If Customer has entered into an agreement for the provision of services with an DDFU entity (a “Services Agreement”) and Customer is a Covered Entity (as defined below) and uses the services set forth in the Services Agreement to transmit, store, or otherwise process Protected Health Information (“PHI”), so that such DDFU entity is acting as a Business Associate (as defined below) in relation to the same, the terms of this Business Associate Agreement (“BAA”) shall be deemed incorporated into the Services Agreement upon its execution. If there is any conflict between a provision in this BAA and a provision in the Services Agreement, this BAA will control.
I. Covered Entity and Business Associate desire to protect the privacy and security of PHI in compliance with the applicable requirements of the Health Information Portability and Accountability Act of 1996 (“HIPAA”) and the HITECH Act of 2009 (“HITECH”).
II. The Privacy Rule requires Covered Entity and Business Associate to enter into a written contract containing satisfactory assurances that the Business Associate will appropriately safeguard such PHI.
III. HITECH requires the Business Associate to have in place certain reporting procedures.
THEREFORE, in consideration of the mutual promises set forth herein, and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties hereby agree as follows:
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule and HITECH currently in effect or as amended from time to time. Examples of specific definitions:
1.1. “Business Associate” shall have the same meaning as “business associate” in 45 CFR § 160.103.
1.2. “Covered Entity” shall have the same meaning as “covered entity” in 45 CFR § 160.103.
1.3. ““Designated Record Set” shall have the same meaning as the term “designated record set” in 45 CFR § 164.501.
1.4. “Individual” shall have the same meaning as the term “individual” in 45 CFR § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
1.5. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
1.6. “Protected Health Information” or “PHI,”shall have the same meaning as the term “protected health information” in 45 CFR § 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.7. “Required by Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.501.
1.8. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
II. Obligations and Activities of Business Associate.
2.1. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to:
2.1.1. not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law;
2.1.2. use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement;
2.1.3. appoint and authorize a Privacy Officer to monitor the Business Associate’s compliance with this Agreement and provisions of HIPAA and HITECH;
2.1.4. cooperate with Covered Entity to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement;
2.1.5. report to Covered Entity within 60 days of discovery any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware, and include such detail as may be available concerning the nature of the unauthorized use or disclosure, together with any remedial steps taken by Business Associate to prevent further any disclosure or recurrence;
2.1.6. ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information;
2.1.7. make internal practices, books, and records, including policies and procedures and PHI, available to the Covered Entity or to the Secretary in a time and manner specified by Covered Entity or designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule;
2.1.8. document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528; and
2.1.9. provide to Covered Entity or an Individual, in a time and manner reasonably specified by Covered Entity, information collected in accordance with Section 2.1.7. above of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
2.2. In connection with the performance of its services, activities, and/or functions to or on behalf of Covered Entity, Business Associate may disclose information, including PHI, to other business associates of Covered Entity which have been identified by Covered Entity in writing. Likewise, Business Associate may use and disclose information, including PHI, received from other business associates of Covered Entity, as if this information was received from, or originated with, Covered Entity.
III. Permitted Uses and Disclosures by Business Associate.
3.1. General Use and Disclosure Provisions Practices and Restrictions. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Services Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
3.2 Specific Use and Disclosure Provisions.
3.2.1. Except as otherwise limited in this Agreement:
A. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate;
B. Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and
C. Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
3.2.2. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).
IV. Obligations of Covered Entity.
4.1. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions. To the extent that the following limitations, changes, or restrictions may affect Business Associate’s use or disclosure of PHI, Covered Entity shall notify Business Associate of any:
4.1.1. limitation(s) in its notice of privacy practices in accordance with 45 CFR § 164.520;
4.1.2. changes in, or revocation of, permission by Individual to use or disclose PHI; and
4.1.3. restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522.
4.2. Permissible Requests by Covered Entity. Except as may be set forth in Section 3.2. of this Agreement, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
4.3. Maintaining PHI. Covered Entity shall maintain any PHI for the time periods required by applicable law including, but not limited to, the Privacy Rule.
V. Term and Termination.
5.1. Term. This Agreement shall be effective upon execution, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in Section 5 of this Agreement.
5.2. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:
5.2.1. provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement and the Services Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;
5.2.2. immediately terminate this Agreement and the Services Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or
5.2.3. if neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.
5.3. Effect of Termination.
5.3.1. Except as provided in Section 5.3.2. of this Agreement, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
5.3.2. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of PHI is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
6.1. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.
6.2. Survival. The respective rights and obligations of Business Associate under Section 5.3 of this Agreement shall survive the termination of this Agreement.
6.3. Limitation of Liability. Any claims arising under this Agreement shall be subject to the conditions and limitations set forth in the Services Agreement.
6.4. Construction with Services Agreement. The terms of the Services Agreement shall remain in full force and effect, except as amended by this Agreement. If there is a conflict between the terms of this Agreement and the terms of the Services Agreement, the terms of this Agreement shall control.
6.5. Entire Agreement. This Agreement supplements and is made a part of the Services Agreement. This Agreement, together with the Services Agreement and any and all exhibits, schedules and attachments thereto, constitutes the entire agreement between the Parties, and supersedes all other agreements, express or implied, oral or written, between the Parties related to the subject matter of the Services Agreement and this Agreement.