Business Associate & Electronic Access Agreement
Terms used, but not otherwise defined, in this Business Associate & Electronic Access Agreement (“BAA”) shall have the same meaning as those terms in 45 Code of Federal Regulations (“CFR”) §§ 160.103, 164.402, and 164.501.
The Health Insurance Portability and Accountability Act of 1996, and all of the implementing regulations of that statute, including Parts 160 and 164 of Title 45 of the CFR, as amended from time to time.
The same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
A3. Privacy Rule.
The Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.
A4. Security Rule.
The Standards for Security of Individually Identifiable Health Information at 45 CFR parts 160 and 162 and part 164, subparts A and C.
The same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information created or received by Contractor from or on behalf of Facility.
A6. Required By Law.
The same meaning as the term “required by law” in 45 CFR § 164.103.
The same meaning as the term “breach” in 45 CFR § 164.402.
A8. Unsecured Information.
The same meaning as the term “unsecured protected health information” in 45 CFR § 164.402.
The Department of Health and Human Services or its designee.
The release, transfer or provision of access to Information, whether oral or recorded in any form or medium.
The sharing, employment, application, utilization, examination, or analysis, in any form or medium, of Information within the Contractor organization.
B. RESPONSIBILITIES OF CONTRACTOR
B1. Permitted Uses and Disclosures.
Contractor agrees not to use or disclose Information other than as permitted or required by the underlying services agreement between the parties (if any) or as required by law. Except as otherwise limited in this BAA, Contractor may:
a. Use or disclose Information to perform functions, activities, or services for, or on behalf of, Facility as specified in any service agreement currently in place, or negotiated in the future between the parties, that involves the use or disclosure of Information between Facility and Contractor, provided that such use or disclosure does not violate the Privacy Rule.
b. Use Information for the proper management and administration of Contractor or to carry out the legal responsibilities of Contractor.
c. Contractor may disclose Information as necessary for the proper management and administration of Contractor, and to carry out its legal responsibilities, if: (a) the disclosure is required by law; or (b) Contractor obtains reasonable assurances from the person to whom Information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Contractor of any instances of which it is aware in which the confidentiality of Unsecured Information has been potentially Breached.
d. Use Information to provide Data Aggregation services to Facility as permitted by HIPAA.
B2. Relationship to Individuals.
a. Contractor agrees that Facility and the Individual retain all ownership rights to the Information, and that Contractor does not obtain any right, title or interest to the Information furnished by Facility.
b. Contractor agrees to comply with all lawful requests of Individuals to permit access to inspect and obtain a copy their Information about the Individual that is subject to this BAA, as required by law, within thirty (30) days of such request.
c. Contractor agrees that, within fifteen (15) days of a request being made, it will provide Facility with any Information requested by Facility.
d. Contractor agrees to make Information available for amendment and to immediately incorporate any amendments or corrections to an Individual’s Information upon request by Facility in accordance with applicable law.
B3. Use/Disclosure in Accordance with Law.
Contractor understands that both Facility and Contractor may be subject to state and federal laws governing the confidentiality of the Information. Contractor agrees to abide by all such laws, whether or not fully articulated herein, and to keep the Information in the manner and subject to the standards required by the Privacy Rule and any other applicable state and federal laws. To the extent that Contractor is to carry out Facility’s obligations under the Privacy Rule, Contractor agrees to comply with the requirements applicable to the obligation.
B4. Safeguarding Information.
Contractor agrees to abide by the Security Rule, to establish appropriate administrative, technical, and physical safeguards to protect the confidentiality of Information that it receives from Facility, and to prevent individuals not involved in performing the services that it provides to Facility from using or accessing the Information.
B5. Mitigating Harmful Effects.
Contractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Contractor of a use or disclosure of Information by Contractor in violation of the requirements of this BAA. Contractor shall exercise reasonable diligence to discover any Breach of Information.
Contractor agrees that if Facility determines or has a reasonable belief that Contractor may have used, made a disclosure of, or permitted access to Information in a way that is not authorized by this BAA, then Facility may in its sole discretion require Contractor to: (a) promptly investigate and provide a written report to Facility of the Contractor’s determination regarding any alleged or actual unauthorized disclosure, access, or use; (b) cease such practices immediately; (c) return to Facility, or destroy, all Information; and (d) take any other reasonable action Facility deems appropriate.
