BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“Agreement”), effective ___________
(“Effective Date”) is entered into by and between _____ (“Covered Entity”) and
_____ (“Business Associate”).
RECITALS
Whereas, the U.S. Department of Health and Human Services issued
regulations on “Standards for Privacy of Individually Identifiable Health
Information,” (the “Privacy Standards”) and the Health Insurance Reform:
Security Standards (the “Security Standards”) which comprise 45 C.F.R. Parts
160 and 164, promulgated pursuant to the Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”); and
Whereas, _____ is a “Covered Entity” and _____ is a “Business Associate”
within the meaning of the Privacy and Security Standards; and
Whereas, _____ (Business Associate) acknowledges that Business Associate is
required by law, pursuant to the HITECH Act, to comply with the HIPAA Security
Rule (45 C.F.R. 164.302 through 164.318) and the use and disclosure provisions
of the HIPAA Privacy Rule (45 C.F.R. 162.502, 162.504).
Whereas, the parties hereto desire to enter into this Agreement to memorialize
their obligations with respect to PHI pursuant to the requirements of the Privacy
and Security Standards.
Whereas, the obligations herein shall continue in effect so long as Business
Associate uses, discloses, creates or otherwise possesses any PHI created or
received on behalf of Covered Entity and until all PHI created or received by
Business Associate on behalf of Covered Entity is destroyed or returned to
Covered Entity pursuant to Paragraph 4.4 herein.
Whereas, _____ (Business Associate) has entered into, and may in the future
enter into, one or more agreements (the “Underlying Agreements(s)”) with
(Covered Entity) which may be periodically updated, that require Business
Associate to perform certain services for or on behalf of Covered Entity, which
may require the use and/or disclosure of Individually Identifiable Health
Information; and
Now, Therefore, in consideration of the mutual promises and agreements set
forth below and in order to comply with all legal requirements for the protections
of this information, the parties hereto agree as follows:
Page 2 of 10
1.0 GENERAL PROVISIONS
1.1 Effect. This Agreement supplements, modifies and amends the Underlying
Agreement and all written agreements made by or between the parties regarding
the disclosure of PHI by Covered Entity to Business Associate, or the creation or
receipt of PHI by Business Associate on behalf of Covered Entity. The terms and
provisions of this Agreement shall supersede any other conflicting or inconsistent
terms and provisions in the Underlying Agreement between the parties, including
all exhibits or other attachments thereto and all documents incorporated therein
by reference.
1.2 Interpretation. Any ambiguity in this Agreement shall be construed in favor
of a meaning that permits both parties to comply with HIPAA and HITECH, as the
case may be.
1.3 Amendment. _____ (Business Associate) and _____ (Covered Entity) agree
to amend this Agreement to the extent necessary to allow Covered Entity to
comply with the Privacy and Security Standards as promulgated, or as may be
amended by the Secretary. This Agreement may be modified or amended only
by the Parties in writing.
1.4 HITECH Act. In addition, the parties acknowledge and agree that the
HITECH Act, found in Title XIII of the American Recovery and Reinvestment Act
of 2009, Public Law 111-005, imposes new requirements with respect to privacy,
security, and breach notification and contemplates that such requirements shall
be implemented by regulations to be adopted by HHS.
The provisions of the HITECH Act and the HITECH Business Associate
Provisions are hereby incorporated by reference into this Agreement as if set
forth in this Addendum in their entirety. Notwithstanding anything to the contrary,
the HITECH Business Associate Provisions will be effective: (a) with respect to
any security breach notification provision, September 23, 2009; and (b) with
respect to the other HITECH Business Associate Provisions, February 17, 2010
or such subsequent date as may be specified in the HITECH Act or applicable
final regulations.
1.5 HIPAA/HITECH Updates. Business Associate and Covered Entity further
agree that, to the extent the HIPAA Privacy and Security Standards or the
HITECH Act and any implementing regulations are amended by the Secretary or
Congress, any such amendments shall be automatically incorporated by
reference into this Agreement, unless Carle is notified otherwise in writing by
Business Associate.
