LexisNexis(R) Forms FORM 260-49.04-2
Summary
This BUSINESS ASSOCIATE AGREEMENT (this “Agreement”) is entered into by and between (“Covered Entity”) and (“Business Associate”), and shall be effective April 14, 2003 (the “Effective Date”) or such other mandatory compliance date as may be set for the Privacy Rule enacted pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (“HIPAA”), including 45 C.F.R. Parts 160 and 164 (“Privacy Rule”) and the Security Standards set forth at 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subpart A and Subpart C (the “Security Rule”), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) and including all amendments from the Omnibus Rule. All terms used in this Agreement and not defined herein which are defined under HIPAA shall have the meanings set forth in the applicable definition under the Privacy Rule, Security Rule, HITECH Act, and Omnibus Rule.
1. Scope. As of the Effective Date, this Agreement applies to all present and future agreements between Covered Entity and Business Associate, pursuant to which Business Associate receives from or receives or creates on behalf of, Covered Entity, protected health information (each agreement, an “Applicable Agreement” and collectively, the “Applicable Agreements”). As of the Effective Date, this Agreement, in addition to standing on its own, automatically extends to and amends all Applicable Agreements in effect on the Effective Date. This Agreement automatically shall be incorporated into all Applicable Agreements entered into by and between Covered Entity and Business Associate after the Effective Date.
2. Use and Disclosure of Protected Health Information. Business Associate may not use or disclose Protected Health Information (as defined in the Privacy Rule), or electronic Protected Health Information (as defined by the Security Rule) (collectively, “Protected Health Information”) received from, or received or created on behalf of, Covered Entity, except as follows:
(a) Business Associate is permitted to use or disclose Protected Health Information as permitted or required by this Agreement or as required by law.
(b) Business Associate is permitted to use or disclose Protected Health Information to perform functions, activities and services for, or on behalf of, Covered Entity pursuant to an Applicable Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
(c) Business Associate is permitted to use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
(d) Business Associate is permitted to disclose Protected Health Information for the proper management and administration of the Business Associate, provided that (i) such disclosure is required by law or (ii) Business Associate obtains reasonable assurance from the person or entity to whom the Protected Health Information will be disclosed that it will remain confidential and be used or further disclosed only for the specific purpose for which Business Associate disclosed it to the person or organization or as required by law, and the person or entity will notify Business Associate of any instance of which the person or organization becomes aware in which the confidentiality of such Protected Health Information was breached.
(e) Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.
(f) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
(g) Business Associate may use Protected Health Information to report violations of law to appropriate Federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
3. Safeguards. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of Protected Health Information received other than as permitted or required by this Agreement.
4. Reporting of Disclosures of Protected Health Information. Business Associate shall promptly report to Covered Entity any use or disclosure of Protected Health Information of which it becomes aware that is other than as provided for in an Applicable Agreement or this Agreement.
5. Agreement by Third Parties. Business Associate shall ensure, to the extent required by law, that any of its agents, including, but not limited to, subcontractors, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agree to substantially the same restrictions and conditions that apply to Business Associate under this Agreement with respect to such Protected Health Information, including the requirement to report security incidents and breaches. Should Business Associate subcontract any responsibilities to a subcontractor, Business Associate will ensure there is an agreement between the parties which ensures that the subcontractor adheres to all of the requirements within this Agreement. Business Associate shall be responsible for monitoring all Business Associate Agreements with their subcontractors.
6. Access to Protected Health Information. Business Associate shall provide access, at the request of Covered Entity, to Protected Health Information in a designated record set (as defined in the Privacy Rule), to Covered Entity, or as directed by Covered Entity, to an individual in order to meet the requirements of 45 C.F.R. § 164.524.
7. Amendment of Protected Health Information. Business Associate agrees to amend Protected Health Information in a designated record set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an individual. Covered Entity shall notify Business Associate in writing of any amendment agreed to by Covered Entity with respect to any Protected Health Information.
8. Accounting of Disclosures. At the request of Covered Entity, Business Associate shall make available the information required to provide an accounting to an individual of disclosures of Protected Health Information about that individual, in accordance with 45 C.F.R. § 164.528.
9. Availability of Books and Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created by Business Associate on behalf of Covered Entity, available to the Secretary of the Department of Health and Human Services (“HHS”) or any other officer or employee of HHS to whom the applicable authority has been delegated, as designated by HHS, for purposes of determining Covered Entity’s compliance with the Privacy Rule.
10. Obligations of Covered Entity. Covered Entity shall promptly notify Business Associate in writing of (a) any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information; (b) any changes in, or revocation of, permission by an individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information; (c) any amendments to Protected Health Information in a designated record set in accordance with 45 C.F.R. § 164.526; and (d) any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity except that Business Associate may use or disclose protected health information for data aggregation or management and administrative activities of Business Associates.
11. Termination. In the event that Business Associate breaches any material provision contained in this Agreement, Covered Entity shall give Business Associate at least 10 days’ written notice to cure the breach. In the event that Business Associate fails to cure the breach within the specified period, Covered Entity may, in Covered Entity’s sole discretion, either cure the breach at Business Associate’s expense, or terminate this Agreement and/or any and all of the Applicable Agreements which relate to the breach. In the event that the termination of any or all of the Applicable Agreements, as the case may be, and/or this Agreement is, in Covered Entity’s sole discretion, not feasible, Covered Entity may report the breach to HHS.
12. Return or Destruction of Protected Health Information upon Termination. Upon termination of any of this Agreement and/or all of the Applicable Agreements, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall not retain any copies of such Protected Health Information. However, in the event that Business Associate determines that it is not feasible for Business Associate to return or destroy such Protected Health Information, Business Associate shall notify Covered Entity. The terms and provisions of this Agreement shall survive termination of this Agreement and any or all of the Applicable Agreements with regard to such Protected Health Information, and such Protected Health Information shall be used or disclosed solely for such purpose or purposes that make the return or destruction of such Protected Health Information infeasible. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associates.
13. Covered Entity’s Obligations. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
14. Indemnification. Each party hereby agrees to indemnify and hold the other party, and such other party’s affiliates, officers, directors, members, employees and agents, harmless from and against any and all liability and costs, including reasonable attorneys’ fees, arising from any non-permitted or violating use or disclosure of Protected Health Information or breach of this Agreement by such party, its agents or subcontractors. In no event shall either party be liable for indirect or consequential damages.
15. Effect. The terms of this Agreement shall supersede any other conflicting or inconsistent terms in any and all Applicable Agreements to which this Agreement applies, including all exhibits or other attachments thereto and all documents incorporated therein by reference. Except as modified by this Agreement, all other terms of the Applicable Agreements shall remain in force and effect.
16. Amendment. The parties agree to amend this Agreement, such amendment to be in form and substance reasonably acceptable to each party, to the extent necessary to allow either party to comply with the Privacy Rule, the Standards for Electronic Transactions (45 C.F.R. Parts 160 and 162), and the Security Standards (45 C.F.R. Part 164) including any changes required by the American Recovery and Reinvestment Act of 2009 (“HITECH Act”) or the Omnibus Rule. All amendments to this Agreement must be documented in a writing signed by both parties.
17. No Third-Party Beneficiaries. Nothing expressed or implied in this Agreement is intended to confer, nor shall anything confer, upon any persons other than Covered Entity and Business Associate, and their respective successors and assigns, any rights, remedies, obligations or liabilities whatsoever.
18. General Provisions.
(a) This Agreement shall be governed in all respects, whether as to validity, construction, capacity, performance or otherwise, by the laws of the Commonwealth of Pennsylvania and applicable Federal laws.
(b) All notices or communications required or permitted pursuant to the terms of this Agreement shall be in writing and will be delivered in person or by means of certified or registered mail, postage paid, return receipt requested, to such Party at its address as set forth below, or such other person or address as such Party may specify by similar notice to the other party hereto, or by facsimile with a hard copy sent by mail with delivery on the next business day. All such notices will be deemed given upon delivery if delivered by hand, on the third business day after deposit with the U.S. Postal Service, and on the first business day after sending if by facsimile.
As to Covered Entity:
Chief Operating Officer
[name and address]
As to Business Associate:
[name and address]
(c) If any provision of this Agreement shall be held invalid or unenforceable, such invalidity or unenforceability shall attach only to such provision and shall not in any way affect or render invalid or unenforceable any other provision of this Agreement.
(d) The waiver by either Party of a breach or violation of any provision of this Agreement shall not operate as, or be construed to be, a waiver of any subsequent breach of the same or other provisions of this Agreement.
(e) This Agreement may be executed in any number of counterparts, all of which together shall constitute one and the same instrument.
(f) This Agreement shall be binding upon and inure to the benefit of the parties hereto and their respective successors and assigns. Neither Party shall assign or delegate its rights, duties, or obligations under this Agreement, without the prior written consent of the other Party.
(g) In the performance of the duties and obligations of the Parties pursuant to this Agreement, each of the Parties shall at all times be acting and performing as an independent contractor, and nothing in this Agreement shall be construed or deemed to create a relationship of employer and employee, or partner, or joint venture, or principal and agent between the Parties.
(h) A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required.
(i) Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule.
IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement, effective as of the date and year indicated above.