Business Associate Agreement
Last Modified: May 10, 2024
This Business Associate Agreement ("Agreement") is made and entered into as of the effective date stated above ("Effective Date") between Covered Entity and Business Associate. (Covered Entity and Business Associate are individually referred to as "Party" and collectively as "Parties".)
RECITALS
A. Business Associate provides services to Covered Entity pursuant to an underlying business relationship between Parties regarding or related to the delivery or potential delivery of services, goods, intellectual property, or real property rights, however stated ("Services Agreement").
B. Parties acknowledge that the transmission or disclosure of certain information by Covered Entity to Business Associate in connection with the Services Agreement, if any such transmission occurs, may require compliance with regulatory requirements embodied in HIPAA and the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act") and regulations promulgated thereunder, as may be amended from time to time (all such referenced laws shall be collectively referred to as the "Privacy & Security Regulations").
C. To the extent required by applicable law, including the Privacy & Security Regulations, the Parties hereby document the confirmation of their regulatory obligations under the Privacy & Security Regulations in this Agreement. NOW, THEREFORE, as a condition to the provision of services by Business Associate to Covered Entity under the Services Agreement that may involve the disclosure or transmission of certain information protected under the Privacy & Security Regulations, Parties agree to satisfy the foregoing regulatory requirements through their compliance with this Agreement, and Parties enter into this Agreement to clarify and confirm their respective responsibilities.
AGREEMENT
1. Definitions
Capitalized terms used in this Agreement that are not otherwise defined herein shall have the same meaning as those terms set forth in 45 C.F.R. Parts 160, 162, and 164. Other capitalized terms used herein have the respective meanings assigned in this section.
1.1. "Breach" has the same meaning as the term "breach" in 45 C.F.R. § 164.402.
1.2. "Business Associate" generally has the same meaning as the term "business associate" at 45 C.F.R. § 160.103 and, in reference to the party to this Agreement, means the undersigned Business Associate in this Agreement.
1.3. "Covered Entity" generally has the same meaning as the term "covered entity" at 45 C.F.R. § 160.103, and as defined above.
1.4. "Designated Record Set" has the same meaning as the term "designated record set" in 45 C.F.R. § 164.501.
1.5. "Electronic Protected Health Information" or "ePHI" means Protected Health Information that is transmitted by Electronic Media or that is maintained in Electronic Media.
1.6. "Electronic Media" means (1) electronic storage media, including computer hard drives, and any removable/transportable digital memory medium such as magnetic tape or disk, or (2) transmission media used to exchange information already in electronic storage media, e.g., the Internet.
1.7. "Guidance" means the "Guidance Specifying the Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements under HITECH," issued by the Secretary of HHS.
1.8. "HHS" means the Department of Health and Human Services.
1.9. "HIPAA" means the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996.
1.10. "HIPAA Rules" means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
1.11. "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act of 2009.
1.12. "HITECH Breach Notification Requirements" means the regulations at 45 C.F.R. Part 164, Subpart D.
1.13. "Individual" has the same meaning as the term "individual" in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
1.14. "Privacy Rule" means the regulations at 45 C.F.R. Part 160, Subpart A and Part 164, Subparts A and E, implementing the privacy requirements set forth in HIPAA, as amended by the HITECH Act.
1.15. "Protected Health Information" or "PHI" has the same meaning as the term "protected health information" in 45 C.F.R. § 160.103, except limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.16. "Required By Law" has the same meaning as the term "required by law" in 45 C.F.R. § 164.103, and also incorporates the HITECH Act and any other applicable law.
1.17. "Secretary" means the Secretary of HHS or designee.
1.18. "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI or interference with system operations in an information system containing ePHI.
1.19. "Security Rule" means the security standards described in 45 C.F.R. Part 160, Subpart A and Part 164, Subparts A and C.
1.20. "Unsecured PHI" means PHI that is rendered usable, readable, or decipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the Guidance.
2. Obligations of Business Associate
2.1. Business Associate shall:
(a) Not use or disclose PHI other than as permitted or required by this Agreement or as Required By Law.
(b) Use appropriate administrative, technical, and physical safeguards and, where appropriate, comply with the Security Rule, to prevent use or disclosure of PHI other than as provided for by this Agreement.
(c) Promptly mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
(d) Promptly report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured PHI as required under 45 C.F.R. § 164.410.
(e) Ensure that any agent, including a Subcontractor, that creates, receives, maintains, or transmits PHI on behalf of Business Associate agrees in a written agreement to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information, as required under 45 C.F.R. § 164.502(e)(1)(ii) and § 164.308(b)(2).
(f) Provide, in the manner reasonably requested by Covered Entity, access to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, in such form and in such timely manner as to permit Covered Entity to fulfill its obligations under 45 C.F.R. § 164.524 to provide access to and copies of PHI to an Individual.
