Business Associate Agreement
This Business Associate Agreement (“BA Agreement”) is entered into as of and is in effect as of __________________ (“Effective Date”) by and between [Insert Name of Appropriate contracting party] (“[Insert Short Form Name of Contracting Party”), on behalf of Contracting Party, and [Insert Name of Business Associate] (“Business Associate”).
RECITALS
HEALTH PLAN provides certain Protected Information (as defined below) to Business Associate in the course of the parties’ business relationship.
In order to protect the privacy of the Protected Information and to comply with HIPAA and the HIPAA Regulations (as defined below), HEALTH PLAN and Business Associate desire to enter into this BA Agreement setting forth the terms and conditions of disclosure of Protected Information.
In consideration of the mutual promises set forth below, the parties agree as follows:
ARTICLE I: DEFINITIONS
General Rule. Capitalized terms not otherwise defined in this BA Agreement shall have the same meaning as those terms in the Privacy Rule and the Security Rule.
HIPAA means the Health Insurance Portability & Accountability Act of 1996, P.L. 104-191.
HIPAA Regulations means the regulations promulgated under HIPAA by the U.S. Department of Health and Human Services, including but not limited to, the Privacy Rule.
Privacy Rule means the Standards for Privacy of Individually Identifiable Health Information, codified at 45 CFR parts 160 and 164, Subparts A and E, as currently in effect.
Protected Information means Protected Health Information (“PHI”) provided by HEALTH PLAN to Business Associate, or created or received by Business Associate on HEALTH PLAN’s behalf.
Protected Health Information (PHI) shall have the meaning given to the term under the Privacy Rule, including by not limited to, 45 CFR Section 164.501.
ARTICLE II: OBLIGATIONS OF BUSINESS ASSOCIATE
General Requirements. Except as otherwise limited in this BA Agreement, Business Associate may use or disclose Protected Information to perform functions, activities, or services for, or on behalf of, HEALTH PLAN as described in Exhibit A, attached hereto and incorporated herein, provided that such Use or Disclosure would not violate the Privacy Rule if done by HEALTH PLAN. Business Associate and its agents and subcontractors shall only request, use, and disclose the minimum amount of Protected Information necessary to accomplish the purpose of the permitted Use or Disclosure. Business Associate agrees to comply with all applicable HIPAA Regulations.
Uses Permitted By Law. As permitted by the Privacy Rule, Business Associate may use or disclose Protected Information: (a) as is necessary for the proper management and administration of Business Associate's organization, or (b) to carry out the legal responsibilities of Business Associate; provided, however, that any permitted Disclosure to a third party must be either Required By Law or subject to reasonable assurances obtained by Business Associate from the third party that the Protected Information will be held confidentially, and securely, and used or disclosed only as Required By Law or for the purposes for which it was disclosed to such third party, and that any breaches of confidentiality of the Protected Information which become known to such third party will be immediately reported to Business Associate. Business Associate shall notify HEALTH PLAN in a timely manner prior to making any Disclosure of Protected Information Required By Law, to afford HEALTH PLAN the opportunity to respond to the request for such a Disclosure.
Data Aggregation. Business Associate may provide Data Aggregation services relating to the Health Care Operations of HEALTH PLAN.
Disclosures to Agents and Subcontractors. Business Associate shall ensure that any agent or subcontractor to whom it provides Protected Information agrees in writing to the same terms set forth herein regarding the Use and Disclosure and security of Protected Information, including, but not limited to, implementation of administration, physical and technical safeguards, notice of prohibited Use or Disclosure, mitigation of harmful effects, responses to requests for access and amendment, and a term permitting immediate termination of the agent’s or subcontractor’s agreement with Business Associate for improper Use or Disclosure of Protected Information. Business Associate shall terminate its agreement with any agent or subcontractor to whom it provides Protected Information if such agent or subcontractor fails to abide by any material term of such agreement.
Safeguards. Business Associate shall implement and use appropriate safeguards as necessary to prevent the Use or Disclosure of Protected Information in any manner that is not permitted by this BA Agreement, including but not limited to, safeguards designed to limit incidental Uses or Disclosures made pursuant to an otherwise permitted or required Use or Disclosure.
Notice of Prohibited Uses or Disclosures. Business Associate shall provide written notice to HEALTH PLAN of any Use or Disclosure of Protected Information that is in violation of this BA Agreement, the Privacy Rule, or other applicable federal or state law within five (5) business days of becoming aware of such Use or Disclosure. Business Associate shall also notify HEALTH PLAN in writing within five (5) business days of receipt of any complaint that Business Associate receives concerning the handling of Protected Information or compliance with this BA Agreement.
