BUSINESS ASSOCIATE AGREEMENT
These Standard HIPAA Business Associate Agreement Terms and Conditions (“HIPAA Addendum”) shall be incorporated into the Service Agreement for Customers that are Covered Entities (as defined below) and that provide Protected Health Information (“PHI”) (as defined below) to ClinicGrower in connection with the services they have purchased. These terms supplement and are made part of the purchase agreement between ClinicGrower and Customers (“Underlying Agreement”) in order to comply with the federal Standards for Privacy of Individually Identifiable Health Information, located at 45 C.F.R. Part 160 and Part 164, Subparts A through E (“Privacy Rule”) and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (the “HITECH Act”).
WHEREAS, in order to ensure that Covered Entity and Business Associate remain in compliance with the HIPAA Rules and other applicable federal and state laws and regulations regarding the disclosure of PHI to Business Associate, the parties have agreed to enter into this Agreement.
NOW THEREFORE, Covered Entity and Business Associate agree as follows:
1.1 Covered Entity and Business Associate enter into this Agreement to comply with the requirements of Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, including the privacy, security, breach notification and enforcement rules at 45 C.F.R. Part 160 and Part 164, as well as the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (“HITECH”), as amended, and other applicable federal and state laws (collectively the “HIPAA Rules”).
1.2 This Agreement is intended to ensure that Business Associate will establish and implement appropriate safeguards for certain individually identifiable Protected Health Information relating to patients of Covered Entity (“PHI” as that term is defined below) that Business Associate may receive, create, maintain, use or disclose in connection with certain functions, activities and services that Business Associate performs for Covered Entity. The functions, activities and services that Business Associate performs for Covered Entity are defined in one or more agreements between the Parties (the “Underlying Agreements”).
2.1 Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules, which definitions are incorporated in this Agreement by reference.
2.2 For purposes of this Agreement:
2.2.1 “Electronic Protected Health Information” or “ePHI” shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. 160.103, as applied to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.
2.2.2 “Individual” shall have the same meaning given to such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R.
2.2.3 “Protected Health Information” or “PHI” shall have the meaning given to such term in 45 C.F.R. 160.103, limited to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity.
2.2.4 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information published in 45 C.F.R. Parts 160 and 164, Subparts A and E.
2.2.5 “Required by Law” shall have the meaning given to such term in 45 C.F.R. 164.103.
2.2.6 “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
2.2.7 “Security Rule” shall mean the Security Standards at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE
3.1 Use and Disclosure. Business Associate agrees not to use or disclose PHI, other than as permitted or required by this Agreement or as Required By Law. To the extent Business Associate is carrying out one or more of Covered Entity’s obligations under the Privacy Rule pursuant to the terms of the Underlying Agreement or this Agreement, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s).
3.2 Appropriate Safeguards. Business Associate shall develop, implement, maintain and use appropriate physical, technical and administrative safeguards, and shall comply with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement or as Required by Law.
3.3 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this Agreement’s requirements or that would otherwise cause a Breach of Unsecured PHI.
3.4 Breach Reporting. Without unreasonable delay and, in any event, no more than forty-eight (48) hours after discovery, Business Associate shall report to Covered Entity any suspected or actual: (a) use or disclosure of PHI not provided for or permitted by this Agreement; (b) Breach of Unsecured PHI as required under 45 C.F.R. § 164.410; (c) Security Incident; and (d) use or disclosure of PHI in violation of any applicable federal or state laws or regulations, of which it becomes aware.
3.4.1 Such notice to be provided by Business Associate under this Section 3.4 shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. § 164.404(c) at the time of notification. Business Associate’s notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of the HIPAA Rules and related guidance issued by the Secretary from time to time.
3.5 Subcontractors. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate shall enter into a written agreement with any agent or Business Associate that creates, receives, maintains or transmits PHI on behalf of the Business Associate for services provided to Covered Entity, which provides that the agent agrees to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information. Business Associate shall ensure that any agent, including a Business Associate, to whom it provides Electronic PHI agrees in writing to implement reasonable and appropriate safeguards to protect such information, including, but not limited to, any such safeguards required with respect to such agent or Business Associate by the Privacy Rule or the Security Rule.
