In accordance with the regulations set forth in 45 C.F.R. Parts 160 and 164 issued pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA
") and the Health Information Technology for Economis and Clinical Health ("HITECH
") Act set forth in 42 U.S.C. § 17921 et seq.,
("Company") on behalf of itself and any purposes of HIPAA for each affiliate and Mediprocity Inc.
") hereby enter into this Business Associate Agreement ("BA Agreement
") effective as of the "Effective Date"
; of this agreement posted at the end of this agreement. Affiliated Covered Entity and Business Associate are sometimes hereinafter referred to individually as a “Party” and collectively as the “Parties.”
WHEREAS, HIPAA requires covered entities to protect the privacy of “Protected Health Information” (as defined below) by entering into agreements with persons and entities providing services for covered entities that involve the use or disclosure of protected health information.
WHEREAS, Affiliated Covered Entity and Business Associate are directly subject to HITECH and certain HIPAA provisions.
WHEREAS, legally separate covered entities, as defined in HIPAA, under common ownership or control are permitted to designate themselves as an affiliated covered entity, which then permits sharing of protected health information among all component covered entities within the affiliated covered entity as if they were a single covered entity.
WHEREAS, Affiliated Covered Entity is an “affiliated covered entity,” as defined in HIPAA, and the "Company" and any and all affiliates have been designated as an affiliated covered entity.
WHEREAS, the Parties desire that their business relationship operates in a manner consistent with HIPAA and HITECH.
NOW THEREFORE, in exchange for good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree to incorporate the forgoing recitals and the below into the Agreement as follows:
- Generally. The following terms used in this BA Agreement shall have the same meaning as those terms in the HIPAA Rules (as defined below): Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, Use, and Workforce.
- Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 C.F.R. §160.103, and in reference to the party to this BA Agreement, shall mean the party so identified above.
- Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 C.F.R. §160.103, and in reference to the party to this BA Agreement, shall mean the Affiliated Covered Entity.
- Affiliated Covered Entity. “Affiliated Covered Entity” shall generally have the same meaning as the term “affiliated covered entity” at 45 C.F.R. §164.105.
- HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
- Obligations Of Business Associate
- Use or Disclosure of Information.
- Business Associate shall not Use or Disclose Protected Health Information other than as required to perform the Services, as permitted or required under the Agreement or as Required By Law. Moreover, Business Associate shall at all times comply with the provisions of the HIPAA Rules applicable to Business Associate.
- Business Associate agrees to make reasonable efforts to limit Uses and Disclosures and requests for Protected Health Information to the Minimum Necessary.
- Business Associate shall not Use or Disclose Protected Health Information in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by a Covered Entity except for the specific Uses and Disclosures set forth in paragraphs (iv), (v), and (vi) below.
- Business Associate may Use Protected Health Information for the proper management and administration of the Business Associate or to carry out the Business Associate’s legal responsibilities.
- Business Associate may Disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the Business Associate’s legal responsibilities, provided the Disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that the information will remain confidential and Used or further Disclosed only as Required by Law or for the purposes for which it was Disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Business Associate may provide Data Aggregation services to the Affiliated Covered Entity relating to the Health Care Operations of the Affiliated Covered Entity.
- Safeguards. Business Associate shall use appropriate administrative, physical and technical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this BA Agreement, including, without limitation, appropriate training and discipline of Business Associate’s Workforce and restrictions on access to Protected Health Information.
- Mitigation. Business Associate shall mitigate, to the extent practicable, any harmful effect resulting from Use or Disclosure of Protected Health Information by Business Associate in violation of the requirements of this BA Agreement.
- Reporting Breaches. Business Associate shall notify Affiliated Covered Entity upon Business Associate’s discovery of a Breach of Unsecured Protected Health Information within five (5) business days of Business Associate’s discovery of such Breach. Such notice shall include, to the extent known, the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach.
