BUSINESS ASSOCIATE ADDENDUM

THIS BUSINESS ASSOCIATE ADDENDUM (“Addendum”) is made as of the Effective Date, by and between Participant (“Covered Entity”) and Group (“Business Associate”) (collectively the “Parties”) in order to comply with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended, and its implementing privacy, security and breach notification regulations (“HIPAA”), including as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act in Public Law 111-5, 42 U.S.C. §§ 17921-54, and its implementing regulations, each as amended (collectively, the “HITECH Act”), and any other applicable state and federal confidentiality laws, as they may be amended from time to time.

RECITALS

WHEREAS, Business Associate provides services, including but not limited to, legal, actuarial, accounting, consulting, data aggregation, management, administrative, care coordination and care management, accreditation or financial services on behalf of Covered Entity (the “Services”);

WHEREAS, in connection with these services, Covered Entity discloses to Business Associate certain information it receives from a Covered Entity that is subject to protection under the HITECH Act;

WHEREAS, the Covered Entity desires to receive adequate assurances that Business Associate will comply with certain obligations with respect to the PHI in the course of providing services on behalf of Covered Entity; and

WHEREAS, the purpose of this Addendum is to comply with the requirements of the HITECH Act.

NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:

ARTICLE 1

DEFINITIONS

Terms used herein, but not otherwise defined, shall have the meaning ascribed by Title 45, Parts 160 and 164, of the United States Code of Federal Regulations, as amended from time to time. Should any term set forth in 45 CFR Parts 160 or 164 conflict with any defined term herein, the definition found in 45 CFR Parts 160 or 164 shall prevail.

1.1 Breach. “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted which compromises the security or privacy of such information as defined and subject to the exceptions set forth in 45 CFR § 164.402.

1.2 Breach Notification Rule. “Breach Notification Rule” means the HIPAA Regulations pertaining to breaches of unsecured PHI as codified in 45 CFR Parts 160 and 164.

1.3 Designated Record Set. “Designated Record Set” means a group of records maintained by or for a covered entity, as defined by the HITECH Act, that is: (i) the medical records and billing records about Individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the covered entity to make decisions about Individuals. For purposes of this definition, the term “record” means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

1.4 Electronic PHI. “Electronic PHI” or “EPHI” means PHI that is transmitted by or maintained in electronic media as defined by the Security Rule.

1.5 Individual. “Individual” means the same as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502 (g).

1.6 Law. “Law” means all applicable federal and state statutes and all relevant regulations.

1.7 Privacy Rule. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR parts 160 and 164, subparts A and E.

1.8 Protected Health Information (“PHI”). “Protected Health Information” or PHI has the same meaning as the term “Protected Health Information” in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

1.9 Secretary. “Secretary” means the Secretary of the U.S. Department of Health and Human Services (“HHS”) or his or her designee.

1.10 Security Incident. “Security Incident” shall have the meaning set out in the Security Rule. Generally, a “Security Incident” shall mean any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or systems operations in an electronic information system.

1.11 Security Rule. “Security Rule” means the Security Standards and Implementation Specifications at 45 CFR parts 160 and 164, subparts A and C, as they may be amended from time to time.

1.12 Unsecured PHI. “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of either the encryption method or the destruction method, as defined in HHS guidance published on April 27, 2009 (74 FR 19006) and modified by guidance published on August 24, 2009 (74 FR 42740), as amended. Unsecured PHI can include information in any form or medium, including electronic, paper or oral.

ARTICLE 2

PURPOSES FOR DISCLOSURE

In connection with the Services provided by Business Associate to or on behalf of Covered Entity described in this Addendum, Covered Entity may disclose PHI to Business Associate for the purposes of treatment, payment or healthcare operations, as described in 45 CFR part 164.506(a)(b)(c), for standard uses and, as described in 45 CFR part 164.508, for uses and disclosures for which an authorization is required, provided such disclosure is consistent with 45 CFR part 164.508 and any other applicable laws, regulations, or rules.

ARTICLE 3

BUSINESS ASSOCIATE OBLIGATIONS

Business Associate agrees to comply with applicable federal and state confidentiality and security laws, specifically the provisions of the HITECH Act applicable to business associates (as defined by the HITECH Act), including:

3.1 Use and Disclosure of PHI. Except as otherwise permitted by this Addendum or applicable law, Business Associate shall not use, maintain, transmit or disclose PHI except as necessary to provide the Services to or on behalf of Covered Entity and except as required by Law. Provided, however, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities. Business Associate shall in such cases:

3.1.1 provide information to members of its workforce using or disclosing PHI regarding the confidentiality requirements in the HITECH Act and this Addendum;

3.1.2 obtain reasonable assurances from the person or entity to whom the PHI is disclosed that: (i) the PHI will be held confidential and further used and disclosed only as required by Law or for the purpose for which it was disclosed to the person or entity; and (ii) the person or entity will notify Business Associate of any instances of which it is aware in which confidentiality of the PHI has been breached;

3.1.3 agree to notify the Privacy Officer of Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Addendum or for a purpose not expressly permitted by the HITECH Act.

