RECITALS
WHEREAS, Covered Entity has contracted with Business Associate to provide Products and Services to the Covered Entity and the Covered Entity is required by law to enter into this Agreement with Business Associate; and
WHEREAS, the Parties wish to disclose to each other certain information pursuant to the terms of the Underlying Agreement, some of which may constitute Protected Health Information; and
WHEREAS, the purpose of this Agreement is to satisfy certain obligations under the Federal Health Insurance Portability and Accountability Act of 1996, as may be amended before or after the effective date of this Agreement, and its related regulations (“HIPAA”).
NOW, THEREFORE, in consideration of the mutual promises below, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
- Interpretation of this Agreement. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA.
- Definitions. All capitalized terms used herein and not further defined below shall have the meanings set forth in the HIPAA Regulations (as such term is defined below).
(a) Administrative Safeguards. “Administrative Safeguards” shall have the same meaning as the term “administrative safeguards” in 45 C.F.R. § 164.304.
(b) HIPAA Regulations. “HIPAA Regulations” are those regulations codified under Parts 160, 162 and-164 of Title 45 of the Code of Federal Regulations (C.F.R.) relating to privacy and security of PHI, including specifically the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E (the “Privacy Rule”) and the Health Insurance Reform: Security Standards at 45 C.F.R. parts 160, 162, and 164 (the “Security Rule”) without limitation any amendments or successor statutes, rules or regulations to the Privacy Rule and Security Rule.
(c) Individual. “Individual” shall mean the person who is the subject of the PHI, and has the same meaning as the term “individual” as defined by 45 C.F.R. 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).
(d) Minimum Necessary. “Minimum Necessary” shall mean the principle that PHI should only be used and disclosed to the extent needed for the purpose of the Use or Disclosure in accordance with 45 C.F.R. 164.502(b).
(e) Protected Health Information (PHI) “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to, but only to the extent such regulatory definition includes, the information created, received, and/or retained by Business Associate from or on behalf of Covered Entity pursuant to the Underlying Agreement.
(f) Physical Safeguards. “Physical Safeguards” shall have the same meaning as the term “physical safeguards” in 45 C.F.R. § 164.304.
(g) Security Incident. “Security Incident” shall have the same meaning as the term “security incident” in 45 C.F.R. § 164.304.
(h) Technical Safeguards. “Technical Safeguards” shall have the same meaning as the term “technical safeguards” in 45 C.F.R. § 164.304.
(i) Treatment, Payment, and Health Care Operations. “Treatment,” “Payment” and “Health Care Operations” shall have the same meanings given under 45 CFR Section 164.501
3. Obligations of Covered Entity.
(a) Covered Entity shall provide the Business Associate with any changes in, or revocation of, permission by the individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
(b) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to in accordance with 45 CFR §164.522.
(c) Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under 45 CFR §164.520 if done by Covered Entity, except for those Uses or Disclosures for Data Aggregation or management and administrative activities of Business Associate.
(d) Covered Entity shall use reasonable and appropriate safeguards to maintain and ensure the confidentiality, privacy and security of the PHI transmitted to or received from the Business Associate.
(e) Covered Entity shall provide the Business Associate with the Notice of Privacy Practices it produces in accordance with 45 CFR §164.520, as well as any material changes to such notice.
(f) Covered Entity shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 CFR §164.520, to the extent such limitation may affect Business Associate’s use or disclosure of PHI.
4. Obligations of Business Associate.
(a) Business Associate will establish and maintain appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent any Use or Disclosure of PHI, other than as provided for by this Agreement or as required by law. In accordance with 45 CFR §164.502 (e)(1)(ii) and 164.308(b)(2), if applicable Business Associate shall ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the Business Associate agree in writing to the same terms, conditions, restrictions and requirements that apply to Business Associate with respect to such information.
(b) Covered Entity shall not delegate to Business Associate the determination and processing of an Individual member’s request for amendments to his or her PHI in a Designated Record Set. Business Associate shall promptly forward all requests for amendments to PHI to Covered Entity upon receipt. Covered Entity will make the final determination to grant or deny amendments and complete all required processing. Business Associate hereby agrees to make amendments to PHI in a Designated Record Set as and when approved by Covered Entity so as to permit Covered Entity to timely comply with the requirements of 45 C.F.R. 164.526.
(c) Covered Entity shall not delegate to Business Associate the determination and processing of Individual member requests for an accounting of Disclosures of PHI. Business Associate shall promptly forward all requests for an accounting of Disclosures of PHI to Covered Entity upon receipt. Covered Entity will complete all required processing in connection with such request. Business Associate hereby agrees to promptly make available information collected relating to applicable accountings of PHI Disclosures to Covered Entity, so as to permit Covered Entity to timely respond to a request by an Individual for an accounting of Disclosures of Protected Health in accordance with 45 C.F.R. 164.528
(d) Covered Entity shall not delegate to Business Associate the determination and processing of an Individual’s request for access to his or her PHI in a Designated Record Set. Business Associate shall promptly forward all requests for access to PHI to Covered Entity upon receipt. Covered Entity will make the final determination to grant or deny access to PHI in a Designated Record Set and complete all required processing in connection with such access. Business Associate hereby agrees to promptly make available PHI in a Designated Record Set to Covered Entity so as to permit Covered Entity to timely comply with the requirements of 45 C.F.R. 164.524.
