THIS BUSINESS ASSOCIATE ADDENDUM (“Addendum”) is made as of the Effective Date, by and between Participant (“Covered Entity”) and Group (“Business Associate”) (collectively the “Parties”) in order to comply with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended, and its implementing privacy, security and breach notification regulations (“HIPAA”), including as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act in Public Law 111-5, 42 U.S.C. §§ 17921-17954, and its implementing regulations, each as amended (collectively, the “HITECH Act”), and any other applicable state and federal confidentiality laws, as they may be amended from time to time.
WHEREAS, Business Associate provides services, including but not limited to, legal, actuarial, accounting consulting, data aggregation, management, administrative, care coordination and care management, accreditation or financial services on behalf of Covered Entity (the “Services”);
WHEREAS, in connection with these Services, Covered Entity discloses to Business Associate certain information that is subject to protection under the HITECH Act;
WHEREAS, the Covered Entity desires to receive adequate assurances that Business Associate will comply with certain obligations with respect to the PHI in the course of providing services on behalf of Covered Entity; and
WHEREAS, the purpose of this Addendum is to comply with the requirements of the HITECH Act.
NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
Terms used herein, but not otherwise defined, shall have the meaning ascribed to them by Title 45, Parts 160 and 164, of the United States Code of Federal Regulations, as amended from time to time. Should any term defined in 45 CFR Parts 160 or 164 conflict with any defined term herein, the definition found in 45 CFR Parts 160 or 164 shall prevail.
1.1 Breach. “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of such information, as defined in, and subject to the exceptions set forth in, 45 CFR § 164.402.
1.2 Breach Notification Rule. “Breach Notification Rule” means the HIPAA Regulations pertaining to breaches of Unsecured PHI as codified at 45 CFR Part 164, Subpart D (§§ 164.400-164.414).
1.3 Designated Record Set. “Designated Record Set” means a group of records maintained by or for a covered entity, as defined by the HITECH Act, that is: (i) the medical records and billing records about Individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the covered entity to make decisions about Individuals. For purposes of this definition, the term “record” means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
1.4 Electronic PHI. “Electronic PHI” or “EPHI” means PHI that is transmitted by or maintained in electronic media as defined by the Security Rule.
1.5 Individual. “Individual” means the same as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
1.6 Law. “Law” means all applicable federal and state statutes and all relevant regulations.
1.7 Privacy Rule. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Parts 160 and 164, Subparts A and E.
1.8 Protected Health Information (“PHI”). “Protected Health Information” or “PHI” has the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.9 Secretary. “Secretary” means the Secretary of the U.S. Department of Health and Human Services (“HHS”) or his or her designee.
1.10 Security Incident. “Security Incident” shall have the meaning set out in the Security Rule. Generally, a “Security Incident” shall mean any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, in an information system.
1.11 Security Rule. “Security Rule” means the Security Standards and Implementation Specifications at 45 CFR Parts 160 and 164, Subparts A and C, as they may be amended from time to time.
1.12 Unsecured PHI. “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of either the encryption method or the destruction method, as defined in HHS guidance published on April 27, 2009 (74 FR 19006) and modified by guidance published on August 24, 2009 (74 FR 42740), as amended. Unsecured PHI can include information in any form or medium, including electronic, paper or oral.
In connection with the Services provided by Business Associate to or on behalf of Covered Entity described in this Addendum, Covered Entity may disclose PHI to Business Associate (i) for the purposes of treatment, payment or health care operations, as described in 45 CFR § 164.506(a)-(c), and (ii) for uses and disclosures for which an authorization is required under 45 CFR § 164.508, provided such disclosure is consistent with 45 CFR § 164.508 and any other applicable laws, regulations, or rules.
Business Associate agrees to comply with applicable federal and state confidentiality and security laws, specifically the provisions of the HITECH Act applicable to business associates (as defined by the HITECH Act), including:
3.1 Use and Disclosure of PHI. Except as otherwise permitted by this Addendum or applicable law, Business Associate shall not use, maintain, transmit or disclose PHI except as necessary to provide the Services to or on behalf of Covered Entity and except as required by Law. Provided, however, that Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, or to carry out its legal responsibilities. Business Associate shall in such cases:
3.2 Disclosure to Agents and Subcontractors. If Business Associate discloses PHI to agents, including a subcontractor, Business Associate shall require the agent or subcontractor to agree to the same restrictions and conditions as apply to Business Associate under this Addendum and to comply with the applicable requirements of the Privacy Rule, Security Rule, HITECH Act, Breach Notification Rule and other Law with respect to such information. Business Associate shall ensure that any agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains, stores, uses or transmits on behalf of the Covered Entity in accordance with Law. Business Associate shall be liable to Covered Entity for any acts, failures or omissions of the agent or subcontractor in providing the services as if they were Business Associate’s own acts, failures or omissions, to the extent permitted by law. Business Associate further expressly warrants that its agents or subcontractors will be specifically advised of, and will comply in all respects with, the terms of this Addendum.
3.3 Data Aggregation. In the event that Business Associate works for more than one covered entity, Business Associate is permitted to use and disclose PHI for data aggregation purposes only to the extent that such use is permitted under the HITECH Act.
3.4 Withdrawal of Authorization. If a use or disclosure of PHI under this Addendum is based upon an Individual’s specific authorization for the use or disclosure of his or her PHI, and the Individual revokes such authorization, such authorization expires, or such authorization is found to be defective in any manner that renders it invalid, Business Associate shall, if it has notice of such revocation, expiration or invalidity, cease the use and disclosure of the Individual’s PHI, except to the extent it has already taken action in reliance on such authorization, or if an exception under the HITECH Act expressly applies.
3.5 Safeguards. Business Associate agrees to maintain appropriate safeguards as required by Law, including without limitation, a written security program that contains the necessary administrative, physical and technical safeguards to ensure that PHI or EPHI is not used, maintained, transmitted or disclosed other than as provided by this Addendum or as required by Law. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any EPHI it creates, receives, maintains, stores, uses, transmits or discloses on behalf of Covered Entity in accordance with Law.
Business Associate shall ensure, at a minimum, that:
3.6 Individual Rights.
3.7 Internal Practices, Policies, and Procedures. Except as otherwise specified herein, Business Associate shall make its internal practices, books, records, policies and procedures relating to the use and disclosure of PHI or EPHI, documentation required by the Security Rule relating to safeguards, and documentation required by the Breach Notification Rule available to the Secretary or to Covered Entity for the purpose of determining Covered Entity’s compliance with the Privacy Rule, Security Rule and Breach Notification Rule. Records requested that are not protected by an applicable legal privilege will be made available in the time and manner specified by Covered Entity or the Secretary.
3.8 De-identified Information. Business Associate may use and disclose de-identified health information if (i) the de-identification is in compliance with 45 CFR § 164.502(d); and (ii) the de-identified health information meets the standard and implementation specifications for de-identification under 45 CFR § 164.514(a) and (b).
3.9 Minimum Necessary. Business Associate shall attempt to ensure that all uses and disclosures of PHI are subject to the principle of “minimum necessary use and disclosure,” i.e., that only PHI that is the minimum necessary to accomplish the intended purpose of the use, disclosure or request is used or disclosed.
3.10 Notice of Privacy Practices. Business Associate shall abide by the limitations of Covered Entity’s notice of privacy practices (“Notice of Privacy Practices”) of which it has knowledge. Any use or disclosure permitted by this Addendum may be amended by changes to Covered Entity’s Notice of Privacy Practices; provided, however, that the amended Notice of Privacy Practices shall not affect permitted uses and disclosures on which Business Associate relied prior to receiving notice of such amended Notice of Privacy Practices.
3.11 Knowledge of HITECH Act. Business Associate agrees to review and understand the HITECH Act as it applies to Business Associate, and to comply with the applicable requirements of the HITECH Act, as well as any applicable amendments.
