Business Associate Agreement
This Business Associate Agreement (this “Agreement”) is entered into effective as of ______ by and between _____ (herein “Covered Entity”) and Practis, LLC, a Delaware limited liability company (herein “Business Associate”), in order to comply with 45 C.F.R. 164.502(e) and 164.504(e), governing protected health information (“PHI”) and also with respect to the American Recovery Investment Act of 2009 (“ARRA”) under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191), 42 U.S.C. Section 1320d, et. seq., and regulations promulgated thereunder, as amended from time to time (statute and regulations hereafter collectively referred to as “HIPAA”). Covered Entity and Business Associate may be referred to herein individually as a “Party” or collectively as the “Parties”.
WHEREAS, Covered Entity and Business Associate are parties to an agreement (“Underlying Agreement”) pursuant to which Business Associate provides certain services (“Services”) to Covered Entity, which may require that Business Associate receive PHI from Covered Entity to perform such Services; and
WHEREAS, both Parties are committed to complying with HIPAA;
NOW, THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and adequacy of which are hereby acknowledged, the Parties agree as follows:
a. General HIPAA Terms. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms have under HIPAA, including but not limited to the following terms: Data Aggregation, Designated Record Set, Health Care Operations, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Subcontractor, and Unsecured Protected Health Information.
b. “Breach” shall mean the acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA, which compromises the security or privacy of the PHI. Breach shall not include:
i. Any unintentional acquisition, access, use, or disclosure of PHI by an employee or individual acting under the authority of Covered Entity or Business Associate, if such acquisition, access, Use or Disclosure was made in good faith and within the course and scope of employment, authority or other professional relationship of such employee or individual, respectively, with the Covered Entity or Business Associate, and such information is not further acquired, accessed, Used or Disclosed in a manner not permitted under HIPAA;
ii. Any inadvertent Disclosure by a person who is authorized to access PHI at Covered Entity or Business Associate to another person who is authorized to access PHI at Covered Entity or Business Associate, respectively, and the PHI received as a result of such Disclosure is not further Used or Disclosed in a manner not permitted under HIPAA; or
iii. A Disclosure of PHI where Covered Entity or Business Associate has a good faith belief that the unauthorized person to whom the Disclosure was made would not reasonably have been able to retain such information.
c. “Disclosure” means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.
d. “Discovery” means the time at which a Breach or other Security Incident is known, or in the exercise of reasonable diligence, should have been known, to a person (other than the person committing the Breach or causing the Security Incident) who is an officer, director, employee, agent or representative of Business Associate.
e. “Individual” shall have the same meaning as the term “individual” in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
f. “Security Incident” means the unauthorized access, Use, Disclosure, modification, or destruction of information or interference with system operations in an information system.
g. “Use” of PHI means the sharing, employment, application, utilization, examination, or analysis of such PHI within an entity that maintains such PHI.
2. Obligations and Activities of Business Associate.
a. Not to Use or Disclose PHI Unless Permitted. Business Associate agrees not Use or Disclose PHI other than as permitted or required by this Agreement or as Required by Law.
b. Safeguards. Business Associate agrees to use appropriate physical, administrative and technical safeguards to protect electronic PHI and to comply with Subpart C of 45 CFR Part 164 with respect to such electronic PHI.
c. Breach, Security Incident or Improper Disclosure or Use. Business Associate agrees to report to Covered Entity any Breach, Security Incident, unauthorized Use or unauthorized Disclosure affecting Covered Entity’s PHI of which Business Associate becomes aware (“Notification”), unless such Notification is prohibited by law. Such Notification shall be made no later than 60 days following the date of Discovery.
d. Subcontractors. Business Associate agrees to enter into a written agreement with each of Business Associate’s subcontractors that may have access to Covered Entity’s PHI that complies with the requirements of 45 CFR 164.05(e).
e. Access. Within twenty (20) days of Covered Entity’s written request, Business Associate shall provide Covered Entity with access to PHI in a designated record set as necessary for Covered Entity to satisfy its obligations under 45 CFR 164.524. If Business Associate receives a request for PHI in a designated record set directly from an Individual, Business Associate will promptly forward the Individual’s request to Covered Entity to fulfill the request.