- Reporting Noncompliance. Business Associate shall report to Affiliated Covered Entity any:
- Use or Disclosure of Protected Health Information not expressly provided for by this BA Agreement within five (5) business days of Business Associate’s discovery of such Use or Disclosure; and
- Security Incident of which Business Associate becomes aware in the following manner: (i) any actual, successful Security Incident will be reported to Affiliated Covered Entity in writing, after reasonable investigation by Business Associate; and (ii) any attempted, unsuccessful Security Incidents (such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service and any combination of the above) are hereby reported to Affiliated Covered Entity, and the Parties agree that no further notice of the foregoing is required. If the HIPAA Rules are amended to remove the requirement to report unsuccessful attempts at unauthorized access, this subsection (ii) shall no longer apply as of the effective date of the amendment of the HIPAA Rules.
- Subcontractors and Agents. In accordance with 45 C.F.R. §164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall, if applicable, ensure that any Subcontractors or agents that create, receive, maintain, or transmit Protected Health Information on the Business Associate’s behalf agree in writing to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
- Access. Within ten (10) business days of receipt of a request from Affiliated Covered Entity, Business Associate shall make available Protected Health Information in a Designated Record Set or otherwise provide access to Protected Health Information to the Affiliated Covered Entity and/or the Individual in order to comply with the Individual’s right to access Protected Health Information as provided in 45 C.F.R. § 164.524.
- Accounting. Business Associate shall maintain and, within ten (10) business days of receipt of a request from Affiliated Covered Entity, make available the information required to provide an accounting of Disclosures to the Affiliated Covered Entity and/or the Individual as necessary to satisfy Affiliated Covered Entity’s obligations under 45 C.F.R. §164.528. If an Individual makes a request for an accounting of Disclosures directly to Business Associate, Business Associate shall provide such accounting to the Individual within ten (10) business days of receipt of the request.
- Amendments. Business Associate shall make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by the Affiliated Covered Entity pursuant to 45 C.F.R. §164.526, or take other measures as necessary to satisfy Affiliated Covered Entity’s obligations under 45 C.F.R. §164.526, within ten (10) business days of Business Associate’s receipt of such request.
- Compliance With Investigations. Business Associate shall make all internal practices, books, records relating to the Use and Disclosure of Protected Health Information received or maintained pursuant to this BA Agreement available to Affiliated Covered Entity or the Secretary for purposes of determining Affiliated Covered Entity’s and/or Business Associate’s compliance with the HIPAA Rules.
- Subpoenas. Business Associate shall notify Affiliated Covered Entity within two (2) business days, or as soon as is practicable, of Business Associate’s receipt of any subpoena, discovery request, or other lawful process for Protected Health Information of Affiliated Covered Entity that is not accompanied by an order of a court or administrative tribunal. To the extent that Affiliated Covered Entity decides to assume responsibility for challenging the validity of such request, Business Associate agrees to use commercially reasonable efforts to cooperate with Affiliated Covered Entity in such challenge at the sole cost of Affiliated Covered Entity.
- Performance of Affiliated Covered Entity’s Obligations. To the extent Business Associate is to carry out any obligation of Affiliated Covered Entity under the HIPAA Rules, Business Associate shall agree to comply with the same requirements that apply to Affiliated Covered Entity in the performance of such obligation.
- Obligations of Affiliated Covered Entity
- Notice of Privacy Practices and Restrictions.
- Affiliated Covered Entity shall notify Business Associate of any limitation(s) in Affiliated Covered Entity’s notice of privacy practices under 45 C.F.R. §164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of Protected Health Information.
- Affiliated Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to Use or Disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate’s Use or Disclosure of Protected Health Information.
- Affiliated Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of Protected Health Information that Affiliated Covered Entity has agreed to or is required to abide by under 45 C.F.R. §164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of Protected Health Information.
- Permissible Requests by Affiliated Covered Entity. Affiliated Covered Entity shall not request Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by Affiliated Covered Entity, except for the specific Uses or Disclosure of set forth in paragraphs (iv), (v), and (vi) of Section 2(a).
