Business Associate Agreement
The Company and each person or entity (each, a “Business Associate”) entering into an Affiliation Agreement with the Company (the “Covered Entity”) agree, in order to comply with the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (“HIPAA”), and as described in the American Recovery and Reinvestment Act of 2009 (“ARRA”), to the following requirements and obligations, and otherwise to comply in all respects with HIPAA (the “Agreement”):
1. Obligations of Business Associate
1.1 Permitted Uses and Disclosures of PHI. Business Associate shall use and disclose any Protected Health Information (as defined in 45 CFR 164.501 and limited to the information created or received by Business Associate from or on behalf of Covered Entity) (“PHI”) it may receive from Covered Entity only to perform the Services and carry out the obligations of Business Associate under the Agreement, and in accordance with applicable federal and state laws, including but not limited to HIPAA. Business Associate may also use or disclose PHI for the proper management and administration of the Business Associate, for data aggregation services, or to carry out its legal responsibilities if such disclosure is required by law or if (i) the Business Associate obtains reasonable assurances from the person or entity to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed, and (ii) the person or entity agrees to notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Business Associate shall not use or further disclose PHI other than permitted or required by this Agreement or as otherwise required by law.
1.2 Safeguards. Business Associate shall implement and use appropriate administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI and prevent the use or disclosure of PHI other than as set forth in this Agreement or as permitted or required by law. Business Associate agrees to notify Covered Entity in the event of any breach of unsecured PHI held by or under the control of Business Associate, including the identity of the affected individual(s).
1.3 Reporting Disclosures of PHI. In the event Business Associate, its agents, employees or contractors use or disclose PHI in violation of this Agreement, Business Associate shall report such use or disclosure to Covered Entity as soon as Business Associate becomes aware of such violation, including the circumstances surrounding the use or disclosure and a description of the PHI inappropriately used or disclosed. Business Associate shall report to Covered Entity any security incident of which it becomes aware.
1.4 Mitigation of Harmful Effects. Business Associate shall establish procedures for mitigating harmful effects of any improper use or disclosure of PHI that Business Associate reports to Covered Entity.
1.5 Third Party Agreements. Business Associate shall require all of its subcontractors and agents that receive, use or have access to PHI under this Agreement to agree in writing to adhere to the same restrictions and conditions applicable to the use or disclosure of such PHI as required herein.
1.6 Access to Information. Within ten (10) business days of a request by Covered Entity for access to PHI about an individual contained in a Designated Record Set (as defined in 45 CFR 164.501) in Business Associate’s possession, Business Associate shall make available to Covered Entity such PHI for so long as such information is maintained in the Designated Record Set by Business Associate. In the event any individual requests access to his or her own PHI directly from Business Associate, Business Associate shall forward such request for access to PHI to Covered Entity upon receipt of same. Business Associate shall reasonably cooperate with Covered Entity to provide an individual, at Covered Entity’s written direction, with access to the individual’s PHI in Business Associate’s possession within ten (10) business days of Business Associate’s receipt of written instructions for same from Covered Entity. Any denials of access to PHI requested shall be the responsibility of Covered Entity.
1.7 Amendment of PHI. Business Associate agrees to make PHI in a Designated Record Set available for amendment and to incorporate any appropriate amendments at the direction of and in the time and manner designated by Covered Entity. Business Associate further agrees to forward any request for amendment of PHI made by an individual to Covered Entity upon receipt of such request, and take no action on such request until directed by Covered Entity.
1.8 Accounting of Disclosures. Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528 and to provide Covered Entity with an accounting of such disclosures in the time and manner designated by Covered Entity. Business Associate further agrees to forward any request for an accounting of disclosures of PHI made by an individual to Covered Entity upon receipt of such request. To the extent Business Associate maintains PHI in an electronic health record, Business Associate agrees to account for all disclosures of such PHI upon the request of an individual for a period of at least three (3) years prior to such request (but no earlier than the effective date of this Agreement), as required by ARRA; such accounting shall be directly to the individual if requested by Covered Entity.
