DISTRICT 19 COMMUNITY SERVICES BOARD
Business Associate Agreement
GENERAL CONDITIONS
THIS BUSINESS ASSOCIATE AGREEMENT (“Agreement”) is effective as of ______by District 19 Community Services Board (hereinafter referred to as “Covered Entity”), with an office at
20 West Bank Street, Petersburg, VA 23803 and ______ (hereinafter referred to as “Business Associate _______ Covered Entity and Business Associate are collectively referred to hereinafter as the “Parties,” or individually as a “Party”).
This Agreement constitutes a non-exclusive agreement between Covered Entity, which provides mental health, intellectual disability, and substance abuse services, and Business Associate named above. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information (“PHI”) to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Memorandum of Agreement between District 19 Community Services Board and ______ provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of Covered Entity.
Covered Entity and Business Associate, as those terms are defined in 45 C.F.R. § 160.103 of the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”), promulgated by the U.S. Department of Health and Human Services (“HHS”) under the Health Insurance Portability and Accountability Act (“HIPAA”), 45 C.F.R. Parts 160 & 164, and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), have entered into this Business Associate Agreement to comply with the requirements of the Privacy Rule, and HITECH Act, as well as to satisfy our duty to protect the confidentiality and integrity of PHI as required by other federal or state law, Department policy, professional ethics, and accreditation requirements.
NOW THEREFORE, the Parties, intending to be legally bound, agree as follows:
I. Definitions.
As used in this Agreement, the terms below will have the following meanings:
A. “Individual” shall have the same meaning as the term “individual” in 45 CFR § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502 (g).
B. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 164.501.
C. “Required by Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.501.
D. “Security Incident” shall mean the attempted or successful unauthorized use, disclosure or destruction of information or interference with system operations in an information system.
II. Term. The term of this Agreement shall commence upon execution by both parties, and shall continue until terminated as provided hereunder.
III. Notices.
All Notifications required under this Agreement should be sent through first class mail to:
Jennifer Jones
Privacy Officer
District 19 Community Services Board
20 West Bank St., Suite 7
Petersburg, VA 23803
IV. Responsibilities of Business Associate.
A. Use and Disclosure of PHI:
1. Business Associate shall not use PHI other than as expressly permitted by this Agreement, or as required by law.
2. Business Associate may use and disclose PHI, including disclosures to third-parties, where necessary to perform Designated Functions on behalf of Covered Entity.
3. Business Associate may use PHI in its possession for its own proper administration and to fulfill any present or future legal responsibilities.
4. Business Associate may disclose PHI in its possession, including disclosures to third-parties, for its own proper management and administration and to fulfill any present or future legal responsibilities if:
a) The disclosure is required by law; or
b) Business Associate receives reasonable assurance from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person.
B. Disclosure to Third-Parties: In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, the Business Associate shall ensure that any agents and subcontractors to whom it provides PHI received from Covered Entity (or created or received by Business Associate on behalf of Covered Entity) agree in writing to the same restrictions, terms, and conditions relating to PHI that apply to Business Associate in this Agreement.
C. Use and Disclosure Within Workforce:
1. Business Associate shall implement and maintain appropriate safeguards to prevent the use and disclosure of PHI, other than as provided in this Agreement. Upon reasonable request, Business Associate shall give Covered Entity access for inspection and copying to Business Associate’s facilities used for the maintenance or processing of PHI, and to its books, records, practices, policies and procedures concerning the use and disclosure of PHI, for the purpose of determining Business Associate’s compliance with this Agreement.
2. Business Associate must have a confidentiality agreement in place with individuals of its workforce who have access to PHI. Issuing and maintaining these confidentiality agreements will be the responsibility of Business Associate. Business Associate shall not permit any member of its workforce to use or disclose PHI except those persons who have received privacy training in PHI and who have signed an agreement to hold the information in confidence.
D. Disclosure to HHS: Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from Covered Entity (or created or received by Business Associate on behalf of Covered Entity) available to the Secretary of HHS, or his or her designee, for purposes of determining Covered Entity’s compliance with the Privacy Rule. Business Associate shall provide Covered Entity with copies of any information it has made available to HHS under this section of this Agreement.
E. Access and Amendment to PHI:
1. Right of Access. Upon written request from Covered Entity, Business Associate shall make an individual’s PHI available to Covered Entity within fifteen (15) days of an individual’s request for such information as notified by Covered Entity. [Optional: PHI shall be provided in PDF format as follows: removable storage media; i.e., USB/thumb/flash drive, re-writeable DVD, etc.]