B6. Reporting of Violations.
Contractor agrees that it will immediately report to Facility any use or disclosure of Information received from Facility that is not authorized by or otherwise constitutes a violation of the BAA.
In the event of a potential Breach of Unsecured Information, Contractor agrees that it will immediately report the potential Breach to Facility, and in no event will it fail to report the potential Breach within three (3) days of its discovery by Contractor. Contractor shall include in its report to Facility the following: (a) the identification of each individual whose Information may have been accessed, acquired, used, or disclosed during the Breach; (b) a brief description of what happened, including the date of the Breach and the date of discovery of the Breach; (c) a description of the types of Information that were involved in the Breach; (d) steps Individuals may take to protect themselves from potential harm resulting from the Breach; and (e) a description of what the Contractor is doing to investigate the Breach, mitigate harm to Individuals, and protect against further Breaches. In the event this information is not immediately available, Contractor shall provide the information to Facility as soon as it is discovered. Contractor shall assist Facility as requested to provide notification to affected Individuals, and, if requested by Facility, Contractor agrees to provide a toll-free number, e-mail address, website, or postal address for Individuals to ask questions or learn additional information about the Breach. Contractor agrees to be responsible for all costs related to the Breach, including, but not limited to, any costs incurred by Facility to mail notifications, maintain a toll-free number or website, research information regarding the Breach, or mitigate the effects of the Breach (which may include, without limitation, the costs of obtaining credit monitoring services and identity theft insurance, among other costs).
B7. Agents and Subcontractors.
If it becomes necessary for Contractor to share Information that has been disclosed to it by Facility with any person or any entity who is not an employee of Contractor, then Contractor agrees to cause such person or entity to enter into a written agreement in which the person or entity agrees to abide by all of the terms to which Contractor is subject under this BAA with respect to the Information.
B8. Accounting of Disclosures.
a. Contractor agrees to document disclosures of Information and the details of such disclosures as would be required for Facility to respond to a request by an Individual for an accounting of disclosures of Information in accordance with HIPAA.
b. Within ten (10) days of notice by Facility of a request for an accounting of disclosures of Information, Contractor shall make available to Facility the information required to provide an accounting of disclosures to enable Facility to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 CFR § 164.528. Except in the case of a direct request from an Individual for an accounting related to treatment, payment, or operations disclosures through an electronic health record, if the request for an accounting is delivered directly to Contractor or its agents or subcontractors, Contractor shall, within five (5) business days of a request, notify Facility about such request. Facility may either request that Contractor provide such information directly to the Individual, or it may request that the information be immediately forwarded to Facility for compilation and distribution to such Individual. In the case of a direct request for an accounting from an Individual related to treatment, payment, or operations disclosures through electronic health records, Contractor shall provide such accounting to the Individual in accordance with and effective on the applicable date set forth in section 13405(c) of the Health Information Technology for Economic and Clinical Health Act. Contractor and any agents or subcontractors shall continue to maintain the information required for purposes of complying with this section for a period of six (6) years after the disclosure.
B9. Minimum Necessary.
Contractor represents and warrants that if it uses or discloses Information or an element of Information, as permitted under this BAA, it will do so only in the minimum amount and to the minimum number of individuals necessary to achieve the purpose of the services being rendered to or on behalf of Facility. Contractor agrees that it will use all reasonable efforts to limit its request for Information to the minimum amount of Information necessary to achieve the purpose for which the request is being made. Contractor agrees to follow any guidance issued by HHS regarding the minimum necessary standard.
B10. Availability of Information.
Contractor shall make any and all internal practices, books, records and Information related to this BAA available to Facility for inspection and/or audit upon request by Facility. In addition, Contractor agrees to make its internal practices, books and records relating to the use and disclosure of Information available to HHS for review, upon the request of that Department.
C. RESPONSIBILITIES OF FACILITY
C1. Disclosure of Information.
Facility agrees to disclose Information to Contractor upon its own volition, upon Contractor’s request, or upon the request of a third party if such disclosure is permissible by law, so that Contractor may provide the agreed to services to or on behalf of Facility, unless Facility otherwise objects to the disclosure, or Contractor is no longer providing the services to Facility. Facility shall not request Contractor to use or disclose Information in any manner that would not be permissible under the Privacy Rule if done by Facility.
