BUSINESS ASSOCIATE AGREEMENT
Last updated July 21, 2020.
THIS BUSINESS ASSOCIATE AGREEMENT (“BAA”) is entered into and binding as of the effective date of the Service Order or any other document that otherwise incorporates by reference this BAA, by and between the Company or Affiliate performing the Services (hereinafter referred to as “Business Associate”) and Counterparty (herein also referred to as “Covered Entity”). Unless otherwise defined in this BAA, the capitalized terms set forth herein shall have the meanings set forth in the General Terms. To the extent that any of the Services contemplated under the General Terms or any other document that otherwise incorporates by reference this BAA require the Business Associate to create, access, receive, maintain or transmit certain Protected Health Information (as defined in 45 C.F.R. 160.103), the Parties agree that this BAA will govern the use and/or disclosure of the Protected Health Information. In the event of a conflict between the BAA and the General Terms, the provisions of the BAA shall control, but only to the extent it is related to Protected Health Information.
This BAA may refer to either Business Associate or Covered Entity, as applicable, as a “Party” or collectively as the “Parties”.
Unless otherwise defined, capitalized terms used herein shall carry the following meanings:
- "Administrative Safeguards" shall mean administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect Electronic Protected Health Information (PHI) and to manage the conduct of the Business Associate's workforce in relation to the protection of that information.
- "Breach" shall mean the unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
- “Business Associate” is defined as set forth in 45 CFR 160.103 and shall include and pertain to Business Associate only to the extent that any Business Associate employee or agent, other than Business Associate’s temporary or contract employees assigned to Covered Entity to perform Services under the Covered Entity’s supervision, performs functions or activities on behalf of Covered Entity involving the use and/or disclosure of PHI.
- "Designated Record Set" shall mean a group of records maintained by a Covered Entity that is (i) the medical records and billing records about individuals maintained by a Covered Entity, (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for Business Associate to make decisions about individuals. As used herein, the term "Record" means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by a Covered Entity or used by Business Associate.
- "Electronic PHI" shall mean PHI that is transmitted or maintained in electronic media.
- "HIPAA" shall mean the Health Insurance Portability and Accountability Act of 1996, and any amendments thereto.
- "HITECH" shall mean the Health Information Technology for Economic and Clinical Health Act, which is Title XIII of the American Recovery and Reinvestment Act, and any amendments, regulations, rules, and guidance issued thereto and the relevant dates for compliance.
- "Individually Identifiable Health Information" shall mean information that is a subset of health information, including demographic information collected from an individual, and
  - is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  - relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) identifies the individual, or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- "Physical Safeguards" shall mean physical measures, policies, and procedures to protect Business Associate's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
- "Privacy Standards" shall mean the Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164.
- "Protected Health Information" or "PHI" shall mean Individually Identifiable Health Information that is (i) transmitted by electronic media; (ii) maintained in any medium constituting electronic media; or (iii) transmitted or maintained in any other form or medium. "PHI" shall not include education records covered by the Family Educational Right and Privacy Act, as amended, 20 USC § 1232g, or records described in 20 USC § 1232g(a)(4)(B)(iv).
- "Secretary" shall mean the Secretary of the U.S. Department of Health and Human Services.
- "Security Incident" shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- "Security Standards" shall mean the regulations with regard to security standards for health information, 45 CFR Parts 160 and 164.
- "Technical Safeguards" shall mean the technology, and the policy and procedures for its use, that protects Electronic PHI and controls access to it.
- "Unsecured PHI" shall mean PHI not secured through the use of a technology or methodology specified in guidance by the Secretary that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals.
- Compliance with Applicable Law. The Parties acknowledge and agree that, beginning with the relevant effective date, Business Associate shall comply with its obligations under this BAA and with all obligations of a business associate under HIPAA, HITECH, and other related laws and any implementing regulations, as they exist at the time this BAA is executed and as they are amended, for so long as this BAA is in place.
- Uses and Disclosures of PHI. Business Associate shall not, and shall ensure that its directors, officers, employees, and agents do not, use or disclose PHI received from Covered Entity in any manner that is not permitted or required by the BAA or required by law. Business Associate may only use or disclose PHI as necessary to perform the Services, as required by applicable law or for the proper management, administration or legal requirements of the Business Associate. All uses and disclosures of and requests by Business Associate for PHI are subject to the minimum necessary rule of the Privacy Standards and shall be limited to the information contained in a limited data set, to the extent practical, unless additional information is needed to accomplish the intended purpose, or as otherwise permitted in accordance with Section 13405(b) of HITECH and any implementing regulations.
- Required Safeguards to Protect PHI. Business Associate agrees that it will implement appropriate safeguards in accordance with the Privacy Standards to prevent the use or disclosure of PHI other than pursuant to the General Terms and Service Order.
- Reporting of Improper Use and Disclosures of PHI. Business Associate shall, within a reasonable time, report to Covered Entity a use or disclosure of PHI of which it becomes aware in violation of this BAA by Business Associate, its officers, directors, employees, or agents, or by a third party to whom Business Associate disclosed PHI.
- Reporting of Breaches of Unsecured PHI. Business Associate shall promptly report to Covered Entity a breach of unsecured PHI, in accordance with Section 13402(b) of HITECH.
- Mitigation of Harmful Effects. Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA, including, but not limited to, compliance with any state law or contractual data breach requirements.
- Agreements by Third Parties. Business Associate shall enter into an agreement with any agent or subcontractor of Business Associate that will have access to PHI that is received from, or is created or received by, Business Associate on behalf of Covered Entity. Pursuant to such agreement, the agent or subcontractor shall agree to be bound by the same restrictions, terms, and conditions that apply to Business Associate under this BAA with respect to such PHI.