(g) Make available to Covered Entity, in the manner reasonably requested by Covered Entity, such information as Covered Entity may require to fulfill in a timely manner Covered Entity’s obligations pursuant to 45 C.F.R. § 164.526 to amend PHI that Business Associate maintains in a Designated Record Set, and if so notified by Covered Entity, to incorporate any amendments to which Covered Entity has agreed.
(h) Make internal practices, books and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule. If Business Associate directly receives the request from the Secretary, then Business Associate agrees to promptly notify Covered Entity of any such request by the Secretary.
(i) Document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
(j) Provide to Covered Entity or an Individual, as soon as practicable and in the manner reasonably requested by Covered Entity or Individual, information collected in accordance with this Agreement, to permit Covered Entity to respond in a timely manner to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528.
(k) Comply with the requirements of 45 C.F.R. Part 164, Subpart E that apply to Covered Entity, to the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E.
3. Obligations of Covered Entity
3.1. Covered Entity shall:
(a) Notify Business Associate of any limitation(s) in its Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, if and to the extent that such limitation restricts or affects Business Associate’s permitted uses and disclosures of PHI.
(b) Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, if and to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
(c) Notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction limits or affects Business Associate’s permitted use or disclosure of PHI. Covered Entity shall only agree to such restrictions limiting Business Associate’s use or disclosure of PHI in the event that Covered Entity is legally required to so agree.
(d) Not request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity or by Business Associate, except to the extent that Business Associate may use or disclose PHI in accordance with Section 4 hereof.
4. Permitted Uses and Disclosures by Business Associate
4.1. Business Associate may:
(a) Use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in Parties’ Services Agreement, provided that such use or disclosure would not violate the Privacy Rule or the Security Rule if done by Covered Entity or violate the Minimum Necessary policies and procedures of Covered Entity.
(b) Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
(c) Disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that such disclosures are Required By Law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached.
(d) Use PHI to provide data aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Data aggregation means combining PHI received from Covered Entity with PHI received by Business Associate in its capacity as the business associate of other group health plans to permit data analysis that relates to the Health Care Operations of various group health plans.
(e) Use PHI to report violations of law to the appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
(f) Use PHI to create de-identified information pursuant to the provisions of the Privacy Rule and once such information is de-identified in compliance with the Privacy Rule, such de-identified information is no longer PHI and shall therefore not be subject to Privacy & Security Regulations or the terms of this Agreement.
Nothing in this Agreement requires Business Associate to create or maintain Designated Record Sets unless the Services Agreement so specifies.
5. Electronic Data Interchange
5.1. Business Associate represents that to the extent applicable to the services it provides to Covered Entity, it will comply with all applicable provisions of the HIPAA standards for electronic transactions and code sets, also known as the Electronic Data Interchange ("EDI") Standards, at 45 C.F.R. Part 162. Business Associate further agrees to ensure that any agent, including a Subcontractor, that conducts standard transactions, as such term is defined at 45 C.F.R. § 162.103, on its behalf complies with the EDI Standards.
6. Security Obligations For ePHI; Breaches
6.1. Business Associate shall:
(a) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.
(b) Ensure, by entering into a contract or other arrangement that complies with the Security Rule, that any agents or Subcontractors that create, receive, maintain, or transmit ePHI on behalf of Business Associate agree to comply with the applicable provisions of 45 C.F.R. Part 164, Subpart C, including implementing reasonable and appropriate safeguards to protect such ePHI, and notifying Business Associate of any Security Incident or Breach of Unsecured PHI.
(c) Track any Security Incident involving ePHI of which it becomes aware.
(d) Report to Covered Entity in writing within five (5) business days of becoming aware of any Security Incident that results in actual unauthorized access, use, disclosure, modification or destruction of ePHI, and report unsuccessful Security Incidents to Covered Entity in the aggregate upon written request of Covered Entity, which requests shall be made no more frequently than once per year, and as reasonably appropriate.
(e) To the extent that a Security Incident also constitutes a Breach of Unsecured Protected Health Information, Business Associate shall notify Covered Entity in writing within five (5) business days following the discovery of such Breach, and shall include all information required by 45 C.F.R. § 164.410, provided that in the event that some of the details are not known at the time of Business Associate’s initial report to Covered Entity, Business Associate shall provide the additional information promptly thereafter.
(f) Without limiting the provisions of Sections 6.1(a)-6.1(e) above, Business Associate shall comply with all the applicable security provisions of 45 C.F.R. Part 164, Subpart C.
(g) Comply with any other requirements that the Secretary may require from time to time with respect to ePHI by the issuance of additional guidance pursuant to HIPAA.
7. Term and Termination
7.1. Term. This Agreement shall be effective as of the Effective Date and shall terminate when all of the PHI provided by Covered Entity to Business Associate or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with Section 7.3.