C2. Notification of Changes and Restrictions.
a. Facility shall provide Contractor with any changes in, or revocation of, permission by an Individual to use or disclose Information, if such changes affect Contractor’s permitted or required uses and disclosures.
b. Facility shall notify Contractor of any restriction to the use or disclosure of Information to which Facility has agreed in accordance with HIPAA.
C3. Notice of Privacy Practices.
Upon request, Facility will provide Contractor with a copy of its notice of privacy practices or direct Contractor to a source where it can be accessed. Facility may notify Contractor of limitation(s) in the notice of privacy practices of Facility under 45 CFR § 164.520, to the extent that such limitation may affect Contractor’s use or disclosure of Information.
D. ACCESS TO ELECTRONIC SYSTEMS
The parties acknowledge that Facility may provide Contractor access to certain electronic data and medical record systems maintained by Facility (collectively, the “Systems”), as permitted by HIPAA, to enable Contractor to provide services to Facility and/or to Facility patients. Contractor shall only access or attempt to access those clinical records on the Systems required for Contractor to provide services to or review services for Contractor’s patients. If any other clinical records are inadvertently received by Contractor, Contractor will immediately notify Facility.
Contractor acknowledges that the Systems are provided through a third party, and, as such, Facility does not control Contractor’s access to Systems. Contractor acknowledges that Facility does not guarantee Contractor’s access to the Systems and that Facility may permanently terminate or temporarily suspend Contractor’s access to the Systems with or without notice at any time. Contractor agrees to immediately cease all attempts to access the Systems if it ceases providing services to Facility residents and/or in the event of termination of its relationship with Facility, and Contractor will comply with Facility’s process for terminating access to the Systems.
Contractor will keep its username(s) and password(s) confidential. Contractor will not access Systems using any other username(s) or password(s) and will not permit any other person to access Systems using its username(s) or password(s). If Contractor believes another person has access to its username(s)/password(s), Contractor will immediately notify Facility.
D4. Policies & Procedures.
Contractor shall abide by all of Facility’s policies and procedures related to accessing the Systems. Facility reserves the right to change its policies and procedures at any time, for any reason, and Contractor agrees to abide by any changes. Contractor shall participate in any training programs or other security precautions relating to the Systems as requested by Facility.
D5. Illegal Activity.
Contractor shall not use the Systems for any illegal activity. Illegal activity includes, but is not limited to, activity that would violate Federal and State laws, rules, or regulations governing fraud and abuse or patient privacy. If Contractor uses the Systems for any illegal activity, Facility may report Contractor’s activities to the appropriate authorities in accordance with law.
Contractor acknowledges that it does not own any of the data stored by Facility on the Systems. Contractor shall respect System copyrights, software licenses, and property rights, and Contractor shall not use the name, logo, symbol or trademark of any System.
Contractor understands that an authorized representative of Facility may review, track, monitor or store information related to Contractor’s use of the Systems, and Contractor acknowledges that it has no privacy right or expectation of privacy in regard to its use of the Systems.
Contractor shall ensure that any employees and/or agents of Contractor accessing the Systems abide by the terms of this BAA. References to “Contractor” in this BAA apply equally to Contractor’s employees and agents.
Contractor will immediately report all of the following to Facility: (1) any violation of this BAA by Contractor or Contractor’s employees/agents; (2) Contractor or any of its employees/agents using the Systems cease providing services to Facility patients or Facility for any reason, including termination of employment; (3) Contractor or any of its employees/agents complete necessary tasks on a particular System; and (4) any change in Contractor’s password(s) to access the Systems..
E. TERM & TERMINATION
The term of this BAA shall be effective as of the commencement date of the underlying services agreement between Facility and Contractor, or, if no underlying services agreement is entered into between the parties, on the date that the Contractor is first provided access to Information by Facility. The BAA shall terminate when all of the Information provided by Facility to Contractor, or created or received by Contractor on behalf of Facility, is destroyed or returned to Facility, or, if it is infeasible to return or destroy Information, protections are extended to such Information, in accordance with the termination provisions in this Section.
E2. Termination for Cause.
