Introduction
A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.
A written contract between a covered entity and a business associate must: (1) establish the permitted and required uses and disclosures of protected health information by the business associate; (2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law; (3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information; (4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information; (5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings; (6) to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation; (7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule; (8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity; (9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and (10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements.
Business Associate Agreement Provisions
RECITALS
A. CE wishes to disclose certain information to BA pursuant to the terms of the Contract, some of which may constitute Protected Health Information (“PHI”) (defined below).
B. CE and BA intend to protect the privacy and provide for the security of PHI disclosed to BA pursuant to the Contract in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act and the Omnibus Final Rule implementing it (together, the “HITECH Omnibus Rule”), the regulations promulgated thereunder by the U.S. Department of Health and Human Services (the “HIPAA Regulations”) and other applicable laws.
C. As part of the HIPAA Regulations, the Privacy Rule and the Security Rule (defined below) require CE to enter into a contract containing specific requirements with BA prior to the disclosure of PHI, as set forth in, but not limited to, Title 45, Sections 160.103, 164.314(a), 164.502(e) and 164.504(e) of the Code of Federal Regulations (“C.F.R.”) and contained in this Agreement.
In consideration of the mutual promises below and the
exchange of information pursuant to this Agreement, the parties agree as
follows:
1. Definitions
a. Breach shall have the meaning given to such term under the HITECH Omnibus Rule, including, but not limited to, 45 C.F.R. Section 164.402 [Final 78 Fed. Reg. at 5,695].
b. Business Associate shall have the meaning given to such term under the Privacy Rule, the Security Rule and the HITECH Omnibus Rule, including, but not limited to, 42 U.S.C. Section 17938, Final 45 C.F.R. Section 160.103 and 78 Fed. Reg. 5,572 (Jan. 25, 2013).
c. Covered Entity shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, Final 45 C.F.R. Section 160.103.
d. Data Aggregation shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.501.
e. Designated Record Set shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.501.
f. Electronic Protected Health Information means Protected Health Information that is maintained in or transmitted by electronic media.
g. Electronic Health Record shall have the meaning given to such term in the HITECH Omnibus Rule, including, but not limited to, 42 U.S.C. Section 17921.
h. Health Care Operations shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.501.
i. HIPAA Rules shall mean the Privacy, Security, Breach Notification and Enforcement Rules at Final 45 C.F.R. Part 160 and Part 164.
j. Minimum Necessary shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Sections 164.502(b) and 164.514(d).
k. Privacy Rule shall mean the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and E.
l. Protected Health Information or PHI means any information, whether oral or recorded in any form or medium: (i) that relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 160.103. Protected Health Information includes Electronic Protected Health Information [Final 45 C.F.R. Sections 160.103, 164.501].
m. Protected Information shall mean PHI provided by CE or BA or created or received by BA on CE’s behalf.
n. Security Rule shall mean the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and C.
o. Unsecured PHI shall have the meaning given to such term under the HITECH Omnibus Rule and any guidance issued pursuant thereto, including, but not limited to, 42 U.S.C. Section 17932(h).
2. Obligations and Activities of Business Associate
a. Permitted Uses. BA shall not use Protected Information except for the purpose of performing BA’s obligations under the Contract and as permitted under the Contract and Attachments. Further, BA shall not use Protected Information in any manner that would constitute a violation of the Privacy Rule or the HITECH Omnibus Rule if so used by CE. However, BA may use Protected Information (i) for the proper management and administration of BA, (ii) to carry out the legal responsibilities of BA, or (iii) for Data Aggregation purposes for the Health Care Operations of CE [45 C.F.R. Sections 164.504(e)(2)(i), 164.504(e)(2)(ii)(A) and 164.504(e)(4)(i)].
b. Permitted Disclosures. BA shall not disclose Protected Information except for the purpose of performing BA’s obligations under the Contract and as permitted under the Contract and Agreement. BA shall not disclose Protected Information in any manner that would constitute a violation of the Privacy Rule or the HITECH Omnibus Rule if so disclosed by CE. However, BA may disclose Protected Information (i) for the proper management and administration of BA; (ii) to carry out the legal responsibilities of BA; (iii) as required by law; or (iv) for Data Aggregation purposes for the Health Care Operations of CE. If BA discloses Protected Information to a third party, BA must obtain, prior to making any such disclosure, (i) reasonable written assurances from such third party that such Protected Information will be held confidential as provided pursuant to this Addendum and only disclosed as required by law or for the purposes for which it was disclosed to such third party, and (ii) a written agreement from such third party to immediately notify BA of any breaches of confidentiality of the Protected Information, to the extent it has obtained knowledge of such breach [Final 45 C.F.R. Section 164.504(e)].
