Business Associate Agreement
This Business Associate Agreement (“AGREEMENT”), effective as dated below (“Effective Date”), is entered into by and between COVERED ENTITY with an address as noted below and BUSINESS ASSOCIATE with an address as noted below each a “Party” and collectively the “Parties”.
WITNESSETH:
BUSINESS ASSOCIATE will provide services as defined in a separate “Services Agreement” document that are in fulfillment of services that COVERED ENTITY is obligated to provide for COVERED ENTITY’s customers; and
WHEREAS, HIPAA permits a business associate to disclose PHI (as defined below) to a business associate subcontractor and allows a business associate subcontractor to create, receive, transmit or maintain PHI on a business associate’s behalf for certain purposes, provided that the business associate obtains satisfactory assurances in the form of a written contract or other arrangement that the business associate subcontractor will appropriately safeguard the PHI; and
WHEREAS, BUSINESS ASSOCIATE and its employees, affiliates, agents or representatives may access paper and/or electronic records containing PHI in carrying out their obligations to COVERED ENTITY pursuant to either an existing or contemporaneously executed agreement for services (“Services Agreement”); and
WHEREAS, the Parties desire to enter into this AGREEMENT to establish how the Parties may use and disclose PHI, to comply with HIPAA and to amend any agreements between them as described in this AGREEMENT, whether oral or written, with the execution of this AGREEMENT.
NOW, THEREFORE, for and in consideration of the premises and mutual covenants and agreements contained herein, the Parties agree as follows:
1. Definitions
Unless otherwise specified in this Agreement, all capitalized terms used in this Agreement not otherwise defined shall have the meanings set forth in HIPAA and its implementing regulations. As used in this Agreement, the following defined terms have the meanings indicated below:
1.1 “Breach” means the acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI as defined, and subject to the exclusions set forth, in 45 C.F.R. § 164.402.
1.2 “Breach Notification Rule” means the federal breach regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 C.F.R. Part 164, Subpart D.
1.3 “Electronic Transactions Rule” means the final regulations concerning standard transactions and code sets codified at 45 C.F.R. Parts 160 and 162.
1.4 “ePHI” means PHI that is transmitted or maintained in Electronic Media.
1.5 “HITECH” means Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. §§ 17921-17954, and all associated existing and future implementing regulations, when and as each is effective.
1.6 “PHI” means Protected Health Information, as defined in 45 C.F.R. § 160.103, and is limited to the Protected Health Information received from, or received, maintained, created or transmitted on behalf of, COVERED ENTITY by BUSINESS ASSOCIATE in performance of the Services.
1.7 “Privacy Rule” means the federal privacy regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 C.F.R. Parts 160 and 164, Subparts A & E.
1.8 “Security Rule” means the federal security regulations, as amended from time to time, issued pursuant to HIPAA and codified at 45 C.F.R. Parts 160 and 164, Subparts A & C.
1.9 “Services” means, to the extent and only to the extent they involve the receipt, creation, maintenance, or transmission of PHI, the services provided by BUSINESS ASSOCIATE to COVERED ENTITY pursuant to the Services Agreement.
2. Services Agreements
COVERED ENTITY and BUSINESS ASSOCIATE are parties to a Services Agreement. This Agreement hereby amends the Services Agreement as necessary to incorporate into the Services Agreement this Agreement. In the event of conflict between the terms of the Services Agreement and this Agreement, the terms and conditions of this Agreement shall govern.
3. Responsibilities of BUSINESS ASSOCIATE
With regard to its use and/or disclosure of PHI, BUSINESS ASSOCIATE agrees to:
3.1 not use and/or further disclose PHI other than as necessary to provide the Services, as permitted or required by this Agreement, in compliance with each applicable requirement of 45 C.F.R. § 164.504(e) or as otherwise Required by Law; provided that, to the extent BUSINESS ASSOCIATE is to carry out a Covered Entity’s obligations under the Privacy Rule, BUSINESS ASSOCIATE will comply with the requirements of the Privacy Rule that apply to that Covered Entity in the performance of those obligations.
3.2 use appropriate administrative, technical and physical safeguards, and comply with applicable Security Rule requirements with respect to ePHI, to prevent use or disclosure of PHI other than as provided for in this Agreement.
3.3 report to COVERED ENTITY in writing without unreasonable delay, and in any event on or before five (5) calendar days after its discovery by BUSINESS ASSOCIATE, any use or disclosure of PHI not provided for by this Agreement of which BUSINESS ASSOCIATE becomes aware in accordance with 45 C.F.R. § 164.504(e)(2)(ii)(C).