1.6 Definitions. Capitalized terms used herein without definition shall have the
respective meanings assigned to such terms in 45 C.F.R. Parts 160, 163, and
164 and the HITECH Act.
2.0 OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Use and Disclosure of Protected Health Information. Business Associate
may use, possess, or disclose PHI only as required to satisfy its obligations
under the Underlying Agreement, as permitted herein, or as required by law, but
shall not otherwise use or disclose any PHI. In the event that Business
Associate may disclose PHI to subcontractors as part of the services provided
under the Underlying Agreement, Business Associate shall ensure that its
directors, officers, employees, contractors and agents do not use, possess, or
disclose PHI received from Covered Entity in any manner that would constitute a
violation of the Privacy and Security Standards if used by Covered Entity, except
that Business Associate may use PHI (i) for Business Associate’s proper
management and administrative services, (ii) to carry out the legal
responsibilities of Business Associate, (iii) to provide data aggregation services
relating to the health care operations of Covered Entity if required under the
Underlying Agreement, or (iv) de-identify any and all PHI, provided that Business
Associate de-identifies the PHI in accordance with the Privacy Rule, (v) to report
violations of the law to law enforcement, subject to 45 C.F.R. 164.512(f).
2.2 Safeguards against Misuse of Information. Business Associate shall use
reasonable and appropriate safeguards to prevent the use or disclosure of PHI
other than pursuant to the terms and conditions of this Agreement. Further,
Business Associate shall implement administrative, physical, and technical
safeguards that reasonably and appropriately protect the confidentiality, integrity,
and availability of any electronic PHI (ePHI) that it creates, receives, maintains,
or transmits on behalf of Covered Entity as applicable, and in accordance with
the requirements of the Privacy and Security Standards and all other applicable
law.
2.3 Reporting of Disclosures of Protected Health Information. Business
Associate shall report to Covered Entity within five (5) business days any use or
disclosure of PHI in violation of this Agreement of which it becomes aware and
the remedial action taken or proposed to be taken with respect to such use or
disclosure and account for such disclosure.
2.4 Agreements by Third Parties. Business Associate shall obtain and
maintain a written agreement with each agent or subcontractor that has or will
have access to PHI, which is received from, or created by Business Associate on
behalf of Covered Entity, pursuant to which agreement such agent or
subcontractor agrees to be bound by the same restrictions and conditions that
apply to Business Associate pursuant to this Agreement with respect to such
PHI.
Business Associate shall take appropriate disciplinary action against any
member of its workforce who uses or discloses PHI in violation of this Contract
and applicable law.
In the event of a breach of PHI, Business Associate understands Business
Associate is required by law to provide Covered Entity a report including patient
name, contact information, nature/cause of the breach, PHI breached, and the
date or period of time during which the breach occurred. Business Associate
understands that such a report must be provided to Covered Entity within five (5)
business days from the date of the breach or the date the breach should have
been known to have occurred. Business Associate is responsible for any and all
costs related to notification of individuals or next of kin (if the individual is
deceased) of any security or privacy breach reported by Business Associate to
Covered Entity.
2.5 Access to Information. Business Associate shall not maintain PHI in a
Designated Record Set and, thus, 45 C.F.R. section 164.504(e)(2)(ii)(E)
regarding providing individuals access to PHI shall not be applicable. Any
request to access PHI made to Business Associate shall be referred to Covered
Entity. Within seven (7) business days of a written request by Covered Entity,
Business Associate shall allow a person who is the subject of PHI, such as a
person’s legal representative, or Covered Entity, to have access to and to copy
such person’s PHI maintained by Business Associate. Business Associate shall
provide PHI in the format requested by such person, legal representative, or
Covered Entity unless it is not readily producible in such format, in which case, it
shall be produced in standard hard copy format.
2.6 Availability of Protected Health Information for Amendment.
Business Associate shall not maintain PHI in a Designated Record Set and, thus,
45 C.F.R. section 164.504(e)(2)(ii)(F) regarding making PHI available for
amendment and incorporating any amendments made by an Individual shall not
be applicable. Any request to amend PHI made to Business Associate shall be
referred to Covered Entity. To the extent that Covered Entity grants an
amendment to PHI, which it previously provided to Business Associate and upon
which Business Associate relied in providing services to Covered Entity, then
Covered Entity shall provide such Amended PHI to Business Associate, and
Business Associate shall take such action as may be necessary to satisfy its
obligations under the Underlying Agreement(s).
