Page 4 of 10

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“Agreement”), effective ___________ (“Effective Date”) is entered into by and between _____ (“Covered Entity”) and _____ (“Business Associate”).

RECITALS

Whereas, the U.S. Department of Health and Human Services issued regulations on “Standards for Privacy of Individually Identifiable Health Information,” (the “Privacy Standards”) and the Health Insurance Reform: Security Standards (the “Security Standards”) which comprise 45 C.F.R. Parts 160 and 164, promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); and

Whereas, _____ is a “Covered Entity” and _____ is a “Business Associate” within the meaning of the Privacy and Security Standards; and

Whereas, _____ (Business Associate) acknowledges that Business Associate is required by law, pursuant to the HITECH Act, to comply with the HIPAA Security Rule (45 C.F.R. 164.302 through 164.318) and the use and disclosure provisions of the HIPAA Privacy Rule (45 C.F.R. 164.502, 164.504); and

Whereas, the parties hereto desire to enter into this Agreement to memorialize their obligations with respect to PHI pursuant to the requirements of the Privacy and Security Standards; and

Whereas, the obligations herein shall continue in effect so long as Business Associate uses, discloses, creates or otherwise possesses any PHI created or received on behalf of Covered Entity and until all PHI created or received by Business Associate on behalf of Covered Entity is destroyed or returned to Covered Entity pursuant to Paragraph 4.4 herein; and

Whereas, _____ (Business Associate) has entered into, and may in the future enter into, one or more agreements (the “Underlying Agreements(s)”) with (Covered Entity) which may be periodically updated, that require Business Associate to perform certain services for or on behalf of Covered Entity, which may require the use and/or disclosure of Individually Identifiable Health Information; and

Now, Therefore, in consideration of the mutual promises and agreements set forth below and in order to comply with all legal requirements for the protection of this information, the parties hereto agree as follows:

1.0 GENERAL PROVISIONS

1.1 Effect. This Agreement supplements, modifies and amends the Underlying Agreement and all written agreements made by or between the parties regarding the disclosure of PHI by Covered Entity to Business Associate, or the creation or receipt of PHI by Business Associate on behalf of Covered Entity. The terms and provisions of this Agreement shall supersede any other conflicting or inconsistent terms and provisions in the Underlying Agreement between the parties, including all exhibits or other attachments thereto and all documents incorporated therein by reference.

1.2 Interpretation. Any ambiguity in this Agreement shall be construed in favor of a meaning that permits both parties to comply with HIPAA and HITECH, as the case may be.

1.3 Amendment. _____ (Business Associate) and _____ (Covered Entity) agree to amend this Agreement to the extent necessary to allow Covered Entity to comply with the Privacy and Security Standards as promulgated, or as may be amended by the Secretary. This Agreement may be modified or amended only by the Parties in writing.

1.4 HITECH Act. In addition, the parties acknowledge and agree that the HITECH Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009, Public Law 111-5, imposes new requirements with respect to privacy, security, and breach notification and contemplates that such requirements shall be implemented by regulations to be adopted by HHS.

The provisions of the HITECH Act and the HITECH Business Associate Provisions are hereby incorporated by reference into this Agreement as if set forth herein in their entirety. Notwithstanding anything to the contrary, the HITECH Business Associate Provisions will be effective: (a) with respect to any security breach notification provision, September 23, 2009; and (b) with respect to the other HITECH Business Associate Provisions, February 17, 2010 or such subsequent date as may be specified in the HITECH Act or applicable final regulations.

1.5 HIPAA/HITECH Updates. Business Associate and Covered Entity further agree that, to the extent the HIPAA Privacy and Security Standards or the HITECH Act and any implementing regulations are amended by the Secretary or Congress, any such amendments shall be automatically incorporated by reference into this Agreement, unless Covered Entity is notified otherwise in writing by Business Associate.

1.6 Definitions. Capitalized terms used herein without definition shall have the respective meanings assigned to such terms in 45 C.F.R. Parts 160, 162, and 164 and the HITECH Act.

