RECITALS
A. Covered Entity and Business Associate wish to comply with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), and regulations promulgated thereunder by the U.S. Department of Health and Human Services (including the Privacy Rule and Security Rule), HITECH, and other applicable privacy laws which protect a patient’s privacy and the security and confidentiality of his/her protected health information (“PHI”).
B. Business Associate provides services to the Covered Entity that involve the use and/or disclosure of certain PHI subject to protection under the Privacy Rule, the Security Rule and HITECH.
C. Under HIPAA and HITECH, Covered Entity and Business Associate are required to enter into a contract containing specific requirements restricting the use and disclosure of PHI.
1. Definitions: The terms used but not otherwise defined in this Agreement shall have the same meaning ascribed to those terms in the Privacy Rule, the Security Rule or HITECH if applicable.
2. Permitted Uses and Disclosures by Business Associate.
(a) Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI on behalf of, or to perform functions, activities or services for, Covered Entity as specified in this Agreement. Business Associate shall not use or disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity, except as provided at subsections (b) and (c) of this Section 2.
(b) Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that (i) the disclosure is required by law or (ii) the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that such information will be held in confidence and used or disclosed only for the purpose that the disclosure was made and that such person will prevent its further use or disclosure.
(c) Except as otherwise limited in this Agreement, Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
3. Obligations of Business Associate.
(a) Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement or as required by law.
(b) Business Associate agrees to comply with the privacy and security requirements of the Privacy Rule, the Security Rule and HITECH as further detailed in this Agreement, and when required by 42 U.S.C. §§ 17931 and 17934.
(c) Business Associate agrees to use appropriate safeguards, and comply with the Security Rule with respect to electronic PHI, to prevent further use or disclosure of PHI other than as provided for by this Agreement.
(d) Business Associate agrees to mitigate promptly, to the extent practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of this Agreement.
(e) Business Associate agrees to report promptly to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI as required at 45 CFR § 164.410, and any security incident of which it becomes aware. Business Associate also agrees to report promptly to Covered Entity any requests for inspection, copying or amendment of such information. In addition, Business Associate agrees, following discovery of a breach of unsecured PHI, to promptly notify Covered Entity of such breach as and when required by 42 U.S.C. § 17932.
(f) Business Associate agrees to ensure in writing that any agent, including a subcontractor, to whom it provides PHI received from, created by, maintained by, transmitted by or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply to Business Associate with respect to such information.
(g) Business Associate agrees to provide prompt access to PHI in designated record sets to Covered Entity whenever so requested by Covered Entity or, if directed by Covered Entity, to a Patient in order to meet the requirements of HIPAA. To the extent Business Associate maintains an electronic health record (“EHR”) with respect to PHI on behalf of Covered Entity, Business Associate shall provide a copy of such PHI in electronic format as required to enable Covered Entity to fulfill its obligations under HITECH at 42 U.S.C. § 17935(e). If Patient requests directly from Business Associate (i) to inspect or copy his or her PHI or (ii) disclosure of PHI to a third party, the Business Associate shall promptly notify Covered Entity’s Privacy Official of such request and await such official’s denial or approval of the request.
(h) Business Associate agrees to promptly make amendment(s) to PHI requested by Covered Entity and shall do so in the time and manner requested by Covered Entity to enable it to meet the requirements of HIPAA. If Patient requests an amendment to his or her PHI directly from Business Associate, Business Associate shall promptly notify Covered Entity’s Privacy Official of such request and await such official’s denial or approval of the request.
(i) Business Associate agrees to promptly make its internal practices, books and records relating to the use and disclosure of PHI available to the Covered Entity or the Secretary, in a time and manner designated by the Covered Entity or the Secretary, to enable the Covered Entity or the Secretary to determine compliance with HIPAA.
(j) Business Associate agrees to document and provide to Covered Entity all disclosures of PHI and information related to such disclosures as would be required for Covered Entity to enable it to meet privacy law requirements for an accounting of such disclosures. To the extent Business Associate maintains an EHR with respect to PHI on behalf of Covered Entity, such documentation shall include all disclosures of PHI for treatment, payment, and healthcare operations made three years prior to the request as and when required by 42 U.S.C. § 17935(c).
(k) Business Associate agrees to cooperate with Covered Entity and its medical staff to preserve and protect the confidentiality of PHI accessed or used pursuant to this Agreement. Business Associate may use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 CFR §164.502(j)(1).
(l) Business Associate agrees to maintain a record of all requests for inspection, copying or amendment(s) and requests for disclosure of PHI not provided for by this Agreement, including those initiated by a Patient, Covered Entity or third parties, and to promptly provide such documentation to Covered Entity upon request.
(m) Business Associate agrees to comply with the conditions imposed by HITECH on which communications related to marketing may be treated as health care operations, as and when required by 42 U.S.C. § 17936(a).
(n) Business Associate agrees to include, in any fundraising communication it sends on behalf of Covered Entity that is a healthcare operation as defined at 45 C.F.R. 164.501, a provision allowing the recipient to opt-out of further such communication and treat such election as a revocation, as and when required by 42 U.S.C. § 17936(b).