2.7 Accounting of Disclosures. Business Associate shall make disclosures of
PHI only in connection with Covered Entity’s health care operations. Business
Associate agrees to maintain a record of its disclosures of PHI, including
disclosures not made for the purposes of this Agreement, pursuant to 45 C.F.R.
section 164.504(e)(2)(ii)(G). Such record shall include the date of the disclosure,
the name and, if known, the address of the recipient of the PHI, the name of the
individual who is the subject of the PHI, a brief description of the PHI disclosed,
and the purpose of the disclosure. Business Associate shall make such record
available to an individual who is the subject of such information or Covered Entity
within thirty (30) days of a request and shall include disclosures made on or after
the date which is three (3) years prior to the request if the PHI is maintained in an
electronic health record or six (6) years prior to the request if the PHI is
maintained in a paper health record. [45 C.F.R. 164.528, 164.530; HITECH
13405(c)].
Notwithstanding the foregoing, any request for an accounting of disclosures
made to Business Associate regarding PHI disclosures made by Business
Associate on behalf of Covered Entity should be referred to Covered Entity.
Business Associate shall not be required to maintain a record of disclosures of
PHI made:
A. For the purpose of treatment, payment, or health care operations (as
those terms are defined under HIPAA);
B. To an individual who is the subject of the PHI; and
C. Pursuant to an Authorization which is valid under HIPAA.
2.8 Availability of Books and Records. Business Associate hereby agrees to
make its internal policies and procedures, documentation required by the Privacy
and Security Standards relating to the physical, technical, and administrative
safeguards, books and records relating to the use and disclosure of PHI received
from, or created or received by Business Associate on behalf of Covered Entity
available to the Secretary of the Department of Health and Human Services for
purposes of determining Covered Entity’s compliance with the Privacy and
Security Standards.
2.9 Reporting of Security Incidents. Business Associate shall report to
Covered Entity within five (5) business days any Security Incident, with respect to
electronic PHI (ePHI) and as defined in 45 C.F.R. section 164.304, of which it
becomes aware.
2.10 Identity Theft Protection Program. Business Associate agrees to
implement an identity theft protection program, require all subcontractors with
access to PHI to implement an identity theft protection program, and make all
reasonable efforts to identify red flags that indicate identity or medical identity
theft may be occurring or has occurred. The program shall include:
A. Adoption of an identity theft protection program policy and procedure
approved by the highest authority in Business Associate’s organization
(e.g. Board of Directors, owner, partners, etc.);
B. Conduct a red flag (indicators of potential or actual identity or medical
identity theft) risk analysis;
C. Provide workforce with training regarding the program and red flags
identified;
D. Actively monitor for red flags;
E. Investigate any identified red flags and mitigate damages if appropriate;
F. Document any red flag investigation and subsequent activity;
G. Annually review the program to determine if changes are necessary which
includes annually conducting a red flag risk analysis; and
H. Require senior management to monitor program activity.
2.11 Warranty that No PHI Has Been Used or Disclosed. Business Associate
warrants that between the initial date performance of services commenced and
the effective date of this Business Associate Agreement, no Covered Entity PHI
has been used or disclosed contrary to HIPAA and its regulations by its agents,
employees or assigns. This shall be an ongoing representation and warranty
during the term of the Agreement. Business Associate shall immediately notify
Covered Entity of any change in the status of this representation and warranty
set forth in this section. Any breach of this section shall give Covered Entity the
right to terminate the Underlying Agreement and this Agreement immediately for
cause.