3.2 Disclosure to Agents and Subcontractors. If Business Associate discloses PHI to agents, including a subcontractor, Business Associate shall require the agent or subcontractor to agree to the same restrictions and conditions as apply to Business Associate under this Addendum and to comply with the applicable requirements of the Privacy Rule, Security Rule, HITECH Act, Breach Notification Rule and other Law with respect to such information. Business Associate shall ensure that any agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains, stores, uses or transmits on behalf of the Covered Entity in accordance with Law. Business Associate shall be liable to Covered Entity for any acts, failures or omissions of the agent or subcontractor in providing the services as if they were Business Associate’s own acts, failures or omissions, to the extent permitted by law. Business Associate further expressly warrants that its agents or subcontractors will be specifically advised of, and will comply in all respects with, the terms of this Addendum.

3.3 Data Aggregation. In the event that Business Associate works for more than one covered entity, Business Associate is permitted to use and disclose PHI for data aggregation purpose only to the extent that such use is permitted under the HITECH Act.

3.4 Withdrawal of Authorization. If the use or disclosure of PHI in this Addendum is based upon an Individual’s specific authorization for the use or disclosure of his or her PHI, and the Individual revokes such authorization, the effective date of such authorization has expired, or such authorization is found to be defective in any manner that renders it invalid, Business Associate shall, if it has notice of such revocation, expiration or invalidity, cease the use and disclosure of the Individual’s PHI except to the extent it has relied on such use or disclosure, or if an exception under the HITECH Act expressly applies.

3.5 Safeguards. Business Associate agrees to maintain appropriate safeguards as required by Law, including without limitation, a written security program that contains the necessary administrative, physical and technical safeguards to ensure that PHI or EPHI is not used, maintained, transmitted or disclosed other than as provided by this Addendum or as required by Law. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any EPHI it creates, receives, maintains, stores, uses, transmits or discloses on behalf of Covered Entity in accordance with Law.

Business Associate shall ensure, at a minimum, that:

3.5.1 PHI or EPHI will be maintained in locked and secured areas when PHI or EPHI is not in use;

3.5.2 Facsimile machines receiving EPHI shall not be located in a public area;

3.5.3 EPHI stored electronically shall be password protected;

3.5.4 PHI and EPHI will not be shared with outside organizations; and

3.5.5 PHI and EPHI will be used internally on a need-to-know basis only.

3.6 Individual Rights.

3.6.1 Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI as required by and in accordance with 45 CFR § 164.528 as amended by the HITECH Act and its implementing regulations. Business Associate, in accordance with 45 CFR § 164.528, does not need to document disclosures of PHI that are for treatment, payment or healthcare operations or disclosures that are incidental to another permissible disclosure. If Business Associate or its agents or subcontractors uses or maintains PHI in an electronic record of health-related information created, gathered or maintained or consulted by authorized health care clinicians and staff (an “EHR”), then Business Associate and its agents and subcontractors shall document and make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under the HITECH Act as of the date compliance is required under the HITECH Act or its implementing regulations, including disclosures and uses relating to treatment, payment and health care operations.

3.6.2 Business Associate agrees to provide to Covered Entity, within thirty (30) days of the request, in a mutually agreed upon form, information collected in accordance with Section 3.6.1 above to the extent required to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528, as amended by the HITECH Act. Covered Entity shall provide to Business Associate within thirty (30) days of the effective date of this Addendum, a written explanation of Covered Entity’s requirements under this Section 3.6.2 in sufficient detail to enable Covered Entity to comply with such requirements. Covered Entity agrees to respond promptly to requests from Business Associate for clarification of such requirements, and Business Associate may rely on such responses. The Parties agree to work together in good faith to resolve any disagreement over the requirements of 45 CFR § 164.528, as amended by the HITECH Act. Covered Entity will be responsible for the reasonable costs incurred by Business Associate to respond to a request for an accounting of disclosures. Covered Entity, rather than Business Associate, will directly handle all requests for accounting from an Individual. Business Associate shall promptly forward all requests for accounting it receives from Individuals to Covered Entity.

3.6.3 Business Associate shall, at the request of Covered Entity, provide PHI maintained in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements of an Individual’s right of access and requests for access to his or her PHI. An Individual’s right of access to PHI includes the right to access EPHI contained in an EHR. Covered Entity will be responsible for the reasonable costs incurred by Business Associate to respond to a request for access. The provision of access to the Individual’s PHI or EPHI and any denials of access to PHI or EPHI shall be the sole responsibility of the Covered Entity. If Business Associate or its agents or subcontractors maintains or uses PHI in an EHR, then promptly after receipt of a request from Covered Entity, Business Associate shall make a copy of such PHI available to Covered Entity in an electronic format in order to enable Covered Entity to fulfill its obligations under the HITECH Act and the Privacy Rule.