2.0 OBLIGATIONS OF BUSINESS ASSOCIATE

2.1 Use and Disclosure of Protected Health Information. Business Associate may use, possess, or disclose PHI only as required to satisfy its obligations under the Underlying Agreement, as permitted herein, or as required by law, but shall not otherwise use or disclose any PHI. In the event that Business Associate discloses PHI to subcontractors as part of the services provided under the Underlying Agreement, Business Associate shall ensure that its directors, officers, employees, contractors and agents do not use, possess, or disclose PHI received from Covered Entity in any manner that would constitute a violation of the Privacy and Security Standards if used by Covered Entity, except that Business Associate may use PHI (i) for Business Associate’s proper management and administrative services, (ii) to carry out the legal responsibilities of Business Associate, (iii) to provide data aggregation services relating to the health care operations of Covered Entity if required under the Underlying Agreement, (iv) to de-identify any and all PHI, provided that Business Associate de-identifies the PHI in accordance with the Privacy Rule, or (v) to report violations of the law to law enforcement, subject to 45 C.F.R. 164.512(f).

2.2 Safeguards against Misuse of Information. Business Associate shall use reasonable and appropriate safeguards to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of this Agreement. Further, Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI (ePHI) that it creates, receives, maintains, or transmits on behalf of Covered Entity as applicable, and in accordance with the requirements of the Privacy and Security Standards and all other applicable law.

2.3 Reporting of Disclosures of Protected Health Information. Business Associate shall report to Covered Entity within five (5) business days any use or disclosure of PHI in violation of this Agreement of which it becomes aware and the remedial action taken or proposed to be taken with respect to such use or disclosure, and shall account for such disclosure.

2.4 Agreements by Third Parties. Business Associate shall obtain and maintain a written agreement with each agent or subcontractor that has or will have access to PHI, which is received from, or created by Business Associate on behalf of, Covered Entity, pursuant to which agreement such agent or subcontractor agrees to be bound by the same restrictions and conditions that apply to Business Associate pursuant to this Agreement with respect to such PHI.

Business Associate shall take appropriate disciplinary action against any member of its workforce who uses or discloses PHI in violation of this Agreement and applicable law.

In the event of a breach of PHI, Business Associate understands that Business Associate is required by law to provide Covered Entity a report including patient name, contact information, nature/cause of the breach, PHI breached, and the date or period of time during which the breach occurred. Business Associate understands that such a report must be provided to Covered Entity within five (5) business days from the date of the breach or the date the breach should have been known to have occurred. Business Associate is responsible for any and all costs related to notification of individuals or next of kin (if the individual is deceased) of any security or privacy breach reported by Business Associate to Covered Entity.

2.5 Access to Information. Business Associate shall not maintain PHI in a Designated Record Set and, thus, 45 C.F.R. section 164.504(e)(2)(ii)(E) regarding providing individuals access to PHI shall not be applicable. Any request to access PHI made to Business Associate shall be referred to Covered Entity. Within seven (7) business days of a written request by Covered Entity, Business Associate shall allow a person who is the subject of PHI, such person’s legal representative, or Covered Entity, to have access to and to copy such person’s PHI maintained by Business Associate. Business Associate shall provide PHI in the format requested by such person, legal representative, or Covered Entity unless it is not readily producible in such format, in which case it shall be produced in standard hard copy format.

2.6 Availability of Protected Health Information for Amendment. Business Associate shall not maintain PHI in a Designated Record Set and, thus, 45 C.F.R. section 164.504(e)(2)(ii)(F) regarding making PHI available for amendment and incorporating any amendments made by an Individual shall not be applicable. Any request to amend PHI made to Business Associate shall be referred to Covered Entity. To the extent that Covered Entity grants an amendment to PHI which it previously provided to Business Associate and upon which Business Associate relied in providing services to Covered Entity, then Covered Entity shall provide such amended PHI to Business Associate, and Business Associate shall take such action as may be necessary to satisfy its obligations under the Underlying Agreement(s).

