SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT

Transcription

1 SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ), on behalf of itself and its affiliates, if any (individually and collectively, Business Associate ) and Health Care Cloud Services, LLC, on behalf of itself and its affiliates, if any (individually and collectively, the Subcontractor ). Business Associate and Subcontractor may each be referred to as a Party and collectively, the Parties. WITNESSETH: WHEREAS, the Parties wish to enter into or have entered into an Agreement (the Underlying Agreement ) whereby Subcontractor will provide certain data aggregation and de-identification services for Business Associate as necessary to meet the needs of one or more Covered Entities which involve the use and/or disclosure of Protected Health Information that Subcontractor accesses, creates, receives, maintains or transmits on behalf of Business Associate and Covered Entity ( PHI ); WHEREAS, Business Associate and Subcontractor intend to protect the privacy and provide for the security of PHI in compliance with the Health Insurance Portability and Accountability Act of 1996, and any final regulations promulgated thereunder by the U.S. Department of Health and Human Services ( HHS ), as amended from time to time including by the Health Information Technology for Economic and Clinical Health Act ( HITECH ) (collectively HIPAA Rules ). THEREFORE, in consideration of the Parties continuing obligations under the Underlying Agreement, compliance with the HIPAA Rules, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, and intending to be legally bound, the Parties agree to the provisions of this BAA in order to address the requirements of the HIPAA Rules and to protect the interests of both Parties. 1. Definitions. Except as otherwise defined herein, any terms in this BAA shall have the definitions set forth in the HIPAA Rules. In the event of an inconsistency between the provisions of this BAA and mandatory provisions of the HIPAA Rules, as amended, the HIPAA Rules shall control. Where provisions of this BAA are different than those mandated in the HIPAA Rules, but are nonetheless permitted by the HIPAA Rules, the provisions of this BAA shall control. Additionally specific definitions are as follows: Breach generally means an unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information. Business Associate is a person or entity, other than an employee of a Covered Entity, who performs functions or activities on behalf of, or provides certain services to, a Covered Entity that involve access to PHI. Business Associates may also be subcontractors that create, receive, maintain, or transmit PHI on behalf of another Business Associate. Covered Entity means a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA. Designated Record Set shall mean a group of records maintained by or for the Covered Entity that is the medical records and billing records about Individuals maintained by or for the Covered Entity or Used Page 1 of 8

2 in whole or in part, by or for the Covered Entity to make decisions about Individuals, as specifically stated in the HIPAA Rules. Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information. Individual means the person who is the subject of PHI. Protected Health Information ( PHI ) means individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes, without limitation, Electronic PHI as defined below. Electronic PHI ( ephi ) means PHI which is transmitted by Electronic Media (as defined in the HIPAA Rules) or maintained in Electronic Media. Unsecured PHI means PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary of the US Department of Health and Human Resources (the Secretary ) through published guidance. Subcontractor acknowledges and agrees that all PHI that is created or received by Subcontractor and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Business Associate or its operating units to Subcontractor (or its subcontractors) or is created or received by Subcontractor (or its subcontractors) on Business Associate s behalf shall be subject to this Agreement. 2. Compliance with Applicable Law. The parties acknowledge and agree that, beginning with the relevant effective dates, Subcontractor shall comply with its obligations under this BAA and with all obligations of a subcontractor under HIPAA and other applicable laws and regulations, as they exist at the time this BAA is executed and as they are amended, for so long as this BAA is in place. 3. Uses and Disclosures of PHI. Except as otherwise limited in this BAA, Subcontractor shall not, and shall ensure that its directors, officers, employees, contractors, and agents do not, use or disclose PHI other than as follows: (a) Subcontractor may use or disclose Business Associate or Covered Entity s PHI as necessary to perform the services set forth in the Underlying Agreement with the Business Associate. (b) Subcontractor may use or disclose Business Associate or Covered Entity s PHI as required by law. (c) Subcontractor may disclose Business Associate or Covered Entity s PHI for the proper management and administration, or to carry out the legal responsibilities, of the Subcontractor, provided that disclosures are required by HIPAA, or Subcontractor obtains reasonable written assurances from the person or entity to whom the PHI is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Subcontractor of any instances of which it is aware or suspects in which the confidentiality of the PHI has been Page 2 of 8

