outline of business associate agreement

THIS IS AN OUTLINE ONLY
As a service to our members, MGMA Government Affairs has developed this outline of a
business associate agreement (BAA) in consultation with its Washington Counsel, Powers Pyles
Sutter & Verville, PC. The outline is based in large part on sample provisions provided by the
Department of Health and Human Services Office for Civil Rights (“OCR”) and available at
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. At
certain points throughout the outline, direct reference is made to OCR guidance.
This outline is intended to help members understand the HIPAA requirements and optional
provisions which a medical group practice, as a “covered entity” under HIPAA, may wish to
consider when entering into a BAA with a vendor or other business associate having access to
Protected Health Information (“PHI”). In this outline, provisions required in a BAA under
HIPAA law and regulations are identified as “Required,” while those which are not are identified
as “Optional.” Failure to include a required provision may compromise the group’s or business
associate’s compliance under HIPAA and constitute grounds for enforcement action against the
group and/or the business associate.
MGMA-ACMPE does not provide individual legal advice to its members on HIPAA or other
federal regulatory matters. The privacy and security of individually identifiable health
information is a complex area of both federal and state law. Arrangements between medical
groups and others with whom they may share PHI are diverse, and a BAA suitable for one
arrangement may not be suitable for another. Members using this outline in the development or
negotiation of a BAA should be guided by legal advice from competent counsel of their own
choosing.
OUTLINE OF BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”), is entered into as of the effective
date described on the Signature Page of this Agreement (the “Effective Date”) between
____________________, with an address at _________________ (“Business Associate”) and
_______________, with an address at _____________ (“Covered Entity”) (each a “Party” and
collectively the “Parties”).
Recital
The Parties have entered into a prior agreement entitled _________ dated _________ (the
“Underlying Agreement”).[1] Performance of the Underlying Agreement may involve Protected
Health Information (“PHI”) (as defined in 45 C.F.R. § 164.501) that is subject to the federal
privacy and security regulations issued pursuant to the Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”) and the regulations promulgated thereunder by the
United States Department of Health and Human Services (“HHS”), codified at 45 CFR Parts 160
and 164 (commonly known as the Privacy and Security Rules), (collectively referred to herein as
the “HIPAA Rules”). The purpose of this Agreement is to set forth the obligations of the Parties
with respect to such PHI.
In consideration of the mutual promises below and the exchange of information pursuant
to this Agreement, the parties agree as follows:
I. (Optional) Definitions.
A. (Optional) Protected Health Information or PHI. “Protected Health Information”
or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R.
§160.103, limited to the information created or received by Business Associate on behalf of or
from Covered Entity. PHI will include PHI in electronic form (“Electronic PHI”) unless
specifically stated otherwise.
B. (Optional) Terms used but not otherwise defined in this Agreement shall have the
same meaning as given to those terms in the Health Insurance Portability and Accountability
Act of 1996, as codified at 42 U.S.C. §1320d (“HIPAA”), the Health Information Technology
Act of 2009, as codified at 42 U.S.C.A. prec. §17901 (“HITECH”), and any current and future
regulations promulgated under either (HIPAA, HITECH, and any regulations collectively, the
“Law and Regulations”). (Catch-all definition)
II. Business Associate’s Obligations.
A. (Optional) Relationship of Parties.[2] In providing these services, Business
Associate will be acting as an independent contractor and not as an employee or agent of
Covered Entity. Covered Entity shall have no authority, express or implied, to commit or
obligate Business Associate in any manner whatsoever.