1.9 Access to Books and Records. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with the requirements of HIPAA.
1.10 Obligations under ARRA. Business Associate acknowledges that it is subject to the security and data breach provisions of HIPAA and agrees to abide thereby. Business Associate also agrees to abide by all of the privacy provisions set forth in Title XIII, Subtitle D of ARRA, including without limitation restrictions on marketing and requirements relating to limited data sets and minimum necessary disclosures.
2. Obligations of Covered Entity
2.1 Notice of Privacy Practices. Covered Entity agrees to provide Business Associate with a copy of Covered Entity’s “Notice of Privacy Practices,” required to be provided to individuals in accordance with 45 CFR 164.520, as well as any subsequent changes to such notice.
2.2 Changes to or Restrictions on Use or Disclosure of PHI. Covered Entity will provide Business Associate with any changes to, or revocation of, permission to use or disclose PHI if such changes affect Business Associate’s permitted or required uses or disclosures. Covered Entity will further notify Business Associate of any restriction to the use or disclosure of PHI agreed to by Covered Entity in accordance with the provisions of 45 CFR 164.522, and any restriction requested by an individual which Covered Entity is required to comply with in accordance with the provisions of ARRA.
2.3 Requested Uses or Disclosures of PHI. Covered Entity shall not request Business Associate to use or disclose PHI in any manner inconsistent with state or federal law.
3. Term and Termination
3.1 Term. This Agreement shall be deemed effective as of the date of the Affiliation Agreement and shall continue in effect until all obligations of the Parties have been met, unless otherwise terminated under the terms and conditions set forth herein.
3.2 Termination for Cause. Upon Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, its agents or subcontractors, this Agreement and any underlying services agreement may be immediately terminated by Covered Entity, as provided under 45 CFR 164.504(e)(2)(iii). At its option, Covered Entity may choose to (i) provide Business Associate with written notice of the existence of a material breach of this Agreement; and (ii) permit Business Associate to cure the material breach upon mutually agreeable terms. In the event Business Associate is afforded an opportunity and fails to cure the breach in accordance with such mutually agreeable terms, this Agreement and any underlying services agreement may be immediately terminated at the option of Covered Entity. In the event Covered Entity violates its obligations under HIPAA in a manner related to this Agreement, Business Associate shall provide Covered Entity with notice of such breach; if Covered Entity does not cure such breach within a reasonable period of time, Business Associate may terminate this Agreement.
3.3 Effect of Termination. Upon termination of this Agreement, Business Associate shall return or destroy all PHI created or received by Business Associate, its agents and subcontractors to the extent feasible, without retaining any copies of such PHI. If Business Associate and Covered Entity mutually agree that return or destruction of the PHI is not reasonably feasible, Business Associate agrees to extend the protections of PHI under this Agreement and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible.
4. Miscellaneous Provisions
4.1 Definitions and Interpretation. All words used herein but not defined herein shall have the meanings set out in HIPAA, and this Agreement shall be interpreted in such a fashion as to cause the parties to be in compliance with HIPAA.
4.2 Indemnification. Notwithstanding any other provision of the Agreement, Covered Entity and Business Associate agree to indemnify, defend and hold harmless each other and each other’s respective employees, directors, officers, subcontractors, agents or other members of its workforce, each of the foregoing hereinafter referred to as “indemnified party,” against all actual and direct losses suffered by the indemnified party and all liability to third parties arising from or in connection with any breach of this Agreement or of any warranty hereunder or from any negligence or wrongful acts or omissions, including failure to perform its obligations under HIPAA, by the indemnifying party or its employees, directors, officers, subcontractors, agents or other members of its workforce. Accordingly, on demand, the indemnifying party shall reimburse any indemnified party for any and all actual and direct losses, liabilities, lost profits, fines, penalties, costs or expenses (including reasonable attorneys’ fees) which may for any reason be imposed upon any indemnified party by reason of any suit, claim, action, proceeding or demand by any third party which results from the indemnifying party’s breach hereunder. The provisions of this paragraph shall survive the expiration or termination of this Agreement for any reason.