THIS AGREEMENT between ____________________________ (“Business Associate”) and _________________________ (“Covered Entity”) is effective as of ___________, 2022.
WHEREAS, Covered Entity is considered a “Covered Entity” and Business Associate is considered a “Business Associate” as such terms are defined under the Health Insurance Portability and Accountability Act of 1996 (as amended, modified or superseded from time to time, “HIPAA”) and the final Privacy Rule issued pursuant thereto (codified at 45 CFR Parts 160 and 164 as amended, modified, or superseded from time to time, the “Privacy Rule”) (collectively, HIPAA, the Privacy Rule and any other state or federal legislation relating to the protection of health information is referred to herein as “Applicable Privacy Law”), and the HITECH Standards (as hereinafter defined);
WHEREAS, Covered Entity and Business Associate desire to enter into this Agreement in order to comply with the Applicable Privacy Law;
NOW THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this Agreement, Covered Entity and Business Associate agree as follows:
1. Defined Terms. Unless otherwise indicated below or elsewhere in this Agreement, all capitalized terms shall have the meanings provided in 45 CFR 160.103 and 164.501, and as defined in the HITECH Standards. (For convenience, a few of the definitions are highlighted below.)
a. “Individual” means the person who is the subject of protected health information (45 CFR 160.103) and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
b. “Protected Health Information” or “PHI” means individually identifiable health information or personal identifiable information “PII” as defined in 45 CFR 160.103 and section 1171(6) of the Social Security Act, limited to the information received, maintained, or transmitted by Business Associate from Covered Entity or created, maintained, or received by Business Associate on behalf of Covered Entity.
c. “Secretary” means the Secretary of the Department of Health and Human Services or his or her designee.
d. “Breach” shall mean the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under 45 C.F.R. Part 164, Subpart E (the “HITECH Act”) which compromises the security or privacy of the Protected Health Information.
I. “Breach” shall not include:
(1) Any unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of Covered Entity or Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule; or
(2) Any inadvertent disclosure by a person who is authorized to access Protected Health Information at Covered Entity or Business Associate to another person authorized to access Protected Health Information at Covered Entity or Business Associate, respectively, or Organized Health Care Arrangement in which Covered Entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule; or
(3) A disclosure of Protected Health Information where Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
II. Except as provided in paragraph (I.) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under Subpart E is presumed to be a breach unless the Covered Entity or Business Associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
(i.) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(ii.) The unauthorized person who used the protected health information or to whom the disclosure was made;
(iii.) Whether the protected health information was actually acquired or viewed; and
(iv.) The extent to which the risk to the protected health information has been mitigated.
e. “Covered Entity” means a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by the HIPAA Privacy and Security Regulations and the HITECH Act, pursuant to 45 CFR 164.105(b). Covered Entity may mean a client or owner or supplier of PHI.
f. “Data Aggregation” means, with respect to PHI created or received by a Business Associate in its capacity as the Business Associate of a Covered Entity, the combining of such PHI by the Business Associate with the PHI received by the Business Associate in its capacity as a Business Associate of another Covered Entity, to permit data analyses that relate to the health care operations of the respective Covered Entities.
g. “HITECH Standards” means the privacy, security and security Breach notification provisions applicable to a Business Associate under Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), and any regulations promulgated thereunder.
h. “Unsecured PHI” means any PHI not protected through a technology or methods approved by the Secretary under section 13402(h)(2) of Pub. L. 111-5 that renders the PHI unusable, unreadable, or indecipherable to any and all unauthorized individuals.
2. Use and Disclosure of PHI. Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement or as Required By Law. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of Covered Entity as specified in the agreement between Business Associate and Covered Entity, provided that such use or disclosure of PHI would not violate Applicable Privacy Law if done by Covered Entity. Except as otherwise limited in this Agreement or any other agreement between Covered Entity and Business Associate, Business Associate may also:
(a) Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate;
(b) Disclose PHI for the proper management and administration of Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and that the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information may have been breached; and
(c) Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B).
(d) Business Associate waives any and all liability regarding the shipment of unsecured PHI by the Covered Entity to the Business Associate. If Covered Entity requests the return of any and all unsecured PHI, Covered Entity must waive the Business Associates liability regarding the shipment of that unsecured PHI to the Covered Entity or provide alternative methods of delivery.