3 breached. In such case, Subcontractor shall report such known or suspected breaches to Business Associate as soon as possible and in accordance with timeframes set forth in this BAA. (d) Subcontractor, upon written request by Business Associate, may use Business Associate or Covered Entity s PHI to provide Data Aggregation services relating to the health care operations of the Covered Entity under the Underlying Agreement. For purposes of this Section, Data Aggregation means, with respect to Business Associate or Covered Entity s PHI, the combining of such PHI by Subcontractor with the PHI received by Subcontractor in its capacity as a Subcontractor of another Business Associate to permit data analyses that relate to the health care operations of the respective Covered Entities. (e) Subcontractor may de-identify any and all PHI created or received by Subcontractor under this BAA pursuant to 45 C.F.R (a)-(c); provided, however, that the de-identification conforms to the requirements of HIPAA and in accordance with any guidance issued by the Secretary. Such resulting de-identified information would not be subject to the terms of this BAA. (f) Subcontractor may create a Limited Data Set, as defined in HIPAA, and use such Limited Data Set pursuant to a Data Use BAA that meets the requirements of HIPAA and as required by the Underlying Agreement. (g) Subcontractor will take all reasonable efforts to limit requests for use and disclosure of PHI and Electronic PHI to the minimum necessary to accomplish the intended request, use, or disclosure. With respect to permitted disclosures set forth herein, unless otherwise specifically agreed to by the parties, Subcontractor will not permit the disclosure of PHI to any person or entity other than such of its employees, agents or subcontractors who must have access to the PHI in order for Subcontractor to perform its obligations under the Underlying Agreement and who agree to keep such PHI confidential as required by this BAA. 4. Required Safeguards To Protect PHI. Subcontractor agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ephi, to prevent use or disclosure of PHI other than as provided for by the BAA. Subcontractor agrees to use appropriate Administrative, Physical, and Technical Safeguards to (a) maintain the security of the PHI and Electronic PHI and (b) prevent the use and disclosure of PHI other than as provided for by this BAA. 5. Agents and Subcontractors. Subcontractor agrees to ensure through a written agreement that any agent, including another subcontractor, to whom it provides PHI received from, or created or received by Subcontractor on behalf of Subcontractor, agrees (or has agreed) to the same restrictions and conditions that apply throughout this BAA to subcontractor with respect to such information. 6. Prohibition on Sale of PHI. Without limiting any uses or disclosures expressly permitted in this BAA, Subcontractor will not sell PHI created or received for or from Business Associate or Covered Entity or use or disclose PHI for purposes of marketing or fundraising, as defined and proscribed in the HIPAA Rules. 7. Breach and Security Incident Reporting. Subcontractor agrees to report promptly to the Business Associate any use or disclosure of the PHI not provided for by this BAA of which it becomes aware, including Breaches of Unsecured PHI, and any Security Incident of which it becomes aware. Such reports shall include a (1) brief description of what happened, including date of the Breach or Security Incident(s) or other inappropriate or impermissible or unlawful use or disclosure of PHI, if known; and (2) a description of the types of PHI that were involved (e.g. SSN, name, DOB, home address, account number or disability code). Subcontractor shall provide any additional information reasonably requested by Business Associate for purposes of investigating the Breach and any other available information that Subcontractor is required to include in notification to the affected Business Associate under HIPAA at the time of the notification, or as promptly thereafter. For any breach of unsecured PHI, to the extent Page 3 of 8

