HIPAA – BUSINESS ASSOCIATE AGREEMENT
HIPAA Business Associate Agreement
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.
THIS BUSINESS ASSOCIATE AGREEMENT (this “Agreement”) is entered into between Quality Computer Systems’ customer (the “Customer”) and Quality Computer Systems, Inc. (the “Business Associate”).
WHEREAS, the United States Department of Health and Human Services has promulgated regulations at 45 C.F.R. Parts 160, 162, and 164 relating to standards for privacy and security of individually identifiable health information (the “Privacy and Security Rules”) pursuant to Subtitle F (Administrative Simplification) of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191, August 21, 1996, 110 Stat. 1936), 42 U.S.C. §§ 1320d – 1320d-8 (collectively with the Privacy and Security Rules, as each may be amended from time to time, “HIPAA”);
WHEREAS, the Customer has been engaged by various Covered Entities, as defined below, as a business associate to perform certain services and, in the course of such engagement, the customer may receive Protected Health Information, as defined below, from Covered Entities;
WHEREAS, the Covered Entities have entered into business associate agreements with “the Customer”; and
WHEREAS, the customer has engaged the Business Associate to perform certain services and, in the course of such engagement, the Business Associate may receive Protected Health Information from “the customer” or from such Covered Entities.
NOW, THEREFORE, for good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the customer and the Business Associate, intending to be legally bound, agree as follows.
1.1 “Covered Entity” shall have the meaning given in 45 C.F.R. § 160.103.
1.2 “Individual” shall have the meaning given in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
1.3 “Protected Health Information” or “PHI” shall have the meaning given in 45 C.F.R. § 160.103, limited to the information received by the customer and/or the Business Associate from or on behalf of the Covered Entity. “Electronic Protected Health Information” or “EPHI” is a subset of PHI and shall have the meaning given in 45 C.F.R. § 160.103.
1.4 “Required by Law” shall have the same meaning given in 45 C.F.R. § 164.103.
1.5 “Secretary” shall mean the Secretary of the United States Department of Health and Human Services.
1.6 “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
1.7 “Security Regulations” means the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Parts 160, 162 and 164, as they apply to Covered Entity.
OBLIGATIONS AND ACTIVITIES OF THE BUSINESS ASSOCIATE
2.1 Uses and Disclosures by the Business Associate.
The Business Associate may use or disclose Protected Health Information only as authorized by this Agreement or as Required by Law. Unless otherwise limited by this Agreement, the Business Associate may: (a) use the PHI in its possession to carry out the responsibilities of the Business Associate to the customer, and (b) use the PHI as necessary to assist the customer in providing services to the Covered Entity. Notwithstanding any express term or condition of this Agreement, the Business Associate shall be governed and abide by the terms and conditions of HIPAA and the rules and regulations promulgated pursuant to it. To the extent that a term or condition of this Agreement conflicts with or differs from HIPAA, HIPAA will prevail.
2.2 Specific Use and Disclosure Restrictions.
a. Business Associate will restrict the disclosure of an Individual’s PHI upon the Individual’s request to the Covered Entity, in accordance with 45 C.F.R. §164.522(a)(1)(i)(A) and §164.522(a)(1)(ii), when the customer notifies Business Associate that the Individual has made such a restriction request and each of the following conditions is satisfied:
1. the disclosure would be to a health plan for the purposes of carrying out payment or health care operations, as that term may be amended from time to time, and
2. the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out-of-pocket in full.
b. Business Associate will limit to the extent practicable the use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purposes of such use, disclosure, or request, respectively. At such time when the Secretary issues further guidance on disclosure limitations, as mandated by Section 13405(b) of the American Reinvestment and Recovery Act of 2009 (“ARRA”), Business Associate shall comply with the applicable limitations established in the guidance.