2. Right of Amendment. Upon written request from Covered Entity, Business Associate shall make PHI available to Covered Entity for amendment and correction within thirty (30) days of notification by Covered Entity, and shall incorporate any amendments or corrections to PHI in a designated record set, as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526.
F. Accounting of Disclosures: At the request of Covered Entity, Business Associate shall produce an accounting of any disclosures of PHI it makes (including the date made, the name of the person or organization receiving the PHI, the recipient’s address, if known, a description of the PHI disclosed, and the reason for the disclosure). Business Associate shall, within thirty (30) days of Covered Entity’s request, make the accounting available to Covered Entity, as needed for Covered Entity to provide a proper accounting of disclosures to its consumers, as required by 45 C.F.R. 164.528.
G. Reporting Violations: Within thirty (30) days of discovery, Business Associate shall report to Privacy Officer of Covered Entity any use or disclosure of PHI made in violation of this Agreement or any law. Business Associate shall implement and maintain sanctions for any employee, subcontractor, or agent who violates the requirements in this Agreement or the HIPAA privacy regulations. Business Associate shall take steps to mitigate any harmful effects of any such violation of this Agreement.
H. Reporting Noncompliance. The Business Associate shall report to the Covered Entity any Security Incident, or other use or disclosure of PHI not expressly provided for by this Agreement, within twentyfour (24) hours of the Business Associate’s discovery of such use or disclosure.
V. Termination. Covered Entity may immediately terminate this Agreement if Covered Entity determines that Business Associate has violated a material term of this Agreement. This Agreement may also be terminated by either party with not less than thirty (30) days prior written notice to the other party, which notice shall specify the effective date of the termination; provided, however, that any termination shall not affect the respective obligations or rights of the parties arising under any Documents or otherwise under this Agreement before the effective date of termination. Within thirty (30) days of expiration or earlier termination of this Agreement, Business Associate shall return or destroy all PHI received from Covered Entity (or created or received by Business Associate on behalf of Covered Entity) that Business Associate still maintains in any form and retain no copies of such PHI. Business Associate shall provide a written certification that all such PHI has been returned or destroyed, whichever is deemed appropriate. If such return or destruction is infeasible, Business Associate shall use such PHI only for purposes that make such return or destruction infeasible and the provisions of this Agreement shall survive with respect to such PHI.
VI. Modifications or Waiver. This Agreement may not be modified, nor shall any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
VII. Amendment. Upon the enactment of any law or regulation affecting the use or disclosure of PHI, or the publication of any decision of a court of the United States or of this state relating to any such law, or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, Covered Entity may, by written notice to Business Associate, amend this Agreement in such manner as Covered Entity determines necessary to comply with such law or regulation. If Business Associate disagrees with any such amendment, it shall so notify Covered Entity in writing within thirty (30) days of Covered Entity’s notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, either of them may terminate this Agreement by written notice to the other.
Business Associate Agreement Revised 8/2013
Page 1 of 5
Business Associate Agreement Revised 8/2013
Page 1 of 5
VIII. Governing Law Venue. This relationship shall be governed by federal law and the laws of the Commonwealth of Virginia. Exclusive venue for any dispute arising hereunder shall be resolved in the courts of ______, Virginia.
IX. Severability. If any clause or provision herein shall be judged invalid or unenforceable by a court of competent jurisdiction or by operation of any applicable law, the validity of any other clause or provision shall not be affected and the remainder of this document between the parties shall remain in full force and effect. Each of the provisions shall be enforceable independent of any other provision and independent of any other claim or cause of action.
X. Indemnification. The Business Associate hereby agrees to indemnify and hold the Covered Entity, and any employees, officers, representatives, or agents of the Covered EntityGuardsmark, harmless from and against any and all liability and costs, including attorneys’ fees, created by a breach of this Agreement by the Business Associate, its agent or subcontractors.
XI. Interpretation: Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Covered Entity to comply with the HIPAA Rules.
XII. No Third-Party Beneficiaries. This Agreement is solely between and for the benefit of the Parties hereto. This Agreement is in no way intended to confer any rights, benefits, or obligations to or on any third party.
EACH PARTY has caused this Agreement to be properly executed on its behalf as of the date first above written.
For: District 19 Community Services Board
______Date:______
Joseph E. Hubbard, C.P.A – Executive Director
For: ______
______Date:______
Business Associate – Title
Business Associate Agreement Revised 8/2013
Page 1 of 5