3.6 Access to PHI. Business Associate agrees to provide access, in the time and manner designated by Covered Entity, to PHI in a Designated Record Set to the Covered Entity. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Business Associate, or inquires about his or her right to access, Business Associate shall, within five (5) business days of receipt of such request, forward it to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
3.7 Minimum Necessary Requirement. Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. § 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary, including the use of a “limited data set” as defined in 45 C.F.R. § 164.514(e)(2), to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time.
3.8 Amendment of PHI. Business Associate agrees to make PHI contained in a Designated Record Set available to Covered Entity for amendment pursuant to 45 C.F.R. § 164.526 within five (5) business days of Business Associate’s receipt of a request from Covered Entity. If an Individual makes a request for amendment pursuant to 45 C.F.R. § 164.526 directly to Business Associate, or inquires about his or her right to access, Business Associate shall, within seven (7) business days of receipt of such request, forward it to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
3.9 Accounting of Disclosures. Within seven (7) business days after Business Associate receives a request from Covered Entity, Business Associate shall provide to Covered Entity information collected in accordance with Section 3.11 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. If any Individual requests an accounting of disclosures of PHI directly from Business Associate, Business Associate shall, within seven (7) business days of receipt thereof, forward such request to Covered Entity. Any response to such requests shall be the responsibility of Covered Entity.
3.10 Access to Policies and Records. Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to Covered Entity or the Secretary for the purpose of Covered Entity or the Secretary determining compliance with the HIPAA Rules. In the event such a request comes directly from the Secretary, Business Associate agrees to notify Covered Entity immediately of such request.
3.11 Documentation of Disclosures. Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate shall document, at a minimum, the following information (“Disclosure Information”): (i) the date of the disclosure, (ii) the name and, if known, the address of the recipient of the PHI, (iii) a brief description of the PHI disclosed, (iv) the purpose of the disclosure that includes an explanation of the basis for such disclosure, and (v) any additional information required under the HITECH Act and any implementing regulations.
PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
4.1 General Uses and Disclosures. Business Associate agrees to receive, create, use or disclose PHI only as permitted by this Agreement, the HIPAA Rules, and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule if done by Covered Entity, except as set forth in this Article 4.
4.2 Business Associate may use or disclose PHI as Required By Law.
4.3 Except as otherwise provided in this Agreement, Business Associate may:
4.3.1 Use PHI for the proper management and administration of Business Associate, or to carry out its legal responsibilities.
4.3.2 Disclose PHI for the proper management and administration of Business Associate or to carry out legal responsibilities of Business Associate, provided that the disclosures are Required by Law, or Business Associate obtains prior written reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached, in accordance with the breach notification requirements of this Agreement.
4.3.3 Use PHI to provide Data Aggregation Services to Covered Entity as permitted under the HIPAA Rules.
OBLIGATIONS OF COVERED ENTITY
5.1 Covered Entity shall:
5.1.1 Notify Business Associate of any limitation(s) in its Notice of Privacy Practices in accordance with 45 C.F.R. 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
5.1.2 Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
5.1.3 Notify Business Associate of any changes in or revocation of permission by an individual to use or disclose his or her PHI, to the extent that such change or revocation may affect Business Associate’s permitted or required uses and disclosures of PHI.
5.2 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule or the Security Rule if done by Covered Entity, except as provided under Article 4 of this Agreement.
Business Associate shall indemnify, defend and hold harmless Covered Entity, and Covered Entity’s affiliates (“Indemnified Parties”), from and against any and all losses, expense, damage or injury (including, without limitation, all costs and reasonable attorneys’ fees) that the Indemnified Parties may sustain as a result of, or arising out of (a) a breach of this Agreement by Business Associate or its agents or Business Associates, including but not limited to any unauthorized use, disclosure or breach of PHI, (b) Business Associate’s failure to notify any and all parties required to receive notification of any Breach of Unsecured PHI pursuant to Section 3.4 or (c) any negligence or wrongful acts or omissions by Business Associate or its agents or Business Associates, including without limitation, failure to perform Business Associate’s obligations under this Agreement or the HIPAA Rules.
