© Copyright Biztree Inc. 2010. All rights reserved. Protected by the copyright laws of the United States & Canada and by international treaties. IT IS ILLEGAL AND STRICTLY PROHIBITED TO DISTRIBUTE, PUBLISH, OFFER FOR SALE, LICENSE OR SUBLICENSE, GIVE OR DISCLOSE TO ANY OTHER PARTY, THIS PRODUCT IN HARD COPY OR DIGITAL FORM. ALL OFFENDERS WILL BE SUED IN A COURT OF LAW.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is made and effective the [DATE],
BETWEEN: [COMPANY NAME] (the "Covered Entity"), a corporation organized and existing under the laws of [STATE], with its head office located at:
[YOUR COMPLETE ADDRESS]
AND: [RECIPIENT NAME] (the "Business Associate"), a corporation organized and existing under the laws of [STATE], with its head office located at:
[COMPLETE ADDRESS]
The Covered Entity and Business Associate (collectively, the “Parties”) wish to enter into this agreement (“Agreement”).
The Parties may contemplate entering into one or more agreements (the “Services Agreement”) pursuant to which Business Associate is providing certain [insert the kind(s) of services provided by the Business Associate] (“Services”) to the Covered Entity that require the disclosure and use of Protected Health Information (“PHI”). Unless the Services Agreement specifies otherwise, Business Associate is an independent contractor with respect to the performance of all Services, and neither Business Associate nor anyone employed by Business Associate will be deemed for any purpose to be the employee, agent, servant, or representative of the Covered Entity. Both Parties are committed to complying with the Privacy Rule and the Security Rule promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as well as the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and associated regulations.
This Agreement sets forth the terms and conditions pursuant to which Protected Health Information that is provided by, or created or received by, the Business Associate from or on behalf of the Covered Entity, will be handled between the Business Associate and the Covered Entity and with third parties during the term of each Services Agreement and after its termination. All capitalized terms in this Agreement have the meanings ascribed to them in Section 1 below, unless otherwise noted or the context clearly requires otherwise.
In consideration of the terms of this agreement, and other valuable consideration, the parties agree as follows:
- GENERAL TERMS AND CONDITIONS
- Definitions: All terms used in this Agreement shall have the meanings set forth in the HIPAA Security and Privacy Rule, unless otherwise defined herein.
- Existing Service Agreements: All existing Service Agreements and amendments thereto, between the Employer or Plan Sponsor and Business Associate are subject to this Agreement and are hereby amended by this Agreement. In the event of conflict between the terms of any Service Agreement and this Agreement, the terms and conditions of this Agreement shall govern.
- Where provisions of this Agreement are different from those mandated by the HIPAA Security and Privacy Rule, but are nonetheless permitted by the Rule, the provisions of this Agreement shall control.
- Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Business Associate and the respective successors or assigns of the Business Associate, any rights, remedies, obligations, or liabilities whatsoever.
- PERMITTED USE AND DISCLOSURE
- Treatment, Payment and Operations (“TPO”): Business Associate agrees to create, receive, maintain, transmit, use, or disclose Protected Health Information only in a manner that is consistent with this Agreement and the HIPAA Security and Privacy Rule and only in connection with providing the services to or on behalf of Covered Entity identified in any existing Service Agreement and amendments thereto. Accordingly, in providing services to or on behalf of the Covered Entity, the Business Associate, for example, will be permitted to use and disclose Protected Health Information for Treatment, Payment and Healthcare Operations consistent with the HIPAA Security and Privacy Rule, without obtaining authorization. Protected Health Information does not include summary health information or information that has been de-identified in accordance with the standards for de-identification provided for in the HIPAA Security and Privacy Rule.
- Business Associate may only use or disclose Protected Health Information to the extent permitted or required by this Agreement or by law. Except as otherwise provided herein, the Business Associate may not use or disclose Protected Health Information in a manner that would violate HIPAA's Security and Privacy Rules if such use or disclosure were made by a Covered Entity. In particular, a Business Associate may use or disclose Protected Health Information (1) to fulfill its obligations as set out in any agreement between the Parties evidencing their business relationship, including the Arrangement Agreement, or (2) as required by applicable laws, rules or regulations, or by an accrediting or credentialing body to which a Covered Entity must disclose such information, or (3) as permitted by this Agreement, the Arrangement Agreement (if consistent with this Agreement and the HIPAA Security and Privacy Rule) or the HIPAA Security and Privacy Rule, or (4) as permitted by the HIPAA Security and Privacy Rule as if such use or disclosure were made by a Covered Entity.