(o) Business Associate agrees that, as and when required by 42 U.S.C. § 17935(d), it will not directly or indirectly receive remuneration in exchange for the PHI absent a valid authorization from the individual that includes a specification of whether the PHI can be further exchanged for remuneration by the entity receiving the PHI of that individual unless an exception applies.
(p) Business Associate agrees that, to the extent it is to carry out one or more of Covered Entity’s obligation(s) under the Privacy Rule, it will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s).
4. Obligations of Covered Entity.
(a) Covered Entity shall provide Business Associate with a copy of its privacy practices policy and any changes to such policy.
(b) Covered Entity shall provide Business Associate with any changes in or revocation of permission by a Patient to the use or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
5. Restrictions Requested by Patients.
(a) Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI to which Covered Entity has agreed.
(b) To the extent and when required by 42 U.S.C. § 17935(a), Covered Entity and Business Associate agree to comply with a request by a Patient to restrict disclosures to a health plan if the disclosure is for the purpose of payment or health care operations and the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
6. Minimum Necessary. Covered Entity and Business Associate understand and agree that, as and when required by 42 U.S.C. § 17935(b), the minimum necessary standard, when applicable, requires Covered Entity and Business Associate to limit PHI they request, use, or disclose, to the extent practicable, to the limited data set, or, if needed, to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request until the Secretary of Health and Human Services issues guidance on what constitutes “minimum necessary,” after which such guidance will apply. Prior to making a disclosure to which the minimum necessary standard applies, Business Associate agrees to determine what constitutes the minimum necessary to accomplish the intended purpose of the disclosure as and when required by 42 U.S.C. § 17935(b).
7. Breach Pattern or Practice. If either party knows of a pattern of activity or practice of the other party that constitutes a material breach or violation of this Agreement, if the breach or violation continues despite the other party’s reasonable steps taken to cure or end the breach or violation, and if termination of this Agreement is not feasible, the party with knowledge of the pattern or practice shall report the problem to the Secretary of Health and Human Services as and when required by the Privacy Rule, the Security Rule and HITECH.
8. Security of Electronic PHI. Business Associate will: (i) implement, maintain and use appropriate and effective administrative, technical and physical safeguards to reasonably preserve the confidentiality, integrity and availability of any electronic PHI as required by the Security Standards; (ii) comply with the policies and procedures and documentation requirements of the HIPAA Security Rule, including 45 C.F.R. § 164.316 as and when required by HITECH; (iii) ensure that any agent, including a subcontractor, of Business Associate agrees to implement reasonable and appropriate safeguards to protect the electronic PHI; and (iv) report to Covered Entity any security incident immediately upon becoming aware of such incident.
9. Effect of Breach of Obligations. Should Business Associate breach any of its obligations herein, Covered Entity shall provide Business Associate an opportunity to cure the breach and end the violation within the time specified by Covered Entity. If Business Associate does not cure the breach or end the violation as specified by Covered Entity, Covered Entity may immediately terminate any agreement or arrangement with Business Associate, without prejudice to other legal remedies available to Covered Entity, notwithstanding anything to the contrary in this Agreement.
10. Effect of Termination.
(a) Upon termination of any agreement or arrangement or this Agreement, Business Associate shall promptly return to Covered Entity all PHI or, upon Covered Entity’s request, destroy such data. Business Associate shall promptly terminate all access to PHI upon Covered Entity’s request. This provision shall apply to PHI in the possession of subcontractors or agents of Business Associate. Upon destruction of PHI, Business Associate shall certify in writing that such information has been destroyed.
(b) If the return or destruction of PHI is not feasible, Business Associate shall promptly notify Covered Entity of the conditions that make such return or destruction infeasible. Upon mutual determination by the parties that return or destruction of PHI is not feasible, Business Associate shall extend the protections of this Agreement to such data and shall limit its further use or disclosure to those purposes that make its return or destruction infeasible.
11. Regulatory References. A reference in this Agreement to HIPAA, HIPAA regulations or the Privacy Rule, the Security Rule or HITECH shall mean the law or regulation as in effect, including all amendments, at the time compliance is required.
12. Amendment to Comply with Law. The parties acknowledge that state and federal laws regarding health information and data security are undergoing rapid change and hereby mutually agree to amend this Agreement from time to time as necessary to enable Covered Entity and Business Associate to comply with all legal requirements.
13. Survival Provisions. The respective obligations and rights of Business Associate and the Covered Entity relating to protecting the confidentiality of a patient’s PHI shall survive the termination of this Agreement.
14. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with HIPAA and applicable state and federal privacy laws.
15. Litigation Assistance. In the event of litigation or administrative proceedings against Covered Entity related to the performance of obligations under this Agreement based on a claimed violation of HIPAA or any laws on privacy and data security, Business Associate, its employees, agents and subcontractors agree to cooperate and submit to deposition or testify in court as appropriate at no cost to Covered Entity, except where the Business Associate or its agent or subcontractor is the named adverse party.
16. Mitigation Procedures. Business Associate agrees to have procedures in place for mitigating, to the extent practicable, any harmful effect known of a use or disclosure of PHI in a manner contrary to law or to the provisions of this Agreement.
17. Sanction Procedures. Business Associate agrees and understands that, to the extent practicable, it must develop a system of sanctions for any of its employees, subcontractors or agents who fail to comply with the restrictions on use and requirements to protect PHI provided for in this Agreement.