Business Associate Agreement
WHEREAS, the parties have entered into a Service Agreement, as defined herein, under which Business Associate provides certain services to Covered Entity;
WHEREAS, the Service Agreement requires that Covered Entity provide Business Associate with access to certain Protected Health Information and Electronic Protected Health Information, each as defined herein;
WHEREAS, the parties acknowledge that Covered Entity is considered a ‘covered entity’ subject to the HIPAA Rules, as defined herein;
WHEREAS, the parties agree that the terms of this Agreement are intended to coordinate with and be interpreted to apply in addition to the terms of the Service Agreement and, in the event of any conflict or inconsistency with such other provisions, the provisions of this Agreement must control to the extent provided in Section VIII.B.;
NOW, THEREFORE, in consideration of the mutual promises set forth in this Business Associate Agreement and for other good and valuable consideration, the parties hereby agree as follows:
The following terms are defined as set forth below. Any terms used but not otherwise defined in this Agreement have the definitions set forth in the HIPAA Rules and the Health Information Technology for Economic and Clinical Health Act ("HITECH") found in Title XIII of the American Recovery and Reinvestment Act of 2009, Public Law 111-005 and any regulations promulgated thereunder.
A. Agreement. “Agreement” shall mean this Business Associate Agreement.
B. Breach. “Breach” shall have the meaning set forth in 45 CFR § 164.402.
C. Designated Record Set. “Designated Record Set” shall have the same meaning as the term “designated record set” in 45 CFR § 164.501.
D. Electronic Protected Health Information. “Electronic Protected Health Information” or “EPHI” shall have the meaning set forth in 45 CFR § 160.103.
E. Federal Tax Information. “Federal Tax Information” or “FTI” shall mean information protected by Tax Information Security Guidelines for Federal, State, and Local Agencies (26 U.S.C. § 6103 and Publication 1075).
F. HITECH. “HITECH” shall mean Subtitle D of the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 and codified at 42 U.S.C. §§ 17921–17954, and any references in this Agreement to HITECH shall be deemed to include all associated existing and future implementing regulations, when and as each is effective.
G. HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
H. Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
I Privacy Incident. “Privacy Incident” shall mean a violation of an information privacy provision of any applicable state and federal law, statute, regulation, rule, or standard, including those listed in this Agreement.
J. Protected Health Information. “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 CFR § 160.103.
K. Protected Information. “Protected Information” shall mean EPHI and/or PHI provided by Covered Entity to Business Associate or created or received by Business Associate on Covered Entity’s behalf.
L. Required by Law. “Required by Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.103.
M. Security Incident. "Security Incident" means an attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with the system operations in an information system. 45 CFR §164.304.
N. Service Agreement. “Service Agreement” shall mean the agreement(s) between Business Associate and Covered Entity under which Business Associate provides certain services to Covered Entity and Covered Entity provides PHI to Business Associate.
O. Social Security Administration Data. “Social Security Administration Data” or “SSA Data” shall mean information protected by section 1106 of the Social Security Act.
P. Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the meaning set forth in 45 CFR Section 164.402.
II. Obligations and Activities of Business Associate
A. Business Associate agrees not to use or disclose Protected Information other than as permitted or required by this Agreement or as Required by Law. Business Associate will not use or disclose Protected Information in a manner that would violate the HIPAA Rules if done by the Covered Entity.
B. Business Associate agrees to develop, implement, maintain, and use safeguards appropriate to its size and complexity and comply with the Security Rule at Subpart C of 45 C.F.R. Part 164, with respect to EPHI to prevent use or disclosure of the Protected Information other than as provided for by this Agreement.
C. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate that results from a use or disclosure of Protected Information not permitted by this Agreement or federal or state laws and regulations, including a Privacy Incident, Security Incident, or Breach. Mitigation may include, but is not limited to, notifying and providing credit monitoring to affected individuals.
