Business Associate Agreement
WHEREAS, Covered Entity wishes to allow the Business Associate to have access to Protected Health Information (“PHI”), including Electronic Protected Health Information (“EPHI”), referred to hereafter as PHI, that is either provided to the Business Associate by Covered Entity, or received, viewed, maintained, transmitted or created by the Business Associate on behalf of Covered Entity in the course of performing services to, for or on behalf of Covered Entity; and
WHEREAS, the Business Associate requires access to such PHI in order to effectively perform Services to, for or on behalf of Covered Entity; and
WHEREAS, Covered Entity and Business Associate are subject to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and as may be further modified or superseded from time to time (collectively “HIPAA”), and among other obligations under HIPAA are required to enter into agreements with respect to the use and disclosure and safeguarding of PHI; and
WHEREAS, the parties desire to enter into this Agreement in order to set forth the terms and conditions pursuant to which PHI will be handled by the Business Associate and certain third parties, as applicable, during the duration of this Agreement and upon its termination, cancellation, expiration or other conclusion.
NOW, THEREFORE, in consideration of the mutual promises and covenants set forth herein, and for good and valuable consideration, receipt of which is hereby acknowledged, the parties hereby agree as follows:
1. Definitions
1.1 Catch-all definition. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
1.2 “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean the Business Associate as defined above in this Agreement.
1.3 “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean the Covered Entity as defined above in this Agreement.
1.4 “License Agreement” means the License Agreement entered between Business Associate and Covered Entity.
1.5 “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
1.6 “CFR” shall mean the Electronic Code of Federal Regulations.
2. Obligations and Activities of Business Associate
Business Associate agrees to:
2.1 Not use or disclose PHI other than as permitted or required by the Agreement or as required by law;
2.2 Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to EPHI, to prevent use or disclosure of PHI other than as provided for by the Agreement;
2.3 Report to Covered Entity any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware;
2.4 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
2.5 Make available PHI in a designated record set to the Covered Entity to meet Covered Entity’s obligations under 45 CFR 164.524;
2.6 Make any amendment(s) to PHI in a designated record set as agreed to by the Covered Entity pursuant to 45 CFR 164.526, provided that Covered Entity informs Business Associate of such amendment(s) in accordance with the provisions set forth in 45 CFR 164.526; Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to meet Covered Entity’s obligations under 45 CFR 164.528;
2.7 To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and
2.8 Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
3. Permitted Uses and Disclosures by Business Associate
3.1 Business Associate may use or disclose PHI as necessary to perform the Services set forth in the License Agreement.
3.2 Business Associate may use or disclose PHI as required by law.
3.3 Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
3.4 Business Associate may provide data aggregation services relating to the health care operations of the Covered Entity.
3.5 Notwithstanding the provisions of this Agreement, Business Associate and its subcontractors may disclose non-personally identifiable information provided that the disclosed information does not include a key or other mechanism that would enable the information to be identified.
4. Privacy Practices and Restrictions
4.1 Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
4.2 Covered Entity shall provide all notices and obtain all required consents from an Individual to allow Business Associate to use the PHI as set forth in this Agreement.
4.3 Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
4.4 Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
5. Term and Termination
5.1 Term. The term of this Agreement shall be effective as of the Effective Date, and shall continue in effect until the earliest of: (1) all of the PHI provided by Covered Entity to the Business Associate, or created or received by the Business Associate on behalf of Covered Entity, is destroyed to Covered Entity (or, if it is infeasible to destroy such PHI, then such PHI shall continue to be protected as set forth in this Agreement) and all other obligations of the parties have been met; (2) the Agreement is terminated by Covered Entity as provided in Section 5.2; or (3) the License Agreement is completed, concluded or otherwise terminated, in which case this Agreement will terminate automatically and without the need for any further action or notice on the part of either Covered Entity or Business Associate, and such automatic termination shall occur simultaneously with the conclusion, completion or termination of the arrangement for Services as defined in the License Agreement, whichever of the above options is sooner.
5.2 Termination for Cause. Business Associate authorizes termination of this Agreement by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the Agreement, and Business Associate has not cured the breach or ended the violation within the time specified by Covered Entity, which in any event will be no less than ten (10) days from Covered Entity's notice to Business Associate of such material breach or violation.
5.3 Obligations of Business Associate upon Termination.
Upon termination of this Agreement for any reason, Business Associate shall destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that the Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI.
6. Miscellaneous
6.1 Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
6.2 Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law. Upon the effective date of any amendment to final regulations promulgated by the U.S. Department of Health and Human Services with respect to the HITECH Act or HIPAA, the Omnibus Rule, and other modifications and regulations promulgated thereunder, this Agreement and the associated Business Agreement(s) will automatically amend to the extent such changes are directly applicable to the services provided by Business Associate on behalf of Covered Entity in order for the parties to remain in compliance with all applicable regulations.
6.3 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
6.4 Notices. All notices or other communications under this Agreement shall be in writing and shall be effective upon the earlier of actual receipt, the fifth (5th) business day following deposit into mail (registered or certified), the next business day following deposit with a nationally recognized overnight courier service, and the same day following transmission via facsimile or electronic mail. Notices shall be sent to Business Associate at the physical address listed on Business Associate’s main website or by electronic mail to the address listed on Business Associate’s main website and to Covered Entity at the addresses submitted to Business Associate.
6.5 Conflicts. The terms and conditions of this Agreement will supersede and control any conflicting term or condition of the Business Agreement(s) that addresses privacy and confidentiality of confidential medical information. All non-conflicting terms and conditions of the Business Agreement(s) remain in full force and effect.
6.6 Survival of Certain Terms. In the event that this Agreement ends or is terminated pursuant to Section 5 and the parties conclude in accordance with Section 5.3 that the destruction of PHI is not feasible, those terms of this Agreement that are required to continue its protections of PHI shall survive termination for as long as the PHI remains undestroyed to Covered Entity.
6.7 No Third Party Beneficiaries. Nothing contained herein, whether express or implied, is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
6.8 Disputes. If any controversy, dispute or claim arises between the parties with respect to this Agreement, the parties shall make good faith efforts to resolve such matters informally.
6.9 Governing Law. This Agreement shall be governed by and construed in accordance with the substantive laws of the state of New York without regard to conflicts of law principles.
6.10 Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed to be an original, and all of such counterparts together shall constitute one and the same contract.
6.11 Severability. The provisions of this Agreement shall be deemed severable and if any portion shall be held invalid, illegal or unenforceable for any reason, the remainder of this Agreement shall be effective and binding upon the Parties.