3.4 report to COVERED ENTITY in writing without unreasonable delay, and in any event on or before five (5) calendar days after its discovery by BUSINESS ASSOCIATE, any Security Incident of which BUSINESS ASSOCIATE becomes aware in accordance with 45 C.F.R. § 164.314(a)(2)(i)(C).
3.5 notify COVERED ENTITY in writing without unreasonable delay, and in any event on or before five (5) calendar days after its Discovery by BUSINESS ASSOCIATE, of any incident that involves an unauthorized acquisition, access, use or disclosure of PHI, even if BUSINESS ASSOCIATE believes the incident will not rise to the level of a Breach. The notification shall include, to the extent possible, and shall be supplemented on an ongoing basis with: (i) all information required to be provided under 45 C.F.R. § 164.410(c); (ii) all other information required for or requested by COVERED ENTITY (or the applicable Covered Entity) to perform a risk assessment in accordance with 45 C.F.R. § 164.402 with respect to the incident to determine whether a Breach of Unsecured PHI occurred; and (iii) all other information reasonably necessary to provide notice to the applicable Covered Entities, Individuals, the Secretary and/or the media, all in accordance with the Breach Notification Rule. Notwithstanding the foregoing, in COVERED ENTITY’s sole discretion and in accordance with its directions, and without limiting in any way any other remedy available to COVERED ENTITY at law, equity or contract, including but not limited to any rights or remedies COVERED ENTITY may have under the Services Agreement, BUSINESS ASSOCIATE shall (i) conduct, or pay the costs of conducting, an investigation of any incident required to be reported under this Section 3.5; (ii) reimburse and pay COVERED ENTITY for all expenses and costs incurred by COVERED ENTITY that arise from an investigation of any incident required to be reported under this Section 3.5; and (iii) provide, and/or pay the costs of providing, the required notices as set forth in this Section 3.5. COVERED ENTITY on behalf of the applicable Covered Entity shall be solely responsible for providing notification to Individuals, the Secretary and/or the media if and as required by the Breach Notification Rule unless COVERED ENTITY notifies BUSINESS ASSOCIATE in writing that BUSINESS ASSOCIATE shall be responsible for said notifications at BUSINESS ASSOCIATE’s sole cost and expense.
3.6 in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), if applicable, ensure that any Subcontractors of BUSINESS ASSOCIATE that create, receive, maintain or transmit PHI on behalf of BUSINESS ASSOCIATE agree, in writing, to the same restrictions and conditions on the use and/or disclosure of PHI that apply through this Agreement to BUSINESS ASSOCIATE with respect to that PHI, including complying with the applicable Security Rule requirements with respect to ePHI.
3.7 make its internal practices, books, and records relating to the use and disclosure of PHI received from or created or received by BUSINESS ASSOCIATE on behalf of, COVERED ENTITY available to the Secretary for purposes of determining the applicable Covered Entity’s and COVERED ENTITY’s compliance with the Privacy Rule.
3.8 make available, within five (5) calendar days after receiving a written request from the applicable Covered Entity (or COVERED ENTITY on behalf of the applicable Covered Entity), any PHI maintained by BUSINESS ASSOCIATE in a Designated Record Set about an Individual to: (i) the applicable Covered Entity (or COVERED ENTITY on behalf of the applicable Covered Entity), so that the applicable Covered Entity (or COVERED ENTITY on behalf of the applicable Covered Entity) can respond to the Individual’s request for access to PHI in accordance with the requirements of 45 C.F.R. § 164.524; or (ii) the Individual to whom such PHI relates or his or her authorized representative, when and as requested by COVERED ENTITY, in accordance with the requirements of 45 C.F.R. § 164.524.
3.9 make available, within ten (10) calendar days after receiving a written request from the applicable Covered Entity (or COVERED ENTITY on behalf of the applicable Covered Entity), PHI maintained by BUSINESS ASSOCIATE in a Designated Record Set about an Individual to the applicable Covered Entity (or COVERED ENTITY on behalf of the applicable Covered Entity) for amendment and incorporate any amendments to the PHI as requested by the applicable Covered Entity (or COVERED ENTITY on behalf of the applicable Covered Entity) in accordance with 45 C.F.R. § 164.526.
3.10 document, and within seven (7) calendar days after receiving a written request from the applicable Covered Entity (or COVERED ENTITY on behalf of the applicable Covered Entity), make available to the applicable Covered Entity (or COVERED ENTITY on behalf of the applicable Covered Entity) information necessary for the applicable Covered Entity (or COVERED ENTITY on behalf of the applicable Covered Entity) to make an accounting of disclosures of PHI about an Individual, in accordance with 45 C.F.R. § 164.528 and, as of the later of the date compliance is required by final regulations or the Effective Date, 42 U.S.C. § 17935(c).