3.12 Security Incident / Unauthorized Disclosure of PHI.
3.13 Prohibited Actions.
With respect to PHI and EPHI, Business Associate agrees to:
(i) not directly or indirectly receive remuneration in exchange for any PHI as prohibited by, and subject to the exceptions under the HITECH Act, Privacy Rule and state law as of their respective compliance dates.
(ii) not make or cause to be made any communication about a product or service that encourages recipients of the communication to purchase or use the product or service, as prohibited by, and subject to the exceptions under, the HITECH Act and the Privacy Rule, as of their respective compliance dates. Business Associate agrees to comply with applicable Law regarding marketing communications involving the use or disclosure of PHI; and
(iii) not make or cause to be made any written fundraising communication that is a health care operation without providing, in a clear and conspicuous manner, an opportunity for the recipient to elect not to receive further fundraising communications, in accordance with the HITECH Act and the Privacy Rule as of their respective compliance dates. Business Associate further agrees to comply with all applicable Law regarding the use of PHI for fundraising communications.
4.1 If deemed applicable by Covered Entity, Covered Entity shall:
5.1 Electronic Transactions and Code Sets. Both Parties understand and agree that they are required to comply with the HIPAA Standards for Electronic Transactions, 45 CFR Parts 160 and 162 (“HIPAA Electronic Transaction Law”), as amended from time to time. The HIPAA Electronic Transaction Law requires Business Associate to conduct certain transactions as “standard transactions” using defined medical data code sets. Business Associate agrees that it will require its subcontractors, vendors and independent contractors to comply with the HIPAA Electronic Transaction Law as applicable. Business Associate agrees that it will not:
5.2 Upon the enactment after the date of this Addendum of any Law affecting the use or disclosure of PHI, or the publication after the date of this Addendum of any decision of a court of the United States relating to any such Law, or the publication after the date of this Addendum of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such Law or regulation, Covered Entity and Business Associate shall negotiate in good faith to amend this Addendum in such manner as necessary to comply with such Law or regulation. If Covered Entity and Business Associate cannot come to an agreement within thirty (30) calendar days following the initial amendment discussion between Covered Entity and Business Associate, either Party may terminate this Addendum upon written notice to the other Party.
6.1 Term. The term of this Addendum shall begin on the Effective Date and shall terminate when all of the PHI is destroyed or returned to Covered Entity, or, if it is not feasible to return or destroy PHI, protections are extended to such PHI, in accordance with the provisions in Section 6.3.
6.2 Termination for Breach. If Business Associate breaches any provision of this Addendum, Business Associate may cure the breach within thirty (30) days to the reasonable satisfaction of Covered Entity, in which case this Addendum shall remain in full force and effect. Upon breach, Covered Entity may, at its option, access and audit the records of Business Associate related to its use and disclosure of PHI, require Business Associate to submit to monitoring and reporting, and impose such other conditions as Covered Entity determines are necessary to ensure compliance with this Addendum, or Covered Entity may terminate this Addendum on a date specified by Covered Entity.
6.3 Effect of Termination. Upon termination of this Addendum for any reason, Business Associate agrees to return or destroy all PHI maintained by Business Associate in any form. If Business Associate determines that the return or destruction of PHI is not feasible, Business Associate shall inform Covered Entity in writing of the reasons therefor, and shall extend the protections of this Addendum to such PHI and limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible, for so long as Business Associate retains the PHI.
7.1 Survival. The respective rights and obligations of Business Associate with regard to the return or destruction of PHI under Section 6.3 shall survive the termination of this Addendum.
7.2 Regulatory References. A citation in this Addendum to the Code of Federal Regulations means the cited section as that section may be amended from time to time.
7.3 Interpretation. Any ambiguity in this Addendum shall be resolved in favor of a meaning that permits Covered Entity to comply with the HITECH Act. The provisions of this Addendum shall prevail over the provisions of any other agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this Addendum or the HITECH Act.