This HIPAA Business Associate Agreement (“Agreement”) is a legally binding contract between Sandata Technologies, LLC, a Delaware limited liability company having its principal place of business at 26 Harbor Park Drive, Port Washington, New York 11050 (“Business Associate”) and the “Covered Entity” as identified in any Sales Order entered into by the Covered Entity for Business Associate’s Products and Services. These terms can be found at www.sandata.com/baa. The Business Associate and the Covered Entity are hereinafter individually referred to as “Party” or collectively as “Parties.” Capitalized terms used herein and not otherwise defined shall have the meaning set forth in the Subscription Agreement between Business Associate and Covered Entity.
WHEREAS, Covered Entity has contracted with Business Associate to provide Products and Services to the Covered Entity and the Covered Entity is required by law to enter into this Agreement with Business Associate; and
WHEREAS, the Parties wish to disclose to each other certain information pursuant to the terms of the Subscription Agreement, some of which may constitute Protected Health Information; and
WHEREAS, the purpose of this Agreement is to satisfy certain obligations under the Federal Health Insurance Portability and Accountability Act of 1996 and its related regulations (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 and related regulations promulgated by the Secretary (the “HITECH Act”). These provisions of the HITECH Act and the regulations applicable to Business Associate are collectively referred to as the “HITECH BA Provisions.”
NOW, THEREFORE, in consideration of the mutual promises below, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
- Interpretation of this Agreement. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA.
- Definitions. All capitalized terms used herein and not further defined below shall have the meanings set forth in the HIPAA Regulations (as such term is defined below).
(a) Administrative Safeguards. “Administrative Safeguards” shall have the same meaning as the term “administrative safeguards” in 45 C.F.R. § 164.304.
(b) Electronic Protected Health Information (EPHI). “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. § 160.103, limited to the information created, received, maintained or transmitted by Business Associate on behalf of Covered Entity pursuant to the Subscription Agreement.
(c) HIPAA Regulations. “HIPAA Regulations” are those regulations codified under Parts 160, 162 and 164 of Title 45 of the Code of Federal Regulations (C.F.R.) relating to privacy and security of PHI, including specifically the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E (the “Privacy Rule”) and the Health Insurance Reform: Security Standards at 45 C.F.R. parts 160, 162, and 164 (the “Security Rule”), including without limitation any amendments or successor statutes, rules or regulations to the Privacy Rule and Security Rule.
(d) Individual. “Individual” shall mean the person who is the subject of the PHI, and has the same meaning as the term “individual” as defined by 45 C.F.R. 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).
(e) Minimum Necessary. “Minimum Necessary” shall mean the principle that PHI should only be used and disclosed to the extent needed for the purpose of the Use or Disclosure in accordance with 45 C.F.R. 164.502(b).
(f) Protected Health Information (PHI). “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to, but only to the extent such regulatory definition includes, the information created, received, and/or retained by Business Associate from or on behalf of Covered Entity pursuant to the Subscription Agreement.
(g) Physical Safeguards. “Physical Safeguards” shall have the same meaning as the term “physical safeguards” in 45 C.F.R. § 164.304.
(h) Security Incident. “Security Incident” shall have the same meaning as the term “security incident” in 45 C.F.R. § 164.304.
(i) Technical Safeguards. “Technical Safeguards” shall have the same meaning as the term “technical safeguards” in 45 C.F.R. § 164.304.
(j) Treatment, Payment, and Health Care Operations. “Treatment,” “Payment” and “Health Care Operations” shall have the same meanings given under 45 C.F.R. § 164.501.
- Obligations of Covered Entity
(a) Covered Entity shall provide the Business Associate with any changes in, or revocation of, permission by the individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
(b) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to in accordance with 45 CFR §164.522.
(c) Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under 45 CFR §164.520 if done by Covered Entity, except for those Uses or Disclosures for Data Aggregation or management and administrative activities of Business Associate.
(d) Covered Entity shall use reasonable and appropriate safeguards to maintain and ensure the confidentiality, privacy and security of the PHI transmitted to or received from the Business Associate.
(e) Covered Entity shall provide the Business Associate with the Notice of Privacy Practices it produces in accordance with 45 CFR §164.520, as well as any material changes to such notice.
(f) Covered Entity shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 CFR §164.520, to the extent such limitation may affect Business Associate’s use or disclosure of PHI.
- Obligations of Business Associate
(a) Business Associate will establish and maintain appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent any Use or Disclosure of PHI, other than as provided for by this Agreement or as required by law. In accordance with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2), if applicable, Business Associate shall ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the Business Associate agree in writing to the same terms, conditions, restrictions and requirements that apply to Business Associate with respect to such information.
(b) Covered Entity shall not delegate to Business Associate the determination and processing of an Individual member’s request for amendments to his or her PHI in a Designated Record Set. Business Associate shall promptly forward all requests for amendments to PHI to Covered Entity upon receipt. Covered Entity will make the final determination to grant or deny amendments and complete all required processing. Business Associate hereby agrees to make amendments to PHI in a Designated Record Set as and when approved by Covered Entity so as to permit Covered Entity to timely comply with the requirements of 45 C.F.R. 164.526.
(c) Covered Entity shall not delegate to Business Associate the determination and processing of Individual member requests for an accounting of Disclosures of PHI. Business Associate shall promptly forward all requests for an accounting of Disclosures of PHI to Covered Entity upon receipt. Covered Entity will complete all required processing in connection with such request. Business Associate hereby agrees to promptly make available to Covered Entity the information it has collected relating to applicable accountings of PHI Disclosures, so as to permit Covered Entity to timely respond to a request by an Individual for an accounting of Disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528.