- Business Associate may de-identify Protected Health Information only at the express request of the Covered Entity and only for its use. The Business Associate may not sell Protected Health Information except on the instructions of the Covered Entity and in accordance with the requirements of the HIPAA Security and Privacy Rule.
- Notwithstanding the prohibitions set forth in this Agreement,
- Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate;
- Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met: (A) The disclosure is required by law; or (B) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;
- Business Associate may provide data aggregation services relating to the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship. For purposes of this Agreement, data aggregation means the combining of Protected Health Information by Business Associate with the Protected Health Information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
- OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
Business Associate agrees as follows:
- Business Associate undertakes not to use or disclose Protected Health Information other than as permitted or required by the Master Agreement or as required by law.
- Business Associate undertakes to use appropriate safeguards and comply with the HIPAA Security Rule with respect to Electronic Protected Health Information to prevent the use or disclosure of Protected Health Information other than as provided in this Agreement and the Master Agreement.
- Business Associate undertakes to report to the Covered Entity any use or disclosure of the Protected Health Information not provided for in this Agreement of which it becomes aware.
- Business Associate undertakes to report to the Covered Entity any breach of unsecured Protected Health Information or any security incident of which the Business Associate becomes aware without unreasonable delay, and in any event no later than five (5) business days after discovery; however, the Parties acknowledge and agree that this Section 3(d) constitutes notice to the Covered Entity of the continued existence and occurrence or attempted occurrence of unsuccessful security incidents, for which no further notice to the Covered Entity shall be required. "Unsuccessful security incidents" means, without limitation, pings and other broadcast attacks on the Business Associate firewall, port scans, unsuccessful connection attempts, denial of service attacks and any combination of the foregoing, as long as no such incident results in unauthorized access, use or disclosure of the Protected Health Information.
- Business Associate undertakes to ensure that any Subcontractor, to whom it provides Protected Health Information received from or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
- Business Associate agrees to provide, at the request of Covered Entity, access, within a reasonable time and in a reasonable manner, to the Protected Health Information in a designated file established for the Covered Entity to meet the requirements of 45 CFR 164.524.
- Business Associate agrees to make any changes to the Protected Health Information in a Designated Record Set that the Covered Entity orders or accepts in accordance with 45 CFR 164.526 at the request of the Covered Entity within a reasonable time and in a reasonable manner. In the event that a Person provides the Business Associate directly with a request to amend the Protected Health Information, the Business Associate must promptly forward such request to the relevant Entity.
- Business Associate agrees to make available to the Secretary internal practices, books and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by the Business Associate on behalf of, the Covered Entity, at a time and on a basis determined by the Secretary, so that the Secretary may determine compliance with the Privacy and Security Rules.
- Business Associate undertakes to document any disclosures of Protected Health Information and any information relating to such disclosures that would be necessary for the Covered Entity to respond to an Individual's request for an accounting of disclosures of Protected Health Information pursuant to 45 CFR 164.528. The Business Associate must provide the Covered Entity with information relating to disclosures of Protected Health Information by the Business Associate in order to enable the Covered Entity to respond to an Individual's request for an accounting of disclosures of Protected Health Information pursuant to 45 C.F.R. § 164.528. In the event that a Business Associate receives a direct request from an Individual for accounting for disclosures of Protected Health Information made by a Business Associate, the Business Associate agrees to promptly forward such request to the Covered Entity.
- Business Associate shall mitigate, to the extent possible, the negative effects of any inappropriate use and/or disclosure of Protected Health Information by Business Associate that is known to Business Associate.
- Of the transactions that Business Associate performs in its role as Business Associate of Covered Entity, Business Associate, its agents, and subcontractors shall do the following:
- be prepared to transmit and accept transactions electronically in the Standard Formats identified in 45 CFR §§162.1101 through 162.1802;
- adapt implementation plans and standards pursuant to applicable Implementation Guides;
- implement contingencies for non-compliant transactions as necessary to facilitate timely acceptance and payment of claims, particularly in light of state claim payment laws; and
- to the extent practicable, communicate with those providers, agents, or subcontractors who are submitting or receiving transactions electronically in order to facilitate compliant transactions.
- Business Associate understands and agrees that from time to time the Department of Health and Human Services might modify the standard transactions now identified in 45 CFR §§162.1101 through 162.1802. Business Associate, its agents, and subcontractors agree to abide by any changes to such standard transactions that are applicable to services supplied by Business Associate in connection with the referenced Services Agreement.
- Business Associate shall implement administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of Electronic Protected Health Information (“ePHI”) that it creates, maintains, or transmits on behalf of Covered Entity as required by 45 CFR §164.314.