- Affiliated Covered Entity represents and warrants that, during the term of this BA Agreement: (i) it will comply with all requirements applicable to an Affiliated Covered Entity under HIPAA, HITECH and the HIPAA Rules, (ii) will, and will require its affiliates and any other entities to which it allows access to the Services to comply with HIPAA, HITECH and the HIPAA Rules and to comply with and support the terms and conditions of this BA Agreement, (iii) commingling of PHI belonging to Affiliated Covered Entity or any entity to which it allows access to the Services is permissible, (iv) will be solely responsible for any requirements, obligations and restrictions under any arrangement or agreement with any affiliate or other entity to which it allow access to the Services to ensure all of the foregoing. Affiliated Covered Entity agrees to indemnify and hold harmless Business Associate, its licensors, service providers, and their respective affiliates, managers, agents and employees, from and against all losses, costs, damages and expenses, including reasonable attorneys’ fee, from claims arising from Affiliated Covered Entity’s breach of this Section 3.c, including without limitation, to the extent that Business Associate is deemed to be a “business associate” of any entity to which Affiliated Covered Entity allows access to the Services.
- Term. The term of this BA Agreement shall begin on the Effective Date and shall terminate upon the termination or expiration of the Agreement to which this Exhibit E is attached or on the date either Party terminates this BA Agreement for cause as authorized in paragraph (b) of this Section, whichever is sooner.
- Cause for Termination. Either Party may immediately terminate this BA Agreement and the Agreement to which this Exhibit E is attached upon a material breach of the provisions of this BA Agreement by the other Party, provided that the non-breaching Party provides written notice of the breach and an opportunity for the breaching Party to cure within thirty days. If the breaching Party does not cure the breach within thirty days, termination will be effective immediately upon delivery of written notice of termination to the breaching Party.
- Effect of Termination. Upon termination of this BA Agreement for any reason, Business Associate, with respect to Protected Health Information received from Affiliated Covered Entity, or created, maintained, or received by Business Associate on behalf of Affiliated Covered Entity, shall, except as provided below, return or destroy such Protected Health Information. Business Associate shall:
- Retain only that Protected Health Information for which return is not feasible or which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
- Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic Protected Health Information to prevent Use or Disclosure of the Protected Health Information, other than as provided for in this Section 4(c), for as long as Business Associate retains the Protected Health Information;
- Not Use or Disclose the Protected Health Information retained by Business Associate other than for the purposes for which such Protected Health Information was retained and subject to the same conditions set forth in Section 2(a) which applied prior to termination; and
- Return to Affiliated Covered Entity or destroy the Protected Health Information retained by Business Associate when it is feasible to do so or no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
- Survival. The obligations of Business Associate under this Section and Section 2(l) shall survive the termination or expiration of this BA Agreement.
- Regulatory References. A reference in this BA Agreement to a section in the HIPAA Rules means the section as in effect or as amended, and for which compliance is required.
- Amendment. The Parties agree to take such action as is necessary to amend this BA Agreement from time to time as is necessary or appropriate for the Parties to comply with the requirements of the HIPAA Rules.
- Interpretation. Any ambiguity in this BA Agreement shall be resolved in favor of a meaning that permits compliance with the HIPAA Rules.
- No Third Party Rights. Nothing in this BA Agreement is intended or shall be construed to confer any rights or entitlements to remedy on any person or entity other than Affiliated Covered Entity and Business Associate.
Acceptance of Business Associate Agreement
***Please complete the Business Associate Agreement using our secure electronic version. Once completed, you will receive an executed version by Mediprocity after review.***
YES, I have read and agree
with the Business Associate and Account Restrictions Agreements.Mediprocity will send a copy of these counter-signed agreements.
IN WITNESS WHEREOF, the parties hereto have duly executed this BAA as of the Effective Date.