(d) Covered Entity shall not delegate to Business Associate the determination and processing of an Individual’s request for access to his or her PHI in a Designated Record Set. Business Associate shall promptly forward all requests for access to PHI to Covered Entity upon receipt. Covered Entity will make the final determination to grant or deny access to PHI in a Designated Record Set and complete all required processing in connection with such access. Business Associate hereby agrees to promptly make available PHI in a Designated Record Set to Covered Entity so as to permit Covered Entity to timely comply with the requirements of 45 C.F.R. 164.524.
(e) Business Associate agrees to make available to the Secretary (i) Business Associate’s internal practices, books and records relating to the Use and Disclosure of PHI for the purposes of determining Covered Entity’s compliance with the Privacy Rule; and (ii) Business Associate’s policies, procedures and documentation relating to the safeguards described herein, for the purposes of determining Covered Entity’s compliance with the Security Rule.
(f) To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
(g) Business Associate shall have procedures in place for mitigating any injurious or harmful effect from the Use or Disclosure of PHI in a manner contrary to this Agreement.
(h) Business Associate agrees that it will:
(1) Implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI;
(2) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; and
(3) Report to Covered Entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410 and any Security Incident of which it becomes aware.
- Permitted Uses and Disclosures by Business Associate
(a) Minimum Necessary. Business Associate and its agents and subcontractors shall only request, Use and Disclose the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure.
(b) Limits on Use and Disclosure of Information. Business Associate hereby agrees that the PHI shall not be further Used or Disclosed other than as permitted or required by this Agreement, or as Required by Law.
(c) Stated Purpose for Use and Disclosure. Except as otherwise limited in this Agreement, Business Associate may Use and Disclose PHI to perform the functions, activities, obligations and services required to be performed as specified in the Subscription Agreement. Subject to section 5(b) above, Business Associate is permitted to disclose PHI received from Covered Entity for purposes of Treatment, Payment, and Health Care Operations relating to members.
(d) Data Aggregation Services. Business Associate is permitted to Use or Disclose PHI to provide “data aggregation services,” as that term is defined by 45 C.F.R. 164.501 relating to the Health Care Operations of Covered Entity.
(e) Management and Administration of Business Associate. Except as otherwise limited in this Agreement, Business Associate may use and/or disclose PHI for the proper management and administration of the Business Associate, or as required by Law.
- HITECH Act Compliance
The HITECH BA Provisions shall apply commencing on February 17, 2010, or such other date as may be specified in the applicable regulations, whichever is later (“Applicable Effective Date”). Business Associate hereby acknowledges and agrees that, to the extent it is functioning as a Business Associate of Covered Entity, it will comply with the HITECH BA Provisions and with the obligations of a Business Associate as prescribed by HIPAA and the HITECH Act commencing on the Applicable Effective Date of each such provision. Business Associate and Covered Entity further agree that the provisions of HIPAA and the HITECH Act that apply to business associates and that are required to be incorporated by reference in a business associate agreement are incorporated into this Agreement between Business Associate and Covered Entity as if set forth in this Agreement in their entirety and are effective as of the Applicable Effective Date.
- Term and Termination
(a) Term. The Term of this Agreement shall be effective as of the Effective Date, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is not feasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
(b) Termination for Cause By Covered Entity. Upon the Covered Entity’s knowledge of a material breach by Business Associate of this Agreement, the Covered Entity shall have the right to immediately terminate this Agreement.
(c) Automatic Termination. This Agreement will automatically terminate without any further action by the Parties upon the termination or expiration of the Subscription Agreement between the Parties.
(d) Effect of Termination
(1) Except as provided in paragraph (2) of this Section 7(d), upon termination of this Agreement for any reason, the Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall retain no copies of the PHI except as required by any statute of limitations applicable to data retention.
(2) In the event that Business Associate determines that returning or destroying the PHI is not feasible, the Business Associate shall provide in writing to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
- Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required.
- Automatic Amendment. Upon the Applicable Effective Date of any amendment to the regulations promulgated by the Department of Health and Human Services (HHS) with respect to PHI, this Agreement shall be automatically amended so that the obligations imposed on Business Associate as a Business Associate remain in compliance with such regulations.
- Survival. The respective rights and obligations of Business Associate and Covered Entity under this Agreement shall survive the termination of this Agreement.
- Choice of Law. This Agreement shall be governed and construed under the laws of the State of New York, without regard to choice of law rules.
- Entire Agreement. This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof, and supersedes all prior oral or written agreements, commitments or understandings with respect thereto. In the event of a conflict between the terms of this Agreement and the Subscription Agreement, the terms of this Agreement shall control. The Parties understand that no provisions of the Subscription Agreement shall apply to this Agreement unless expressly referred to herein.
- Assignment. Either Party shall be permitted to assign its rights and interests under this Agreement to an entity that purchases the assets of, or merges with, that Party, so long as (i) the assignee agrees to be bound by all of the terms and conditions of this Agreement and (ii) the assignee operates the business as a continuation of that Party’s business.
- State Law Preemption. Pursuant to 45 CFR Section 160.203, certain provisions of state laws relating to the privacy of PHI may supersede the applicable similar provision(s) within the HIPAA Regulations (each such provision hereinafter referred to as a “State Law”). Business Associate shall comply with the provisions of such State Laws applicable to Business Associate.
- Notice. Any notice called for under this Agreement shall be given in accordance with the Subscription Agreement.
***END OF AGREEMENT***