f. Amendments. Business Associate shall make any amendment(s) to PHI in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526. If Business Associate receives a request for amendment to PHI in a designated record set directly from an Individual, Business Associate will promptly forward the Individual’s request to the Covered Entity to fulfill the request.
g. Accounting. Covered Entity acknowledges that Business Associate is not required by this Agreement or the Underlying Agreement to make Disclosures of PHI to Individuals or any person other than Covered Entity and that Business Associate does not, therefore, expect to maintain documentation of such Disclosures as described in 45 CFR 164.528. If Business Associate is required make such Disclosures, it shall document the Disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of Disclosures and shall provide such documentation to Covered Entity upon Covered Entity’s request as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528. Should an accounting of disclosures of PHI for a particular individual be requested more than once in any twelve (12) month period, Business Associate may charge Covered Entity a reasonable, cost-based fee.
h. Compliance with 45 CFR Part 165, Subpart E. To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164 governing privacy of PHI, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
i. Books and Records. Business Associate shall make available to the Department of Health and Human Services its internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity for purposes of determining the Covered Entity’s or Business Associate’s compliance with HIPAA.
3. Permitted Uses and Disclosures by Business Associate
a. Use and Disclosure; Rights. Business Associate may not Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 (Privacy of PHI). Business Associate acknowledges that this Agreement does not in any manner grant Business Associate any greater rights than Covered Entity enjoys, nor shall this Agreement be deemed to permit or authorize Business Associate to use or further disclose PHI in a manner that would otherwise violate the requirements of HIPAA if done by Covered Entity.
b. Management and Administration. Business Associate may Use PHI for the proper management and administration of Business Associate.
c. Minimum Necessary. Business Associate must limit any Use, Disclosure, or request for Use or Disclosure to the Minimum Necessary amount to accomplish the intended purpose of the Use, Disclosure, or request in accordance with the requirements of HIPAA.
4. Obligations of Covered Entity
a. No Improper Requests. Covered Entity shall not request that Business Associate Use or Disclose PHI in any manner that would not be permissible under HIPAA. Covered Entity also shall not request that Business Associate Use or Disclose PHI in a manner that would not be permissible if done by Covered Entity.
b. Privacy Practices Notice. Covered Entity shall notify Business Associate of any changes in, or revocation of permission by an Individual to Use or Disclose PHI, to the extent that such changes may affect Business Associate’s use or Disclosure of PHI.
c. Revocation of Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to Use or Disclose his or her PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
d. Restrictions on Use or Disclosure. Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
5. Term and Termination
a. Term. This Agreement shall commence on the Effective Date and shall terminate when all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.
b. Termination for Cause. Notwithstanding the terms of the Underlying Agreement and/or any other agreement between the Parties, either Party may terminate this Agreement if the other Party has breached a material term of this Agreement. Unless the terminating Party has reason to believe that the breach is not capable of being cured within a reasonable period and/or is likely to recur in the future, the terminating Party shall give the other Party thirty (30) days written notice of the existence of an alleged material breach and a reasonable opportunity to cure the breach prior to terminating this Agreement.
c. Obligations of Business Associate Upon Termination. Business Associate agrees that upon termination of this Agreement, if feasible, Business Associate shall (a) return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains in any form and retain no copies of such information or, (b) if such return or destruction is not feasible, extend the protection of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
a. Future Agreements. The Parties acknowledge and agree that the terms and conditions stipulated in this Agreement shall apply to any future written or oral agreements between Covered Entity and Business Associate that involve the Use or Disclosure of PHI, whether or not this Agreement is specifically incorporated by reference in such future agreements between the Parties.
b Regulatory References. A reference in this Agreement to a HIPAA section means the section as in effect or as amended that the time of the Party’s performance and/or obligation to perform under this Agreement.
c. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of an interpretation that complies with HIPAA.