D. Business Associate agrees to report to Covered Entity the following:
- Unauthorized Use or Disclosure of Protected Information. Any actual or suspected use or disclosure of Protected Information not provided for or permitted by this Agreement, including any Privacy Incident, Security Incident, or Breach, within three (3) days of the date on which Business Associate first becomes aware of the unauthorized use, disclosure, Privacy Incident, or Security Incident. In addition to its other obligations under this Agreement, Business Associate will take prompt action to mitigate any harmful effect of any Security Incident or use or disclosure of Protected Information not permitted under this Agreement. Business Associate will provide any and all information reasonably requested by Covered Entity with regard to any such unauthorized use or disclosure of Protected Information, and will otherwise cooperate with requests and instructions received from Covered Entity regarding activities related to investigation, containment, mitigation, and eradication of conditions that led to, or resulted from, the unauthorized use or disclosure of Protected Information. Business Associate will, as soon as possible but not later than twenty-four (24) hours after a request from Covered Entity, provide Covered Entity with any reports or information requested by Covered Entity related to an investigation of an unauthorized use or disclosure of Protected Information. Business Associate will document actions taken under this Section D.1 and provide such documentation to Covered Entity upon request. If Covered Entity determines that the incident constitutes a Breach of Unsecured Protected Health Information, Business Associate shall comply with Section II.K.2 of this Agreement. Notwithstanding the foregoing, the Parties acknowledge and agree that Business Associate need not report all attempted but unsuccessful Security Incidents to Covered Entity and that this Agreement constitutes notice to Covered Entity that such unsuccessful Security Incidents occur periodically. Unsuccessful Security Incidents include, but are not limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as such incidents do not result in actual unauthorized access, use, or disclosure of Protected Information.
- Privacy Rights Violations. Business Associate will report within three (3) business days, in writing, all actual or suspected violations of an individual’s privacy rights as they involve Protected Information created, received, maintained, or transmitted by Business Associate or its agents on behalf of Covered Entity. Business Associate shall provide information requested by Covered Entity and shall otherwise cooperate with Covered Entity’s investigation or mitigation efforts.
- Federal Tax Information. Business Associate will immediately report, in writing, all actual or suspected unauthorized uses or disclosures of FTI to Covered Entity. Business Associate shall provide information requested by Covered Entity and shall otherwise cooperate with Covered Entity’s investigation or mitigation efforts.
- Social Security Administration Data. Business Associate will immediately report, in writing, all actual or suspected unauthorized uses or disclosures of SSA data to Covered Entity. Business Associate shall provide information requested by Covered Entity and shall otherwise cooperate with Covered Entity’s investigation or mitigation efforts.
E. Business Associate agrees to ensure that any agent, including a subcontractor, that creates, receives, maintains, or transmits Protected Information on behalf of the Business Associate agrees in writing to the agrees restrictions, requirements, and conditions with respect to such information that are at least as restrictive as those that apply through this Agreement to Business Associate, and to enforce those restrictions and conditions against such agent or subcontractor. Notwithstanding anything else in this Agreement that may be construed to the contrary. Business Associate agrees that it will not permit any subcontractor that is located outside of the United States to create, receive, maintain, or transmit any Protected Information without first securing prior written approval from the Covered Entity.
F. Business Associate agrees to provide access, at the request of an Individual or Covered Entity, and in the time and manner specified by the Individual or Covered Entity, to Protected Information to the Individual or Covered Entity, in accordance with 45 CFR § 164.524.
G. Within five (5) business days, Business Associate will forward to Covered Entity any request to make any amendment to PHI. Following such notice, and upon the direction or approval of Covered Entity, Business Associate agrees to make PHI available for amendment and incorporate any amendments to PHI in accordance with 45 CFR § 164.526.
H. Business Associate agrees to respond to a request from an Individual or Covered Entity for an Accounting of Disclosures of an Individual’s Protected Information, in accordance with 45 CFR § 164.528. Additionally, notwithstanding any provision in this Agreement to the contrary, Business Associate agrees to retain all Protected Information throughout the term of this Agreement and shall continue to maintain the information required to provide an Accounting of Disclosures for a period of six years after termination of this Agreement.