Mitigation. Business Associate shall mitigate promptly, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of Protected Information by Business Associate in violation of this BA Agreement, the Privacy Rule, or other applicable federal or state law.
Access and Amendment. To enable HEALTH PLAN to fulfill its obligations under the Privacy Rule, Business Associate shall make Protected Information in Designated Record Sets that are maintained by Business Associate or its agents or subcontractors available to HEALTH PLAN for inspection, copying or amendment within ten (10) days of a request by HEALTH PLAN. If an Individual requests inspection, copying or amendment of Protected Information directly from Business Associate or its agents or subcontractors, Business Associate shall notify HEALTH PLAN in writing within five (5) business days of receipt of the request, and shall defer to, and comply with, HEALTH PLAN’s direction in a timely manner regarding the response to the Individual regarding the request for inspection, copying or amendment.
Accounting. Business Associate will not attach any Protected Information to data collected as a part of this research and will not share individual data with any other parties, and therefore does not anticipate any Disclosures. Should accidental Disclosure of Protected Information occur, Business Associate shall implement the following procedure for recording Disclosures in order to enable HEALTH PLAN to comply timely with its obligations under the Privacy Rule including, but not limited to, 45 CFR Section 164.528. At a minimum, this Accounting of Disclosures shall include for each such Disclosure recordation of (a) the name and date of birth of the Individual whose Protected Information was the subject of the Disclosure; (b) the date of Disclosure; (c) the name and address of the recipient of the Protected Information; (d) a brief description of the Protected Information disclosed; and (e) a brief statement of the purpose for the Disclosure that reasonably informs the Individual of the basis for the Disclosure. Within ten (10) days of notice from HEALTH PLAN of a request for an accounting of Disclosures of Protected Information, Business Associate shall make available to HEALTH PLAN this Accounting Information. In addition, for any month in which Business Associate makes a Disclosure of Protected Information, Business Associate shall provide Accounting Information during the subsequent month pertaining to HEALTH PLAN, in a format and medium specified by HEALTH PLAN. If an Individual requests an accounting directly from Business Associate or its agents or subcontractors, Business Associate must notify HEALTH PLAN in writing within five (5) business days of the request, and shall defer to, and comply in a timely manner with, HEALTH PLAN’s direction regarding the response to the Individual regarding the request for an accounting.
Government Officials. Business Associate shall make its internal practices, books and records relating to the Use and Disclosure of Protected Information available to the Secretary of the U.S. Department of Health and Human Services (“Secretary”) for purposes of determining HEALTH PLAN’s compliance with the Privacy Rule. Business Associate shall notify HEALTH PLAN regarding any Protected Information that Business Associate provides to the Secretary concurrently with providing such Protected Information to the Secretary, and upon HEALTH PLAN’s request, shall provide HEALTH PLAN with a duplicate copy of such Protected Information.
Insurance and Indemnity. Business Associate shall maintain or cause to be maintained sufficient insurance coverage as shall be necessary to insure Business Associate and its agents or subcontractors against any claim or claims for damages arising under this BA Agreement. Such insurance coverage shall apply to all site(s) of Business Associate and to all services provided by Business Associate or its agents or subcontractors under this BA Agreement.
Business Associate shall indemnify, hold harmless and defend HEALTH PLAN and its affiliated entities from and against any and all claims, losses, liabilities, costs and other expenses (including reasonable attorneys’ fees and costs) incurred as a direct result of, or arising directly out of, or in direct connection with any negligent act or willful misconduct by Business Associate, its agents or subcontractors under this BA Agreement.
Disclosure. To the extent that Business Associate creates, receives, maintains, or transmits electronic PHI, Business Associate shall also implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic Protected Information that may be transmitted in conformity with the requirements of the Security Rule.
Reporting of Security Incidents. If the Business Associate creates, receives, maintains, or transmits electronic PHI, Business Associate shall appropriately report any security incident, as defined by the Security Rule.
Mitigation. Business Associate shall mitigate promptly, to the extent practicable, any harmful effect of a security incident for which Business Associate is responsible, or of which Business Associate is aware, that involves electronic Protected Information and is in violation of this BA Agreement, the Security Rule, or other applicable federal or state law.
ARTICLE III: OBLIGATIONS OF HEALTH PLAN
Notice of Privacy Practices. HEALTH PLAN shall notify Business Associate of limitation(s) in its notice of privacy practices in accordance with 45 CFR Section 164.520, to the extent such limitation affects Business Associate’s permitted Uses or Disclosures.