3.6.4 Business Associate shall make any amendment(s) to PHI maintained in a Designated Record Set that Covered Entity directs or agrees to at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. Covered Entity will be responsible for the reasonable costs incurred by Business Associate to respond to a request to amend an Individual’s PHI in a Designated Record Set. All decisions regarding the amendment of PHI shall be the responsibility of the Covered Entity.

3.7 Internal Practices, Policies, and Procedures. Except as otherwise specified herein, Business Associate shall make available its internal practices, books, records, policies and procedures relating to the use and disclosure of PHI or EPHI, documentation required by the Security Rule relating to safeguards, and documentation required by the Breach Notification Rule available to the Secretary or to the Covered Entity for the purpose of determining Covered Entity’s compliance with the Privacy Rule, Security Rule and Breach Notification Rule. Records requested that are not protected by an applicable legal privilege will be made available in the time and manner specified by Covered Entity or the Secretary.

3.8 De-identified Information. Business Associate may use and disclose de-identified health information if (i) the de-identification is in compliance with 45 CFR §164.502(d); and (ii) the de-identified health information meets the standard and implementation specifications for de-identification under 45 CFR §164.514(a) and (b).

3.9 Minimum Necessary. Business Associate shall attempt to ensure that all uses and disclosures of PHI are subject to the principle of “minimum necessary use and disclosure,” i.e., that only PHI that is the minimum necessary to accomplish the intended purpose of the use, disclosure or request is used or disclosed.

3.10 Notice of Privacy Practices. Business Associate shall abide by the limitations of Covered Entity’s notice of privacy practices (“Notice of Privacy Practices”) of which it has knowledge. Any use or disclosure permitted by this Addendum may be amended by changes to Covered Entity’s Notice of Privacy Practices; provided, however, that the amended Notice of Privacy Practices shall not affect permitted uses and disclosures on which Business Associate relied prior to receiving notice of such amended Notice of Privacy Practices.

3.11 Knowledge of HITECH Act. Business Associate agrees to review and understand the HITECH Act as it applies to Business Associate, and to comply with the applicable requirements of the HITECH Act, as well as any applicable amendments.

3.12 Security Incident / Unauthorized Disclosure of PHI.

(a) Business Associate shall report to Covered Entity any instances, including Security Incidents, of which it is aware in which PHI or EPHI is used or disclosed for a purpose that is not otherwise provided for in this Addendum. In the event that Business Associate knows of: (i) any suspected Breach of any individual PHI or EPHI; (ii) a Security Incident (i.e. PHI was inappropriately used, disclosed, released or obtained); or (iii) a Breach of Unsecured PHI, Business Associate shall notify Covered Entity in writing within five (5) calendar days of such Breach. Notification shall include detailed information about the Breach, including, but not limited to, the nature and circumstances of such Breach, the means by which PHI or EPHI was or may have been breached (e.g. stolen laptop; breach of security protocols; unauthorized access to computer systems, etc.), the names and contact information of all individuals affected or reasonably believed by the Business Associate to be affected, and such other information as Covered Entity may reasonably request. Any delay in notification must include evidence demonstrating the necessity of the delay. The notice shall also set forth the remedial action taken or proposed to be taken with respect to such prohibited use or disclosure. Business Associate and Covered Entity agree to act together in good faith to take reasonable steps to investigate and mitigate any harm caused by such unauthorized use or successful Security Incident. The party responsible for the breach shall bear the cost of any required notifications and corrective actions (e.g. credit monitoring services). The Business Associate will provide the Covered Entity with any reasonable information known by Business Associate that the Covered Entity needs for the required notifications under the Breach Notification Rule. The Covered Entity shall have responsibility for determining that an incident is a Breach, including the requirement to perform a risk assessment. However, the Business Associate is expected to perform a risk assessment and provide such assessment to the Covered Entity. Further, Business Associate shall provide and pay for required notifications to Individuals, HHS and/or the media, as requested by the Covered Entity.

(b) Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI or EPHI by Business Associate in violation of the requirements of this Addendum.

