BUSINESS ASSOCIATE

PRIVACY AGREEMENT

This Agreement is made and entered into as of the _____ day of ______, 2010, ("Agreement") by and between the Georgia Regents University ("GRU") and, ______, ("Contractor") (each a "Party" and collectively the "Parties").

WHEREAS, Contractor provides ______ to GRU including services which require Contractor to have access to Protected Health Information and result in Contractor being a "business associate" under the privacy regulations in 45 Code of Federal Regulations ("CFR"), §§ 160 and 164, promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"); and

WHEREAS, GRU and Contractor mutually desire to enter into this Agreement for the purpose of complying with the aforesaid privacy regulations;

NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein, the provision of information to Contractor by GRU, and the mutual benefits to each, the sufficiency of all of which is hereby acknowledged, the Parties agree to the following:

1. Definitions. For purposes of this Agreement the following terms shall have the following meanings:

"Covered Entity(ies)" shall mean those healthcare providers, health plans, or healthcare clearinghouses with whom GRU has entered into a Business Associate Agreement to perform services or functions on behalf of the covered entity involving PHI and includes GRU.

"Data Aggregation" shall have the meaning given that term in the Privacy Rule, including, but not limited to, 45 CFR 164.501.

"Designated Record Set" shall mean a group of records maintained by or for a covered entity that is (i) the medical records and billing records about Individuals maintained by or for covered entity, (ii) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a Health Plan, and (iii) used, in whole or in part, by or for covered entity to make decisions about Individuals. For the purposes of this paragraph, the term “Record” means any items, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for Covered Entity.

"De-Identify" shall mean to revise Protected Health Information so that the resulting information meets the requirements in the Privacy Rule, including, but not limited to, 45 CFR 164.514 (a) and (b).

“Electronic Protected Health Information” or “Electronic PHI” shall have the meaning in 45 C.F.R. 160.103.

“HHS” shall mean the United States Department of Health and Human Services.

“Individually Identifiable Health Information” shall mean information that is a subset of health information, including demographic information, that is collected from an Individual and (1) is created or received by a covered entity or an employer; (2) relates to the past, present or future physical or mental health or condition of an Individual, the provision of healthcare to an Individual, or the past, present, or future payment for the provision of healthcare to an Individual; and (3) identifies the Individual or there is a reasonable basis to believe the information can be used to identify the Individual.

"Individual(s)" shall have the same meaning as the term “individual” in 45 C.F.R. 160.103, and shall include a person who qualifies as a personal representative for the Individual in accordance with 45 CFR 164.502 (g).

“Information System” means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications and people.

"Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR §§ 160 and 164, Subparts A and E in effect or as amended, and with which compliance is required.

"Protected Health Information (“PHI”)" shall have the meaning given that term in the Privacy Rule, including, but not limited to, 45 CFR 160.103, which is any information, whether oral or recorded in any form or medium created or received by Contractor from or on behalf of GRU that: (i) relates to the past, present or future physical or mental condition of an Individual, the provision of health care to an Individual, or the past, present or future payment for the provision of health care to an Individual; and (ii) identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

"Required by Law" shall have the meaning given that term in the Privacy Rule, including, but not limited to, 45 CFR 164.103 and 45 C.F.R. 164.512(a).

"Secretary" shall mean the Secretary of the United States Department of Health and Human Services or the successor thereto or designee thereof for purposes of the Privacy Rule.

“Security Incident” shall have the same meaning as the term “Security Incident” in 45 C.F.R. 164.304, which means the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.

“Security Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. §§ 160 and Part 164, Subparts A, C and E, in effect or as amended, and with which compliance is required.

Any term used, but not otherwise defined, in this Agreement, shall have the same meaning as those terms have under HIPAA and the HIPAA Regulations.

2. Status of the Parties. Contractor hereby acknowledges and agrees that GRU is a Covered Entity and that the Contractor is a Business Associate of GRU under HIPAA and the HIPAA Regulations.

3. Uses and Disclosure of Protected Health Information.

3.1. Services. Contractor provides GRU with services that involve the use and disclosure of PHI.

3.2 Use and Disclosure. Except as otherwise limited or prohibited in this Agreement or the Privacy Rule, Contractor may use or disclose Protected Health Information for the following purposes:

a. Contractor may use PHI for the proper management and administration of the Contractor or to carry out the legal responsibilities of the Contractor. As reasonably necessary to provide GRU the services or to comply with the requirements of this agreement;

b. Use Protected Health Information as reasonably necessary for the proper management and administration of the business of Contractor;

c. Disclose Protected Health Information for the proper management and administration of the business of Contractor if (i) such disclosure is Required by Law, or (ii) Contractor obtains reasonable written assurance from the person to whom the disclosure is made that the information will remain confidential as provided under this Agreement, that it will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to such person and that the person immediately will notify Contractor in writing of any breaches of the confidentiality of the information;

d. Contractor may use PHI to perform Data Aggregation to the extent such services or activities are authorized in writing by GRU. Under no circumstances shall Contractor disclose PHI to any other Covered Entity without the specific written permission of GRU.

4. Responsibilities of Contractor.

4.1 Prohibition. Contractor may only use or disclose PHI as permitted or required by this Agreement or as Required by Law. In no event shall Contractor use or disclose PHI that in any manner violates this Agreement, the Privacy Rule, or any applicable Federal or state laws, rules or regulations.