I. Upon a request to disclose Protected Information, Business Associate will notify Covered Entity of the request and coordinate the appropriate response with Covered Entity. If Business Associate discloses Protected Information after coordination of a response with Covered Entity, it will document the authority used to authorize the disclosure, the information disclosed, the name of the receiving party, and the date of disclosure.
J. Upon reasonable notice, Business Associate agrees to make Protected Information and books and records relating to the use and disclosure of Protected Information available to Covered Entity or to the Secretary of the Department of Health and Human Services, or his designee, (the “Secretary”) at Covered Entity’s reasonable expense in the time and manner specified by Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Health Insurance Portability and Accountability Act (Pub. L. No. 104-191) and its implementing regulations, as may be modified or amended from time to time (“HIPAA”). Business Associate will notify the Covered Entity regarding any Protected Information that the Business Associate provides to the Secretary concurrently with providing such Protected Information to the Secretary, and upon the Covered Entity’s request, the Business Associate will provide the Covered Entity with a copy of all documents furnished to the Secretary.
K. Compliance with HITECH.
- Security Provisions. Business Associate will comply with the security requirements referenced in 42 U.S.C. § 17931, including the requirements of 45 CFR §§ 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) and 164.316 (Policies and procedures and documentation requirements).
- Notification in the Case of Breach. Business Associate will, report to the Covered Entity any Breach of Unsecured Protected Health Information by the Business Associate or any of its officers, directors, employees, subcontractors or agents. All notifications required under this section will be made by the Business Associate without unreasonable delay in no event later than three (3) business days of discovery of a Breach (unless Business Associate is informed of a documented law enforcement delay under 45 CFR § 164.412, in which case Business Associate shall promptly inform Covered Entity of such delay and shall comply with the timing requirements of the delay). Business Associate will use the standard at 45 C.F.R. § 164.410(a) to determine when the Breach is treated as discovered. All notifications will comply with Business Associate's obligations under and include the information specified in, 45 C.F.R. § 164.410 and include any other available information that Covered Entity is required to include in its notification to individuals pursuant to 45 C.F.R. § 164.494(c). In the event of a Breach that is caused by the acts or omissions of the Business Associate, its subcontractors, officers, directors, employees or agents. The Business Associate will cooperate with the Covered Entity to notify (i) individuals whose Unsecured PHI has been, or is reasonably believed by Business Associate or Covered Entity to have been, accessed, acquired, used or disclosed and (ii) the media, as required pursuant to 45 C.F.R. § 164.406, if the legal requirements for media notification are triggered by the circumstances of such Breach. Business Associate will indemnify the Covered Entity for any reasonable expenses the Covered Entity incurs in notifying individuals, the media, and related expenses arising from a Breach, or costs of mitigation related thereto, caused by the Business Associate or its officers, directors, employees, subcontractors or agents. Business Associate will cooperate in the Covered Entity's Breach analysis process and procedures if requested. The Covered Entity will at all times have the final decision about the content of any notification required to be given under the HIPAA Rules.
- Privacy Provisions. In addition to the obligations set forth in Section III below, Business Associate may use and disclose Protected Information only if such use or disclosure, respectively, is in compliance with each applicable requirement of 45 CFR § 164.504(e) (Uses and disclosures: Organizational requirements: Business associate contracts) and the privacy requirements referenced in 42 U.S.C. § 17934.
- Accounting Rights for EHRs. In addition to the requirements set forth in Section II.H of this Agreement, if Business Associate or its agents or subcontractors uses or maintains Protected Information in an electronic record of health-related information created, gathered, maintained or consulted by authorized health care clinicians and staff (“EHR”), then Business Associate and its agents or subcontractors shall make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under 42 U.S.C. § 17935(c). This Section II.J.4 shall be effective as of the date 42 U.S.C. § 17935(c) applies to Covered Entity.
