Business Associate Agreement
WHEREAS, Covered Entity is subject to the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§ 1320d – 1320d-8 (“HIPAA”), as amended from time to time, and is required to safeguard individually identifiable health information the Covered Entity creates, receives, maintains or transmits (hereinafter “protected health information” or “PHI”) in accordance with the requirements HIPAA establishes and also the requirements set forth in the Health Information Technology for Economic and Clinical Health Act and any regulations promulgated thereunder (the “HITECH Act”); and
WHEREAS, Covered Entity desires to engage the services of Business Associate to perform certain tasks on behalf of Covered Entity which may involve the use or disclosure of PHI created, received, maintained or transmitted by Covered Entity and/or other Business Associates of Covered Entity; and
WHEREAS, Business Associate desires to perform the designated services on behalf of Covered Entity;
NOW THEREFORE, for and in consideration of the mutual premises, conditions and covenants herein contained, the parties hereto agree as follows:
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
Other capitalized terms shall have the meaning ascribed to them in the context in which they first appear.
a. Regulations. Terms used, but not otherwise defined, in the Agreement shall have the same meaning as those terms in the federal Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160, subpart A and Part 164, subparts A and E (the “Privacy Rule”); the federal Security Standards, 45 C.F.R. Part 160, subpart A and Part 164, subparts A and C (the “Security Standards”); and 45 C.F.R. Part 160, subpart A and Part 164, subpart D (the “Breach Notification Rule”), and as each may be amended from time to time. Collectively, the Privacy, Security and Breach Notification Rules are referred to as the “HIPAA Rules.”
b. Business Associate. “Business Associate” shall generally have the same meaning as the term “Business Associate” at 45 CFR 160.103.
c. Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.
d. Electronic Protected Health Information. “Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “Electronic Protected Health Information” in 45 C.F.R. 160.103, and shall refer to PHI that Covered Entity, or Business Associate on behalf of Covered Entity, transmits or maintains in electronic media.
e. HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
f. Individual. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).
g. Protected Health Information. “Protected Health Information” or “PHI” as used in this Agreement means (subject to the definition at 45 C.F.R. § 160.103) Individually Identifiable Health Information that Business Associate creates, receives, maintains or transmits on behalf of Covered Entity. This Agreement is intended to comply with the requirements for Business Associate agreements under the HIPAA Rules and is to be construed to achieve compliance with those requirements.
h. Underlying Services Agreement. “Underlying Services Agreement” shall mean the agreement between the Parties hereto setting forth the scope of the services Covered Entity has engaged Business Associate to provide on Covered Entity’s behalf.
i. Unsecured Protected Health Information. “Unsecured Protected Health Information” or “Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance, as set forth at 45 C.F.R. 164.402.
2. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
a. Stated Purposes. Business Associate is permitted to use and/or disclose PHI as necessary to perform the services specified in the underlying services agreement between the parties (the “Stated Purposes”) and is otherwise prohibited from using or disclosing PHI provided or made available by Covered Entity for any purpose other than as expressly permitted or required by this Agreement.
b. Other Permitted Uses And Disclosures. In addition to the Stated Purposes for which Business Associate may use or disclose PHI, Business Associate may use or disclose PHI provided or made available from Covered Entity for the proper management and administration of Business Associate or to carry out legal responsibilities of Business Associate. Notwithstanding the foregoing, such a use and disclosure is permitted provided that:
c. The disclosure is Required By Law; or
d. Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person; the person will use appropriate safeguards to prevent use or disclosure of the PHI; and the person immediately notifies the Business Associate of any instance of which it is aware in which the confidentiality of the information has been breached.
e. Minimum Necessary. Business Associate agrees to make uses and disclosures and requests of PHI consistent with Covered Entity’s minimum necessary policies and procedures, such policies and procedures to be provided to Business Associate by Covered Entity concurrent with the execution of the Agreement.
f. Data Aggregation. Business Associate may use or disclose PHI to provide data aggregation services, as that term is defined by 45 C.F.R. 164.501, relating to the health care operations of Covered Entity.
3. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
a. Limits On Use And Further Disclosure Established By Agreement or By Law. Business Associate hereby agrees that the PHI provided or made available by Covered Entity shall not be further used or disclosed other than as permitted or required by the Agreement or as Required By Law. Business Associate shall comply with the provisions of this Agreement related to the privacy and security of PHI and all present and future provisions of the HIPAA Rules that are applicable to Covered Entity and/or Business Associate. To the extent Business Associate is to carry out any of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
b. Appropriate Safeguards. Business Associate will establish and maintain appropriate safeguards to prevent any use or disclosure of the PHI, other than as provided for by this Agreement and comply with the Security Rule with respect to electronic PHI.
c. Reports Of Improper Use Or Disclosure. Business Associate hereby agrees that it shall report to Covered Entity within thirty (30) days of discovery any use or disclosure of PHI not provided for or allowed by this Agreement. This provision shall apply to Breaches of Unsecured PHI, as those terms are defined at 45 C.F.R. § 164.402. Business Associate’s notice shall include the applicable elements as set forth at 45 C.F.R. §164.410(c) when Breaches of Unsecured PHI occur.
d. Subcontractors. In accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate hereby agrees to enter into written agreements with any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate, and the terms of such agreements shall incorporate the applicable restrictions, conditions, and requirements that apply to Business Associate with respect to such information as set forth herein.
e. Right of Access to Information. Business Associate hereby agrees to make available and provide a right of access to PHI by an Individual. This right of access shall conform with and meet the requirements set forth at 45 C.F.R. § 164.524. The obligations of Business Associate in this paragraph apply only to PHI in Designated Record Sets in Business Associate’s possession or control as such term is defined at 45 C.F.R. § 164.501.
f. Amendment and Incorporation of Amendments. Business Associate agrees to make PHI available for amendment and to incorporate any amendments to PHI in accordance with 45 C.F.R. 164.526, which describes the requirements applicable to an Individual’s request for an amendment to the PHI relating to the Individual. The obligations of Business Associate in this paragraph apply only to PHI in Designated Record Sets in Business Associate’s possession or control as such term is defined at 45 C.F.R. § 164.501.
g. Provide Accounting. Business Associate agrees to make PHI and information related to the disclosures available as required to provide an accounting of disclosures in accordance with 45 C.F.R. 164.528, which describes the requirements applicable to an Individual’s request for an accounting of disclosures of PHI relating to the Individual. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting. In addition, as required by the HITECH Act, effective on such date as the Secretary may specify, if Business Associate uses electronic health records, as defined at 42 U.S.C. § 17931, Business Associate will record disclosures through electronic health records for treatment, payment and health care operations purposes, if any, in accordance with the specifications established by the Secretary.
h. Access to Books and Records. Business Associate hereby agrees to make its internal practices, books, and records relating to the use or disclosure of PHI received from, or created or received by Business Associate on behalf of the Covered Entity, available to the Secretary of the Department of Health and Human Services (“HHS”), or the Secretary’s designee, for purposes of determining Covered Entity’s compliance with its obligations under HIPAA.
i. Mitigation Procedures. Business Associate agrees to have procedures in place for mitigating, to the maximum extent practicable, any deleterious effect from the use or disclosure of PHI in a manner contrary to this Agreement or the Privacy Rule.
j. Prohibition on Remuneration for PHI. Unless an exception applies, as set forth at 42 U.S.C. § 17935(d)(2), in no event may Business Associate directly or indirectly receive remuneration in exchange for any PHI of an Individual unless Covered Entity obtains from the Individual a valid authorization that includes a specification of whether the PHI can be further exchanged for remuneration by the entity receiving PHI of that Individual. This prohibition does not apply to remuneration Business Associate receives from the Covered Entity for activities that the Business Associate undertakes on behalf of and at the specific request of the Covered Entity pursuant to this Agreement.
4. OBLIGATIONS OF COVERED ENTITY
a. Restrictions in Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 C.F.R. 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
b. Changes in Permission by Individuals. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
c. Agreed-Upon Restrictions. Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
d. Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Entity, except that Business Associate may use or disclose PHI for the management and administration and legal responsibilities of the Business Associate as specified herein.