4.2 Safeguards. Contractor shall implement and use appropriate safeguards as are necessary to prevent the use, disclosure or loss of PHI other than as permitted by this Agreement. Contractor agrees to implement and use written policies and procedures and a security program, including administrative, technical and physical safeguards as defined by the HIPAA Security Rule and the technical guidance provided by the Department of Health and Human Services (HHS), to protect against the use, disclosure or loss of PHI by Contractor's employees, agents or subcontractors in breach or violation of this Agreement, Privacy Rule, or any applicable Federal or state laws, rules, or regulations. Upon request, Contractor shall make its policies, procedures and security programs available to GRU for review. If GRU determines that Contractor's policies, procedures, and security programs are not sufficient to accomplish the objectives set forth hereinabove in this Section 4.2, GRU may require Contractor to revise those policies, procedures, and security programs. If Contractor declines to do so within thirty (30) days, GRU may terminate this Agreement upon giving Contractor five (5) days written notice.

4.3 Reporting. Contractor shall report to GRU in writing any use or disclosure of PHI not permitted by this Agreement or applicable law within two (2) business days of learning of such use or disclosure.

4.4 Mitigation. Contractor shall have procedures in place to mitigate, to the maximum extent practicable, any harmful effect known to Contractor resulting from the use or disclosure of PHI in breach or violation of the provisions of this Agreement.

4.5 Agents and Subcontractors. Contractor shall not disclose PHI to any agent or subcontractor of Contractor except with the prior written consent of GRU. Contractor shall ensure that each of its affiliates, agents, and subcontractors that have access to, receive, or use PHI agrees in writing to the same restrictions and conditions in this Agreement that apply to Contractor concerning the use or disclosure of PHI.

4.6 Sanctions. Contractor shall have and apply appropriate sanctions against any employee, subcontractor or agent who uses or discloses GRU’s PHI in violation of this Agreement or applicable law.

4.7 Access to PHI.

a. Contractor, upon request, shall provide GRU, in such time, manner, and form as designated by GRU, any PHI received from GRU or created or received by Contractor on behalf of GRU that is in the possession of Contractor, or its agents or subcontractors, including PHI that exists or may be provided in a Designated Record Set.

b. If an Individual requests access to PHI from Contractor, Contractor shall forward the request to GRU within two (2) business days of Contractor's receipt of the request. The decision on the request and any disclosure in response thereto shall be the responsibility of GRU. Contractor promptly shall assist GRU with any disclosure as requested by GRU.

4.8 Amendment of PHI.

a. Contractor upon request by GRU promptly shall amend PHI or a Designated Record Set that is maintained by Contractor in accordance with the directions from GRU.

b. If an Individual requests that Contractor amend PHI or a Designated Record Set, Contractor shall forward the request to GRU within two (2) business days of Contractor's receipt of the request. The decision on the request shall be the responsibility of GRU. Contractor promptly shall assist GRU with any amendment as requested by GRU.

4.9 Accounting of Disclosures.

a. Contractor shall document all disclosures of PHI made by it in a manner that provides all of the information required by the HIPAA Privacy and Security Rule and any additional requirements related to accounting of disclosures promulgated in accordance with the American Recovery and Reinvestment Act of 2009 (ARRA). Upon request by GRU, Contractor promptly shall make available to GRU all information relating to disclosures of PHI as would be needed by GRU to respond to a request by an Individual for an accounting of such disclosures in accordance with the applicable regulations. The information provided to GRU by Contractor shall include, but not be limited to, the following: (i) the date of each disclosure of PHI; (ii) the name and address of the person who received PHI; (iii) a brief description of the disclosed PHI; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure or a copy of the written request or authorization for the disclosure.

b. If an Individual requests an accounting directly to Contractor, Contractor shall forward the request to GRU within two (2) business days of Contractor's receipt of the request. GRU shall be responsible for preparing and delivering any such accounting. Contractor shall assist GRU as set forth in this Section.

c. Contractor shall furnish GRU information collected or maintained in accordance with this Section in such time, manner, and form as designated by GRU.

d. Contractor shall implement and use a record-keeping system that enables it to comply effectively and efficiently with the requirements of this Section 4.9. The system must maintain and allow access to the information described in this Section 4.9 for a period of at least six (6) years prior to the date of the request for such information from GRU or an Individual, but not before the Compliance Date.

4.10 Availability of Records. Upon request, Contractor shall make its internal practices, books, agreements, records, policies, procedures and any similar information or documents relating to the use or disclosure of PHI available to GRU or to the Secretary, or the designee of the Secretary, in such time, manner, and form as designated by GRU or Secretary. Contractor shall notify GRU of any such request from the Secretary immediately upon receipt of the request and provide GRU with a copy of the request. Contractor and GRU shall work together in responding to any request from the Secretary.

4.11 Minimum Necessary. Contractor shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure. Contractor shall comply with the minimum necessary guidance provided by HHS and the amended HIPAA regulations. Contractor shall implement and use policies and procedures to effect the provisions of this Section 4.11 in a manner consistent with 45 C.F.R. 164.502(b).

4.12 Report Breach. Contractor agrees to report to GRU any use or disclosure of the PHI not provided for by this Agreement or any Security Incident of which it becomes aware. Upon discovery of a breach of the security of PHI or a Security Incident, Contractor shall notify GRU immediately by telephone call plus e-mail or fax to the address and numbers identified below in the “Notice” Section 10.8, unless such notification must be delayed by request of law enforcement, in which case Contractor will notify GRU in accordance with 45 CFR 164.412. Contractor shall cooperate with GRU in complying with the notification requirements set forth by Federal and State laws. Upon discovery of the breach or Security Incident, Contractor shall also immediately take the following action: