Business Associates Agreement

  1. Intent

The purpose of this Agreement is to set out the rights and responsibilities of the Parties under the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164, subparts A and E (the “Privacy Standards”), the Security Standards, 45 C.F.R. Parts 160, 162 and 164 (the “Security Standards”), promulgated under the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191 (“HIPAA”), and the Health Information Technology for Economic and Clinical Health Act provisions in Title XIII of the American Recovery and Reinvestment Act (“HITECH”). Citations to the Code of Federal Regulations shall be read to include and require all subsequent, updated, amended or revised provisions relating to such regulations. The intent is to provide the protections required by the Privacy Standards, the Security Standards, and HITECH, but to retain for the Parties the greatest latitude and flexibility permitted under those standards in order to facilitate the prompt and efficient provision of services under this Agreement. The terms of this Agreement shall be interpreted and applied consistent with this intent and with the Privacy Standards, the Security Standards, and HITECH.

  2. Definitions
    • “Data Aggregation” means the combining of PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
    • “Designated Record Set” means a group of records, or any item, collection, or grouping of information that includes PHI, maintained, collected, Used, or disseminated by or for the Covered Entity that is (i) the medical records and billing records about Individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the Covered Entity to make decisions about Individuals.
    • “Disclose” or “Disclosure” means the release, transfer, provision of access to, or divulging in another manner, of information outside the entity holding the information.
    • “EPHI” means electronic protected health information, as defined in 45 C.F.R. §160.103.
    • “Individual” means the person who is the subject of PHI and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).
    • “PHI” means “Protected Health Information” as defined in 45 C.F.R. §160.103, except that PHI shall be limited to “individually identifiable health information,” as such term is defined in 45 C.F.R. §160.103, transmitted or maintained in any form or medium, that is created or received by Business Associate from, or on behalf of, the Covered Entity, as permitted hereunder.
    • “Required By Law” means a mandate contained in law that compels an entity to make a Use or Disclosure of PHI and that is enforceable in a court of law. Required By Law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
    • “Secretary” means the Secretary of Health and Human Services (HHS) or any other officer or employee of HHS to whom the authority involved has been delegated.
    • “Security Incident” means a security incident, as defined in 45 C.F.R. § 164.304.
    • “Use” means the sharing, employment, application, utilization, examination, or analysis of “individually identifiable health information,” as such term is defined in 45 C.F.R. §160.103, within the entity that maintains such information.

All other terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms set forth in 45 C.F.R. Parts 160, 162 and 164.

  3. Permitted Uses and Disclosures

Except as otherwise limited in this Agreement, Business Associate may Use or Disclose PHI to perform functions, activities, or services for, or on behalf of, the Covered Entity, as specified in the underlying services agreement, and may create, receive, maintain or transmit EPHI on behalf of the Covered Entity, provided that any such action would not violate the Privacy Standards or Security Standards if done by the Covered Entity or the minimum necessary policies and procedures of the Covered Entity:

    (a) Except as otherwise limited in this Agreement, Business Associate may Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate (including Disclosure to other business associates of the Covered Entity).
    (b) Except as otherwise limited in this Agreement, Business Associate may Use PHI to provide Data Aggregation services to the Covered Entity as permitted under 45 C.F.R. §164.504(e)(2)(i)(B) and pursuant to any agreements between the Parties evidencing their business relationship.
    (c) Except as otherwise limited in this Agreement, Business Associate may Disclose PHI for the proper management and administration of Business Associate, provided that Disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and Used or further Disclosed as Required By Law or for the purpose for which it was Disclosed to the person, and that the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

  4. Permitted Requests by the Covered Entity

The Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the Privacy Standards and Security Standards if done by the Covered Entity, except that Business Associate may Use PHI in its possession (i) for Business Associate’s proper management and administrative services, or (ii) to provide Data Aggregation services to the Covered Entity, as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).