- Access to Protected Information. In addition to the requirements set forth in Section II.G of this Agreement, if Business Associate or its agents or subcontractors uses or maintains Protected Information in an EHR, then promptly after receipt of a request from Covered Entity, Business Associate shall make a copy of such Protected Information available to Covered Entity in an electronic format in order to enable Covered Entity to fulfill its obligations under 42 U.S.C. § 17935. This Section II.J.5 shall be effective as of the date 42 U.S.C. § 17935 applies to Covered Entity.
- Minimum Necessary. The Business Associate and its subcontractors, if any, will only request, use, and disclose the minimum amount of Protected Information necessary to accomplish the intended purpose of the request, use or disclosure.
- Regulations. Business Associate will comply with any and all privacy and security regulations issued pursuant to HITECH and applicable to Business Associate as and when those regulations are effective.
L. To the extent that the Business Associate is to carry out one or more of the Covered Entity's obligations under Subpart E of 45 CFR Part 164, the Business Associate will comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.
M. Business Associate acknowledges that it is subject to the Data Practices Act and agrees to comply with applicable Data Practices Act requirements as if it were a government agency.
III. Permitted Uses and Disclosures by Business Associate
A. Except as otherwise limited in this Agreement, for purposes of the services provided as part of the Service Agreement, the Business Associate may use or disclose Protected Information solely to perform functions, activities, or services for, or on behalf of the Covered Entity, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity.
B. Except as otherwise limited in this Agreement, Business Associate may use Protected Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate as provided in 45 CFR § 164.504(e)(4).
C. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Information for the proper management and administration of Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential as provided pursuant to this Agreement and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
D. Except as otherwise limited in this Agreement, Business Associate may use Protected Information to provide data aggregation services to Covered Entity as permitted by 42 CFR § 164.504(e)(2)(i)(B).
E. Business Associate may use Protected Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).
F. Business Associate may use or disclose Protected Information as Required by Law.
IV. Obligations of Covered Entity
A. Covered Entity shall provide Business Associate with a copy of its current notice of privacy practices.
B. Covered Entity shall notify Business Associate of any changes in Covered Entity’s notice of privacy practices that may affect Business Associate’s use or disclosure of Protected Information. Business Associate shall have a reasonable period of time to act on such notices.
C. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose Protected Information if such changes affect Business Associate’s permitted or required uses and disclosures thereof. Business Associate shall have a reasonable period of time to act on such notice.
D. Covered Entity shall not request Business Associate to use or disclose Protected Information in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity unless Business Associate will use or disclose Protected Information for data aggregation or management and administrative activities of Business Associate.
V. Term and Termination
A. Term. Except as otherwise specified herein, this Agreement shall be effective as of the date the Service Agreement between the parties has been signed by both parties and shall terminate when all Protected Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Information, protections are extended to such information, in accordance with the termination provisions in this Section.
B. Termination for Cause. Notwithstanding any contrary termination provision of any other agreement between the Parties, the Covered Entity is authorized to terminate this Agreement and the Service Agreement if the Covered Entity determines that the Business Associate has violated a material term of this Agreement. Upon Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, the Covered Entity will provide written notice of such breach to the Business Associate and provide the Business Associate with an opportunity to cure the breach or end the violation. If the Business Associate does not cure the breach or end the violation within the time specified by the Covered Entity then the Covered Entity may immediately terminate this Agreement, or the Covered Entity may immediately terminate this Agreement if the Business Associate Agent has breached a material term of this Agreement and the Covered Entity determines that a cure is not possible.
C. Effect of Termination.
- Except as provided in paragraph (2) of this Section, upon termination of this Agreement for any reason, Business Associate shall return or destroy all Protected Information received from Covered Entity or created, maintained, or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Information.