3.11 forward to COVERED ENTITY, within five (5) calendar days after its receipt, any request BUSINESS ASSOCIATE receives directly from an Individual for access to or amendment of PHI or for an accounting of disclosures.
3.12 accommodate reasonable requests for confidential communications in accordance with 45 C.F.R. § 164.522(b), as requested by the applicable Covered Entity (or COVERED ENTITY on behalf of the applicable Covered Entity).
3.13 take all necessary steps, at the request of the applicable Covered Entity (or COVERED ENTITY on behalf of the applicable Covered Entity), to comply with requests by Individuals not to send PHI to a Health Plan in accordance with 45 CFR § 164.522(a).
3.14 mitigate, to the extent practicable, any harmful effect known to BUSINESS ASSOCIATE resulting from a use or disclosure of PHI in violation of this Agreement.
3.15 request, use and/or disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure consistent with the minimum necessary policies of the applicable Covered Entity and COVERED ENTITY; provided that, BUSINESS ASSOCIATE shall comply with 45 C.F.R. §§ 164.502(b) and 164.514(d).
3.16 not directly or indirectly receive remuneration in exchange for any PHI of an Individual.
3.17 not use or disclose PHI for Marketing purposes under any circumstances.
3.18 Secure PHI in accordance with the Breach Notification Rule, as well as any guidance issued by the Secretary that specifies secure technologies and methodologies, such that Unsecured PHI is not maintained by BUSINESS ASSOCIATE.
4. Compliance with EDI Standards, Operating Rules, Standard Transactions Requirements and Code Sets.
If BUSINESS ASSOCIATE conducts in whole or part electronic transactions on behalf of COVERED ENTITY for which the Department of Health and Human Services has established standards, BUSINESS ASSOCIATE will comply, and will require any subcontractor it involves with the conduct of such transactions to comply, with each applicable requirement of the Electronic Transactions Rule and Operating Rules. BUSINESS ASSOCIATE shall also comply with the National Provider Identifier requirements, if and to the extent applicable. In the event of a change in the Operating Rules, Standard Transactions and Code Sets Regulations, the Parties agree that they shall negotiate an amendment to this Agreement as soon as reasonably practicable to address that change, if necessary to ensure that this Agreement complies with HIPAA.
5. Permitted Uses and Disclosures of PHI by BUSINESS ASSOCIATE
Unless otherwise limited in this Agreement, BUSINESS ASSOCIATE may use and disclose PHI, if necessary, for the proper management and administration of BUSINESS ASSOCIATE or to carry out the legal responsibilities of BUSINESS ASSOCIATE, provided that the disclosures are Required by Law, or BUSINESS ASSOCIATE obtains reasonable assurances from any person to whom PHI is disclosed for those purposes that: (i) the PHI will be held confidentially and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person; and (ii) the person will notify BUSINESS ASSOCIATE of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
6. Term and Termination.
6.1 Term. This Agreement shall become effective on the Effective Date and shall have a term that shall run concurrently with that of the Services Agreement unless earlier terminated in accordance with Section 6.2.
6.2 Termination for Cause. If COVERED ENTITY knows of a pattern of activity or practice of BUSINESS ASSOCIATE that constitutes a material breach or violation of this Agreement, then COVERED ENTITY may provide written notice of the breach or violation to BUSINESS ASSOCIATE that specifies the nature of the breach or violation. BUSINESS ASSOCIATE must cure the breach or end the violation on or before ten (10) calendar days after receipt of the written notice. If BUSINESS ASSOCIATE fails to cure the breach or end the violation within the specified timeframe, COVERED ENTITY may terminate this Agreement and the Services Agreement. COVERED ENTITY also may terminate this Agreement and the Services Agreement to the extent that any of COVERED ENTITY’s applicable Covered Entity customers terminates its agreement with COVERED ENTITY.
6.3 Effect of Termination or Expiration. Within thirty (30) calendar days after the expiration or termination for any reason of this Agreement, BUSINESS ASSOCIATE shall return or destroy all PHI, if feasible to do so, including all PHI in possession of BUSINESS ASSOCIATE’s Subcontractors. To the extent return or destruction of the PHI is not feasible, BUSINESS ASSOCIATE shall notify COVERED ENTITY in writing of the reasons return or destruction is not feasible and, if COVERED ENTITY agrees, may retain the PHI; provided, however, that BUSINESS ASSOCIATE shall extend any and all protections, limitations and restrictions contained in this Agreement to BUSINESS ASSOCIATE’s use and/or disclosure of any PHI retained after the expiration or termination of this Agreement, and shall limit any further uses and/or disclosures solely to the purposes that make return or destruction of the PHI infeasible.
