written, signed form.
  • No Third-Party Rights – the agreement applies only to the parties involved.
  • Severability – an invalid clause does not affect the rest of the BAA.
  • No Agency Relationship – Microsoft is not acting as Customer’s agent.