[Footnote 1] This document assumes the existence of a separate document outlining the business arrangement between the
Covered Entity and the Business Associate, thereby limiting this document to the provisions necessary to address
the Parties’ obligations under HIPAA.
[Footnote 2] This provision should only be included where the Business Associate is not acting as an agent of the Covered
Entity. It is included for the benefit of the Covered Entity to help reduce the scope of its liability under the
“agency” theory. 78 Fed. Reg. 5581. However, the contractual language alone is not enough to ensure that the
Business Associate will be determined not to be an agent of the Covered Entity.
B. (Required) No Permitted Use or Disclosure of PHI. Business Associate shall not
use or disclose PHI other than as permitted or required by the Agreement or as Required By
Law.
C. (Required) Safeguards.[3] Business Associate shall use appropriate safeguards, and
comply with Subpart C of 45 CFR Part 164 with respect to Electronic PHI, to prevent use or
disclosure of PHI other than as provided for by the Agreement.
D. (Required) Notice to Covered Entity. Business Associate agrees to report to
Covered Entity any use or disclosure of PHI not provided for in the Agreement, any Security
Incident involving electronic PHI, and any Breach of Unsecured PHI as required at 45 CFR
164.410. Such report shall be provided promptly and without unreasonable delay, but no later
than [x] days after Business Associate first learns of the unauthorized use or disclosure, Security
Incident or Breach.[4]
1. (Optional) (Consider adding requirements as to what information should be
included in the breach notification.)
2. (Optional) Covered Entity shall be responsible for providing notification to
individuals whose unsecured PHI has been disclosed, as well as the Secretary
and the media, as required by HIPAA Rules.
3. (Optional) The parties agree that this section satisfies any notices necessary
by Business Associate to Covered Entity of the ongoing existence and
occurrence of unsuccessful Security Incidents for which no additional notice
to Covered Entity shall be required. For purposes of this Agreement, such
unsuccessful Security Incidents include, without limitation, activity such as
pings and other broadcast attacks on Business Associate’s firewall, port scans,
unsuccessful log-on attempts, denial of service and any combination of the
above, so long as no such incident results in unauthorized access, use or
disclosure of Electronic PHI.
E. (Required) Subcontractors.[5] Business Associate agrees to ensure that any
Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate
agree to the same restrictions, conditions, and requirements that apply to the Business Associate
with respect to such information, in accordance with 45 CFR §§ 164.502(e)(1)(ii) and
164.308(b)(2).

[Footnote 3] A Covered Entity may wish to include specific safeguards if it feels additional protections are necessary. For
example, a Covered Entity may require encryption of PHI, require specific HIPAA training provided by the Covered
Entity, or may prohibit off-shoring of PHI.
[Footnote 4] A Covered Entity should specify a timeframe for reporting. Federal law requires that the CE provide notification
of a breach “without unreasonable delay but in no case later than 60 calendar days after discovery.” 45 CFR
§ 164.404(b). Some state laws require stricter timeframes for reporting than those provided for under HIPAA.
[Footnote 5] This provision may be deleted if the Underlying Agreement does not permit the Business Associate to subcontract
its duties. As an alternative, this section can be revised to note that Business Associate may only use permitted
subcontractors.
F. (Required) Access to PHI. To the extent that Business Associate possesses an
applicable Designated Record Set, and within a reasonable amount of time of receipt of a request
from Covered Entity or Individual to access such PHI, Business Associate shall make available
such PHI, to the extent required for Covered Entity’s compliance with its obligations under 45
C.F.R. §164.524.
1. (Optional)(As noted by OCR, consider adding specificity as to how to respond
to a request such as whether and in what time and manner a Business
Associate is to act on the request for access or whether the Business Associate
will forward the Individual’s request to the Covered Entity and the specific
timeframe for the Business Associate to provide the PHI.)
G. (Required) Amendment of PHI. To the extent that Business Associate possesses
an applicable Designated Record Set, and within a reasonable amount of time of receipt of a
request from Covered Entity or Individual, Business Associate shall make any amendment(s) to
such PHI as directed or agreed to by the Covered Entity pursuant to 45 CFR § 164.526, or take
other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526.
1. (Optional)(As noted by OCR, consider adding specificity as to how to respond
to a request such as whether and in what time and manner a Business
Associate is to act on the request for amendment or whether the Business
Associate will forward the Individual’s request to the Covered Entity and the
specific timeframe for the BA to amend the PHI.)
H. (Required) Accounting. Business Associate shall document and make available
such disclosures of PHI as would be required for Covered Entity to respond to a request by an
Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528.
1. (Optional)(As noted by OCR, consider adding specificity as to how to respond
to a request such as whether and in what time and manner a Business
Associate is to act on the request for accounting or whether the Business
Associate will forward the Individual’s request to the Covered Entity and the
specific timeframe for the BA to provide the information.)
I. (Required) Compliance with Covered Entity Obligations. To the extent the
Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E
of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that
apply to the Covered Entity in the performance of such obligation(s).
J. (Required) Availability of Compliance Records. Business Associate shall make
its internal practices, books, and records available to the Secretary for purposes of determining
compliance with the HIPAA Rules. (Optional) Notwithstanding this provision, no attorney-client
or other applicable legal privilege will be deemed waived by Covered Entity as a result of
complying with such a request. (Optional) Business Associate shall promptly provide Covered
Entity with a copy of any PHI that Business Associate provides pursuant to any governmental
inquiry.
K. (Optional) Mitigation. Business Associate shall mitigate, to the extent practicable
and at its cost, any harmful effects from any use or disclosure of PHI by Business Associate not
permitted by this Agreement, regardless of Business Associate’s fault or negligence. All such
efforts shall be subject to the Covered Entity’s prior written approval.
L. (Optional) Prohibition on Certain Uses and Disclosures. Business Associate shall
not use or disclose PHI for any purpose other than as specifically permitted by this Agreement.
Specifically, but without limitation, Business Associate shall not use or disclose PHI for
fundraising or marketing purposes, and shall not directly or indirectly receive remuneration in
exchange for PHI (which does not affect payment from Covered Entity for Business Associate’s
services).[6]
III. (Required) Permitted Use and Disclosure of PHI.
A. Business Associate may only use or disclose PHI:
1. (Alternative 1) (Provide a specific list of permissible uses);
2. (or Alternative 2) As necessary to perform its obligations and functions under
the Underlying Agreement;
B. (Optional) Business Associate may use or disclose PHI as Required By Law;
C. (Optional) Business Associate may use PHI to create de-identified information
consistent with the standards of 45 C.F.R. §164.514(a)-(c). (As OCR notes, “the
parties also may wish to specify the manner in which the business associate will
de-identify the information and the permitted uses and disclosures by the business
associate of the de-identified information.”)
D. (Optional) Business Associate agrees to make uses and disclosures and requests
for PHI:
1. (Alternative 1) consistent with Covered Entity’s minimum necessary policies
and procedures
2. (or Alternative 2) subject to the following minimum necessary requirements:
(Include specific minimum necessary provisions that are consistent with the
Covered Entity’s minimum necessary policies and procedures.)
E. (Required) Business Associate may not use or disclose PHI in a manner that
would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, (Optional) except for the
specific uses and disclosures set forth below (only include if allowing one of the uses and
disclosures in (1)-(3)):
1. (Optional) For the proper management and administration of Business
Associate or to carry out its legal responsibilities;
2. (Optional) For the proper management and administration of Business
Associate or to carry out the legal responsibilities of the Business Associate,
provided the disclosures are Required By Law, or Business Associate obtains
reasonable assurances from the person to whom the information is disclosed
that the information will remain confidential and will be used or further
disclosed only as Required By Law or for the purposes for which it was
disclosed to the person, and the person notifies Business Associate of any
instances of which it is aware in which the confidentiality of the information
has been breached.
3. (Optional) Use PHI to provide data aggregation services to the extent
specified in the Service Agreement.

