Business Associate Agreement
WHEREAS, ___________________ (Covered Entity) and Open Forest (Business Associate) intend to protect the privacy and security of certain Protected Health Information (PHI) to which Business Associate may have access in order to provide goods or services to or on behalf of the Covered Entity, in accordance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA); the Health Information Technology for Economic and Clinical Health Act (HITECH), Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5 (Feb. 17, 2009), and related regulations; the HIPAA Privacy Rule (Privacy Rule), 45 C.F.R. Parts 160 and 164, as amended; 42 U.S.C. § 602(a)(1)(A)(iv); 42 U.S.C. § 1396a(a)(7); 35 P.S. § 7607; 42 C.F.R. §§ 431.301-431.302; and other relevant laws, including subsequently adopted provisions applicable to the use and disclosure of confidential information, and applicable agency guidance.
WHEREAS, Business Associate may receive PHI from Covered Entity, or may create or obtain PHI from other parties for use on behalf of Covered Entity, which PHI must be handled in accordance with the Agreement and the standards established by HIPAA, the HITECH Act and related regulations, and other applicable laws and agency guidance.
NOW THEREFORE, Covered Entity and Business Associate agree as follows:
1. Definitions:
- “Business Associate” shall have the meaning given to such term under HIPAA, the HITECH Act, applicable regulations and agency guidance.
- “Covered Entity” shall have the meaning given to such term under HIPAA, the HITECH Act and applicable regulations and agency guidance.
- “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
- “HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5 (Feb. 17, 2009).
- “Privacy Rule” shall mean the standards for privacy of individually identifiable health information in 45 C.F.R. Parts 160 and 164, as amended and related agency guidance.
- “Protected Health Information” or “PHI” means any information transmitted or recorded in any form or medium (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under HIPAA, the HITECH Act and related regulations and agency guidance. PHI also includes any and all information that can be used to identify a current or former applicant for or recipient of benefits or services of Covered Entity (or Covered Entity’s contractors/business associates).
- “Security Rule” shall mean the security standards in 45 C.F.R. Parts 160, 162 and 164, as amended and related agency guidance.
- “Unsecured PHI” shall mean PHI that is not secured through the use of a technology or methodology as specified in HITECH regulations and agency guidance or as otherwise defined in the HITECH Act.
2. Standard Purposes For Which Business Associate May Use or Disclose PHI:
The Parties hereby agree that Business Associate shall be permitted to use and/or disclose PHI provided by or obtained on behalf of Covered Entity for the following stated purposes, except as otherwise stated in the Agreement:
- To manage the arrangement for and provision of services for, or on behalf of, Covered Entity including the use of PHI for Covered Entity as appropriate pursuant to the Business Associate’s status as a Covered Entity.
- As required by law or to carry out any legal responsibilities of the Business Associate.
- In any way consistent with the Covered Entity’s minimum necessary policies and procedures.
- In a manner that complies with Subpart E of 45 C.F.R. part 164.
NO OTHER DISCLOSURES OF PHI OR OTHER INFORMATION ARE PERMITTED
3. Business Associate Obligations:
- Limits on Use and Further Disclosure Established By Agreement and Law. Business Associate hereby agrees that the PHI provided by, or created or obtained on behalf of, Covered Entity shall not be further used or disclosed other than as permitted or required by this Agreement or as required by law and agency guidance.
- Appropriate Safeguards. Business Associate shall establish and maintain appropriate safeguards to prevent any use or disclosure of PHI other than as provided for by this Agreement. Appropriate safeguards shall include implementing administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that is created, received, maintained or transmitted on behalf of the Covered Entity, and limiting use and disclosure to the applicable minimum necessary requirements as set forth in applicable federal and state statutory and regulatory requirements and agency guidance.
- Reports of Improper Use or Disclosure. Business Associate hereby agrees that it shall report to Covered Entity via email, within two (2) days of discovery, any use or disclosure of PHI not provided for or allowed by this Agreement.
- Reports of Security Incidents. In addition to the breach notification requirements in section 13402 of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and related regulations, agency guidance and other applicable federal and state laws, Business Associate shall report to Covered Entity via email within two (2) days of discovery any security incident of which it becomes aware. At the sole expense of the Business Associate, Business Associate shall comply with all applicable federal and state breach notification requirements. Business Associate shall indemnify the Covered Entity for costs associated with any incident involving the acquisition, access, use or disclosure of Unsecured PHI in a manner not permitted under federal or state law and agency guidance.
- Right of Access to PHI. Business Associate hereby agrees to allow an individual who is the subject of PHI maintained in a designated record set to have access to and copy that individual’s PHI within five (5) business days of receiving a written request from the Covered Entity. Business Associate shall provide PHI to the extent and in the manner required by 45 C.F.R. § 164.524 and other applicable federal and state law and agency guidance. If Business Associate maintains an electronic health record, Business Associate must provide the PHI in electronic format if requested. If any individual requests access to PHI directly from Business Associate, Business Associate shall notify Covered Entity of the request within five (5) business days. Business Associate shall further conform with and meet all of the requirements of 45 C.F.R. § 164.524 and other applicable laws, including the HITECH Act and related regulations, and agency guidance.
- Amendment and Incorporation of Amendments. Within five (5) business days of receiving a request from Covered Entity for an amendment of PHI maintained in a designated record set, Business Associate shall make the PHI available and incorporate the amendment to enable Covered Entity to comply with 45 C.F.R. § 164.526, applicable federal and state law, including the HITECH Act and related regulations, and agency guidance. If any individual requests an amendment directly from Business Associate, Business Associate shall notify Covered Entity within five (5) business days.
