This Business Associate Agreement Addendum (“BAA Addendum”) supplements and is made a part of the RMD License and Service Agreement (“Agreement”) between Company (“Covered Entity”) and RMD (“Business Associate”) as of the Effective Date (as defined in the Agreement).
WHEREAS, Covered Entity and Business Associate entered into the Agreement pursuant to which Business Associate may provide products and/or services for Covered Entity that require Business Associate to access, create and use health information that is protected by state and/or federal law;
WHEREAS, pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the U.S. Department of Health & Human Services (“HHS”) promulgated the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Standards”), at 45 C.F.R. Parts 160 and 164, requiring certain individuals and covered entities subject to the Privacy Standards to protect the privacy of certain individually identifiable health information (“Protected Health Information”, or “PHI”);
WHEREAS, pursuant to HIPAA, HHS has issued the Security Standards (the “Security Standards”), at 45 C.F.R. Parts 160, 162 and 164, for the protection of electronic protected health information (“EPHI”);
WHEREAS, in order to protect the privacy and security of PHI, including EPHI, created or maintained by or on behalf of the covered entity, the Privacy Standards and Security Standards require a covered entity to enter into a “business associate agreement” with certain individuals and entities providing services for or on behalf of the covered entity if such services require the use or disclosure of PHI or EPHI;
WHEREAS, on February 17, 2009, the federal Health Information Technology for Economic and Clinical Health Act was signed into law (the “HITECH Act”), and the HITECH Act imposes certain privacy and security obligations on covered entities in addition to the obligations created by the Privacy Standards and Security Standards;
WHEREAS, the HITECH Act revises many of the requirements of the Privacy Standards and Security Standards concerning the confidentiality of PHI and EPHI, including extending certain HIPAA and HITECH Act requirements directly to business associates;
WHEREAS, the HITECH Act requires that certain of its provisions be included in business associate agreements, and that certain requirements of the Privacy Standards be imposed contractually upon covered entities as well as business associates; and
WHEREAS, Business Associate and Covered Entity desire to enter into this BAA Addendum as required under the Agreement and applicable law.
NOW THEREFORE, in consideration of the mutual promises set forth in this BAA Addendum and the Agreement, and other good and valuable consideration, the sufficiency and receipt of which are hereby severally acknowledged, the parties agree as follows:
Business Associate may receive from Covered Entity, or create or receive on behalf of Covered Entity, health information that is protected under applicable state and/or federal law, including without limitation, PHI and EPHI. All capitalized terms not otherwise defined in this BAA Addendum or the Agreement shall have the meanings set forth in the Privacy Standards, Security Standards or the HITECH Act, as applicable (collectively referred to hereinafter as the “Confidentiality Requirements”). All references to PHI herein shall be construed to include EPHI. Business Associate agrees not to use or disclose (or permit the use or disclosure of) PHI in a manner that would violate the Confidentiality Requirements if the PHI were used or disclosed by Covered Entity in the same manner.
Covered Entity agrees that it: (i) has included and will include, in the Covered Entity’s Notice of Privacy Practices required by the Privacy Rule that Covered Entity may disclose PHI for Health Care Operations purposes; (ii) has obtained, and will obtain, from Individuals consents, authorizations, and other permissions necessary or required by laws applicable to Covered Entity for Business Associate and Covered Entity to fulfill their obligations under the Agreement and this BAA Addendum; (iii) will promptly notify Business Associate in writing of any restrictions on the use and disclosure of PHI about an Individual that Covered Entity has agreed to that may affect Business Associate’s ability to perform its obligations under the Agreement or this BAA Addendum; (iv) will promptly notify Business Associate in writing of any change in, or revocation of, permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate’s ability to perform its obligations under the Agreement or this BAA Addendum.
Except as otherwise required by law, Business Associate shall use PHI in compliance with 45 C.F.R. § 164.504(e). Subject to any limitations in this Agreement, Business Associate may use and disclose PHI (i) as necessary to perform its obligations under the Agreement and as permitted by applicable federal or state law, (ii) as necessary for the proper management and administration of the Business Associate or to carry out its legal responsibilities, provided that such uses are permitted under federal and state law, (iii) as necessary to provide Data Aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B), and (iv) as required to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1). If Business Associate discloses PHI to third parties, Business Associate agrees to: (a) obtain reasonable assurances from any third party to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the third party; and (b) require the third party to agree to notify Business Associate of any instances of a breach of confidentiality. Business Associate shall ensure that all disclosures of PHI by Business Associate and the third party comply with the principle of “minimum necessary use and disclosure,” i.e., only the minimum PHI that is necessary to accomplish the intended purpose may be disclosed; provided further, Business Associate shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued by HHS concerning such provision, regarding the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets.
If Business Associate discloses PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, to agents, including a subcontractor (collectively, “Recipients”), Business Associate shall require Recipients to agree in writing to the same restrictions and conditions that apply to the Business Associate under this Agreement. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, of which it becomes aware, such report to be made within five (5) business days of the Business Associate becoming aware of such use or disclosure. In addition to Business Associate’s obligations under Section 9, Business Associate agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity in writing, any harmful effect that is known to Business Associate and is the result of a use or disclosure of PHI by Business Associate or Recipients in violation of this Agreement. Covered Entity shall retain all rights in the PHI not granted herein.
Business Associate shall not receive direct or indirect remuneration for any exchange of PHI not otherwise authorized under HITECH/ARRA without Individual authorization, unless (i) specifically required for the provision of services under the Agreement; (ii) for treatment purposes; (iii) providing the Individual with a copy of his or her PHI; or (iv) otherwise determined by the Secretary in regulations.
Covered Entity expressly authorizes Business Associate to use, create and disclose De-Identified Health Information as permitted under law. “De-Identified Health Information” is health information that does not identify an individual and for which there is no reasonable basis to believe that the information can be used to identify an individual; information will be deemed to be de-identified if the following identifiers of the individual or of relatives, employers, or household members of the individual are removed: (i) names; (ii) all geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code if, according to current publicly available data from the Bureau of the Census, (a) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and (b) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000; (iii) all elements of dates (except year) for dates directly related to an individual, including birth date, admission date and discharge date; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; (iv) voice and fax telephone numbers; (v) electronic mail addresses; (vi) medical record numbers, health plan beneficiary numbers, or other health plan account numbers; (vii) certificate and license numbers; (viii) vehicle identifiers and serial numbers, including license plate numbers; (ix) device identifiers and serial numbers; (x) Internet Protocol (IP) address numbers and Universal Resource Locators (URLs); (xi) biometric identifiers, including finger and voice prints; (xii) full face photographic images and any comparable images; and (xiii) any other unique identifying number, characteristic or code.
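The identifier list above is the “Safe Harbor” method and can be applied mechanically. What follows is an added worked example and is not part of this Addendum or of any RMD software: it applies the zip-code, date and age rules and strips the remaining categories from a patient record, and also scrubs e-mail addresses, phone numbers, IP addresses, URLs and SSN-shaped tokens embedded in free text. The record field names, the sample record and the set of low-population three-digit zip prefixes are constructed for illustration; the real set of prefixes covering 20,000 or fewer people must be taken from current Census Bureau data and re-checked when that data changes.

```python
"""Safe Harbor de-identification of a patient record (added example, not from the Addendum)."""
import re
from datetime import date

# Constructed, illustrative set of three-digit zip prefixes treated as covering
# 20,000 or fewer people (category (ii)(b)). Replace with the current Census list.
LOW_POPULATION_ZIP3 = frozenset({"036", "059", "102", "203", "556", "692", "878"})

# Constructed field names for the direct identifiers that are dropped outright
# (categories (i) and (iv) through (xiii)).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "phone", "fax", "email", "mrn", "beneficiary_id", "account_no",
    "license_no", "vehicle_id", "device_serial", "ip", "url", "biometric",
    "photo", "other_id",
})

# Sub-state geographic fields (category (ii)) that are dropped; zip is generalised instead.
GEOGRAPHIC_FIELDS = frozenset({"street", "city", "county", "precinct"})

# Identifier shapes that commonly leak through free-text fields such as clinical notes.
_FREE_TEXT_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),          # e-mail address (v)
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),      # IPv4 address (x)
    re.compile(r"https?://\S+"),                     # URL (x)
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),  # US phone/fax number (iv)
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # SSN-shaped token (xiii)
]


def zip3(zip_code):
    """Category (ii): keep the first three digits, or '000' for low-population prefixes."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in LOW_POPULATION_ZIP3:
        return "000"
    return prefix


def age_on(birth, as_of):
    """Age in whole years on the reference date."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def age_category(age):
    """Category (iii): ages over 89 collapse into the single '90+' bucket."""
    return "90+" if age > 89 else str(age)


def scrub_text(text):
    """Replace identifier-shaped tokens in free text."""
    for pattern in _FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify(record, as_of):
    """Return a new dict with Safe Harbor identifiers removed or generalised.

    Dates keep only the year; the birth year is dropped entirely when the
    patient is over 89, because the year alone would then be indicative of age.
    """
    out = {}
    age = age_on(record["birth_date"], as_of) if "birth_date" in record else None
    over_89 = age is not None and age > 89
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEOGRAPHIC_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = zip3(value)
        elif key == "birth_date":
            if not over_89:
                out["birth_year"] = value.year
            out["age"] = age_category(age)
        elif isinstance(value, date):
            out[key + "_year"] = value.year      # admission, discharge and similar dates
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample input; every value is fictitious.
AS_OF = date(2023, 3, 4)
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "street": "1 Main St", "city": "Cambridge", "zip": "02139",
    "birth_date": date(1930, 6, 15), "admission_date": date(2023, 3, 4),
    "email": "jane@example.com", "mrn": "MRN-0001",
    "diagnosis": "I10",
    "notes": "Call 617-555-0123 or jane@example.com; seen at https://portal.example/p/1",
}
SAMPLE_YOUNG = {"name": "John Doe", "zip": "03601", "birth_date": date(1980, 1, 1)}


def demo():
    """De-identify the constructed sample record."""
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    print(demo())
```

The over-89 and zip-prefix cases are the two the regulation singles out, and both are exercised by the sample records: the 1930 birth date yields an age category of “90+” with no birth year at all, and a zip beginning with a low-population prefix becomes “000”. Free-text scrubbing by pattern is a necessary but not sufficient step; names and other free-form identifiers in notes still need a review or a dedicated tool before the output can be treated as de-identified.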
A “Designated Record Set” is a group of records maintained by or for a health plan or health care provider which includes at least (a) the medical records and billing records about individuals maintained by or for Covered Entities, (b) the enrollment, payment, claims adjudication and case or medical management record systems maintained by or for a health plan, or (c) items used, in whole or in part, by or for the health plan or health care provider to make decisions about individuals. If Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall (i) provide access to, and permit inspection and copying of, PHI by Covered Entity or, as directed by Covered Entity, an individual who is the subject of the PHI, under the conditions and limitations required under 45 C.F.R. § 164.524, as it may be amended from time to time, and (ii) amend PHI maintained by Business Associate as requested by Covered Entity. Business Associate shall respond to any request from Covered Entity for access by an individual within ten (10) days of such request and shall make any amendment requested by Covered Entity within ten (10) days of such request. Business Associate may charge a reasonable fee based upon the Business Associate’s labor costs in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies). Covered Entity shall determine whether a denial is appropriate or an exception applies. Business Associate shall notify Covered Entity within ten (10) days of receipt of any request for access or amendment by an individual. Covered Entity shall determine whether to grant or deny any access or amendment requested by the individual. Business Associate shall have a process in place for requests for amendments and for appending such requests to the Designated Record Set, as requested by Covered Entity.
Business Associate shall make available to Covered Entity, in response to a request from an individual, the information required for an accounting of disclosures of PHI with respect to the individual in accordance with 45 C.F.R. § 164.528, as amended by Section 13405(c) of the HITECH Act and any related regulations or guidance issued by HHS in accordance with such provision. Business Associate shall provide to Covered Entity such information necessary to provide an accounting within thirty (30) days of Covered Entity’s request or such shorter time as may be required by state or federal law. Such accounting must be provided without cost to the individual or to Covered Entity if it is the first accounting requested by an individual within any twelve (12) month period. For subsequent accountings within a twelve (12) month period, Business Associate may charge a reasonable fee based upon the Business Associate’s labor costs in responding to a request for electronic information (or a cost-based fee for the production of non-electronic media copies) so long as Business Associate informs the Covered Entity and the Covered Entity informs the individual in advance of the fee, and the individual is afforded an opportunity to withdraw or modify the request. Such accounting obligations shall survive termination of this Agreement and shall continue as long as Business Associate maintains PHI.
If the use or disclosure of PHI in this Agreement is based upon an individual’s specific authorization for the use of his or her PHI, and (i) the individual revokes such authorization in writing, (ii) the effective date of such authorization has expired, or (iii) the consent or authorization is found to be defective in any manner that renders it invalid, Business Associate agrees, if it has notice of such revocation or invalidity, to cease the use and disclosure of any such individual’s PHI except to the extent it has relied on such use or disclosure, or where an exception under the Confidentiality Requirements expressly applies.
Business Associate shall make available to the United States Department of Health and Human Services or its agents, or to any other health oversight agency, its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity, for the purpose of determining Covered Entity’s compliance with the Confidentiality Requirements, in a time and manner designated by the Secretary. Except to the extent prohibited by law, Business Associate agrees to notify Covered Entity immediately upon receipt by Business Associate of any and all requests for PHI by or on behalf of any federal, state or local government authority served upon Business Associate.
Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as expressly permitted under this Agreement. Business Associate will implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate acknowledges that the HITECH Act requires Business Associate to comply with 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 as if Business Associate were a Covered Entity, and Business Associate agrees to comply with these provisions of the Security Standards and all additional security provisions of the HITECH Act. Furthermore, to the extent feasible, Business Associate will use commercially reasonable efforts to ensure that the technology safeguards used by Business Associate to secure PHI will render such PHI unusable, unreadable and indecipherable to individuals unauthorized to acquire or otherwise have access to such PHI, in accordance with HHS Guidance published at 74 Federal Register 19006 (April 17, 2009), or such later regulations or guidance promulgated by HHS or issued by the National Institute of Standards and Technology (“NIST”) concerning the protection of identifiable data such as PHI. Lastly, Business Associate shall report to Covered Entity any Successful Security Incident of which it becomes aware within five (5) business days. At a minimum, such report shall contain the following information: (i) the date and time when the Security Incident occurred and/or was discovered; (ii) the names of systems, programs, or networks affected by the Security Incident; (iii) a preliminary impact analysis; (iv) a description of the EPHI used, disclosed, modified, or destroyed by the Security Incident and the scope of that exposure; and (v) a description of any mitigation steps taken.
Business Associate agrees to implement reasonable systems for the discovery and prompt reporting to Covered Entity of any “breach” of “unsecured PHI” as those terms are defined by 45 C.F.R. §164.402 or of any reasonable belief that a “breach” has occurred (hereinafter a “HIPAA Breach”). The parties acknowledge and agree that 45 C.F.R. §164.404, as described below in this Section 9.1, governs the determination of the date of a HIPAA Breach. In the event of any conflict between this Section 9.1 and the Confidentiality Requirements, the more stringent requirements shall govern. Business Associate will, following the discovery of a HIPAA Breach, notify Covered Entity immediately and in no event later than three (3) business days after Business Associate discovers such HIPAA Breach, unless Business Associate is prevented from doing so by 45 C.F.R. §164.412 concerning law enforcement investigations. For purposes of reporting a HIPAA Breach to Covered Entity, the discovery of a HIPAA Breach shall occur as of the first day on which such HIPAA Breach is known to the Business Associate or, by exercising reasonable diligence, would have been known to the Business Associate. Business Associate will be considered to have had knowledge of a HIPAA Breach if the HIPAA Breach is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing the HIPAA Breach) who is an employee, officer or other agent of the Business Associate. No later than seven (7) business days following a HIPAA Breach, Business Associate shall provide Covered Entity with sufficient information to permit Covered Entity to comply with the HIPAA Breach notification requirements set forth at 45 C.F.R. § 164.400 et seq. 
Specifically, if the following information is known to (or can be reasonably obtained by) the Business Associate, Business Associate will provide Covered Entity with: (i) contact information for individuals who were or who may have been impacted by the HIPAA Breach (e.g., first and last name, mailing address, street address, phone number, email address); (ii) a brief description of the circumstances of the HIPAA Breach, including the date of the HIPAA Breach and the date of discovery; (iii) a description of the types of unsecured PHI involved in the HIPAA Breach (e.g., names, social security number, date of birth, address(es), account numbers of any type, diagnostic and/or billing codes and similar information); (iv) a brief description of what the Business Associate has done or is doing to investigate the HIPAA Breach, mitigate harm to the individuals impacted by the HIPAA Breach, and protect against future HIPAA Breaches; and (v) the name and contact information of a liaison appointed by Business Associate so that the Covered Entity may ask questions or learn additional information concerning the HIPAA Breach. Following a HIPAA Breach, Business Associate will have a continuing duty to inform Covered Entity of new information learned by Business Associate regarding the HIPAA Breach, including but not limited to the information described in items (i) through (v), above.
In addition to the requirements of Section 9.1, Business Associate agrees to implement reasonable systems for the discovery and prompt reporting of any breach of individually identifiable information (including but not limited to PHI, and referred to hereinafter as “Individually Identifiable Information”) that, if misused, disclosed, lost or stolen, Covered Entity believes would trigger an obligation under one or more State data breach notification laws (each a “State Breach”) to notify the individuals who are the subject of the information. Business Associate agrees that in the event any Individually Identifiable Information is lost, stolen, used or disclosed in violation of one or more State data breach notification laws, Business Associate shall promptly: (i) cooperate and assist Covered Entity with any investigation into any State Breach or alleged State Breach; (ii) cooperate and assist Covered Entity with any investigation into any State Breach or alleged State Breach conducted by any State Attorney General or State Consumer Affairs Department (or their respective agents); (iii) comply with Covered Entity’s determinations regarding Covered Entity’s and Business Associate’s obligations to mitigate to the extent practicable any potential harm to the individuals impacted by the State Breach; and (iv) assist with the implementation of any decision by Covered Entity or any State agency, including any State Attorney General or State Consumer Affairs Department (or their respective agents), to notify individuals impacted or potentially impacted by a State Breach.
Business Associate shall indemnify, defend and hold Covered Entity and its officers, directors, employees, agents, successors and assigns harmless, from and against any and all losses, claims, actions, demands, liabilities, damages, costs and expenses (including costs of judgments, settlements, court costs and reasonable attorneys’ fees actually incurred) (collectively, “Information Disclosure Claims”) arising from or related to: (i) the use or disclosure of Individually Identifiable Information (including PHI) in violation of the terms of this Agreement or applicable law, and (ii) whether in oral, paper or electronic media, any HIPAA Breach of unsecured PHI and/or State Breach of Individually Identifiable Information. If Business Associate assumes the defense of an Information Disclosure Claim, Covered Entity shall have the right, at its expense, to participate in the defense of such Information Disclosure Claim. Business Associate shall not take any final action with respect to any Information Disclosure Claim without the prior written consent of Covered Entity. To the extent permitted by law, Business Associate shall be fully liable to Covered Entity for any acts, failures or omissions of Recipients in furnishing the services as if they were the Business Associate’s own acts, failures or omissions.
This Agreement shall commence on the Effective Date of the Agreement and shall automatically terminate upon the termination or expiration of the Agreement, provided, however, that termination shall not affect the respective obligations or rights of the parties arising under the Agreement prior to the effective date of termination, all of which shall continue in accordance with their terms.
Upon termination or expiration of this Agreement, Business Associate agrees either to return to Covered Entity or to destroy all PHI received from Covered Entity or otherwise through the performance of services for Covered Entity, that is in the possession or control of Business Associate or its agents. In the case of PHI which is not feasible to “return or destroy,” Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. Business Associate further agrees to comply with other applicable state or federal law, which may require a specific period of retention, redaction, or other treatment of such PHI.
Business Associate represents and warrants to Covered Entity that Business Associate (i) is not currently excluded, debarred, or otherwise ineligible to participate in any federal health care program as defined in 42 U.S.C. § 1320a-7b(f) (the “Federal Healthcare Programs”); (ii) has not been convicted of a criminal offense related to the provision of health care items or services but not yet been excluded, debarred, or otherwise declared ineligible to participate in the Federal Healthcare Programs; and (iii) is not under investigation or otherwise aware of any circumstances which may result in Business Associate being excluded from participation in the Federal Healthcare Programs. This shall be an ongoing representation and warranty during the term of this Agreement, and Business Associate shall immediately notify Covered Entity of any change in the status of the representations and warranty set forth in this section. Any breach of this section shall give Covered Entity the right to terminate this Agreement immediately for cause.
Any ambiguity in this BAA Addendum shall be resolved to permit the Covered Entity as a “covered entity” to comply with the HIPAA Rules. The parties acknowledge that the HITECH Act requires the Secretary to promulgate regulations and interpretive guidance that are not available at the time of executing this BAA Addendum. In the event the Covered Entity determines in good faith that any such regulation or guidance adopted or amended after the execution of this Agreement would cause any paragraph or provision of this Agreement to be invalid, void or in any manner unlawful, or would subject either party to penalty, then the parties agree to modify and amend this Agreement in a manner that would eliminate any such risk.