3. Safeguards. Business Associate shall use any and all appropriate safeguards to prevent use or disclosure of the PHI other than as permitted by this Agreement. Business Associate further agrees to use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of any Electronic PHI in accordance with the HIPAA Security Regulations and the HITECH Standards.
4. Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement. The Business Associate and Covered Entity will use its best efforts to immediately remediate any violation or breach of PHI.
5. Report Breaches. Business Associate will report to Covered Entity any use or disclosure of PHI known to Business Associate that is neither permitted by this Agreement nor given prior written approval by Covered Entity. Business Associate further agrees to report to the Covered Entity any security incident (as defined by the HIPAA Security Regulations, 45 CFR 164.304) on or after the compliance date of the HIPAA Security Regulations of which it becomes aware. Security Incidents shall not include unsuccessful attempts, such as port scans or probes. Business Associate shall report to Covered Entity any Breach consistent with the regulations promulgated under the HITECH Standards by the United States Department of Health and Human Services at 45 C.F.R. Part 164, Subpart D. Business Associate shall cooperate in good faith with Covered Entity in the investigation of any Breach or Security Incident.
6. Downstream Contracts. Business Associate shall ensure that any agent or subcontractor, to whom it provides PHI agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. However, the Business Associate shall not disclose or provide access to PHI to any subcontractor or agent without the prior written consent of Covered Entity. 6
7. Access to PHI. Business Associate, including its agents and subcontractors, shall provide access, at the written request of Covered Entity or an Individual, to PHI in a Designated Record Set, to Covered Entity or an Individual in order to meet Covered Entity’s requirements under 45 CFR 164.524.
8. Amendments to PHI. Upon receipt of a written request from Covered Entity or an Individual for an amendment of PHI or a record about an Individual contained in a Designated Record Set, Business Associate or its agents or subcontractors shall make such PHI available to Covered Entity for amendment and/or incorporate any such amendment to enable Covered Entity to fulfill its obligations under the Privacy Rule and the HITECH Standards, including, but not limited to, 45 CFR 164.526
9. Access to Books and Records. Business Associate shall make internal practices, books and records relating to the use and disclosure of PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, available to Covered Entity, or at the request of Covered Entity to the Secretary, in a time and manner designated by Covered Entity or the Secretary, for purposes of determining Covered Entity’s compliance with Applicable Privacy Law.
10. Documentation of Disclosures of PHI. Upon receipt of a written request from Covered Entity or an Individual for an accounting of disclosures of PHI, Business Associate and its agents or subcontractors shall make available to Individual an accounting of disclosures or to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under the Privacy Rule and the HITECH Standards, including, but not limited to, 45 CFR 164.528. As set forth in, and as limited by, 45 CFR 164.528, Business Associate shall not provide an accounting to Covered Entity or an Individual of disclosures:
(i) to carry out treatment, payment or health care operations, as set forth in 45 CFR 164.506;
(ii) to Individuals of PHI about them as set forth in 45 CFR 164.502;
(iii) to persons involved in the Individual’s care or other notification purposes as set forth in 45 CFR 164.510;
(iv) for national security or intelligence purposes as set forth in 45 CFR 164.512(k)(2); or
(v) to correctional institutions or law enforcement officials as set forth in 45 CFR 164.512(k)(5).
Business Associate shall not disclose any PHI except as set forth in Section 2 of this Agreement. Notwithstanding Section 16 of this Agreement, Business Associate and its subcontractors or agents shall continue to maintain the information required under this Section 10 for a period of six (6) years after the applicable disclosure. Such requirement shall not extend to disclosures occurring prior to February 23, 2005.
11. Notice to Media of Breaches. If a breach involves more than 500 residents of the same State or jurisdiction, Business Associate will notify the media in accordance with the Breach Notification Requirements. Such notification will be provided without unreasonable delay and in no case later than sixty (60) calendar days after the discovery of the breach. Business Associate will provide Covered Entity with a copy of the notice it determines is required by this paragraph within a sufficient time prior to its required distribution date.
12. Confidential Communications. Business Associate shall, if directed by Covered Entity or an Individual, use alternative means or alternative locations when communicating PHI to an Individual based on the Individual’s request for confidential communications in accordance with 45 CFR 164.522.