c. Prohibited Uses and Disclosures. BA shall not use or disclose Protected Information for fund-raising or marketing purposes. BA is not allowed to sell CE’s Protected Information for any purpose. BA shall not disclose Protected Information to a health plan for payment or health care operations purposes if the patient has requested this special restriction and has paid out of pocket in full for the health care item or service to which the PHI solely relates [42 U.S.C. Section 17935(a)]. BA shall not directly or indirectly receive remuneration in exchange for Protected Information, except with the prior written consent of CE and as permitted by the HITECH Omnibus Rule, 42 U.S.C. Section 17935(d)(2); however, this prohibition shall not affect payment by CE to BA for services provided pursuant to the Contract.
d. Appropriate Safeguards. BA shall implement appropriate safeguards as necessary to prevent the use or disclosure of Protected Information otherwise than as permitted by the Contract or Attachments, including, but not limited to, administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Protected Information, in accordance with 45 C.F.R. Sections 164.308, 164.310 and 164.312 [45 C.F.R. Sections 164.504(e)(2)(ii)(B), 164.308(b) and 164.504(e)]. BA shall comply with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to, 45 C.F.R. Section 164.316 [42 U.S.C. Section 17931; Final 45 C.F.R. Section 164.504(e)].
e. Reporting Improper Access, Use or Disclosure. BA shall report to CE in writing any access, use or disclosure of Protected Information not permitted by the Contract and Attachments, and any Breach of Unsecured PHI of which it becomes aware, without unreasonable delay and in no case later than seven (7) calendar days after discovery [42 U.S.C. Section 17932(b); 45 C.F.R. Sections 164.504(e)(2)(ii)(C), 164.308(b), 164.410 and 164.504(e)].
f. Business Associate’s Subcontractors and Agents. BA shall ensure that any agents, including subcontractors, to whom it provides Protected Information, agree in writing to the same restrictions and conditions that apply to BA with respect to such PHI and implement the safeguards required by paragraph d above with respect to Electronic PHI [45 C.F.R. Sections 164.504(e)(2)(ii)(D), 164.308(b) and 164.504(e)]. BA shall ensure compliance with, and maintain documentation of compliance with, the HIPAA Rules and shall make available Attachment “A” of this Agreement to all subcontractors. BA shall implement and maintain sanctions against agents and subcontractors that violate such restrictions and conditions, and shall mitigate the effects of any such violation (see 45 C.F.R. Sections 164.530(f), 164.530(e)(1) and 164.504(e)).
g. Access to Protected Health Information. BA shall make Protected Health Information maintained by BA or its agents or subcontractors in Designated Record Sets available to CE for inspection and copying within ten (10) days of a request by CE to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.524 [45 C.F.R. Section 164.504(e)(2)(ii)(E)]. If BA maintains an Electronic Health Record, BA shall provide such information in electronic format to enable CE to fulfill its obligations under the HITECH Omnibus Rule, including, but not limited to, 42 U.S.C. Section 17935(e) [Final 45 C.F.R. Section 164.504(e)]. BA shall notify CE within seven (7) days should an individual request Protected Health Information from BA, and shall forward any Protected Health Information requested to CE within ten (10) days. Unless otherwise agreed to and documented, BA will not directly disclose Protected Health Information.
h. Amendment of PHI. Within ten (10) days of receipt of a request from CE for an amendment of Protected Information or a record about an individual contained in a Designated Record Set, BA or its agents or subcontractors shall make such Protected Information available to CE for amendment and incorporate any such amendment to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.526. If any individual requests an amendment of Protected Information directly from BA or its agents or subcontractors, BA must notify CE in writing within five (5) days of the request. Any approval or denial of amendment of Protected Information maintained by BA or its agents or subcontractors shall be the responsibility of CE [Final 45 C.F.R. Section 164.504(e)(2)(ii)(F)].
i. Accounting of Disclosures Rights. [Within ten (10) days of notice by CE of a request for an accounting of disclosures of Protected Information] {Promptly upon any disclosure of Protected Information for which CE is required to account to an individual}, BA and its agents or subcontractors shall make available to CE the information required to provide an accounting of disclosures to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.528, and the HITECH Omnibus Rule, including, but not limited to, 42 U.S.C. Section 17935(c), as determined by CE. BA and its agents or subcontractors shall collect and maintain such information for at least six (6) years prior to the request. However, accountings of disclosures from an Electronic Health Record for treatment, payment or health care operations purposes are required to be collected and maintained for only three (3) years prior to the request, and only to the extent that BA maintains an Electronic Health Record and is subject to this requirement. At a minimum, the information collected and maintained shall include: (i) the date of disclosure; (ii) the name of the entity or person who received Protected Information and, if known, the address of the entity or person; (iii) a brief description of the Protected Information disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure. In the event that a request for an accounting is delivered directly to BA or its agents or subcontractors, BA shall, within five (5) days of the request, forward it to CE in writing. It shall be CE’s responsibility to prepare and deliver any such accounting requested. BA shall not disclose any Protected Information except as set forth in Section 2.b of this Agreement [45 C.F.R. Sections 164.504(e)(2)(ii)(G) and 164.528]. The provisions of this subparagraph i shall survive the termination of this Agreement.