- OBLIGATIONS OF COVERED ENTITY
- If Covered Entity wishes to receive Protected Health Information, it shall provide Business Associate with name or identity/job title of the individual(s) authorized to represent Covered Entity who can receive and disclose Protected Health Information for purposes of TPO below, and shall further notify Business Associate of any changes with respect to the persons so identified:
[NAME/TITLE] _______________________
- Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164.520 to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
- Covered Entity shall provide Business Associate with the plan amendment produced in accordance with 45 CFR §164.504.
- Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
- Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR §164.522.
- Covered Entity shall cooperate with Business Associate to provide Accounting of Disclosures when requested.
- Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
- TERMINATION
This Agreement shall be effective as of the date first set forth above and shall terminate upon the earlier of (i) the termination of all agreements between the parties, and (ii) the termination by Covered Entity for cause as provided herein. Notwithstanding anything in this Agreement to the contrary, Covered Entity shall have the right to terminate this Agreement and the Arrangement Agreement immediately if Covered Entity determines that Business Associate has violated any material term of this Agreement. If Covered Entity reasonably believes that Business Associate will violate a material term of this Agreement and, where practicable, Covered Entity gives written notice to Business Associate of such belief within a reasonable time after forming such belief, and Business Associate fails to provide adequate written assurances to Covered Entity that it will not breach the cited term of this Agreement within a reasonable period of time given the specific circumstances, but in any event, before the threatened breach is to occur, then Covered Entity shall have the right to terminate this Agreement and the Arrangement Agreement immediately.
- MISCELLANEOUS
- Indemnification. Each Party shall, to the fullest extent permitted by law, protect, defend, indemnify and hold harmless the other Party and that Party’s respective employees, directors, and agents (“Indemnitees”) from and against any and all losses, costs, claims, penalties, fines, demands, liabilities, legal actions, judgments, and expenses of every kind (including reasonable attorneys’ fees, including at trial and on appeal) asserted or imposed against any Indemnitees arising out of the acts or omissions of the Party or any subcontractor of or consultant of the Party or any of the Party’s employees, directors, or agents related to material breach of this Agreement or willful or grossly negligent failure to comply with HIPAA.
- Severability. If any provision of this Agreement is held invalid or unenforceable, such invalidity or non-enforceability shall not invalidate or render unenforceable any other portion of this Agreement. The entire Agreement will be construed as if it did not contain the particular invalid or unenforceable provision(s), and the rights and obligations of Business Associate and Covered Entity will be construed and enforced accordingly.
- Waiver. The failure by one Party to require performance of any provision of this Agreement shall not affect that Party’s right to require performance at any time thereafter, nor shall a waiver of any breach or default of this Agreement constitute a waiver of any subsequent breach or default or a waiver of the provision itself.
- Amendment. Covered Entity and Business Associate may amend this Agreement by mutual written consent.
- Governing laws. This Agreement will be governed by the laws of the State of [SPECIFY].
- Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule.
- Master Agreement. This Agreement is hereby incorporated into the Master Agreement as an addendum to the Master Agreement. In the event of any inconsistency between the provisions of this Agreement and the Master Agreement, the provisions of this Agreement will prevail, unless the applicable terms of the Master Agreement would be more protective of Protected Health Information.
- Third Party Beneficiaries. Business Associate and Covered Entity agree that Individuals whose Protected Health Information is used or disclosed to Business Associate or its Subcontractors under this Agreement are not third-party beneficiaries of this Agreement or the Master Agreement.
- Correspondence. The Parties will send any reports or notices required under this Agreement to the addresses set forth in the notice provision of the Master Agreement.
- Entire Agreement. This Agreement supersedes and replaces any and all prior Business Associate Agreements between the Parties. To the extent that the Service Agreement addresses the rights and obligations contained in this Agreement, this Agreement supersedes and replaces all provisions in the Service Agreement related to the subject matter of this Agreement.
This Agreement expresses the full and complete understanding of the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous proposals, agreements, representations and understandings, whether written or oral, with respect to the subject matter. This Agreement is not, however, to limit any rights that Owner may have under trade secret, copyright, patent or other laws that may be available to Owner. This Agreement may not be amended or modified except in writing signed by each of the parties to the Agreement. This Agreement shall be construed as to its fair meaning and not strictly for or against either party. The headings hereof are descriptive only and not to be construed in interpreting the provisions hereof.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the date first above written.
COVERED ENTITY BUSINESS ASSOCIATE
Authorized Signature Authorized Signature
Print Name Print Name
Title Title
Date Date