- Provide Accounting of Disclosures. Business Associate agrees to maintain a record of all disclosures of PHI in accordance with 45 C.F.R. § 164.528 and other applicable laws and agency guidance, including the HITECH Act and related regulations. Such records shall include, for each disclosure, the date of the disclosure, the name and address of the recipient of the PHI, a description of the PHI disclosed, the name of the individual who is the subject of the PHI disclosed, and the purpose of the disclosure. Business Associate shall make such record available to the individual or the Covered Entity within five (5) business days of a request for an accounting of disclosures.
- Requests for Restriction. Business Associate shall comply with requests for restriction on disclosures of PHI about an individual if the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for treatment purposes), and the PHI pertains solely to a health care item or service for which the service involved was paid in full out-of-pocket. For other requests for restriction, Business Associate shall otherwise comply with the Privacy Rule, as amended, and other applicable statutory and regulatory requirements and agency guidance.
- Access to Books and Records. Business Associate hereby agrees to make its internal practices, books and records relating to the use or disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of Health and Human Services for purposes of determining compliance with applicable laws and agency guidance.
- Return or Destruction of PHI. At termination of this Agreement, Business Associate hereby agrees to return or destroy all PHI provided by or obtained on behalf of Covered Entity. Business Associate agrees not to retain any copies of the PHI after termination of this Agreement. If return or destruction of the PHI is not feasible, Business Associate agrees to extend the protections of this Agreement to limit any further use or disclosure until such time as the PHI may be returned or destroyed. If Business Associate elects to destroy the PHI, it shall certify to Covered Entity that the PHI has been destroyed.
- Maintenance of PHI. Notwithstanding the Return or Destruction of PHI provision above, Business Associate shall retain all PHI throughout the term of the Agreement and shall continue to maintain the information required under the various documentation requirements of this Agreement (such as the record of disclosures required under Provide Accounting of Disclosures above) for a period of six (6) years after termination of the Agreement, unless Covered Entity and Business Associate agree otherwise.
- Mitigation Procedures. Business Associate agrees to establish, and to provide to Covered Entity upon request, procedures for mitigating, to the maximum extent practicable, any harmful effect from the use or disclosure of PHI in a manner contrary to this Agreement or the Privacy Rule, as amended. Business Associate further agrees to mitigate any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement or applicable laws and agency guidance.
- Sanction Procedures. Business Associate agrees that it shall develop and implement a system of sanctions for any employee or agent who violates this Agreement, applicable laws or agency guidance.
- Grounds for Breach. Non-compliance by Business Associate with this Agreement or the Privacy or Security Rules, as amended, is a breach of the Agreement, if Business Associate knew or reasonably should have known of such non-compliance and failed to immediately take reasonable steps to cure the non-compliance.
- Termination by Covered Entity. Business Associate authorizes the termination of this Agreement by the Covered Entity if the Covered Entity determines, in its sole discretion that Business Associate has violated a material term of this Agreement.
- Failure to Perform Obligations. In the event Business Associate fails to perform its obligations under this Agreement, Covered Entity may immediately discontinue providing PHI to Business Associate. Covered Entity may also, at its option, require Business Associate to submit a plan of compliance, including monitoring by Covered Entity and reporting by Business Associate, as Covered Entity in its sole discretion determines to be necessary to maintain compliance with this Agreement and applicable laws and agency guidance.
- Privacy Practices. Covered Entity will provide and Business Associate shall immediately begin using any applicable form, including but not limited to, any form used for Notice of Privacy Practices, Accounting for Disclosures, or Authorization, upon the effective date designated by the Covered Entity. Covered Entity retains the right to change the applicable privacy practices, documents and forms. The Business Associate shall implement changes as soon as practicable, but not later than 45 days from the date of notice of the change.
4. Obligations of Covered Entity:
- Provision of Notice of Privacy Practices. Covered Entity shall provide Business Associate with the notice of privacy practices that the Covered Entity produces in accordance with applicable law and agency guidance, as well as changes to such notice.
- Permissions. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by individual to use or disclose PHI of which Covered Entity is aware, if such changes affect Business Associate’s permitted or required uses and disclosures.
- Restrictions. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522 and other applicable laws and applicable agency guidance, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Management of Services. Covered Entity is responsible for the management and administration of services to its end users. Thus, the Covered Entity bears all responsibility for implementing and using all security protections and controls available to support HIPAA compliance.
- Non-covered Functions. All non-covered functions and interactions or transmissions of any data between the parties are the sole responsibility of the Covered Entity. The Covered Entity must oversee non-covered functions and develop its own privacy policies applicable to such functions.
- HIPAA Compliance. Covered Entity must not request that the Business Associate use or disclose PHI in any manner that is not compliant with HIPAA. Covered Entity must ensure its compliance with HIPAA at all times relevant to this Agreement.
- End Users. Covered Entity is responsible for determining whether the end users are authorized to use or share PHI. Business Associate will have no responsibility to determine the appropriateness of PHI disclosure to or use by the Covered Entity’s end users.
- Termination. Following the termination of this Agreement, the Covered Entity will be solely responsible for storing PHI previously used or stored by the Business Associate under this Agreement.
Your use of our Services includes the ability to enter into agreements and/or to make transactions electronically. YOU ACKNOWLEDGE THAT YOUR ELECTRONIC SUBMISSIONS CONSTITUTE YOUR AGREEMENT AND INTENT TO BE BOUND BY SUCH AGREEMENTS AND TRANSACTIONS. YOUR AGREEMENT AND INTENT TO BE BOUND BY ELECTRONIC SUBMISSIONS APPLIES TO ALL RECORDS RELATING TO ALL TRANSACTIONS YOU ENTER INTO ON THE SERVICES, INCLUDING NOTICES OF CANCELLATION, POLICIES, CONTRACTS, AND APPLICATIONS.