(e) Business Associate agrees to make available to the Secretary (i) Business Associate’s internal practices, books and records relating to the Use and Disclosure of PHI for the purposes of determining Covered Entity’s compliance with the Privacy Rule; and (ii) Business Associate’s policies, procedures and documentation relating to the safeguards described herein, for the purposes of determining Covered Entity’s compliance with the Security Rule.
(f) To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
(g) Business Associate shall have procedures in place for mitigating any injurious or harmful effect from the Use or Disclosure of PHI in a manner contrary to this Agreement.
(h) Business Associate agrees that it will:
(1) Implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI;
(2) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; and
(3) Promptly report to Covered Entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410 and any Security Incident of which it becomes aware.
5. Permitted Uses and Disclosures by Business Associate.
(a) Minimum Necessary. Business Associate and its agents and subcontractors shall only request, Use and Disclose the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure. The foregoing shall not be interpreted to limit or deter Business Associate’s obligations with respect to the interoperability and exchange of PHI as Required by Law, including without limitation interoperability rules promulgated by Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC).
(b) Limits on Use and Disclosure of Information. Business Associate hereby agrees that the PHI shall not be further Used or Disclosed other than as permitted or required by this Agreement, or as Required by Law.
(c) Stated Purpose for Use and Disclosure. Except as otherwise limited in this Agreement, Business Associate may Use and Disclose PHI to perform the functions, activities, obligations and services required to be performed as specified in the Underlying Agreement. Subject to section 5(b) above, Business Associate is permitted to disclose PHI received from Covered Entity for purposes of Treatment, Payment, and Health Care Operations relating to members.
(d) Data Aggregation Services. Business Associate is permitted to Use or Disclose PHI to provide “data aggregation services,” as that term is defined by 45 C.F.R. 164.501 relating to the Health Care Operations of Covered Entity and other covered entities.
(e) Management and Administration of Business Associate. Except as otherwise limited in this Agreement, Business Associate may use and/or disclose PHI for the proper management and administration of the Business Associate, or as required by Law.
(f) Provided that such de-identification is done in accordance with the requirements set forth in 45 C.F.R. § 164.514, Business Associate may de-identify PHI as permitted by applicable law, this BAA, or the underlying contract, and may retain and use copies of such de-identified information.
6. Term and Termination.
(a) Term. The Term of this Agreement shall be effective as of the Effective Date, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is not feasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
(b) Termination for Cause By Covered Entity. Upon the Covered Entity’s knowledge of a material breach by Business Associate of this Agreement, the Covered Entity shall have the right to immediately terminate this Agreement.
(c) Automatic Termination. This Agreement will automatically terminate without any further action by the Parties upon the termination or expiration of the Underlying Agreement between the Parties.
(d) Effect of Termination
(1) Except as provided in paragraph (2) of this Section 7(d), upon termination of this Agreement for any reason, the Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall retain no copies of the PHI except as required by any applicable statute of limitations applicable to data retention.
(2) In the event that Business Associate determines that returning or destroying the PHI is not feasible, the Business Associate shall provide in writing to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
7. Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required.
8. Amendment. Upon the Applicable Effective Date of any amendment to the regulations promulgated by Health and Human Services (HHS) with respect to PHI, this Agreement shall automatically amend such that the obligations imposed on Business Associate as a Business Associate remain in compliance with such regulations. The parties agree to take such action as is necessary to amend this Business Associate Agreement from time to time as is necessary for Covered Entity or Business Associate to comply with the requirements of the HIPAA Regulations and any other privacy laws governing Protected Health Information.
9. Survival. The respective rights and obligations of Business Associate and Covered Entity under this Agreement shall survive the termination of this Agreement.
10. Choice of Law. This Agreement shall be governed and construed under the laws of the State of New York, without regard to choice of law rules.
11. Entire Agreement. This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof, and supersedes all prior oral or written agreements, commitments or understandings with respect thereto. In the event of a conflict between the terms of this Agreement and the Underlying Agreement, the terms of this Agreement shall control. The Parties understand that no provisions of the Agreement shall apply to this Agreement unless expressly referred to herein.
12. Assignment. Either Party shall be permitted to assign its rights and interests under this Agreement to an entity that purchases the assets of the Company or merges with the company, so long as (i) the assignee agrees to be bound by all of the terms and conditions of this Agreement and (ii) the assignee operates the business as a continuation of that Party’s business.
13. State Law Preemption. Pursuant to 45 CFR Section 160.203, certain provisions of state laws relating to the privacy of PHI may supersede the applicable similar provision(s) within the HIPAA Regulations (hereinafter referred to each as a “State Law”). Business Associate shall comply with provisions of such State Laws applicable to Business Associate.
14. Notice. Any notice called for under this Agreement shall be given in accordance with the Underlying Agreement.
***END OF AGREEMENT***