7. Miscellaneous
7.1 Interpretation. Any ambiguity in this AGREEMENT shall be resolved to permit the applicable Covered Entity and COVERED ENTITY to comply with the applicable requirements of HIPAA.
7.2 Survival. Sections 6.3, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10, and 7.11 shall survive the expiration or termination for any reason of this AGREEMENT.
7.3 No Third-Party Beneficiaries. Nothing expressed or implied in this AGREEMENT is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever. Nothing in this AGREEMENT shall be construed to create any third-party beneficiary rights in any person.
7.4 Disputes. If any controversy, dispute or claim arises between the Parties with respect to this AGREEMENT, the Parties shall make good faith efforts to resolve such matters informally. All disputes arising hereunder shall be venued in a state or federal court located in New York State.
7.5 Counterparts; Facsimiles. This AGREEMENT may be executed in any number of counterparts, each of which shall be deemed an original and all of which will be one and the same document. Facsimile copies hereof shall be deemed to be originals.
7.6 Independent BUSINESS ASSOCIATE Relationship. No provision of this AGREEMENT is intended to create, nor shall be deemed or construed to create, any employment, agency or joint venture relationship between COVERED ENTITY and BUSINESS ASSOCIATE other than that of independent entities contracting with each other hereunder solely for the purpose of effectuating the provisions of this AGREEMENT. Neither of the Parties nor any of their respective representatives shall be construed to be the agent, employer, or representative of the other.
7.7 Penalties for Noncompliance. BUSINESS ASSOCIATE acknowledges that it may be subject to civil and criminal enforcement for failure to comply with HIPAA.
7.8 Amendments; Waiver. This AGREEMENT may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The failure of either Party to enforce at any time any provision of this AGREEMENT shall not be construed to be a waiver of such provision, nor in any way to affect the validity of this AGREEMENT or the right of either Party thereafter to enforce each and every such provision. In the event of a change in HIPAA, the Parties agree that they shall negotiate an amendment to this AGREEMENT as soon as reasonably practicable to address that change, if necessary, to ensure that this AGREEMENT complies with HIPAA.
7.9 Attorney Client Privilege. Nothing herein contained shall be construed to modify, impair or diminish either Party’s attorney client privilege.
7.10 Indemnification. BUSINESS ASSOCIATE agrees to indemnify COVERED ENTITY, its officers, employees, parents and affiliates and hold them harmless, during the term of this AGREEMENT and thereafter, from any and all claims, losses, liabilities, penalties, fines, costs (including the cost of any breach notices which the applicable COVERED ENTITY is required to send due to any Breach), damages and expenses, including reasonable attorney’s fees, incurred by or imposed upon any of them as a result of BUSINESS ASSOCIATE’s breach of this Agreement or violation of HIPAA.
7.11 Limitation of liability. Except for fraud and intentional misrepresentations, no party shall be liable for any special, consequential, punitive, exemplary, incidental or indirect damages, costs, expenses, charges or claims.
7.12 Notices. Any notice required or permitted under this Agreement shall be given in writing and delivered by hand, via a nationally recognized overnight delivery service (e.g., Federal Express), via registered mail or certified mail, postage prepaid and return receipt requested or when transmitted if transmitted by facsimile with electronic confirmation, to the below locations, or to such other addresses or to such other persons’ attention as either Party shall advise the other Party in writing, to the following:
- If to COVERED ENTITY: At the address set forth in this AGREEMENT, With a copy to: Attn: Chief Legal Officer
- BUSINESS ASSOCIATE : at the address below
Notice of a change in address of one of the parties shall be given in writing to the other Party as provided.
INTENDING TO BE LEGALLY BOUND, the Parties hereto have duly executed this AGREEMENT as of the Effective Date.
EFFECTIVE DATE: _______________________
INTENDING TO BE LEGALLY BOUND, the Parties hereto have duly executed this Agreement as of the Effective Date.
| COVERED ENTITY | BUSINESS ASSOCIATE |
|---|---|
| Name: Title: Date: Signed: | Name: NISOS TECHNOLOGIES ADDRESS: C-602, Citi Towers, Navi Mumbai 400706 Title: Date: Signed: |