2.12 Failure to Perform Obligations. In the event Business Associate fails to
perform the obligations under this Agreement, Covered Entity may, at its option:
A. Require Business Associate to submit a plan of compliance, including
monitoring by Covered Entity and reporting by Business Associate, as
Covered Entity, in its sole discretion, determines necessary to maintain
compliance with this Agreement and applicable law. Such plan shall be
incorporated into this Agreement by amendment hereto;
B. Require Business Associate to mitigate any loss occasioned by the
unauthorized disclosure or use of PHI; and
C. Immediately discontinue providing PHI to Business Associate with or
without written notice to Business Associate.
3.0 OBLIGATIONS OF COVERED ENTITY
3.1 Covered Entity agrees, and represents and warrants to Business Associate
that it will (a) obtain any consent, authorization or permission (if any) that may be
required by the Privacy Rule or any other applicable federal, state, or local laws
and regulations prior to furnishing to Business Associate the PHI pertaining to an
individual; and (b) not furnish to Business Associate any PHI that is subject to
any arrangements that may restrict or otherwise affect Business Associate’s use
and/or disclosure of the PHI under this Agreement, including, but not limited to,
any restrictions Covered Entity may agree to pursuant to 45 C.F.R. section
164.522.
3.2 Covered Entity agrees to timely notify Business Associate, in writing, of any
arrangements between Covered Entity and the Individual that is the subject of
PHI that may impact in any manner the Use and/or Disclosure of that PHI by
Business Associate under this Agreement.
3.3 Covered Entity shall not request Business Associate to use or disclose PHI in
any manner that would not be permissible under HIPAA if done directly by
Covered Entity.
3.4 Covered Entity represents that, to the extent Covered Entity provides PHI to
Business Associate, such PHI is the minimum necessary PHI for the
accomplishment of Business Associate’s purpose. Business Associate similarly
represents that Business Associate will not request more PHI than is necessary
to accomplish Business Associate’s legitimate business purpose.
4.0 TERM AND TERMINATION
4.1 Term. This Agreement shall become effective on the Effective Date and,
shall remain in effect throughout the term of the Underlying Agreement unless
otherwise terminated as provided herein.
4.2 Termination Upon Breach of Provisions Applicable to Protected Health
Information. Any other provision of the Underlying Agreement notwithstanding,
this Agreement and the Underlying Agreement may be terminated by Covered
Entity upon thirty (30) days written notice to Business Associate in the event that
Business Associate breaches any material provision contained in this Agreement
and such breach is not cured within such thirty (30) day period. The Business
Associate’s failure to cure shall be grounds for immediate termination of this
Agreement. Covered Entity agrees that any and all notices provided pursuant to
this paragraph 3.2 shall contain a detailed description of the material breach
allegedly committed by Business Associate, which sets forth all the specific facts
necessary for Business Associate to evaluate and cure such alleged breach. In
the event of termination of the Underlying Agreement pursuant to this paragraph
3.2, Business Associate agrees to adjust the fees specified in the Underlying
Agreement and will only charge Covered Entity for the services provided up to
and including the date of termination. Covered Entity’s remedies under this
Agreement are cumulative, and the exercise of any remedy shall not preclude the
exercise of any other.
4.3 Termination without Cause. Either party may terminate this Agreement
without cause or penalty after the expiration date or termination of the Underlying
Agreement upon thirty (30) days prior written notice.
4.4 Effect of Termination. Upon termination of this Agreement, Business
Associate shall either return, or with advance approval of Covered Entity, destroy
all PHI received from Covered Entity or created or received by Business
Associate on behalf of Covered Entity and which Business Associate still
maintains in any form. Business Associate shall not retain any copies of such
PHI. Notwithstanding the foregoing, the parties acknowledge that it may not be
feasible to return or destroy PHI maintained in Business Associate’s aggregated
databases and applications. Accordingly, the terms and provisions of this
Agreement shall survive termination and such PHI shall be used or disclosed
solely for such purpose or purposes which prevented the return or destruction of
such PHI.