7.2. Termination for Cause. Upon either Party’s knowledge of a material breach of this Agreement by the other Party, the non-breaching Party may (1) provide a reasonable opportunity for the breaching Party to cure the breach or end the violation, and terminate this Agreement and the Services Agreement if the breaching Party does not cure the breach or end the violation within the time specified by the non-breaching Party; (2) immediately terminate this Agreement and the Services Agreement if cure is not possible; or (3) if neither termination nor cure is feasible, report the violation to the Secretary.
7.3. Effect of Termination. Except as provided in Section 7.4, upon the termination of this Agreement for any reason, Business Associate shall:
(a) Retain only the PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
(b) Return or destroy the remaining PHI that Business Associate still maintains in any form;
(c) Continue to use appropriate safeguards and comply with 45 C.F.R. Part 164, Subpart C with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 7.3, for as long as Business Associate retains the PHI;
(d) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out in Sections 4.1(b) and 4.1(c) which applied prior to termination; and
(e) Return to Covered Entity the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
7.4. Effect of Termination; Business Associate. Section 7.3(a) shall also apply to PHI that is in the possession of Subcontractors or agents of Business Associate. In the event that Business Associate determines that returning or destroying some or all of the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
8. Miscellaneous
8.1. Regulatory References. A reference in this Agreement to a section in the Privacy Rule or Security Rule in the Privacy & Security Regulations means that Privacy Rule or Security Rule section in effect or as amended.
8.2. Amendment. Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Business Associate or Covered Entity to comply with the requirements of the Privacy Rule, the Security Rule, other provisions of HIPAA, or as Required By Law. Notwithstanding the foregoing, Parties further agree that this Agreement cannot otherwise be changed, modified or discharged except by an agreement in writing and signed by both Parties.
8.3. Survival. The Agreement provisions protecting PHI survive the termination of this Agreement.
8.4. Interpretation. Any ambiguity in this Agreement shall be resolved to permit both Parties to comply with Privacy & Security Regulations, including the Privacy Rule and the Security Rule, and any other applicable law.
8.5. Governing Law. The construction, interpretation, and performance of this Agreement and all transactions under this Agreement shall be governed by the laws of the state where Covered Entity is located, excluding choice-of-law principles, except as such laws are preempted by any provision Required By Law (including as required by the Privacy & Security Regulations). Any action or proceeding arising out of or relating to this Agreement shall be brought and tried in a state or federal court of competent jurisdiction in the state where Covered Entity is located.
8.6. No Third-Party Beneficiary. Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Parties and the respective successors or assigns of Parties, any rights, remedies, obligations, or liabilities whatsoever.
8.7. Controlling Provisions. In the event of any conflict between the Services Agreement entered into by Parties and this Agreement, the provisions of this Agreement shall control.
8.8. Effect. This Agreement shall be binding upon, and shall inure to the benefit of, Parties hereto and their respective successors, assigns, heirs, executors, administrators, and other legal representatives.
8.9. Severability. In the event that any provision or part of this Agreement is found to be totally or partially invalid, illegal, or unenforceable, then that provision will be deemed to be modified or restricted to the extent and in the manner necessary to make it valid, legal, or enforceable, or it will be excised without affecting any other provision of this Agreement, and Parties agree that the remaining provisions are to be deemed to be in full force and effect as if they had been executed by both Parties subsequent to the expungement of any such invalid provision.
8.10. Counterparts. This Agreement may be executed in any number of counterparts transmitted electronically, each of which shall be deemed an original. Facsimile copies thereof shall be deemed to be originals.
8.11. Notices. All notices to be given pursuant to the terms of this Agreement shall be in writing and shall be sent either by electronic mail, or, by certified mail, return receipt requested, postage prepaid or by overnight air express mail service to the addresses referred to above for the Parties. All notices shall be effective as of the date of hand delivery or on the date of receipt, whichever is applicable.
8.12. Waiver. The failure of Covered Entity to insist upon the performance of any of the terms and conditions of this Agreement, or the waiver of any breach of any of the terms and conditions of this Agreement, shall not be construed as thereafter waiving any such terms and conditions, but the same shall continue and remain in full force and effect as if no such forbearance or waiver had occurred.
8.13. Priority of Agreement. If any portion of this Agreement is inconsistent with the terms of any Services Agreement, the terms of this Agreement shall prevail. Except as set forth above, the remaining provisions of any Services Agreement are ratified in their entirety and integrated herein by this reference.
8.14. Entire Agreement. This Agreement, in conjunction with the Services Agreement, constitutes the entire agreement between Parties with respect to the matters contemplated herein and supersedes all previous and contemporaneous oral and written negotiations, commitments, and understandings related thereto.
IN WITNESS WHEREOF, Parties, by and through their duly authorized officers, have caused this Agreement to be executed on the Effective Date above.