j. Governmental Access to Records. BA shall make its internal practices, books and records relating to the use and disclosure of Protected Information available to CE and to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for purposes of determining BA’s compliance with the Privacy Rule [45 C.F.R. Section 164.504(e)(2)(ii)(I)]. BA shall provide to CE a copy of any Protected Information that BA provides to the Secretary concurrently with providing such Protected Information to the Secretary.
k. Minimum Necessary. BA (and its agents or subcontractors) shall request, use and disclose only the minimum amount of Protected Information necessary to accomplish the purpose of the request, use or disclosure [42 U.S.C. Section 17935(b); 45 C.F.R. Section 164.514(d)(3)]. BA understands and agrees that the definition of “minimum necessary” is as stated in 78 Fed. Reg. 5,559, that the standard will “vary based on the circumstances,” and that BA will stay apprised of future guidance by the Department of Health and Human Services as to the specific application of the minimum necessary standard to business associates as outlined at Final 78 Fed. Reg. 5,559.
l. Data Ownership.
BA acknowledges that BA has no ownership
rights with respect to the Protected Information.
m. Notification of Breach. During the term of the Contract, BA shall notify CE within seven (7) days of any suspected or actual breach of security, intrusion or unauthorized use or disclosure of PHI of which BA becomes aware and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. BA shall take (i) prompt corrective action to cure any such deficiencies and (ii) any action pertaining to such unauthorized disclosure required by applicable federal and state laws and regulations [Final 45 C.F.R. Section 164.504(e)].
n. Breach Pattern or Practice by Covered Entity. Pursuant to 42 U.S.C. Section 17934(b), if BA knows of a pattern of activity or practice of CE that constitutes a material breach or violation of CE’s obligations under the Contract or Attachments or other arrangement, BA must take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, BA must terminate the Contract or other arrangement if feasible. BA shall provide written notice to CE of any pattern of activity or practice of CE that BA believes constitutes a material breach or violation of CE’s obligations under the Contract or Attachments or other arrangement within five (5) days of discovery, and shall meet with CE to discuss and attempt to resolve the problem as one of the reasonable steps to cure the breach or end the violation.
o. Audits, Inspection and Enforcement. Within ten (10) days of a written request by CE, BA and its agents or subcontractors shall allow CE to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies and procedures relating to the use or disclosure of Protected Information pursuant to this Addendum for the purpose of determining whether BA has complied with this Agreement; provided, however, that (i) BA and CE shall mutually agree in advance upon the scope, timing and location of such an inspection; (ii) CE shall protect the confidentiality of all confidential and proprietary information of BA to which CE has access during the course of such inspection; and (iii) CE shall execute a nondisclosure agreement, upon terms mutually agreed upon by the parties, if requested by BA. The fact that CE inspects, or fails to inspect, or has the right to inspect, BA’s facilities, systems, books, records, agreements, policies and procedures does not relieve BA of its responsibility to comply with this Agreement, nor does CE’s (i) failure to detect or (ii) detection, but failure to notify BA of or require BA’s remediation of, any unsatisfactory practices constitute acceptance of such practices or a waiver of CE’s enforcement rights under the Contract or Agreement. BA shall notify CE within ten (10) days of learning that BA has become the subject of an audit, compliance review or complaint investigation by the Office for Civil Rights. BA understands that CE’s audit logs are reviewed each month to check for intrusion attempts, unauthorized access and other unusual or suspicious behavior.
p. Remedies in Event of Breach. Business Associate hereby recognizes that irreparable harm will result to Covered Entity, and to the business of Covered Entity, in the event of breach by Business Associate or a subcontractor of Business Associate of any of the covenants and assurances contained in Paragraphs 2.a through 2.o of this Agreement. As such, in the event of breach of any of the covenants and assurances contained in Paragraphs 2.a through 2.o above, Covered Entity shall be entitled to enjoin and restrain Business Associate from any continued violation of Paragraphs 2.a through 2.o. Further, in the event of breach of Paragraphs 2.a through 2.o by Business Associate or a subcontractor of Business Associate, Covered Entity shall be entitled to reimbursement and indemnification from Business Associate for Covered Entity’s reasonable attorneys’ fees, expenses and costs that were reasonably incurred as a proximate result of Business Associate’s breach. The remedies contained in this Paragraph p shall be in addition to (and not supersede) any action for damages and/or other remedy Covered Entity may have for breach of any part of this Agreement.