[Footnote 6] If a Covered Entity has a concern that a Business Associate may use the terms of this Agreement or the Underlying
Agreement to justify direct or indirect marketing, fundraising, or selling of PHI, this language may be added to the
Agreement.

IV. (Optional) Covered Entity’s Obligations.[7]
A. (Optional) Notice of Change in Privacy Practices. Covered Entity shall notify
Business Associate of any limitation(s) in Covered Entity’s notice of privacy practices in
accordance with 45 C.F.R. §164.520, to the extent that such limitation may affect Business
Associate’s use or disclosure of PHI.
B. (Optional) Notice of Change in Permissions. Covered Entity shall notify
Business Associate of any changes in, or revocation of, permission by an individual to use or
disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure
of PHI.
C. (Optional) Notice of Change in Use. Covered Entity shall notify Business
Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in
accordance with 45 C.F.R. §164.522, to the extent that such restriction may affect Business
Associate’s use or disclosure of PHI.
D. (Optional) Appropriate Requests. Covered Entity shall not request that Business
Associate use or disclose PHI in any manner that would not be permissible under the Law and
Regulations if done by Covered Entity.
V. Term and Termination.
A. (Optional) Term. This Agreement shall become effective on the date of execution
of the Underlying Agreement, and shall terminate at the time of the termination or expiration of
all Underlying Agreements.
B. (Required) Termination for Cause. If Covered Entity reasonably determines that
Business Associate has materially breached this Agreement, Covered Entity shall:
1. (Consider timeline) Provide Business Associate with [X] days written notice
of the alleged material breach and an opportunity to cure the breach, immediately after which
time this Agreement and the Services Agreement shall be automatically terminated if the breach
is not cured; or
2. Immediately terminate this Agreement and the Services Agreement if cure is
not possible; or
3. Report the violation to the Secretary if neither termination nor cure is feasible.
C. (Optional) Termination for Change in Law. If a change in law causes the
performance of the Agreement to violate the law, Business Associate and/or Covered Entity shall
terminate this Agreement if cure is not possible.
[Footnote 7] These provisions are not for the benefit of the Covered Entity and are optional as indicated.

