The Covered Entity wishes to disclose certain information to the Business Associate, some of which may constitute Protected Health Information (as defined below) in connection with the functions, activities and services that Business Associate performs for Covered Entity in accordance with the Underlying Agreement.
Unless the context clearly indicates otherwise, terms used, but not otherwise defined, in this Business Associate Agreement shall have the same meaning as those terms in the HIPAA Rules (defined below).
“Breach” shall have the same meaning as the term “breach” under 45 C.F.R. §164.402, except that in the context of a breach of an agreement or contract, including this Business Associate Agreement, or in the context of a “material breach,” the term “breach” shall refer to a failure to perform a term of an agreement and shall be given the meaning afforded the term under ordinary contract law
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191
“HITECH Act” means the Health Information Technology for Economic and Clinical Health Act of 2009.
“HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
“Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR §160.103, limited to the information received or created by Business Associate from or on behalf of Covered Entity.
“Secretary” means the Secretary of the Department of Health and Human Services (“HHS”) or his designee
1. Obligations of the Business Associate.
The Business Associate shall not use or disclose PHI other than as permitted or required by this Business Associate Agreement or as Required By Law.
The Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 CFR part 164 with respect to electronic PHI, to prevent the use or disclosure of PHI other than as provided for by this Business Associate Agreement
Upon “discovery,” as the term is defined in 45 C.F.R. §164.410, by Business Associate of a Breach of unsecured PHI, Business Associate agrees to report such Breach to Covered Entity without unreasonable delay, and in any case within 30 calendar days of Business Associate’s “discovery” of such Breach. Such notice shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach, to the extent Business Associate has access to such information without decryption of data. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the Individual under 45 C.F.R. §164.404(c) at the time of notification or promptly thereafter as information becomes available. Business Associate’s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of the HIPAA Rules and the HITECH Act.
Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Business Associate Agreement of which it becomes aware, as required under 45 C.F.R. § 164.410, and any security incident of which it becomes aware
In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, the Business Associate shall ensure that any subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions, conditions and requirements that apply to the Business Associate under this Business Associate Agreement with respect to such PHI.
Within 30 calendar days from the receipt of a request from Covered Entity, and in the manner agreed to between the parties, and to the extent Business Associate has access to Covered Entity’s data in an decrypted format, Business Associate agrees to provide access to PHI in a Designated Record Set to Covered Entity as necessary to meet the Covered Entity’s obligations under 45 CFR §164.524
To the extent Business Associate has access to Covered Entity’s data in an decrypted format, Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR §164.526. Notwithstanding the foregoing, Business Associate need not make amendments to PHI in a Designated Record Set unless the Covered Entity is unable to make such amendments to such PHI.
Business Associate agrees that when requesting, using or disclosing PHI, such request, use or disclosure shall be to the minimum extent necessary to accomplish the intended purpose of such request, use or disclosure
Business Associate agrees to make internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Rules.
Business Associate agrees to maintain and make available to the Covered Entity, within 30 calendar days of the receipt of a request from Covered Entity, any information required for Covered Entity to respond to a request by an Individual or the Secretary for an accounting of PHI disclosures as necessary to satisfy the Covered Entity’s obligations under 45 C.F.R. 164.528.
To the extent Business Associate has access to Covered Entity’s data in an decrypted format, Business Associate agrees to account for any disclosure of PHI used or maintained as an electronic record of health-related information on an Individual that is created, gathered, managed and consulted by authorized health care clinicians and staff (“Electronic Health Record” or “EHR”) in a manner consistent with 45 C.F.R. §164.528; provided that an Individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the six years prior to the date on which the accounting is requested from Covered Entity
Business Associate agrees to comply with the “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in section 13405(d) of Subtitle D (Privacy) of the HITECH Act, and the “Conditions on Certain Contacts as Part of Health Care Operations,” as provided in section 13406 of Subtitle D (Privacy) of the HITECH Act
Business Associate shall comply with any required provisions of the HIPAA Rules
To the extent that Business Associate is to carry out an obligation of the Covered Entity under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of that subpart that apply to the Covered Entity in the performance of such obligation
2. Permitted Uses and Disclosures by Business Associate.
Except as otherwise limited in this Business Associate Agreement, Business Associate may use or disclose PHI to perform under the Underlying Agreement(s), provided that such use or disclosure would not violate Subpart E of 45 CFR Part 164 if done by Covered Entity
Business Associate may use or disclose PHI as permitted by law
3. Obligations of and Permissible Requests by Covered Entity.
Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI
Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI
Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subparts C and E of 45 CFR Part 164 if done by Covered Entity
4. Term and Termination.
Term. The Term of this Business Associate Agreement shall be effective as of the Effective Date, and shall terminate when all of the PHI received or created by Business Associate from or on behalf of Covered Entity is destroyed or returned to Covered Entity, or, if it is not feasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section
Termination for Breach. Upon either party’s knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation within a reasonable timeframe, not to exceed 30 days from receipt of written notification of the breach. If the breaching party does not cure the breach or end the violation, or if a material term of this Business Associate Agreement has been breached and a cure is not possible, the non-breaching party may terminate this Business Associate Agreement and the applicable Underlying Agreement(s), upon written notice to the other party
Judicial or Administrative Proceeding. Either party may terminate this Agreement, effective immediately, if (i) the other party is named as a defendant in a criminal proceeding for a violation of the HIPAA Rules or (ii) a finding or stipulation that the other party has violated any standard or requirement of the HIPAA Rules or other security or privacy laws is made in any administrative or civil proceeding in which the party has been joined
Termination of Underlying Agreement. Upon termination or expiration of the Underlying Agreement(s) for any reason, either party may terminate this Business Associate Agreement immediately upon written notice
Effect of Termination. Upon termination of this Business Associate Agreement for any reason, the Business Associate shall return or destroy all PHI received from Covered Entity, and the Business Associate shall retain no copies of the PHI. In the event that the return or destruction of PHI is not feasible, the Business Associate shall extend the protections of this Business Associate Agreement to such PHI and limit further uses or disclosures to those purposes that make the return or destruction not feasible, for so long as the Business Associate maintains such PHI
Regulatory References. A reference in this Business Associate Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
Interpretation. Any ambiguity in this Business Associate Agreement shall be resolved to permit Covered Entity to comply with the HIPAA Rules. Any inconsistency between this Business Associate Agreement and the HIPAA Rules, including all amendments, as interpreted by the HHS, court or another regulatory agency with authority over the parties, shall be interpreted according to the interpretation of the HHS, the court or the regulatory agency. Any provisions of this Business Associate Agreement that are not mandated by the HIPAA Rules, but are nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this Business Associate Agreement.
Conflict. If any express terms of this Business Associate Agreement conflict with the Underlying Agreement, then this Business Associate Agreement, if applicable, shall control as to those terms. The Underlying Agreement shall control in all other instances, including, without limitation, liability, remedies, limitation of liability, limitation of remedies, warranties, disclaimer of warranties, or indemnification
Governing Law. Except to the extent preempted by federal law, this Business Associate Agreement shall be governed by and construed in accordance with the same internal laws as stated in the applicable Underlying Agreement.
Amendment. This Business Associate Agreement may be modified in accordance with the Underlying Agreement.