d. Notices. All notices and other communications under this Agreement to any Party shall be in writing and shall be deemed given when delivered personally, telecopied (which is confirmed) to that Party at the telecopy number for that Party set forth at the end of this Agreement, mailed by certified mail (return receipt requested) to that Party at the address for that Party set forth at the end of this Agreement (or at such other address for such Party as such Party shall have specified in a notice to the other Parties), or delivered to Federal Express, UPS, or any similar express delivery service for delivery to that Party at that address.
e. Non-Waiver. No failure by any Party to insist upon strict compliance with any term or provision of this Agreement, to exercise any option, to enforce any right, or to seek any remedy upon any default of any other Party shall affect, or constitute a waiver of, any Party’s right to insist upon such strict compliance, exercise that option, enforce that right, or seek that remedy with respect to that default or any prior, contemporaneous, or subsequent default. No custom or practice of the Parties at variance with any provision of this Agreement shall affect or constitute a waiver of, any Party’s right to demand strict compliance with all provisions of this Agreement.
F. Entire Agreement. This Agreement constitutes the entire agreement and supersedes all prior agreements and understandings, written and oral, betweeen the Parties with respect to the subject matter of this Agreement. To the extent that any provisions of this Agreement conflict with the provisions of any other agreement or understanding between the Parties, including the Underlying Agreement, this Agreement shall control with respect to the subject matter of this Agreement.
g. No Third-Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any other person other than the Parties and their respective successor or assigns, any rights, remedies, obligations or liabilities whatsoever.
h. Independent Contractors; No Agency. No provision of this Agreement is intended to create, nor shall be deemed or construed to create, any employment, agency or joint venture relationship between Covered Entity and Business Associate other than that of independent entities contracting with each other hereunder solely for the purpose of effectuating the provisions of this Agreement. None of the Parties nor any of their respective representatives shall be construed to be the agent, employer or representative of the other. The Parties acknowledge that Covered Entity shall not have authority to direct or control Business Associate’s conduct to an extent or in a manner that would give rise to an agency relationship under applicable law.
i. Disclaimer. Business Associate makes no warranty or representation that compliance by the Covered Entity with this Agreement or HIPAA will be adequate or satisfactory for Covered Entity’s own purposes. Business Associate is only responsible for decisions made by Business Associate regarding the safeguarding of PHI it receives, generates or maintains on behalf of Covered Entity pursuant to the Underlying Agreement.
j. Assignment. This Agreement shall be binding upon, inure to the benefit of and be enforceable by and against the Parties and their respective heirs, personal representatives, successors, and assigns. Neither this Agreement nor any of the rights, interests or obligations under this Agreement shall be transferred or assigned by Business Associate without the prior written consent of Covered Entity, except that Business Associate may assign some or all of its rights and obligations under this Agreement, without the consent of Covered Entity, to (i) any surviving entity by way of merger, consolidation or corporate restructuring of Business Associate or one of its affiliates; and (ii) any purchaser of all or substantially all of the assets or stock of the Business Associate or one of its affiliates.
k. Severability. With respect to any provision of this Agreement finally determined by a court of competent jurisdiction to be unenforceable, such court shall have jurisdiction to reform such provision so that it is enforceable to the maximum extent permitted by applicable law, and the Parties shall abide by such court’s determination. In the event that any provision of this Agreement cannot be reformed, such provision shall be deemed to be severed from this Agreement, but every other provision of this Agreement shall remain in full force and effect.
l. Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of North Carolina.
m. State Law. Nothing in this Agreement shall be construed to require Business Associate to use or disclose PHI without written authorization from an Individual who is a subject of the PHI, or written authorization from any other person, where such authorization would be required under state law for such use or disclosure
n. Survival. All representations, covenants, and agreements in or under this Agreement or any other documents executed in connection with the transactions contemplated by this Agreement, shall survive the execution, delivery, and performance of this Agreement and such other documents.
o. Further Assurances. Each Party shall execute, acknowledge or verify, and deliver any and all documents which may from time to time be reasonably requested by the other Party to carry out the purpose and intent of this Agreement.