D. (Required) Effect of Termination.
1. (Alternative 1) Destroy or Return All PHI. Upon termination or expiration of
this Agreement, Business Associate shall, at Covered Entity’s option, return to
Covered Entity or destroy[8] all PHI in Business Associate’s possession.[9]
Business Associate shall not retain any copies of the PHI.
2. (Alternative 2) Upon termination of this Agreement for any reason, Business
Associate shall:
a. Retain only that PHI which is necessary for Business Associate to
continue its proper management and administration or to carry out its legal
responsibilities;
b. At Covered Entity’s option, return to Covered Entity or destroy the
remaining PHI that the Business Associate still maintains in any form;
c. Continue to use appropriate safeguards and comply with Subpart C of 45
CFR Part 164 with respect to Electronic PHI to prevent use or disclosure
of the PHI, other than as provided for in this Section, for as long as
Business Associate retains the PHI;
d. Not use or disclose the PHI retained by Business Associate other than for
the purposes for which such PHI was retained and subject to the same
conditions set out at [Insert section number related to paragraphs II.E
above] which applied prior to termination; and
e. At Covered Entity’s option, return to Covered Entity or destroy the PHI
retained by Business Associate when it is no longer needed by Business
Associate for its proper management and administration or to carry out its
legal responsibilities.
3. (Alternative 3) (Per OCR, the Agreement also could provide that Business
Associate will transmit the PHI to another business associate of the Covered
Entity at termination.)
4. (Optional) Survival. The obligations of Business Associate under this
Section shall survive the termination of this Agreement.
VI. (Optional) Indemnification and Insurance.[10]
Business Associate will defend and indemnify Covered Entity from and against any and
all claims, damages, liabilities, losses and expenses (including reasonable attorney’s fees) based
on or arising out of the breach of its obligations under this Agreement, including but not limited
to losses and damages relating to third party claims. If Covered Entity requires, Business
Associate shall obtain and maintain insurance coverage (if available) against improper uses and
disclosures of PHI by Business Associate, naming Covered Entity as an additional insured.
Promptly following Covered Entity’s written request, Business Associate shall deliver to
Covered Entity a certificate evidencing Business Associate’s maintenance of such insurance.

[Footnote 8] A Covered Entity may consider including acceptable methods for destroying PHI or requiring Business Associate
to certify in writing to Covered Entity that such PHI has been destroyed.
[Footnote 9] A Covered Entity may consider adding terms requiring a Business Associate to obtain or ensure the
destruction of PHI created, received, or maintained by Subcontractors.
[Footnote 10] A Covered Entity may consider seeking indemnification by the Business Associate but should ensure that the
indemnification provision and any limits to liability do not conflict between this Agreement and any Underlying
Agreement. A Covered Entity may also want to consider requiring the Business Associate to maintain insurance to
cover a breach of its obligations under this Agreement.
VII. Miscellaneous.
A. (Optional) Regulatory References. A reference in this Agreement to a section in
the HIPAA Rules means the section as in effect as of the effective date of the Agreement or as
amended in the future.
B. (Optional) Amendments. The Agreement may not be modified, nor shall any
provision hereof be waived or amended, except in a writing duly signed by authorized
representatives of the Parties. The Parties shall amend this Agreement from time to time as is
representative of the Parties. The Parties shall amend this Agreement from time to time as is
necessary to achieve and maintain compliance with the requirements of the HIPAA Rules and
any other applicable law.
C. (Optional) Interpretation. Any ambiguity in this Agreement shall be resolved to
permit the Parties to comply with the requirements of the HIPAA Rules and any other applicable
law.
D. (Optional) Choice of Law. This Agreement shall be governed by the laws of the
State of [__________] without regard to conflict of laws principles thereof.
E. (Optional) Audits, Inspection and Enforcement. Upon request and with
reasonable prior notice by Covered Entity, Business Associate and its agents shall allow Covered
Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements,
policies and procedures relating to the use or disclosure of PHI pursuant to this Agreement or for
the purpose of determining whether Business Associate is in compliance with its obligations
under this Agreement.
F. (Optional) Relationship to Agreements with Covered Entity. In the event that a
provision of this Agreement is contrary to a provision of any agreement with Covered Entity
pertaining to Business Associate’s services, the provisions of this Agreement shall control.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the ___ day of
_____, 20__.

(Business Associate)
By: _________________________________
Title: _______________________________

(Covered Entity)
By: _________________________________
Title: _______________________________