TERM AND TERMINATION
7.1 Term. This Agreement shall be in effect as of the Effective Date and shall terminate on the earlier of the date that:
7.1.1 Either party terminates for cause as authorized under Section 7.2.
7.1.2 All PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is determined, upon the mutual agreement of the Parties, to be infeasible to return or destroy PHI, protections are extended to such information in accordance with Section 7.3.
7.2 Termination for Cause. Upon Covered Entity’s knowledge of material breach by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. If Business Associate does not cure the breach or end the violation within the timeframe specified by Covered Entity, or if a material term of this Agreement has been breached and a cure is not possible, Covered Entity may terminate this Agreement and the Underlying Agreement(s), if any, upon written notice to Business Associate.
7.3 Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
7.3.1 Retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
7.3.2 Return to Covered Entity or, if agreed to by Covered Entity in writing, destroy the remaining PHI that the Business Associate still maintains in any form;
7.3.3 Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 7, for as long as Business Associate retains the PHI;
7.3.4 Limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI;
8.1 Amendment. The Parties agree to take such action as is necessary to amend this Agreement to comply with the requirements of the HIPAA Rules and any other applicable law.
8.2 Survival. The respective rights and obligations of Business Associate under Article 7 of this Agreement shall survive the termination of this Agreement.
8.3 Regulatory References. A reference in this Agreement to a section of the HIPAA Rules means the section as in effect or amended.
8.4 Interpretation. This Agreement shall be interpreted in the following manner:
8.4.1 Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
8.4.2 Any inconsistency between the Agreement’s provisions and the HIPAA Rules, including all amendments, as interpreted by the Department of Health and Human Services, court or another regulatory agency with authority over the Parties, shall be interpreted according to the interpretation of the Department of Health and Human Services, the court or the regulatory agency.
8.4.3 Any provision of this Agreement that differs from those mandated by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this Agreement.
8.5 Entire Agreement, Severability. This Agreement constitutes the entire agreement between the Parties related to the subject matter of this Agreement, except to the extent that the Underlying Agreement(s), if any, impose more stringent requirements related to the use and protection of PHI upon Business Associate. This Agreement supersedes all prior negotiations, discussions, representations or proposals, whether oral or written. This Agreement may not be modified unless done so in writing and signed by a duly authorized representative of both Parties. If any provision of this Agreement, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
8.6 Assignment. This Agreement will be binding on the successors and assigns of Covered Entity and Business Associate. However, this Agreement may not be assigned by Business Associate, in whole or in part, without the written consent of Covered Entity. Any attempted assignment in violation of this provision shall be null and void.
8.7 Multiple Counterparts. This Agreement may be executed in two or more counterparts, each of which shall be deemed an original.
8.8 Governing Law. Except to the extent preempted by federal law, this Agreement shall be governed by and construed in accordance with the laws of the state in which the Covered Entity’s principal place of business is located.
In addition, in the event a Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, including any then-current requirements of the HITECH Act or its regulations, such Party shall notify the other Party in writing. For a period of up to thirty days, the Parties shall address in good faith such concern and amend the terms of this Agreement, if necessary to bring it into compliance. If, after such thirty-day period, the Agreement fails to comply with the HIPAA Security and Privacy Rule, including the HITECH Act, then either Party has the right to terminate upon written notice to the other Party.
- Amendments. This Agreement may not be modified in any respect other than by a written instrument signed by both parties.
- Severability. In the event any part or parts of this Agreement are held to be unenforceable, the remainder of this Agreement will continue in effect.
- Governing Law. To the extent not preempted by Federal law, this Agreement shall be governed and construed in accordance with the state laws governing the Terms of Service Agreement, without regard to conflicts of law provisions.
- Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
- No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.