Atlas Legal Document
Business Associate Agreement
Standalone HIPAA Business Associate Agreement for covered entities and business associates that use Atlas to create, receive, maintain, or transmit protected health information.
1. Separate agreement and definitions
This Business Associate Agreement is a separate agreement that applies only when Atlas acts as a business associate by creating, receiving, maintaining, or transmitting protected health information for a covered entity or another business associate.
For this agreement, Atlas is the Business Associate and the organization using Atlas for a HIPAA-regulated workflow is the Covered Entity or Customer Business Associate, as applicable.
Capitalized HIPAA terms, including Business Associate, Covered Entity, Designated Record Set, Electronic Protected Health Information, Protected Health Information, Security Incident, and Unsecured Protected Health Information, have the meanings given to them under 45 CFR Parts 160 and 164.
2. Permitted and required uses and disclosures
Atlas may use or disclose Protected Health Information only as permitted or required by this agreement, the underlying services agreement, written instructions from the Covered Entity or Customer Business Associate, or as required by law.
Atlas may use and disclose Protected Health Information to perform services for the Covered Entity or Customer Business Associate, including treatment, payment, health care operations, records exchange, administrative support, platform security, and other services described in the underlying services agreement.
Atlas may use Protected Health Information for its proper management and administration, to carry out its legal responsibilities, and for data aggregation services relating to the health care operations of the Covered Entity, in each case only as permitted by HIPAA.
3. Limitations on use and disclosure
Atlas will not use or further disclose Protected Health Information other than as permitted or required by this agreement or as required by law.
Atlas will not use or disclose Protected Health Information in a manner that would violate the HIPAA Privacy Rule if done by the Covered Entity, except for uses and disclosures permitted for business associate management, administration, legal responsibilities, and data aggregation.
Atlas will make reasonable efforts to use, disclose, and request only the minimum necessary Protected Health Information for the intended purpose unless HIPAA permits or requires a different standard.
4. Safeguards and Security Rule compliance
Atlas will use appropriate administrative, physical, and technical safeguards to prevent use or disclosure of Protected Health Information other than as provided by this agreement.
With respect to Electronic Protected Health Information, Atlas will comply with the applicable requirements of Subpart C of 45 CFR Part 164.
Atlas will mitigate, to the extent practicable, harmful effects known to Atlas from a use or disclosure of Protected Health Information by Atlas that violates this agreement.
5. Subcontractors
Atlas will ensure that any subcontractor that creates, receives, maintains, or transmits Protected Health Information on behalf of Atlas agrees in writing to the same restrictions, conditions, and requirements that apply to Atlas with respect to that information.
Atlas will remain responsible for its own obligations under this agreement when using subcontractors to perform services involving Protected Health Information.
6. Reporting impermissible uses, disclosures, and breaches
Atlas will report to the Covered Entity or Customer Business Associate any use or disclosure of Protected Health Information not provided for by this agreement of which Atlas becomes aware.
Atlas will report breaches of Unsecured Protected Health Information as required by 45 CFR 164.410 and will provide information reasonably available to Atlas for the Covered Entity or Customer Business Associate to meet applicable breach-notification obligations.
Atlas will report Security Incidents involving Electronic Protected Health Information of which Atlas becomes aware. The parties may treat repeated unsuccessful security events, such as pings, scans, unsuccessful login attempts, and similar routine events, as reported through periodic or summary reporting if the underlying services agreement so provides.
7. Access, amendment, and accounting support
To the extent Atlas maintains Protected Health Information in a Designated Record Set, Atlas will make that information available as necessary for the Covered Entity to satisfy access obligations under 45 CFR 164.524.
Atlas will make Protected Health Information available for amendment and incorporate amendments as necessary for the Covered Entity to satisfy 45 CFR 164.526.
Atlas will make information available as necessary for the Covered Entity to provide an accounting of disclosures under 45 CFR 164.528.
If Atlas receives an individual rights request directly, Atlas may forward the request to the Covered Entity or Customer Business Associate unless the parties have agreed in writing that Atlas will respond directly.
8. Covered Entity responsibilities and HHS access
The Covered Entity or Customer Business Associate is responsible for notifying Atlas of any limitation in its notice of privacy practices, any restriction on use or disclosure, or any change in permission that may affect Atlas's use or disclosure of Protected Health Information.
The Covered Entity or Customer Business Associate will not request that Atlas use or disclose Protected Health Information in a manner that would be impermissible under HIPAA if done by the Covered Entity, except where HIPAA permits the request.
Atlas will make its internal practices, books, and records relating to the use and disclosure of Protected Health Information available to the U.S. Department of Health and Human Services for purposes of determining HIPAA compliance.
9. Termination and return or destruction of PHI
The Covered Entity or Customer Business Associate may terminate the underlying services agreement if Atlas violates a material term of this Business Associate Agreement and does not cure the violation within the cure period, if any, provided by the underlying services agreement.
Upon termination of the services involving Protected Health Information, Atlas will return or destroy Protected Health Information received from, or created, maintained, or received by Atlas on behalf of, the Covered Entity or Customer Business Associate, if feasible.
If return or destruction is infeasible, Atlas will extend the protections of this agreement to the retained Protected Health Information and limit further uses and disclosures to the purposes that make return or destruction infeasible.
10. Precedence for PHI terms
This Business Associate Agreement controls over conflicting terms in another agreement only with respect to the use, disclosure, safeguarding, reporting, return, or destruction of Protected Health Information and other HIPAA-required business associate obligations.
Commercial terms that do not conflict with HIPAA-required business associate obligations remain governed by the separate applicable services agreement, order form, provider agreement, or other written agreement between the parties.
This page is the canonical Atlas web copy for the current onboarding document version. If your organization needs a countersigned copy or negotiated amendment, use your normal Atlas implementation channel.