4 possible, Subcontractor agrees to provide the identity of each individual involved and any other information necessary to allow Covered Entity to provide notice within sixty (60) days. 8. Mitigation of Harmful Effects. Subcontractor agrees to mitigate, to the extent commercially reasonable and practicable, any harmful effect of a use or disclosure of PHI by Subcontractor in violation of the requirements of this BAA. 9. Access to Information. Within ten (10) days of a request by Business Associate for access to PHI about an individual contained in a Designated Record Set, Subcontractor shall make available to Business Associate such PHI for so long as such information is maintained by Subcontractor in the Designated Record Set, as required by 45 C.F.R In the event any individual delivers directly to Subcontractor a request for access to PHI, Subcontractor shall within five (5) days forward such request to Business Associate. 10. Amendment of PHI. Within ten (10) days of receipt of a request from Business Associate for the amendment of an individual s PHI or a record regarding an individual contained in a Designated Record Set (for so long as the PHI is maintained in the Designated Record Set), Subcontractor shall provide such information to Business Associate for amendment and incorporate any such amendments in the PHI as required by 45 C.F.R In the event any individual delivers directly to Subcontractor a request to amend their PHI, Subcontractor shall within five (5) days forward such request to Business Associate. 11. Documentation of Disclosures. Subcontractor agrees to document disclosures of PHI and information related to such disclosures as would be required for Business Associate or Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R At a minimum, except where exempt under with 45 C.F.R (a), Subcontractor shall provide Business Associate with the following information: (i) the date of the disclosure; (ii) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure. 12. Accounting of Disclosures. On a timely basis, but no later than thirty (30) calendar days following Business Associate's written request for an accounting of disclosures of PHI regarding an individual, Subcontractor agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created, or received by Subcontractor on behalf of Business Associate available to Business Associate, or at the request of Business Associate, to the Secretary in a time and manner designated by Business Associate or the Secretary, for purposes of the Secretary determining Business Associate s compliance with applicable law, including without limitation, HIPAA and HIPAA Regulations, including the Privacy Rule. 13. Other Obligations. To the extent that Subcontractor is to carry out Business Associate s obligation under HIPAA, Subcontractor shall comply with the requirements of HIPAA that apply to the Business Associate in the performance of such obligation. 14. Availability of Books and Records. Subcontractor hereby agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Subcontractor on behalf of, Business Associate available to the Secretary for Health and Human Services for purposes of determining Business Associate s compliance with HIPAA. 15. Term and Termination. (a) Term. The Term of this BAA shall be effective as of date first written below, and shall terminate when all of the PHI provided by Business Associate to Subcontractor, or created or received by Subcontractor on behalf of Business Associate, is destroyed or returned to Business Associate, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions of this section. Page 4 of 8

5 (b) Termination. Upon Business Associate s knowledge of a material violation of the terms of this BAA by Subcontractor, Business Associate shall provide an opportunity for Subcontractor to cure or end the violation and terminate this BAA if Subcontractor does not cure or end the violation within the time specified by Business Associate, but not less than thirty (30) days. Business Associate may, at its discretion, require Subcontractor to submit reports to demonstrate that violation has been cured or ended. This provision shall apply to PHI that is in the possession of subcontractors or agents of Subcontractor. (c) Effect Upon Termination. Except as provided in paragraph (b) of this section, upon termination of this BAA, for any reason, Subcontractor shall return or destroy all PHI in any form that is received from Business Associate, or created or received by Subcontractor on behalf of Business Associate. This provision shall apply to PHI that is in the possession of subcontractors or agents of Subcontractor. Subcontractor shall retain no copies of the PHI. In the event that Subcontractor determines that returning or destroying the PHI is infeasible, Subcontractor shall provide to Business Associate notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, Subcontractor shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Subcontractor maintains such PHI. In the event that the Business Associate fails to arrange to obtain the records containing PHI from Subcontractor and fails to instruct Subcontractor with respect to the destruction of PHI within sixty (60) days of termination of this BAA, Subcontractor may elect to retain or to destroy the PHI in a manner as provided in this BAA, in whole or in part, at Subcontractor s discretion. 16. Owner of PHI. Under no circumstances shall Subcontractor be deemed in any respect to be the owner of any PHI used or disclosed by or to Subcontractor pursuant to the terms of this BAA. 17. Judicial and Administrative Proceedings. In the event Subcontractor receives a subpoena, court, or administrative order or other discovery request or mandate for release of PHI, Business Associate shall have the right to control Subcontractor s response to such request. Subcontractor shall notify Business Associate of the request as soon as reasonably practicable, but in any event within forty-eight (48) business hours of receipt of such request. 18. Obligations on Business Associate. Business Associate further agrees to the following terms and conditions: (a) Business Associate shall provide Subcontractor with the Notice of Privacy Practices any Covered Entity furnishes to patients in accordance with the HIPAA Rules, and any changes or limitations to such notice to the extent that such limitation may affect Subcontractor's use or disclosure of PHI. (b) Business Associate shall notify Subcontractor of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Subcontractor's use or disclosure of PHI. (c) Business Associate shall notify Subcontractor of any restriction on the use or disclosure of PHI that Business Associate has agreed to in accordance with 45 C.F.R , to the extent that such restriction may affect Subcontractor's use or disclosure of PHI. (d) Business Associate shall not request that Subcontractor use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Business Associate or Covered Entity. Page 5 of 8

