Form CMS-10199 BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT
This Privacy Agreement ("Agreement") is effective upon signing this Agreement and is entered
into by and between

("Covered Entity") and

Fu Associates, Ltd. (the "Business Associate").
1. Term. This Agreement shall remain in effect for the duration of the Task Order the Business
Associate has with CMS to maintain Carotid Stenting Data (September 13, 2018), and shall
apply to all of the Services and/or Supplies delivered by the Business Associate pursuant to this
Agreement.
2. HIPAA Assurances. In the event Business Associate creates, receives, maintains, or
otherwise is exposed to personally identifiable or aggregate patient or other medical information
defined as Protected Health Information ("PHI") in the Health Insurance Portability and
Accountability Act of 1996 or its relevant regulations ("HIPAA") and otherwise meets the
definition of Business Associate as defined in the HIPAA Privacy Standards (45 CFR Parts 160
and 164), Business Associate shall:
(a) Recognize that HITECH (the Health Information Technology for Economic and
Clinical Health Act of 2009) and the regulations thereunder (including 45 C.F.R. Sections
164.308, 164.310, 164.312, and 164.316), apply to a business associate of a covered
entity in the same manner that such sections apply to the covered entity;
(b) Not use or further disclose the PHI, except as permitted by law;
(c) Not use or further disclose the PHI in a manner that had
done so, would violate the
requirements of HIPAA;
(d) Use appropriate safeguards (including implementing administrative, physical, and
technical safeguards for electronic PHI) to protect the confidentiality, integrity, and
availability of and to prevent the use or disclosure of the PHI other than as provided
for by this Agreement;
(e) Comply with each applicable requirements of 45 C.F.R. Part 162 if the Business
Associate conducts Standard Transactions for or on behalf of the Covered Entity;
(f) Report promptly to
any security
incident or other use or disclosure of PHI not provided for by this Agreement of which
Business Associate becomes aware;
(g) Ensure that any subcontractors or agents who receive or are exposed to PHI
(whether in electronic or other format) are explained the Business Associate obligations
under this paragraph and agree to the same restrictions and conditions;
(h) Make available PHI in accordance with the individual’s rights as required under the
HIPAA regulations;
(i) Account for PHI disclosures for up to the past six (6) years as requested by
Covered Entity, which shall include:

(1) Dates of disclosure, (2) names of the entities or persons who received the
PHI, (3) a brief description of the PHI disclosed, and (4) a brief statement of
the purpose and basis of such disclosure;
(j) Make its internal practices, books, and records that relate to the use and disclosure
of PHI available to the U.S. Secretary of Health and Human Services for purposes of
determining Customer’s compliance with HIPAA; and
(k) Incorporate any amendments or corrections to PHI when notified by Customer
or enter into a Business Associate Agreement or other necessary Agreements to
comply with HIPAA.
3. Termination upon Breach of Provisions. Notwithstanding any other provision of this
Agreement, Covered Entity may immediately terminate this Agreement if it determines that
Business Associate breaches any term in this Agreement. Alternatively, Covered Entity may
give written notice to Business Associate in the event of a breach and give Business Associate
five (5) business days to cure such breach. Covered Entity shall also have the option to
immediately stop all further disclosures of PHI to Business Associate if Covered Entity
reasonably determines that Business Associate has breached its obligations under this
Agreement. In the event that termination of this Agreement and the Agreement is not feasible,
Business Associate hereby acknowledges that the Covered Entity shall be required to report the
breach to the Secretary of the U.S. Department of Health and Human Services, notwithstanding
any other provision of this Agreement or Agreement to the contrary.
4. Return or Destruction of Protected Health Information upon Termination. Upon the
termination of this Agreement, unless otherwise directed by Covered Entity, Business Associate
shall either return or destroy all PHI received from the Covered Entity or created or received by
Business Associate on behalf of the Covered Entity in which Business Associate maintains in
any form. Business Associate shall not retain any copies of such PHI. Notwithstanding the
foregoing, in the event that Business Associate determines that returning or destroying the
Protected Health Information is infeasible upon termination of this Agreement, Business
Associate shall provide to Covered Entity notification of the condition that makes return or
destruction infeasible. To the extent that it is not feasible for Business Associate to return or
destroy such PHI, the terms and provisions of this Agreement shall survive such termination or
expiration and such PHI shall be used or disclosed solely as permitted by law for so long as
Business Associate maintains such Protected Health Information.
5. No Third Party Beneficiaries. The parties agree that the terms of this Agreement shall apply
only to themselves and are not for the benefit of any third party beneficiaries.
6. De-Identified Data. Notwithstanding the provisions of this Agreement, Business Associate
and its subcontractors may disclose non-personally identifiable information provided that the
disclosed information does not include a key or other mechanism that would enable the
information to be identified.

7. Amendment. Business Associate and Covered Entity agree to amend this Agreement to the
extent necessary to allow either party to comply with the Privacy Standards, the Standards for
Electronic Transactions, the Security Standards, or other relevant state or federal laws or
regulations created or amended to protect the privacy of patient information. All such
amendments shall be made in a writing signed by both parties.
8. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that
permits Covered Entity to comply with the then most current version of HIPAA and the HIPAA
privacy regulations.
9. Definitions. Capitalized terms used in this Agreement shall have the meanings assigned to
them as outlined in HIPAA and its related regulations.
10. Survival. The obligations imposed by this Agreement shall survive any expiration or
termination of this Agreement.
Facility:
Facility Address:
City/State/Zip:
The facility signer should be the person responsible for maintaining PHI for the facility
(e.g., the Chief Privacy Officer, System Security Officer, or Chief Executive Officer).

Signature:
Name:
Title:
E-mail address of signer:
Date:

Business Associate: Fu Associates, Ltd.
Suite 1400, 2300 Clarendon Drive, Arlington, VA 22201
Signature:
Name:
Title:
Date:
E-mail address of signer:
According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid
OMB control number. The valid OMB control number for this information collection is 0938-1011 (Expires XX/XX/XXXX). This is a
mandatory information collection. The time required to complete this information collection is estimated to average 11 hours per response,
including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information
collection. If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to:
CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Mail Stop C4-26-05, Baltimore, Maryland 21244-1850.
*****CMS Disclaimer*****Please do not send applications, claims, payments, medical records or any documents containing sensitive
information to the PRA Reports Clearance Office. Please note that any correspondence not pertaining to the information collection
burden approved under the associated OMB control number listed on this form will not be reviewed, forwarded, or retained. If you
have questions or concerns regarding where to submit your documents, please contact Sarah Fulton at [email protected].