3. Termination
a. Material Breach. A breach by BA of any provision of this Addendum, as determined by CE, shall constitute a material breach of the Contract and shall provide grounds for immediate termination of the Contract, any provision in the Contract to the contrary notwithstanding [45 C.F.R. Sections 164.504(e)(2)(iii) and 164.504(e)].
b. Judicial or Administrative Proceedings. CE may terminate the Contract, effective immediately, if (i) BA is named as a defendant in a criminal proceeding for a violation of HIPAA, the HITECH Omnibus Rule, the HIPAA Regulations or other security or privacy laws, or (ii) a finding or stipulation that BA has violated any standard or requirement of HIPAA, the HITECH Omnibus Rule, the HIPAA Regulations or other security or privacy laws is made in any administrative, civil or criminal proceeding in which BA has been joined.
c. Effect of Termination. Upon termination of the Contract for any reason, BA shall, at the option of CE, return or destroy all Protected Information that BA or its agents or subcontractors still maintain in any form, and shall retain no copies of such Protected Information. If return or destruction is not feasible, as determined by CE, BA shall continue to extend the protections of Section 2 of this Agreement to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible [45 C.F.R. Section 164.504(e)(2)(ii)(J)]. If CE elects destruction of the PHI, BA shall certify in writing to CE that such PHI has been destroyed in compliance with the standards set by the HIPAA Rules.
d. Survival. The
obligations to protect Protected Health Information of business associate shall
survive the termination of this agreement.
6. Disclaimer
CE makes no warranty or representation that compliance by
BA with this Addendum, HIPAA, the HITECH Omnibus Rule, or the HIPAA Regulations
will be adequate or satisfactory for BA’s own purposes. BA is solely
responsible for all decisions made by BA regarding the safeguarding of PHI.
7. Certification
To the extent that CE determines that such examination is necessary to comply with CE’s legal obligations pursuant to HIPAA relating to certification of its security practices, CE or its authorized agents or subcontractors may, at CE’s expense, examine BA’s facilities, security risk assessment, policies and procedures, employee training requirements, employee files and other systems, procedures and records as may be necessary for such agents or contractors to certify to CE the extent to which BA’s security safeguards comply with HIPAA, the HITECH Omnibus Rule, the HIPAA Regulations or this Agreement. BA is required to complete Attachment “A” – “Business Associates Compliance Status Questionnaire” as part of this Agreement.
8. Amendment
a. Amendment to Comply with Law. The parties acknowledge that state and federal laws relating to data security and privacy are rapidly evolving and that amendment of the Contract or Agreement may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HITECH Omnibus Rule, the Privacy Rule, the Security Rule and other applicable laws relating to the security or confidentiality of PHI. The parties understand and agree that CE must receive satisfactory written assurance from BA that BA will adequately safeguard all Protected Information. Upon the request of either party, the other party agrees to promptly enter into negotiations concerning the terms of an amendment to this Agreement embodying written assurances consistent with the standards and requirements of HIPAA, the HITECH Omnibus Rule, the Privacy Rule or other applicable laws. CE may terminate the Contract upon thirty (30) days’ written notice in the event (i) BA does not promptly enter into negotiations to amend the Contract or Addendum when requested by CE pursuant to this Section, or (ii) BA does not enter into an amendment to the Contract or Agreement providing assurances regarding the safeguarding of PHI that CE, in its sole discretion, deems sufficient to satisfy the standards and requirements of applicable laws.
9. Assistance in
Litigation or Administrative Proceedings
BA shall make itself, and any subcontractors, employees or agents assisting BA in the performance of its obligations under the Contract or Agreement, available to CE, at no cost to CE, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against CE, its directors, officers or employees based upon a claimed violation of HIPAA, the HITECH Omnibus Rule, the Privacy Rule, the Security Rule, or other laws relating to security and privacy, except where BA or its subcontractor, employee or agent is a named adverse party.
10. No Third-Party
Beneficiaries
Nothing express or implied in the Contract or Agreement
is intended to confer, nor shall anything herein confer, upon any person other
than CE, BA and their respective successors or assigns, any rights, remedies,
obligations or liabilities whatsoever.
11. Effect on
Contract
Except as specifically required to implement the purposes
of this Agreement, or to the extent inconsistent with this Agreement, all other
terms of the Contract shall remain in force and effect.
12. Interpretation
The provisions of the Agreement shall prevail over any
provisions in the Contract that may conflict or appear inconsistent with any
provision in the Agreement. This Agreement and the Contract shall be
interpreted as broadly as necessary to implement and comply with HIPAA, the
HITECH Omnibus Rule, the Privacy Rule and the Security Rule. The parties agree
that any ambiguity in this Addendum shall be resolved in favor of a meaning
that complies and is consistent with HIPAA, the HITECH Omnibus Rule, the
Privacy Rule and the Security Rule.
IN WITNESS WHEREOF,
the parties hereto have duly executed this Agreement as of the Agreement
Effective Date.