6 (e) Business Associate shall take immediate steps to mitigate an impermissible use or disclosure of PHI from Subcontractor to Business Associate, including its staff, employees and agents who send and receive PHI to and from Subcontractor in the course and scope of their employment, such as obtaining the recipient s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed. (f) Abide by all the responsibilities of Business Associates, including but not limited to the responsibilities specified in 45 C.F.R such as the maintenance of records and compliance reports, cooperation with complaint investigations and compliance reviews, and the permitting of access to information. 21. Miscellaneous (a) Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or amended, and for which compliance is required. (b) Amendment. This BAA may only be modified, or any rights under it waived, by a written agreement executed by both parties. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law. (c) Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Rules. (d) Survival. The terms of this Agreement, which by their nature are to survive this BAA, shall survive the termination or expiration of the Arrangement or this BAA for any reason. (e) Confidentiality. The Parties acknowledge that this BAA is intended to supplement any and all other confidentiality obligations that either Party may have under this or any other agreement or applicable law (f) Underlying Agreement. The terms of this BAA will govern the use of PHI under the Underlying Agreement. Except as specified herein, all other terms of the Underlying Agreement will continue in full force and effect. In the event of any conflict among the provisions of this Agreement and the Underlying Agreement, the provisions of this BAA will control. (g) Waiver of Breach. Waiver of violation of any provision of this BAA shall not be deemed a waiver of any other violation of the same or different provision. (h) Notices. Any notice or other communication given pursuant to this BAA must be in writing and (a) delivered personally, (b) delivered by overnight express, or (c) sent by registered or certified mail, postage prepaid, to the addresses set forth below and shall be considered given upon delivery: If to Subcontractor: If to Business Associate: Attention: Eduardo Martinez Attention: Page 6 of 8

7 Title: Director of Information Technology Title: Address: Address: 3265 MERIDIAN PKWY STE 112 WESTON FL (a) Binding Effect. This BAA shall be binding upon, and shall inure to the benefit of, the parties, their respective successors and permitted assignees. No assignment of the rights or obligations of either Party under this BAA shall be made without the express written consent of the other Party, which consent shall not be unreasonably withheld. Notwithstanding the foregoing, a Party may assign this BAA to a party taking assignment of the Underlying Agreement in accordance with its terms. (b) Third Party Rights. The terms of this BAA are not intended, nor should they be construed, to grant any rights, obligations, remedies, or liabilities to any parties other than Subcontractor and Subcontractor. (c) Severability. If any provision of this BAA shall be declared invalid or illegal for any reason whatsoever, then notwithstanding such invalidity or illegality, the remaining terms and provisions of this BAA shall remain in full force and effect. (d) Counterparts. This BAA may be executed in counterparts, each of which, shall be deemed an original, but all of which, shall constitute the same instrument. (e) Entire Agreement. This BAA sets for the entire agreement and understanding between the Parties relating to the subject matter hereof and supersedes all discussions, representations, agreements, and understandings of every kind or nature, whether oral or written, with respect to such matters, including, but not limited to other subcontractor agreements or agreements related to patient data and the access, use, privacy, security and confidentiality of patient data. In the event of any conflict between the terms of this BAA and any other oral or written discussions, representations, agreements, and understandings between the Parties, the terms of this Agreement shall control. (f) Indemnification. Each Party agrees to indemnify, defend and hold harmless the other Party and its employees and agents, against any loss, claim, damage or liability ( Claim ) if and to the extent proximately caused by (a) violation of a material term of this Agreement by such Party; (b) a violation of the HIPAA by such Party or (c) the gross negligence or willful misconduct of such Party. If seeking indemnification, the Party indemnifying the other shall furnish to the other party prompt written notice of any such Claim of which the indemnifying Party has actual knowledge, provided, however, that the failure to deliver such prompt notice shall not release indemnifying Party from any of its indemnity obligations hereunder except to the extent such obligations have increased as a result of such failure, and then only to the extent of such increase. The indemnified Party shall use good faith efforts to furnish the indemnifying Party with reasonable and sufficient authority, information and assistance necessary to defend the Claim. Page 7 of 8

8 (g) Application of State Law. Where any applicable provision of state law relates to the privacy or security of health information and is not preempted by HIPAA, as determined by application of the HIPAA Standards, the Parties shall comply with the applicable provisions of state law. IN WITNESS WHEREOF, the Parties have caused their duly authorized representatives to execute this BAA on the date indicated below: Business Associate: Subcontractor: Signature: Signature: Name: Eduardo Martinez Name: Title: Director of Information Technology\d1 \ Title: Date: Date: Page 8 of 8