3.13 Prohibited Actions.

With respect to PHI and EPHI, Business Associate agrees to:

(i) not directly or indirectly receive remuneration in exchange for any PHI as prohibited by, and subject to the exceptions under, the HITECH Act, Privacy Rule and state law as of their respective compliance dates;

(ii) not make or cause to be made any communication about a product or service that encourages recipients of the communication to purchase or use the product or service as prohibited by, and subject to the exceptions under, the HITECH Act and the Privacy Rule, as of their respective compliance dates. Business Associate agrees to comply with applicable Law regarding marketing communications involving the use or disclosure of PHI; and

(iii) not make or cause to be made any written fundraising communication that is a health care operation without provision, in a clear and conspicuous manner, of an opportunity for the recipient to elect not to receive further fundraising communications in accordance with the HITECH Act and the Privacy Rule as of their respective compliance dates. Business Associate further agrees to comply with all applicable Law regarding the use of PHI for fundraising communications.

ARTICLE 4

COVERED ENTITY OBLIGATIONS

4.1 If deemed applicable by Covered Entity, Covered Entity shall:

4.1.1 provide Business Associate a copy of its Notice of Privacy Practices produced by Covered Entity in accordance with 45 CFR 164.520 as well as any changes to such notice;

4.1.2 provide Business Associate with any changes in, or revocation of, authorizations by Individuals relating to the use and/or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses and/or disclosures;

4.1.3 notify Business Associate of any restriction to the use and/or disclosure of PHI to which Covered Entity has agreed in accordance with 45 CFR 164.522;

4.1.4 notify Business Associate of any amendment to PHI to which Covered Entity has agreed that affects a Designated Record Set maintained by Business Associate; and

4.1.5 if Business Associate maintains a Designated Record Set, provide Business Associate with a copy of its policies and procedures related to an Individual’s right to: access PHI; request an amendment to PHI; request confidential communications of PHI; or request an accounting of disclosures of PHI.

ARTICLE 5

MUTUAL OBLIGATIONS

5.1 Electronic Transactions and Code Sets. Both Parties understand and agree that they are required to comply with the HIPAA Standards for Electronic Transactions, 45 CFR Parts 160 and 162 (HIPAA Electronic Transaction Law) as amended from time to time. The HIPAA Electronic Transaction Law requires Business Associate to conduct certain transactions as “standard transactions” using defined medical data code sets. Business Associate agrees that it will require its subcontractors, vendors and independent contractors to comply with HIPAA Electronic Transaction Law as applicable. Business Associate agrees that it will not:

5.1.1 change the definition, data condition or use of a data element or segment in a standard;

5.1.2 add any data elements or segments to the maximum defined data set;

5.1.3 use any code or data elements that are either marked “not used” or not included in the standard’s implementation specification(s); or

5.1.4 change the meaning or intent of the standard’s implementation specification(s).

5.2 Upon the enactment after the date of this Addendum of any Law affecting the use or disclosure of PHI, or the publication after the date of this Addendum of any decision of a court of the United States relating to any such Law, or the publication after the date of this Addendum of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such Law or regulation, Covered Entity and Business Associate shall jointly agree to negotiate in good faith to amend this Addendum in such manner as necessary to comply with such Law or regulation. If Covered Entity and Business Associate cannot come to an agreement within thirty (30) calendar days following the initial amendment discussion between Covered Entity and Business Associate, this Addendum will terminate upon written notice to the other party.

ARTICLE 6

TERM AND TERMINATION

6.1 Term. The term of this Addendum shall begin on the Effective Date and shall terminate when all of the PHI is destroyed or returned to Covered Entity, or, if it is not feasible to return or destroy PHI, protections are extended to such PHI, in accordance with the provisions in Section 6.3.

6.2 Termination for Breach. If Business Associate breaches any provision in this Addendum, Business Associate may timely (but in no more than thirty (30) days) cure the breach to the reasonable satisfaction of Primary Business Association and this Addendum shall remain in full force and effect. Upon breach, Covered Entity may, at its option, access and audit the records of Business Associate related to its use and disclosure of PHI, require Business Associate to submit to monitoring and reporting, and impose such other conditions as Covered Entity may determine are necessary to ensure compliance with this Addendum, or Covered Entity may terminate this Addendum on a date specified by Covered Entity.

6.3 Effect of Termination. Upon termination of this Addendum for any reason, Business Associate agrees to return or destroy all PHI maintained by Business Associate in any form. If Business Associate determines that the return or destruction of PHI is not feasible, Business Associate shall inform Covered Entity in writing of the reason thereof, and shall agree to extend the protections of this Addendum to such PHI and limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for so long as Business Associate retains the PHI.

ARTICLE 7

MISCELLANEOUS

7.1 Survival. The respective rights and obligations of Business Associate with regard to the return of records to Covered Entity shall survive the termination of the Addendum.

7.2 Regulatory References. A citation in this Addendum to the Code of Federal Regulations means the cited section as that section may be amended from time to time.

7.3 Interpretation. Any ambiguity in this Addendum shall be resolved in favor of a meaning that permits Covered Entity to comply with the HITECH Act. The provisions of this Addendum shall prevail over the provisions of any other agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this Addendum or the HITECH Act.