13. Minimum Necessary. Business Associate and its agents or subcontractors shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
14. Data Ownership. Business Associate acknowledges that Business Associate has no ownership rights with respect to the PHI.
15. Warranty for Transactions and Code Sets Rule. If Business Associate conducts all or part of any transaction covered by 45 CFR 162 with or on behalf of Covered Entity (including but not limited to, claims payment and referral certification and authorizations), then Business Associate covenants and warrants that by October 16, 2003
(i) it shall comply with all applicable requirements of 45 CFR 162, and
(ii) it shall require its agents or subcontractors to comply with all applicable requirements of 45 CFR 162.
16. Compliance with HITECH Standards.
Notwithstanding any other provision in this Agreement, no later than February 17, 2010, unless a separate effective date is specified by law or this Agreement for a particular requirement (in which case the separate effective date shall be the effective date for that particular requirement), Business Associate shall comply with the HITECH Standards, including, but not limited to:
(i) compliance with the requirements regarding minimum necessary under HITECH § 13405(b);
(ii) requests for restrictions on use or disclosure to health plans for payment or health care operations purposes when the provider has been paid out of pocket in full consistent with HITECH § 13405(a);
(iii) the prohibition of sale of PHI without authorization unless an exception under HITECH § 13405(d) applies;
(iv) the prohibition on receiving remuneration for certain communications that fall within the exceptions to the definition of marketing under 45 C.F.R. § 164.501 unless permitted by this Agreement and Section 13406 of HITECH;
(v) the requirements relating to the provision of access to certain information in electronic access under HITECH § 13405(e);
(vi) compliance with each of the Standards and Implementation Specifications of 45 C.F.R. §§ 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards) and 164.316 (Policies and Procedures and Documentation Requirements); and (vii) the requirements regarding accounting of certain disclosures of PHI maintained in an Electronic Health Record under HITECH § 13405(c).
17. Termination.
(a)Termination for Cause. Upon Covered Entity’s knowledge of a material breach of this Agreement in violation of HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations, or the HITECH Standards by Business Associate, Covered Entity may
(i) provide an opportunity for Business Associate to cure the breach and then terminate this Agreement and the then-existing business relationship with Covered Entity if Business Associate does not cure the breach to Covered Entity’s satisfaction within the time specified by Covered Entity,
(ii) immediately terminate this Agreement and the then-existing business relationship with Covered Entity or
(iii) if neither termination nor cure are feasible, Covered Entity shall report violation to the Secretary.
(b) Effect of Termination of Agreement for Any Reason.
(1) Except as provided in paragraph (2) of this Section 17(b), or as otherwise required by applicable law, upon termination of this Agreement for any reason, Business Associate shall promptly return to Covered Entity or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to all PHI that is in the possession of Business Associate and its subcontractors or agents. Business Associate shall retain no copies of the PHI.
(2) In the event that Business Associate determines that returning or destroying PHI is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction not feasible, for so long as Business Associate maintains such PHI.
18. Mutual Indemnification for HIPAA ONLY.
Business Associate hereby indemnifies and holds harmless the Covered Entity, its directors, officers, employees, agents and attorneys, from and against any and all claims, damages, fines, penalties, loss, liabilities, costs or expenses, including reasonable attorney fees or which may be claimed against Covered Entity by any person or entity whatsoever, by reason of or in connection with any breach by Business Associate and its own conduct with respect to PHI and its obligations under HIPAA, HIPAA regulations, and the HITECH Standards.
Covered Entity hereby indemnifies and holds harmless the Business Associate, its directors, officers, employees, agents and attorneys, from and against any and all claims, damages, fines, penalties, loss, liabilities, costs or expenses, including reasonable attorney fees or which may be claimed against Business Associate by any person or entity whatsoever, by reason of or in connection with any breach by Covered Entity and its own conduct with respect to PHI and its obligations under HIPAA, HIPAA regulations, and the HITECH Standards.
19. Miscellaneous.
(a) Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section then in effect or as amended.
(b) Amendment. The Parties agree that if Applicable Privacy Law changes, this Agreement shall be deemed to incorporate such changes as necessary in order for Covered Entity to operate in compliance with the amended or modified requirements of Applicable Privacy Law.
(c) Survival. The respective rights and obligations of Business Associate under Sections 10, 17(b) and 18 shall survive the termination of this Agreement.
(d) Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with Applicable Privacy Law.