- In the event that Business Associate determines that returning or destroying Protected Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon the mutual agreement of Covered Entity and Business Associate that return or destruction of Protected Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Information and limit further uses and disclosures of such Protected Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Information.
VI. Electronic Data Interchange
To the extent that Business Associate performs any standard transaction electronically on behalf of the Covered Entity, Business Associate will do so in accordance with the requirements of HIPAA and the standards for Electronic Transactions at 45 CFR § 162 (the “Transactions Rule”). In particular, Business Associate will:
A. Conduct, as a standard transaction, using electronic media, a transaction which must be conducted as a standard transaction by Covered Entity;
B. Comply with the applicable requirements of the Transactions Rule; and
C. Require its subcontractors and agents to comply with the applicable requirements of the Transactions Rule.
VII. Representations and Warranties
Business Associates represents and warrants that:
A. It will have performed and will continue to perform periodically appropriate review of the administrative and operational capabilities of Business Associate to meet its responsibilities in conformity with the provisions of this Agreement.
B. Business Associate will perform its obligations under this Agreement with the care, skill, prudence and diligence that a prudent vendor in its business, under similar circumstances then prevailing, acting in a like capacity and familiar with such matters, would use in the course of its business.
C. Business Associate will accept full responsibility and liability for the performance of all affiliated or subcontracted vendors, which Business Associate may use in performing the services required under this Agreement.
D. Business Associate is in compliance with the Security Rule and the provisions of the Privacy Rule that apply to the Business Associate.
VIII. General Provisions
A. A specific waiver by either party of any provision of this Agreement on any particular occasion and for any reason will not be deemed to be a continuing or automatic waiver of the same or any other provision in the future nor will they prohibit enforcement by either party of any liabilities or obligations on any other occasions.
B. In the event of any conflict between the terms of this Agreement and the terms of the Service Agreement, the terms of this Agreement shall govern to the extent necessary for the parties to comply with the HIPAA Rules. In all other instances of conflict, the Service Agreement shall govern.
C. Any approvals required by either party to this Agreement, shall not be unreasonably withheld.
D. It is mutually agreed that neither party shall be responsible for damage caused by delay or failure to perform hereunder, when such delay or failure is due to government regulation, war, terrorism, Act of God, fire, flood, disaster, civil disorder, strike, or labor disruption or other cause that is beyond the control of the party that has failed to perform, that makes it illegal or impossible to perform this Agreement or any of its terms.
E. This Agreement is intended to bind only the parties hereto and their corporate successors, and may not be otherwise assigned by either party without the express written consent of the other.
F. This Agreement constitutes the entire Agreement between the parties concerning the subject herein and supersedes all prior oral or written agreements between the parties on same.
G. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
H. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the HIPAA Rules and any other applicable law relating to the security or confidentiality of Protected Information. If the Covered Entity believes in good faith that any provision of the Agreement fails to comply with the then-current requirements of the HIPAA Rules and other applicable law, the Covered Entity will notify the Business Associate in writing. For a period of up to thirty (30) days, the parties will address in good faith such concern and will amend the terms of this Agreement if necessary to bring it into compliance. If after such thirty (30) day period the Covered Entity believes that this Agreement fails to comply with the HIPAA Rules and other applicable law, then the Covered Entity has the right to terminate this Agreement upon written notice to the Business Associate.
I. The respective rights and obligations of Business Associate under Article V(C) of this Agreement shall survive the termination of this Agreement.
J. Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with the HIPAA Rules and any other applicable law relating to the security or confidentiality of Protected Information.
L. Nothing in this Agreement shall be construed to create any third party beneficiary rights in any person, including any participant or beneficiary of Covered Entity.
M. Business Associate is not the agent of Covered Entity and the Covered Entity does not control, supervise, or instruct the Business Associate or any subcontractors. The parties are independent contractors and nothing in this Agreement will be deemed to make them partners or joint venturers or make the Business Agent an agent of the Covered Entity.
N. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect.