Business Associate Agreement
THIS AGREEMENT is made effective the _____ day of _________________, 20____, by and between [Full Legal Name of Covered Entity] [Address, City, State Zip] hereinafter referred to as “Covered Entity” and Hiram D. Snowden & Associates, Inc., 812 Lyndon Lane Suite 101 Louisville, Kentucky 40222 hereinafter referred to as “Business Associate”.
The Covered Entity and Business Associate mutually agree to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations (45 C.F.R. Parts 160-64), the requirements of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”), and the 2013 final ruling from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights that modifies and strengthens a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, (“Omnibus Ruling”). The Covered Entity and Business Associate agree to incorporate into this Agreement any regulations issued with respect to HIPAA that relate to the obligations of Business Associates. Business Associate recognizes and agrees that it is obligated by law to meet the applicable HIPAA provisions.
The “HIPAA Rules” mean, collectively, the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), the Security Standards for the Protection of Electronic PHI (the “Security Rule”), the Notification for Breach of Unsecured Protected Health Information (the “Breach Notification Rule”), and the Enforcement Rule and the Transactions Rule all as set forth at 45 C.F.R. Parts 160, 162 and 164 and as the same may be amended from time to time. Capitalized terms used herein without definition shall have the meaning as set forth in the HIPAA Rules.
The term “Secretary” means the Secretary of the Department of Health and Human Services.
Obligations and Activities of Business Associate
- Minimum Necessary and Limited Data Set. Business Associate’s use, disclosure, access, or request of Covered Entity’s Protected Health Information shall utilize a Limited Data Set to the extent practicable. Otherwise, Business Associate shall, in its performance of the functions, activities, services, and operations use only the minimum amount of Covered Entity’s Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure, access, or request. In addition, Business Associate shall implement and follow appropriate Minimum Necessary policies in the performance of its obligations under this Agreement.
- Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by the underlying Agreement or as required by law.
- Business Associate agrees to use appropriate safeguards, including without limitation administrative, physical, and technical safeguards, to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement and to reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic Protected Health Information that it may receive, maintain, or transmit on behalf of the Covered Entity.
- Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.
- Business Associate agrees to comply with the Security Rules, as required, in a manner consistent with the Security Rules and regulations that may be adopted by relevant federal agencies, to keep all Electronic Protected Health Information in a secure manner, as required under federal law.
- Business Associate agrees to ensure that any agent, including a Subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
- Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524.
- Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.
- Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity and/or to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy and Security Rules.
- Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.
- Business Associate agrees to provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.
- Business Associate hereby acknowledges and agrees that Covered Entity has notified Business Associate that it is required to comply with the confidentiality, disclosure, breach notification, compliance, and re-disclosure requirements of the Privacy Rule and the Security Rule to the extent such requirements may be applicable.
- Business Associate acknowledges that if it becomes aware of a “pattern of activity or practice” by Covered Entity, or any other Business Associate, that breaches a Business Associate Agreement, but fails to cure the breach, Business Associate shall immediately terminate the relevant Agreement, or report the non-compliance to the United States Department of Health and Human Services’ Office of Civil Rights.
- Business Associate acknowledges that it is subject to compliance audits by the United States Department of Health and Human Services’ Office of Civil Rights.
- Business Associate acknowledges that, in the event of any unauthorized acquisition, access, use or disclosure of Protected Health Information, Business Associate shall fully comply with the breach notification requirements, including any and all regulations which have been or may be promulgated.
- Business Associate shall comply with any and all regulatory requirements which may arise in the future to comply fully with the Privacy Rule and Security Rule, including, but not limited to, restrictions on disclosures to health plans, clarified minimum necessary standards, expanded accounting requirements applicable to electronic health records, revised prohibitions on sales of Protected Health Information, and updated marketing and fundraising restrictions.
- Business Associate acknowledges that, pursuant to the Privacy and Security Rules, Business Associate, its employees and contractors, and any third party (and their employees, contractors, and further third parties) who may have access to or possession of the Covered Entity’s Protected Health Information, are subject to regulatory oversight of the various federal and/or state agencies as a Business Associate, and may be subject to both civil and criminal penalties which may arise from violations of this Agreement, the Privacy Rule or the Security Rule.
Permitted Uses and Disclosures by Business Associate.
- Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate the Privacy and Security Rule if done by Covered Entity.
- Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
- Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
Business Associate’s Mitigation and Breach Notification Obligations
- Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. Business Associate agrees to be financially responsible for any fines and/or costs associated with a breach due to Business Associate’s violation of this Agreement.
- Following the discovery of a Breach of Unsecured Protected Health Information, Business Associate shall notify Covered Entity of such Breach without unreasonable delay and in no case later than twenty-four (24) hours after discovery of the Breach. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, through the exercise of reasonable diligence, would have been known to Business Associate.
- Notwithstanding the provisions of Section IV (b) above, if a law enforcement official states to Business Associate that notification of a Breach would impede a criminal investigation or cause damage to national security, then:
  - If the statement is in writing and specifies the time for which a delay is required, Business Associate shall delay such notification for the time period specified by the official; or
  - If the statement is made orally, Business Associate shall document the statement, including the identity of the official making it, and delay such notification for no longer than thirty (30) days from the date of the oral statement unless the official submits a written statement during that time.