Upon Facility’s knowledge of a material breach by Contractor of a requirement in this BAA, Facility shall provide an opportunity for Contractor to cure the breach or end the violation. Facility shall terminate this BAA if Contractor does not cure the breach, or end the violation, within the time specified by Facility. Facility may immediately terminate this BAA if Contractor has breached a material term of the BAA, and cure is not possible. If neither termination nor cure is feasible, Facility may report the violation to HHS.
E3. Effect of Termination.
Contractor agrees that upon termination of this BAA, Contractor shall contact Facility regarding any Information currently in its possession that was received from or created on behalf of Facility and determine whether Facility wishes to have the Information returned to it or destroyed. If feasible, Contractor agrees to proceed in accordance with the Facility’s instruction to return or destroy Information within thirty (30) days of receiving such instruction. If Facility elects to the have the Information destroyed, Contractor agrees to destroy the Information in a manner specified by HHS as a means of securing Information in guidance issued under section 13402(h)(2) of Public Law 111-5 on the HHS website and by a method acceptable to Facility.
If Contractor believes that returning or destroying the Information is not feasible because of a regulatory duty imposed on Contractor by law, or other valid reason, then Contractor shall provide to Facility notification of the conditions that make return or destruction not feasible. If Facility agrees that return or destruction of Information is not feasible, Contractor agrees that the protections afforded to such Information by this BAA will extend indefinitely and that Contractor will limit further uses and disclosures to those purposes that make the return or destruction of the Information infeasible. If Facility disagrees that return or destruction of Information is not feasible, Contractor agrees to destroy the Information. Contractor agrees that its obligations with regard to notifying Facility of any potential Breach will also extend indefinitely beyond the term of this BAA. Contractor further agrees that no Information, copies of Information, or parts thereof, shall be retained when the aforementioned Information are returned or destroyed.
Contractor agrees to indemnify and hold Facility (including Facility’s Board of Directors, individually and collectively, and its managers, owners, officers, members, directors, affiliates, parent companies, subsidiaries, employees, attorneys, agents, and other representatives, individually and collectively) harmless from and against all claims, liabilities, damages, costs and expenses, including, without limitation, reasonable attorneys’ fees and fines from any governmental agency or expenses incurred in appealing a governmental citation, brought against Facility related to Contractor’s or any of its employee’s, subcontractor’s, or agent’s noncompliance with this BAA and/or use of the Systems. This obligation shall survive termination of this BAA.
Any notice, demand or communication required, permitted or desired to be given to Facility hereunder shall be provided to email@example.com and a copy shall be sent to c/o 4042 Park Oaks Boulevard, Suite 300, Tampa, Florida 33610, Attn: Compliance Officer.
No assignment of this BAA or the rights and obligations hereunder shall be valid without the specific written consent of both parties hereto. Notwithstanding the foregoing, this BAA shall be deemed to be assigned automatically to any successor entity operating Facility or Contractor, and to apply automatically to any services provided pursuant to any agreement entered into between the parties in the future (whether or not specifically referenced herein) that involves the use or disclosure of Information between or by the parties.
(a) The waiver by either party of a breach or violation of any provision of this BAA shall not operate as, or be construed to be a waiver of any subsequent breach of the same or other provision hereof. (b) In the event any provision of this BAA is held to be unenforceable for any reason, the unenforceability thereof shall not affect the remainder of this BAA, which shall remain in full force and effect and enforceable in accordance with its terms. (c) Whenever the context hereof requires, the gender of all words shall include the masculine, feminine, and neuter, and the number of all words shall include the singular and plural. (d) This BAA constitutes the entire agreement of the parties with respect to the subject matter hereof, and all prior and contemporaneous understandings, agreements and representations, whether oral or written, with respect to such matters are superseded. (e) This BAA may only be amended by the written consent of both parties. The Parties agree to take such action as is necessary to amend this BAA from time-to-time as is necessary for Facility to comply with the requirements of HIPAA. (f) A reference in this BAA to a section in the Privacy Rule or Security Rule means the sections as in effect or as amended, and for which compliance is required. (g) Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Facility to comply with HIPAA. (h) This BAA shall be binding upon the parties hereto and their respective successors and assigns. (i) Nothing in this BAA shall be construed as limiting the right of either party to affiliate or contract with any other person or entity on either a limited or general basis while this BAA is in effect. (k) The respective rights and obligations of Contractor under Sections E and F of this BAA shall survive the termination of the BAA.