5. ACKNOWLEDGMENT OF OBLIGATIONS
a. Business Associate acknowledges that it is directly subject to HIPAA, as amended by the HITECH Act, including, but not limited to, Sections 164.308, 164.310, 164.312 and Section 164.316, as well as the enforcement and penalty provisions HIPAA provides, as they may be amended from time to time. See 42 U.S.C. §§ 17931, 17934. Business Associate agrees that it will (a) comply with all applicable provisions of HIPAA, as amended by the HITECH Act and as it may be further amended from time to time; and (b) not act in any way to interfere with or hinder Covered Entity’s ability to comply with HIPAA, as amended by the HITECH Act and as it may be further amended from time to time.
6. BREACH REPORTING
a. In the event that either Party has knowledge of a material breach of this Agreement by the other Party, the non-breaching Party may immediately terminate this Agreement.
b. Alternatively, in the event that either Party has knowledge of a material breach of this Agreement by the other Party and cure is possible, the non-breaching Party may provide a reasonable opportunity for the breaching Party to cure the breach or end the violation. If the breaching Party does not cure the breach or end the violation within the time specified by non-breaching Party, the non-breaching Party may terminate this Agreement.
c. In the event that either Party has knowledge of a material breach of this Agreement by the other Party and cure is not possible, the non-breaching Party shall terminate the portion of the service being performed that is affected by the breach.
a. This Agreement may be terminated by either Party in accordance with this Agreement or by Covered Entity upon forty-five (45) days’ written notice.
b. Upon termination of this Agreement for any reason, if feasible, Business Associate will return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form and retain no copies of such information. If such return or destruction is not feasible, Business Associate will extend the protections of this Agreement to the information retained and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. This paragraph shall survive the termination of this Agreement.
c. Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.
a. Amendment. This Agreement cannot be amended except by mutual written agreement of Covered Entity and Business Associate.
b. Amendment for Compliance. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of the Agreement will remain in full force and effect. In addition, in the event Covered Entity believes in good faith that any provision of the Agreement fails to comply with the then-current requirements of the applicable HIPAA regulations, Covered Entity shall notify Business Associate in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and shall amend the terms of this Agreement, if necessary, to bring it into compliance. If after such thirty-day period this Agreement fails to comply with the HIPAA regulations with respect to the concern(s) raised pursuant to this paragraph, Covered Entity has the right to terminate this Agreement upon thirty (30) days’ written notice to Business Associate.
c. Binding Nature and Assignment. This Agreement shall be binding on the Parties hereto and their successors and assigns, but neither Party may assign this Agreement without the prior written consent of the other, which consent shall not be unreasonably withheld.
d. Notices. Whenever under this Agreement one Party is required to give notice to the other, such notice shall be deemed given if mailed by First Class United States mail, postage prepaid, and addressed as follows:
e. Force Majeure. Business Associate shall be excused from performance under this Agreement for any period Business Associate is prevented from performing any services pursuant hereto, in whole or in part, as a result of an Act of God, war, civil disturbance, court order, labor dispute or other cause beyond its reasonable control, and such nonperformance shall not be grounds for termination, except that Business Associate’s inability to perform will not be excused in the event that Business Associate failed to implement a reasonable disaster recovery plan prior to experiencing the event and invoking this provision.
f. No Third Party Beneficiaries. The Parties have not created and do not intend to create by this Agreement any third party rights under this Agreement.
g. Severability. If any provision of this Agreement, or any other agreement, document, or writing pursuant to or in connection with this Agreement, is found to be wholly or partially invalid or unenforceable, the remainder of this Agreement is unaffected.
h. Waiver. No term or provision of this Agreement shall be deemed waived and no breach excused unless such waiver or excuse of breach is in writing, signed by the Party against whom such waiver or excuse is claimed.
i. Entire Agreement. This Business Associate Agreement consists of this document, and constitutes the entire agreement between the Parties with respect to the subject matter hereof. There are no understandings or agreements relating to this Agreement which are not fully expressed herein and no change, waiver or discharge of obligations arising under this Agreement shall be valid unless in writing and executed by the Party against whom such change, waiver or discharge is sought to be enforced.
j. This Business Associate Agreement supersedes any and all previous signed Business Associate Agreements between both parties. The terms and conditions of this Business Associate Agreement will replace all previously agreed to PHI storage, handling, reporting, destruction and notification requirements.