2.3 Responsibilities and Activities of the Business Associate.
With respect to the Protected Health Information, the Business Associate agrees to:
a. Use all reasonable efforts to safeguard the security of the PHI and to prevent unauthorized use and/or disclosure of the PHI by the Business Associate, its employees, agents and subcontractors.
b. Report to the customer any unauthorized use and/or disclosure of the PHI within ten (10) calendar days of the Business Associate’s discovery of such unauthorized use and/or disclosure.
c. Require all subcontractors or other agents of the Business Associate that receive or use, or have access to, PHI to agree to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate under this Agreement.
d. Upon prior request and during normal business hours, make available to the Secretary or his/her designee all internal policies and procedures and records relating to the use and/or disclosure of PHI by the Business Associate and the PHI in the Business Associate’s possession, for purposes of determining the Business Associate’s compliance with the Privacy and Security Rules.
e. Document disclosures of PHI as would be required for the customer and/or a Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI, to the extent required by 45 C.F.R. §164.528.
f. Provide to the customer, within ten (10) days of receipt of a request from the customer, such information as is requested by the customer to permit the customer to respond to a request by an Individual for an accounting of the disclosures of the Individual’s PHI, including those disclosures by the Business Associate, to the extent required by 45 C.F.R. §164.528.
g. Provide the customer or, as directed by the customer, an Individual with access to PHI, to the extent required by 45 C.F.R. §164.524. Such access shall be in a timely and reasonable manner, as agreed upon by the parties.
h. Make any amendment(s) to PHI that the customer directs, to the extent required by 45 C.F.R. §164.526, at the request of Covered Entity or an Individual, in a time and manner reasonably agreed upon by the parties.
i. Subject to Section 4.3 of this Agreement, return to the customer, within thirty (30) days of the termination of this Agreement, the PHI in the Business Associate’s possession and retain no copies, backup tapes, or any other reproduction, electronic or otherwise, of the PHI.
j. Disclose to subcontractors, agents or other third parties only the minimum Protected Health Information necessary to perform or fulfill a specific function required hereunder.
2.4 Electronic Protected Health Information.
With respect to Electronic Protected Health Information, the Business Associate agrees that:
a. Business Associate will ensure that its administrative, physical and technical safeguards reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of the customer.
b. Business Associate has implemented the data security measures of the Security Regulations set forth at 45 C.F.R. §§164.308, 164.310, 164.312, and 164.316, as they may be amended from time to time. Such compliance shall include the implementation of written data security policies and procedures that satisfy the standards, implementation specifications and other requirements of the Security Regulations. Those standards, implementation specifications and other requirements include:
1. Administrative safeguards, which include risk assessment and periodic reassessments; risk management security measures; information system activity risk reviews; an assigned security official; workforce training and sanctions; data access controls; data back-up and disaster recovery plans; and security incident management.
2. Physical safeguards, which include facility and workstation access controls; portable and removable device and media management; device and media disposal, re-use, back-up and storage controls.
3. Technical safeguards, which include access, authentication and audit controls; data integrity and transmission security.
c. Business Associate is required to do the following:
1. Business Associate will notify the customer within five (5) days of when Business Associate discovers a Breach of Unsecured PHI or when such a discovery should have been known.
i. “Unsecured PHI” means PHI that is not secured through the use of a technology or methodology specified by the Secretary in guidance, as such guidance may be amended from time to time, as required by Section 13402 of ARRA.
ii. For purposes of this section, a “Breach of Unsecured PHI” shall be discovered by the Business Associate as of the first day on which such breach is known to Business Associate (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of Business Associate) or should reasonably have been known to Business Associate to have occurred. Business Associate must provide evidence demonstrating the need for delay in the event that notice is not provided in accordance with this provision.
2. Business Associate will, at a minimum, identify each Individual whose Unsecured PHI has been breached, or Business Associate reasonably believes has been breached, and, if requested by the customer, supply the customer with each Individual’s contact information and such other information as the customer may reasonably request from Business Associate in order for the customer to meet its notification requirements for Breaches of Unsecured PHI.
3. Ensure that any agent, including a subcontractor, to whom it provides EPHI agrees to implement reasonable and appropriate safeguards to protect it.
4. Business Associate shall comply with the disclosure obligations related to accountings for treatment, payment and health care operations disclosures made through electronic health records in accordance with the specifications and time frames established by the Secretary.