  5. Responsibilities of the Parties with Respect to PHI and EPHI
    (a) Responsibilities of the Covered Entity. With regard to the Use and/or Disclosure of PHI by Business Associate, the Covered Entity hereby agrees:
      (1) To the extent that such limitation(s) may affect Business Associate’s Use or Disclosure of PHI, the Covered Entity shall notify Business Associate of any limitation(s) in its Notice of Privacy Practices that the Covered Entity produces in accordance with 45 C.F.R. §164.520, as well as any changes to such notice.
      (2) To the extent that such change(s) may affect Business Associate’s Use or Disclosure of PHI, the Covered Entity shall notify Business Associate of any changes in, or withdrawals of, the consent or authorization provided to the Covered Entity by Individuals to Use or Disclose PHI.
      (3) To the extent that such restriction(s) may affect Business Associate’s Use or Disclosure of PHI, the Covered Entity shall notify Business Associate of any restriction(s) to the Use or Disclosure of PHI to which the Covered Entity has agreed in accordance with 45 C.F.R. §164.522, including any restrictions which Covered Entity is required to comply with in accordance with Section 13405(a) of HITECH.
    (b) Responsibilities of Business Associate. With regard to its Use and/or Disclosure of PHI and EPHI, Business Associate hereby agrees to the following:
      (1) To not Use or Disclose PHI, other than as permitted or required by this Agreement or as Required By Law.
      (2) Report to the Covered Entity, in writing, any Use and/or Disclosure of the PHI that is not permitted by this Agreement and/or any Security Incident relating to EPHI of which Business Associate becomes aware within three (3) days of the discovery. However, the Parties acknowledge and agree that this section constitutes notice by Business Associate of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by Business Associate shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above.
      (3) Report to the Covered Entity any “breach” (as defined in HITECH) of unsecured PHI held by or under the control of Business Associate, including the identity of the affected individual(s) and all other relevant information, within three (3) business days of becoming aware of such breach.
      (4) To mitigate, to the extent practicable, any harmful effect that is known, or should be known, to Business Associate resulting from a Use or Disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
      (5) Use appropriate safeguards to prevent the Use or Disclosure of the PHI other than as provided for by this Agreement, and implement administrative, physical, and technical safeguards (including adoption of written policies and procedures, training and discipline of its workforce, and restrictions on access to PHI received or created by Business Associate on behalf of Covered Entity) that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI that Business Associate creates, receives, maintains or transmits on behalf of the Covered Entity, as required by the Security Standards.
      (6) Ensure that all of its subcontractors and agents to whom Business Associate provides PHI received from, or created or received by Business Associate on behalf of, the Covered Entity, agree to enter into a written contract (“Contract”) which requires restrictions and conditions at least as stringent as those that apply to Business Associate pursuant to this Agreement. Moreover, Business Associate shall ensure that any and all of such subcontractors and agents to whom Business Associate provides EPHI agree in writing to implement reasonable and appropriate safeguards to protect such EPHI. In the event that Business Associate knows of a pattern or activity of a subcontractor or an agent that constitutes a material breach or violation of the subcontractor’s or agent’s obligations pursuant to the Contract, Business Associate shall take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminate the Contract, if feasible.
      (7) Within fifteen (15) business days after receiving a written request by the Covered Entity for such information, provide access to all PHI maintained in a Designated Record Set in accordance with 45 C.F.R. § 164.524. To the extent that Business Associate maintains EPHI, Business Associate shall provide access within ten (10) business days after receiving a written request by the Covered Entity. To the extent that Business Associate receives a written request for such access directly from an Individual, Business Associate shall promptly notify the Covered Entity and shall reasonably cooperate with the Covered Entity in meeting the requirements under 45 C.F.R. §164.524 with respect to such Individual. Unless Business Associate receives, within three (3) days of the date of notice to the Covered Entity, a written direction from the Covered Entity to the contrary, Business Associate agrees to respond directly to the Individual and to provide access to such Individual within fifteen (15) business days of the date of the Individual’s request, unless otherwise agreed upon by the Covered Entity.
      (8) Within fifteen (15) business days after receiving a written request by the Covered Entity for amendment(s) to PHI maintained in a Designated Record Set, make such amendment(s) to such PHI in accordance with 45 C.F.R. §164.526. To the extent Business Associate receives a written request for such amendment(s) directly from an Individual, Business Associate shall promptly notify the Covered Entity and shall reasonably cooperate with the Covered Entity in meeting the requirements under 45 C.F.R. §164.526 with respect to such Individual. Unless Business Associate receives, within three (3) days of the date of such notice to the Covered Entity, a written direction from the Covered Entity to the contrary, Business Associate agrees to respond directly to the Individual and make any such proper amendment(s) within fifteen (15) business days of the date of the Individual’s request for such amendment(s), unless otherwise agreed upon by the Covered Entity.
      (9) Within ten (10) business days after receiving a written request by the Covered Entity for such information, or such shorter period as required by the Secretary, make internal practices, books, and records, including policies and procedures, relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of, the Covered Entity, available to the Covered Entity or the Secretary, for purposes of the Secretary determining the Covered Entity’s compliance with the Privacy Standards. To the extent Business Associate receives a written request for such information directly from the Secretary, Business Associate shall promptly notify the Covered Entity and shall reasonably cooperate with the Covered Entity in complying with the Secretary’s request(s).
      (10) To document such Disclosures of PHI and information related to such Disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. §164.528 and Section 13405(c) of HITECH.
      (11) Within fifteen (15) business days after receiving a written request by the Covered Entity for such information, to provide to the Covered Entity information collected in accordance with paragraph (10) above, to permit the Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. §164.528. To the extent Business Associate receives a written request for such information directly from an Individual, Business Associate shall promptly notify the Covered Entity and shall reasonably cooperate with the Covered Entity in meeting the requirements under 45 C.F.R. §164.528 with respect to such Individual. Unless Business Associate receives, within three (3) days of the date of such notice to the Covered Entity, a written direction from the Covered Entity to the contrary, Business Associate agrees to respond directly to the Individual and provide such accounting within thirty (30) business days of the date of the Individual’s request, unless otherwise agreed upon by the Covered Entity.
      (12) To the extent that Business Associate carries out Covered Entity’s obligations pursuant to 45 C.F.R. §164.504, Business Associate shall comply with the Privacy Standards that apply to Covered Entity in the performance of such obligations.
      (13) To otherwise abide by the provisions of the Privacy Standards and the Security Standards, as such are made applicable to Business Associate by the operation of HITECH, including without limitation restrictions on marketing and requirements relating to limited data sets and minimum necessary disclosures.