- Access to Information. Within five (5) business days of a request by Covered Entity for access to PHI about an individual contained in a Designated Record Set, Business Associate shall make available to Covered Entity such PHI for so long as such information is maintained by Business Associate in the Designated Record Set, as required by 45 CFR § 164.524. In the event any individual delivers directly to Business Associate a request for access to PHI, Business Associate shall within two (2) business days forward such request to Covered Entity.
- Availability of PHI for Amendment. Within ten (10) days of receipt of a request from Covered Entity for the amendment of an individual's PHI or a record regarding an individual contained in a Designated Record Set (for so long as the PHI is maintained in the Designated Record Set), Business Associate shall provide such information to Covered Entity for amendment and incorporate any such amendments in the PHI as required by 45 CFR § 164.526.
- Documentation of Disclosures. Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. At a minimum, Business Associate shall provide Covered Entity with the following information: (i) the date of the disclosure; (ii) the name of the entity or person who received the PHI and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure.
- Accounting of Disclosures. Within ten (10) days of notice by Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI regarding an individual during the six (6) years prior to the date on which the accounting was requested, Business Associate shall make available to Covered Entity information collected in accordance with this Section of the BAA, to permit Covered Entity to respond to the request for an accounting of disclosures of PHI, as required by 45 CFR § 164.528. In the case of an electronic health record maintained or hosted by Business Associate on behalf of Covered Entity, the accounting period shall be three (3) years and the accounting shall include disclosures for treatment, payment, and health care operations, in accordance with the applicable effective date of Section 13402(a) of HITECH. In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall within two (2) business days forward such request to Covered Entity. Business Associate hereby agrees to implement an appropriate record keeping process to enable it to comply with the requirements of this Section.
- Availability of Books and Records. Business Associate hereby agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of determining Covered Entity's compliance with the Privacy Standards.
- Electronic PHI. To the extent that Business Associate creates, receives, maintains, or transmits Electronic PHI on behalf of Covered Entity when required by the nature of the Services being performed under the Service Order, Business Associate shall comply with the Security Standards as of the relevant effective date and further, shall:
  - Implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI, in accordance with Section 13401(a) of HITECH;
  - Ensure that any agent, including a Business Associate, to whom it provides Electronic PHI agrees to implement reasonable and appropriate safeguards to protect it;
  - Report to Covered Entity any Security Incident of which Business Associate becomes aware; and
  - Ensure that all software applications being provided, if applicable, shall comply with Security and Transaction Standards.
- Effect of Termination of Service Order. Upon the termination of the Service Order or any other document that otherwise incorporates by reference this BAA for any reason, Business Associate shall return to Covered Entity, or, at Covered Entity's direction, destroy, all PHI received from Covered Entity that Business Associate maintains in any form, recorded on any medium, or stored in any storage system, unless said information has been de-identified and is no longer PHI. This provision shall apply to PHI that is in the possession of Business Associates or agents of Business Associate. Business Associate shall retain no copies of the PHI other than those which are necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities. Business Associate shall remain bound by the provisions of this BAA, even after termination of the Service Order, until such time as all PHI has been returned, de-identified, or otherwise destroyed as provided herein.
- Breach of Contract by Business Associate. In addition to any other rights Covered Entity may have in the General Terms or Service Order or by operation of law or in equity, Covered Entity may immediately terminate the Service Order if Business Associate has violated a material term of the Service Order and General Terms and Business Associate has failed to cure such violation after 10 business days’ prior written notice and opportunity to cure.
- Breach of Contract by Covered Entity. If Covered Entity has violated a material term of the Service Order and has failed to cure such violation after 10 business days’ prior written notice, Business Associate may terminate the Service Order or report the problem to the Secretary, to the extent explicitly required by and in accordance with Section 13404(b) of HITECH, and shall provide advance or simultaneous notice to Covered Entity.
- Third-Party Rights. The terms of the Service Order are not intended, nor should they be construed, to grant any rights to any parties other than Business Associate and Covered Entity.
- Indemnification. Business Associate shall indemnify and hold harmless Covered Entity and its officers, employees, and agents from any and all claims, penalties, fines, costs, liabilities, or damages, including but not limited to reasonable attorney fees, incurred by Covered Entity arising from a violation caused by a negligent or willful act or omission by Business Associate of its obligations under this BAA, but only to the extent caused by Business Associate’s negligence or willful act or omission.
- Injunctive Relief. Business Associate acknowledges and stipulates that its unauthorized use or disclosure of PHI while performing Services pursuant to the General Terms and Service Order would cause irreparable harm to Covered Entity, and in such event, Covered Entity shall be entitled, if it so elects, to seek injunctive relief.
- Owner of PHI. Under no circumstances shall Business Associate be deemed in any respect to be the owner of any PHI used or disclosed by or to Business Associate pursuant to the terms of the Service Order.
- Changes in the Law. The Parties may amend the Service Order, as appropriate, to conform to any new or revised legislation, rules, and regulations to which Covered Entity and Business Associate are subject now or in the future including, without limitation, HIPAA, HITECH, the Privacy Standards and Security Standards.
- Judicial and Administrative Proceedings. In the event Business Associate receives a subpoena, court or administrative order, or other discovery request or mandate for release of PHI, Business Associate shall use reasonable efforts to notify Covered Entity within forty-eight (48) business hours of receipt of such request in order to provide Covered Entity an opportunity to respond. Business Associate shall comply with such order or request as required or permitted by law.