2.7 Accounting of Disclosures. Business Associate shall make disclosures of PHI only in connection with Covered Entity’s health care operations. Business Associate agrees to maintain a record of its disclosures of PHI, including disclosures not made for the purposes of this Agreement, pursuant to 45 C.F.R. section 164.504(e)(2)(ii)(G). Such record shall include the date of the disclosure, the name and, if known, the address of the recipient of the PHI, the name of the individual who is the subject of the PHI, a brief description of the PHI disclosed, and the purpose of the disclosure. Business Associate shall make such record available to an individual who is the subject of such information or to Covered Entity within thirty (30) days of a request and shall include disclosures made on or after the date which is three (3) years prior to the request if the PHI is maintained in an electronic health record or six (6) years prior to the request if the PHI is maintained in a paper health record. [45 C.F.R. 164.528, 164.530; HITECH 13405(c)].

Notwithstanding the foregoing, any request for an accounting of disclosures made to Business Associate regarding PHI disclosures made by Business Associate on behalf of Covered Entity should be referred to Covered Entity.

Business Associate shall not be required to maintain a record of disclosures of PHI made:

A. For the purpose of treatment, payment, or health care operations (as those terms are defined under HIPAA);

B. To an individual who is the subject of the PHI; and

C. Pursuant to an Authorization which is valid under HIPAA.

2.8 Availability of Books and Records. Business Associate hereby agrees to make its internal policies and procedures, documentation required by the Privacy and Security Standards relating to the physical, technical, and administrative safeguards, and books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of the Department of Health and Human Services for purposes of determining Covered Entity’s compliance with the Privacy and Security Standards.

2.9 Reporting of Security Incidents. Business Associate shall report to Covered Entity within five (5) business days any Security Incident, with respect to electronic PHI (ePHI) and as defined in 45 C.F.R. section 164.304, of which it becomes aware.

2.10 Identity Theft Protection Program. Business Associate agrees to implement an identity theft protection program, require all subcontractors with access to PHI to implement an identity theft protection program, and make all reasonable efforts to identify red flags that indicate identity or medical identity theft may be occurring or has occurred. The program shall include:

A. Adopt an identity theft protection program policy and procedure approved by the highest authority in Business Associate’s organization (e.g. Board of Directors, owner, partners, etc.);

B. Conduct a red flag (indicators of potential or actual identity or medical identity theft) risk analysis;

C. Provide workforce with training regarding the program and red flags identified;

D. Actively monitor for red flags;

E. Investigate any identified red flags and mitigate damages if appropriate;

F. Document any red flag investigation and subsequent activity;

G. Annually review the program to determine if changes are necessary which includes annually conducting a red flag risk analysis; and

H. Require senior management to monitor program activity.

2.11 Warranty that No PHI Has Been Used or Disclosed. Business Associate warrants that between the date on which performance of services commenced and the Effective Date of this Business Associate Agreement, no Covered Entity PHI has been used or disclosed contrary to HIPAA and its regulations by its agents, employees or assigns. This shall be an ongoing representation and warranty during the term of the Agreement. Business Associate shall immediately notify Covered Entity of any change in the status of the representation and warranty set forth in this section. Any breach of this section shall give Covered Entity the right to terminate the Underlying Agreement and this Agreement immediately for cause.

2.12 Failure to Perform Obligations. In the event Business Associate fails to perform the obligations under this Agreement, Covered Entity may, at its option:

A. Require Business Associate to submit a plan of compliance, including monitoring by Covered Entity and reporting by Business Associate, as Covered Entity, in its sole discretion, determines necessary to maintain compliance with this Agreement and applicable law. Such plan shall be incorporated into this Agreement by amendment hereto;

B. Require Business Associate to mitigate any loss occasioned by the unauthorized disclosure or use of PHI; and

C. Immediately discontinue providing PHI to Business Associate with or without written notice to Business Associate.

3.0 OBLIGATIONS OF COVERED ENTITY

3.1 Covered Entity agrees, and represents and warrants to Business Associate that it will (a) obtain any consent, authorization or permission (if any) that may be required by the Privacy Rule or any other applicable federal, state, or local laws and regulations prior to furnishing to Business Associate the PHI pertaining to an individual; and (b) not furnish to Business Associate any PHI that is subject to any arrangements that may restrict or otherwise affect Business Associate’s use and/or disclosure of the PHI under this Agreement, including, but not limited to, any restrictions Covered Entity may agree to pursuant to 45 C.F.R. section 164.522.