  - Following the period of time specified by the official, Business Associate shall promptly deliver a copy of the official’s statement to Covered Entity.
- The Breach notification provided shall include, to the extent possible:
  - The identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach;
  - A brief description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
  - A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
  - Any steps individuals should take to protect themselves from potential harm resulting from the Breach;
  - A brief description of what Business Associate is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breaches; and
  - Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.
- Business Associate shall provide the information specified in Section IV (d) above to Covered Entity at the time of the Breach notification if possible or promptly thereafter as information becomes available. Business Associate shall not delay notification to Covered Entity that a Breach has occurred in order to collect the information described in Section IV (d) and shall provide such information to Covered Entity even if the information becomes available after the 45-day period provided for initial Breach notification.
Obligations of the Covered Entity.
- Covered Entity shall provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with 45 CFR 164.520, as well as any changes to such Notice.
- Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information if such changes affect Business Associate’s permitted or required uses and disclosures.
- Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522.
Inspection of Internal Practices, Books, and Records.
Business Associate shall make its internal practices, books, and records relating to its use and disclosure of Covered Entity’s Protected Health Information available to Covered Entity and to Health and Human Services to determine Covered Entity’s compliance with the Privacy Rule and Security Rule.
Additional Documentation.
- Effective July 1, 2018, Business Associate annually shall provide Covered Entity with either:
  - A copy of a SOC 2, Type 2 report that has been issued within the last twelve (12) months, or;
  - A copy of an ISO 27001 audit report that has been issued within the last twelve (12) months, or;
  - An attestation from the CEO or other individual of similar seniority within the organization, in a form provided by Covered Entity, regarding the sufficiency of the Business Associate’s physical, technical and administrative controls on the privacy and security of Protected Health Information.
Permissible Requests by the Covered Entity.
Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity.
Term and Termination.
- Term: The Term of this Agreement shall be effective as of the Effective Date, and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
- Termination for Cause: Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity may, in its sole discretion, either (1) provide Business Associate with an opportunity to cure the breach and then terminate the Underlying Agreement if Business Associate does not cure the breach within the time period specified by the Covered Entity, or (2) terminate the Underlying Agreement immediately.
- Effect of Termination:
  - Except as provided in paragraph (2) of this section, upon termination of this Agreement or the Underlying Agreement for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of Subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
  - In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.
- This Agreement supersedes all previous signed agreements between Business Associate and Covered Entity.
- Regulatory References: A reference in this Agreement to a section in the Privacy and Security Rule means the section as in effect or as amended, and for which compliance is required.
- Indemnification: Business Associate shall release, indemnify and hold Covered Entity harmless from and against any claims, fees, and costs, including, without limitation, reasonable attorneys’ fees and costs, which are related to Business Associate’s failure to perform its obligations under this Agreement. Covered Entity shall release, indemnify and hold Business Associate harmless from and against any claims, fees, and costs, including without limitation, reasonable attorneys’ fees and costs, which are related to Covered Entity’s alleged improper use or disclosure of Protected Health Information.
- Remedies: The parties acknowledge that breach of this Agreement may cause irreparable harm for which there is no adequate remedy at law. In the event of a breach, or if Covered Entity has actual notice of an intended breach, Covered Entity shall be entitled to a remedy of specific performance and/or an injunction restraining Business Associate from violating or further violating this Agreement. The parties agree that the election of the Covered Entity to seek injunctive relief and/or specific performance of this Agreement does not foreclose or have any effect on any right the Covered Entity may have to recover damages.
- Amendment: The Parties agree to take such action as is necessary to amend the Underlying Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy and Security Rules, the Health Insurance Portability and Accountability Act, Public Law 104-191 and HITECH; provided, however, that no amendment shall be deemed valid unless signed by both parties.
- Survival: The respective rights and obligations of Business Associate under Sections 2, 3 and 4 of this Agreement shall survive the termination of this Agreement and/or the Underlying Agreements, as shall the rights of access and inspection of Business Associate by Covered Entity.
- Interpretation: Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy and Security Rules.
- Material Breach: The parties acknowledge that in the event the Covered Entity learns of a pattern of activity or practice of the Business Associate that constitutes a violation of a material term of this Agreement, then the parties promptly shall take reasonable steps to cure the violation. If such steps are, in the judgment of the Covered Entity, unsuccessful, ineffective or not feasible, then the Covered Entity may terminate, in its sole discretion, any or all of the Underlying Agreements upon written notice to the Business Associate, if feasible, and if not feasible, shall report the violation to the Secretary of HHS.
- Governing Law; Conflict: This Agreement shall be enforced and construed in accordance with the laws of the State of Kentucky. In the event of a conflict between the terms of this Agreement and the terms of any of the Underlying Agreements, the terms of this Agreement shall control.
- Notices: Any notice given under this Agreement must be in writing and delivered via first class mail, via reputable overnight courier service, or in person to the parties’ respective addresses as first written above or to such other address as the parties may from time to time designate in writing.
- Assigns: Neither this Agreement nor any of the rights, benefits, duties, or obligations provided herein may be assigned by Business Associate without the prior written consent of the Covered Entity.
- Third Party Beneficiaries: Nothing in this Agreement shall be deemed to create any rights or remedies in any third party.