Individual Permission. HEALTH PLAN shall notify Business Associate of changes in, or revocation of, permission by an Individual to use or disclose Protected Information, to the extent such changes affect Business Associate’s permitted Uses or Disclosures.
Restrictions. HEALTH PLAN shall notify Business Associate of restriction(s) in the Use or Disclosure of Protected Information that HEALTH PLAN has agreed to in accordance with 45 CFR Section 164.522, to the extent such restriction affects Business Associate’s permitted Uses or Disclosures.
Prohibited Requests. HEALTH PLAN shall not request Business Associate to use or disclose Protected Information in any manner that would not be permissible under the Privacy Rule if done by HEALTH PLAN.
OHCA. The provisions of this BA Agreement regarding the obligations and rights of HEALTH PLAN, and the obligations owed by Business Associate to HEALTH PLAN, shall be deemed to extend to every entity in the HEALTH PLAN as if each such entity was a party to this BA Agreement.
ARTICLE IV: TERM AND TERMINATION
Term. This BA Agreement shall commence as of the Effective Date and shall continue in effect unless and until terminated by HEALTH PLAN under this Section 4.1 or Section 4.2, below. HEALTH PLAN may terminate this BA Agreement, without cause, on five (5) days’ prior written notice to Business Associate.
Termination for Cause. If HEALTH PLAN determines that Business Associate, or any of its agents or subcontractors, has breached any material provision of this BA Agreement, which may include a pattern of activity or practice that constitutes a material breach, then HEALTH PLAN, in its sole discretion, may (a) notify Business Associate of the material breach and request that it be cured; (b) terminate this BA Agreement and HEALTH PLAN’s business relationship with Business Associate immediately or upon such notice as HEALTH PLAN may determine; or (c) report the material breach to the Secretary of the Department of Health and Human Services, if HEALTH PLAN determines in its sole discretion that termination of its business relationship with Business Associate is infeasible. In the event that HEALTH PLAN notifies Business Associate of the material breach and requests that it be cured under (a) above, but HEALTH PLAN subsequently determines in its sole discretion that Business Associate has failed to cure the material breach to the reasonable satisfaction of HEALTH PLAN, then HEALTH PLAN may in its sole discretion follow the procedures set forth in (b) or (c) above without further notice.
Effects of Termination. Upon termination of the business relationship between the parties and/or the BA Agreement for any reason, Business Associate shall, at HEALTH PLAN’s direction, return or destroy all Protected Information that Business Associate or its agents or subcontractors still maintain in any form, and shall retain no copies of such Protected Information. Upon HEALTH PLAN’s request, Business Associate shall certify in writing that such return or destruction has occurred. If Business Associate determines that return or destruction is not feasible, Business Associate shall explain to HEALTH PLAN in writing why conditions make the return or destruction of such Protected Information not feasible. If HEALTH PLAN agrees that the return or destruction of Protected Information is not feasible, Business Associate shall retain the Protected Information, subject to all of the protections of this BA Agreement, and shall make no further Use or Disclosure of the Protected Information, except as for those purposes that make the return or destruction of the Protected Information not feasible. In any event, upon termination of the business relationship between the parties and/or the BA Agreement, Business Associate shall retain for no less than six (6) years the Accounting Information compiled by Business Associate pursuant to section 2.9 of this BA Agreement, and shall make such Accounting Information available to HEALTH PLAN within five (5) business days of a request.
Survival. The obligations of Business Associate under this Article IV shall survive the termination of the business relationship between the parties and/or the BA Agreement.
ARTICLE V: MISCELLANEOUS
Assistance. In the event of an administrative or judicial action commenced against HEALTH PLAN where Business Associate may be at fault, in whole or in part, as the result of its performance under this BA Agreement, Business Associate agrees to defend or to cooperate with HEALTH PLAN in the defense against such action.
Subcontracts and Assignment. Business Associate shall not subcontract its obligations, assign its rights, or delegate its duties under this BA Agreement without the express written consent of HEALTH PLAN.
Amendment. If any modification to this BA Agreement is required for conformity with federal or state law or if HEALTH PLAN reasonably concludes that an amendment to this BA Agreement is required because of a change in federal or state law, or by reason of HEALTH PLAN’s status as a business associate of another covered entity, HEALTH PLAN shall notify Business Associate of such proposed modification(s) (“Required Modifications”). Such Required Modifications shall be deemed accepted by Business Associate and this BA Agreement so amended, if Business Associate does not, within thirty (30) calendar days following the date of the notice, deliver to HEALTH PLAN its written rejection of such Required Modifications. If Business Associate submits a written rejection of the Required Modification, HEALTH PLAN may terminate its business relationship with Business Associate upon thirty (30) days written notice, or such longer period as may be required by law. Other modifications to this BA Agreement may be made on mutual agreement of the parties.