5.0 INDEMNIFICATION
5.1 Parties agree to indemnify, defend, and hold harmless each other, and each
other’s respective officers, directors, employees, agents, successors, and assigns
(each of the foregoing hereinafter referred to as “Indemnified Party”),
from and against any and all actual and direct losses, claims, actions, demands,
liabilities, damages, costs, and expenses (including costs of judgments,
settlements, court costs and reasonable attorneys’ fees actually incurred)
(collectively, “Information Disclosure Claims”) suffered by the Indemnified Party
and all liability to third parties arising from or related to any act, or failure to act,
of the other party resulting in: (i) the use or disclosure of Individually Identifiable
Information (including PHI) in violation of the terms of this Addendum or
applicable law, and (ii) whether in oral, paper, or electronic media, any HIPAA
Breach of unsecured PHI and/or State Breach of Individually Identifiable
Information, subject to any damage disclaimer and/or limitation of liability set out
in any of the business arrangements or Underlying Contract(s). Notwithstanding
the above, nothing in this Addendum shall require the other party to indemnify an
Indemnified Party for an Information Disclosure Claim to the extent such
Information Disclosure Claim arises from any act, or failure to act, of the
Indemnified Party.
6.0 MISCELLANEOUS
6.1 Survival. The rights, duties, and obligations of the Parties and the terms and
provisions of this Agreement that, by their nature, are intended to survive
termination, cancellation, completion, or expiration of the Agreement (collectively
“Surviving Provisions”) shall survive and continue as valid and enforceable rights,
duties, and obligations for six years.
6.2 Independent Contractor. The relationship between the Parties shall at all
times be that of independent contractors. No provision of this Agreement is
intended to or shall be construed to render one Party an agent, employee,
partner, or servant of the other Party. Neither Party shall represent to any third
party that it is authorized to enter into any contract for or on behalf of the other
Party. Neither Party shall execute any contract for or on behalf of the other nor
attempt to bind the other to any obligation. Each Party shall be solely responsible
for compensating its employees or contractors who perform services hereunder
and making all tax withholdings, including paying such payroll and other
employment related taxes as required by U.S. or foreign laws. Each Party will
defend, indemnify, and hold the other party harmless from the same.
6.3 Assignment. Neither this Agreement, nor the rights or obligations created
by this Agreement, may be assigned or delegated, in whole or in part, whether
voluntarily, by operation of law or otherwise, without the prior written consent of
the other Party.
6.4 Notices. Any notices required to be given under this Agreement shall be
given in writing and shall be delivered in person, by certified mail with postage
prepaid and return receipt requested, by facsimile, or by commercial overnight
courier that guarantees next-day delivery and provides a receipt, and such
notices shall be addressed as follows:
To Business Associate:
[Business Associate Name, Address, Phone/Fax numbers, Contact Person]
To CF’s Privacy Officer:
Carle Foundation
611 West Park Street
Urbana, Illinois 61801
Attn: Privacy Official
Phone: 217-278-8606
Fax: 217-328-2675
6.5 Warranty of Non-Exclusion. At all times during the term of this Agreement,
each Party agrees that he/she/it (i) is not currently and shall not be excluded,
debarred, or otherwise ineligible to participate in the federal health care programs
as defined in 42 U.S.C. section 1320a-7b(f) (the “federal health care programs”);
(ii) has not been convicted of a criminal offense related to the provision of health
care items or services and has not been excluded, debarred, or otherwise
declared ineligible to participate in the federal health care programs; and (iii) is
not under investigation or otherwise aware of any circumstances that may result
in the Party being excluded from participation in the federal health care
programs. This will be an ongoing covenant during the term of the Agreement.
Each Party shall immediately notify the other Party of any change in the status of
the covenant set forth in this paragraph. Any breach of this paragraph shall give
the non-breaching Party the right to terminate the Agreement immediately for
cause.
6.6 Severability. If any provision of this Agreement shall be found to be illegal,
invalid, or unenforceable, the remaining provisions of this Agreement shall not be
affected thereby and shall remain in full force and effect.
INTENDING TO BE LEGALLY BOUND, the parties hereto have caused this Agreement to be
executed by their duly authorized representative.
[Covered Entity]
[Street Address]
[Business Associate]
[Street Address]
Signature: ____________________
Signature: ____________________
Name: ________________________
Name: ________________________
Title: _________________________
Title: _________________________
Date: _________________________
Date: _________________________
jah/102010