  6. Terms and Termination of Contract
    (a) Term. This Agreement shall become effective on the Effective Date and shall terminate when all PHI provided by the Covered Entity to Business Associate, or created or received by Business Associate on behalf of the Covered Entity, is destroyed or returned to the Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with paragraph (d) of this Section 6.
    (b) Termination for Cause by Covered Entity. Upon the Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, the Covered Entity may, in its sole discretion:
      (1) Notify Business Associate of the breach and provide Business Associate sixty (60) days from the date of notice to cure the breach or end the violation, and thereafter terminate this Agreement, if Business Associate does not cure the breach or end the violation within such sixty (60) day period; or
      (2) Immediately terminate this Agreement, if Business Associate has breached a material term of this Agreement and Business Associate and the Covered Entity mutually agree that cure is not possible.
    (c) Termination for Cause by Business Associate. Upon Business Associate’s knowledge of a material breach of this Agreement by the Covered Entity, Business Associate may, in its sole discretion:
      (1) Notify Covered Entity of the breach and provide Covered Entity sixty (60) days from the date of notice to cure the breach or end the violation, and thereafter terminate this Agreement, if Covered Entity does not cure the breach or end the violation within such sixty (60) day period; or
      (2) Immediately terminate this Agreement, if Covered Entity has breached a material term of this Agreement and Business Associate and the Covered Entity mutually agree that cure is not possible.
    (d) Return of PHI.
      (1) Except as provided in paragraph (2) below, upon termination of this Agreement, Business Associate shall return or destroy all PHI then in its possession which was received from, created or received by Business Associate on behalf of the Covered Entity. Business Associate shall retain no copies of the PHI. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
      (2) In the event that Business Associate determines that returning or destroying PHI is not feasible, Business Associate shall extend the protections of this Agreement to the PHI and limit further Use and Disclosure to those purposes that make the return or destruction infeasible for so long as Business Associate maintains such PHI.

  7. Miscellaneous
    (a) Amendments; Waiver. This Agreement contains the entire Agreement between the Parties and supersedes all other understandings and agreements, oral or written, between the Parties regarding privacy of PHI and security of EPHI. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is required for the Covered Entity to comply with the requirements of the Privacy Standards, the Security Standards, and HIPAA. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
    (b) Indemnification. Business Associate will protect, indemnify and save Covered Entity and its officers, directors, agents and employees harmless from and against any and all losses, including attorney’s fees, fines, penalties or breach remediation costs that are incurred, imposed or asserted against Covered Entity by reason of any breach by Business Associate of its obligations under this Agreement, HIPAA, or HITECH.
    (c) No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and their respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
    (d) Regulatory Reference. A reference in this Agreement to a section in the Privacy Standards, the Security Standards or to a section of the Code of Federal Regulations means the section as in effect or as amended, and for which compliance is required.
    (e) Survival. The respective rights and obligations of the Parties under Sections 6(d) and 7 of this Agreement shall survive the termination of this Agreement.
    (f) Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Covered Entity to comply with the Privacy Standards and the Security Standards. When a section of the Agreement calls for Business Associate to respond to a request from the Covered Entity in conjunction with a regulation specifically cited in the section, Business Associate may rely on the Covered Entity’s request as verification by the Covered Entity that the request is made in compliance with the regulation. Business Associate is not responsible for confirming that the Covered Entity’s request is made in compliance with the specific regulation.
    (g) Governing Law. The relationship of the Parties hereto and all claims arising out of or related to that relationship, including, but not limited to, the construction and interpretation of any written agreements, including this Agreement, will be governed by HIPAA and HITECH.
    (h) Construction. Where the context of the Agreement requires, the singular shall include the plural and the masculine gender shall include the feminine. Headings or titles of sections are for general information only and this Agreement shall not be construed by reference to such titles.
    (i) Binding Agreement. This Agreement shall be binding upon and inure to the benefit of the Parties hereto and their respective successors and permitted assigns. If any provision of this Agreement is held invalid or unenforceable, such invalidity or unenforceability shall not affect any other provision, and this Agreement shall be construed and enforced as if such provision had not been included.
    (j) Assignment. Business Associate will not assign or transfer, either by operation of law or otherwise, this Agreement or any of Business Associate’s rights or obligations under it without obtaining the prior written consent of the Covered Entity. Any change in control of fifty percent (50%) or more of the ownership of Business Associate will be deemed to be an assignment of this Agreement to a new entity. The Covered Entity may assign this Agreement, in whole or in part, to a successor entity or to any current or subsequently formed affiliate of Covered Entity.
    (k) Counterparts/Signatures. This Agreement may be executed in any one or more counterparts, each of which shall be deemed an original, and all of which shall constitute the entire binding agreement. Any signature delivered by electronic mail or facsimile will be treated for all purposes as an original.