5. Report to the customer any Security Incident of which it becomes aware.
OBLIGATIONS OF THE CUSTOMER
3.1 The customer hereby agrees:
a. To inform the Business Associate of any changes in or withdrawals of authorizations, if any, by Individuals provided to the Business Associate that are applicable to the Protected Health Information.
b. To notify the Business Associate of any limitation(s), if any, developed in accordance with 45 C.F.R. §164.520 to the extent that such limitation(s) may affect the Business Associate’s use or disclosure of Protected Health Information.
c. To notify the Business Associate of any restriction(s), if any, on the use and/or disclosure of Protected Health Information as provided for in 45 C.F.R. §164.522, which may affect the Business Associate’s use or disclosure of Protected Health Information.
TERM AND TERMINATION
4.1 Term. The term of this Agreement shall commence on the Effective Date and shall terminate either concurrently with the termination of any other agreement between the parties that requires the parties to maintain this Agreement in full force and effect or, if no such agreement exists, when the matters requiring the transmission of Protected Health Information are ended. Certain provisions and requirements of this Agreement shall survive its termination in accordance with Section 4.3 herein.
4.2 Termination for Cause. In the event that the customer believes the Business Associate has breached a material term of this Agreement, the customer shall either, in its sole discretion: (a) terminate this Agreement and the underlying agreement, if any, or (b) provide the Business Associate with written notice of the existence of the alleged breach. Upon receipt of such notice, the Business Associate shall promptly take all reasonable steps necessary to cure the breach and end the violation to the customer’s reasonable satisfaction as soon as possible. If the breach has not been cured to the customer’s reasonable satisfaction within a reasonable period of time not to exceed thirty (30) days from the date of receipt of the original notice, the customer may immediately terminate this Agreement and the underlying Agreement, if any. At any time, if neither termination nor cure is feasible, the customer may report the breach to the Secretary.
4.3 Obligations of the Business Associate Upon Termination.
a. Upon the termination of this Agreement, the Business Associate agrees to return all PHI in its possession or in the possession of its subcontractors or agents, if it is feasible to do so.
b. If it is not feasible for the Business Associate to return the PHI, the Business Associate will notify the customer of the reasons why it is not feasible and will retain the information in a manner consistent with this section.
c. If the information is not returned upon termination, the Business Associate agrees to extend the protections set forth in this Agreement to the Protected Health Information, to limit further uses or disclosures of the PHI to the purposes that make the return of the PHI infeasible for as long as the PHI is maintained by the Business Associate, and to abide by all applicable terms and conditions of HIPAA, as amended from time to time.
5.1 Regulatory References.
A reference in this Agreement to a section in the Privacy and Security Rules means the section as in effect at the relevant time.
5.2 Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. The customer and the Business Associate agree to discuss any need to amend this Agreement from time to time as is necessary for the customer and the Business Associate to comply with the requirements of HIPAA.
5.3 Survival. The provisions of Section 4.3 shall survive termination or expiration of this Agreement.
5.4 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
5.5 Incorporation. The recitals set forth above are true and correct and are incorporated into this Agreement by this reference.
5.6 Notices. Any notices to be given hereunder to a party shall be made via hand delivery, U.S.P.S. Certified Mail Return Receipt Requested, or nationally recognized express courier with proof of delivery, to such party’s address as set forth below and shall be effective upon actual delivery.
5.7 Counterparts; Facsimiles. This Agreement may be executed in any number of counterparts, which may be delivered by facsimile or other electronic transmission, including email, each of which shall be deemed an original.
5.8 Further Assurances. Each party hereto agrees to do all acts and things and to make, execute and deliver such written instruments as shall from time to time be reasonably required to carry out the terms, conditions and provisions of HIPAA, as promulgated from time to time. Such amendment shall be entered into on or before the date on which covered entities are required to be in compliance with such law and the regulations published pursuant thereto.
5.9 Enforcement Costs. If any legal action or other proceeding is brought for the enforcement or interpretation of this Agreement, or because of an alleged dispute, breach, default or misrepresentation in connection with any provision of this Agreement, the substantially prevailing party shall be entitled to recover reasonable attorneys’ fees, court costs and all expenses incurred in that action or proceeding and at all levels of trial and appeal, in addition to any other relief to which such party may be entitled.