HIPAA Compliance Agreement
Agreement governing the handling of Protected Health Information (PHI) in connection with newsletter and email communication services.
1. Purpose
This Agreement is entered into in connection with newsletter and email marketing services provided by Business Associate on behalf of the Covered Entity. In performing these services, Business Associate may have access to Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
2. Permitted Use of PHI
Business Associate agrees to use PHI solely for the purpose of performing contracted services for Covered Entity and for no other purpose. PHI shall not be used for Business Associate’s own marketing, business development, or personal use.
3. Safeguards
Business Associate agrees to implement reasonable administrative, technical, and physical safeguards to protect PHI from unauthorized access, disclosure, alteration, or destruction. Access to PHI shall be limited to the minimum necessary to perform agreed services.
4. Third-Party Services
If Business Associate utilizes third-party platforms to deliver email communications, Business Associate agrees to ensure such platforms provide HIPAA-compliant services and execute appropriate Business Associate Agreements where required.
5. Breach Notification
Business Associate shall notify Covered Entity without unreasonable delay upon discovery of any unauthorized access, disclosure, or breach of PHI.
6. Return or Destruction of PHI
Upon termination of services, Business Associate agrees to return or securely destroy all PHI in its possession unless retention is required by law.
7. Term
This Agreement shall remain in effect for the duration of services provided by Business Associate and shall survive termination to the extent required by HIPAA.
8. Ownership
All PHI remains the sole property of the Covered Entity. Nothing in this Agreement transfers ownership or rights to Business Associate.