Business Relationship. Except as specifically required to implement the purposes of this BA Agreement, and except to the extent inconsistent with this BA Agreement, all terms of the business relationship between the parties shall remain in full force and effect. In the event of a conflict between the terms of the business relationship between the parties and this BA Agreement, this BA Agreement shall control.
Ambiguity. Any ambiguity in this BA Agreement relating to the Use and Disclosure of Protected Information shall be resolved in favor of a meaning that furthers the obligations to protect the privacy and security of the Protected Information, whether electronic or other medium, in accordance with the Privacy Rule.
State Law. In addition to HIPAA and all applicable HIPAA Regulations, Business Associate shall comply with all applicable state and federal security and privacy laws.
Third Party Beneficiaries. Except as expressly provided for in this BA Agreement or the Privacy Rule, there are no third party beneficiaries to this BA Agreement.
Counterparts. This BA Agreement and any exhibits hereto may be executed in one or more counterparts; each counterpart shall be deemed an original.
Notices. All notices required or permitted to be given under this BA Agreement shall be in writing and shall be sufficient in all respects if delivered personally, by nationally recognized overnight delivery service, or by registered or certified mail, postage prepaid, addressed as follows:
If to HEALTH PLAN:
________________________________
________________________________
Attention: Privacy/Security Officer_
|
If to Business Associate:
________________________________
________ _______________________
Attention: ______________________
|
Notice shall be deemed to have been given upon transmittal thereof as to those personally delivered, upon the first day after mailing as to those sent by nationally recognized overnight delivery service, and upon the third day after mailing as to those sent by United States Mail. The above addresses may be changed by giving notice in the manner provided for above.
[REMAINDER OF PAGE INTENTIONALLY LEFT BLANK]
IN WITNESS WHEREOF, the parties hereto have duly executed this BA Agreement as of the date set forth below.
[HEALTH PLAN Contracting Party] |
BUSINESS ASSOCIATE |
By: ______________________________ |
By: ______________________________ |
|
|
Name: ____________________________ |
Name: ____________________________ |
|
|
Title: _____________________________ |
Title: _____________________________ |
|
|
Date: _____________________________ |
Date: _____________________________ |
EXHIBIT A
Description of Business Relationship Between HEALTH PLAN and Business Associate:
HEALTH PLAN has volunteered to participate in a demonstration of a pilot tool with the Center for Medicare and Medicaid Services (CMS). Business Associate is conducting the evaluation of this demonstration for CMS. Business Associate and HEALTH PLAN have not entered a financial agreement. This agreement regards HEALTH PLAN and Business Associate’s procedure for the sharing and use of Protected Information.
__________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
Permitted Uses and Disclosures of Protected Information by Business Associate:
Business Associate will obtain from HEALTH PLAN the following information in order to administer a survey: names, contact information (telephone, email, and mailing address if available), chronic disease status, age, and gender for Medicare beneficiaries registered for HEALTH PLAN’s personal health record. If applicable, HEALTH PLAN will give NORC the contact information for the registered Medicare beneficiaries’ providers in order to administer telephone discussions around provider experiences with Personal Health Records.
Use of Protected Information by Business Associate will be solely for the purpose of contacting participants for survey and focus group discussions. No Protected Information such as Medicare number, insurance plan information, or social security number will be collected by Business Associate. All subject data will be de-identified in order to secure any Protected Information participants may choose to share with Business Associate as a part of the evaluation.
All names and contact information obtained from HEALTH PLAN in paper form will be filed in secured, locked cabinets. Subject data obtained from the survey and focus groups in paper form will be stored in locked cabinets separately from contact information. Electronic subject data will be stored in a password-protected secure database accessible only to Business Associate. Electronic contact information will be stored in a separate password-protected secure database accessible only by Business Associate. Upon completion of this evaluation, all forms of subject data and contact information will be destroyed by Business Associate.
Business Associate will not Disclose Protected Information to any parties. Deidentified, aggregate data will be shared with client (CMS) and in a report to government officials in the Department of Health and Human Services (DHHS).
___________________________________________________________
___________________________________________________________
___________________________________________________________
| File Type | application/msword |
| File Title | BUSINESS ASSOCIATE AGREEMENT |
| Author | VANPATRO |
| Last Modified By | CMS_DU |
| File Modified | 2008-08-27 |
| File Created | 2008-08-27 |