BUSINESS ASSOCIATE AGREEMENT


This Business Associate Agreement (this "Agreement") is made effective as of the _____ day of _____, (the "Effective Date"), by and between _____ hereafter referred to as ("Business Associate"), and Kalamazoo County by and through its Health and Community Services Department, hereafter referred to as the ("COUNTY").

1. PURPOSE. The purpose of this Agreement (the "Agreement") is to assure the privacy and security of protected health information and electronic protected health information in accordance with the regulations, including the Privacy Rule and the Security Rule, issued by the Department of Health and Human Services ("HHS") under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Clinical and Economic Health Act of 2009, as each may be amended from time to time (collectively, "HIPAA"), including amendments for HITECH and the Omnibus Rule.

"Protected Health Information" or "PHI" is information regarding the physical or mental condition of an individual, or the treatment of or payment for that condition, that identifies or can be used to identify the individual; "Electronic Protected Health Information" (or "Electronic PHI") is limited to PHI transmitted by or maintained in electronic media. For purposes of this Agreement, PHI and Electronic PHI are limited to PHI or Electronic PHI that _____ creates, receives, maintains or transmits on behalf of the COUNTY.

The Privacy Rule and the Security Rule provide that a covered entity is permitted to disclose PHI and Electronic PHI to a business associate and allow the business associate to obtain and receive PHI and Electronic PHI, if the covered entity obtains satisfactory assurances in the form of a written contract that the business associate will appropriately safeguard the PHI and Electronic PHI.

The parties have entered or plan to enter a certain Purchase of Service Agreement, dated _____, that governs the underlying services (the "Principal Agreement").
The COUNTY (the "Covered Entity") is or may be a covered entity within the meaning of that term under HIPAA. _____, ("Business Associate"), provides services or performs functions or activities for or on behalf of the Covered Entity and in that capacity uses or discloses PHI, or otherwise creates, receives, maintains or transmits PHI; and, accordingly, is or may be a business associate to the Covered Entity. This Agreement modifies the Principal Agreement only if, and to the extent that, the Covered Entity is a covered entity and Business Associate is a business associate as those terms are defined at 45 CFR 160.103.

2. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE. Business Associate agrees that it will not use or disclose PHI created for, or received from, or on behalf of, the Covered Entity, except as provided for in this Section 2 or otherwise required by law.

(a) General Rule. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI in order to perform its obligations and services to the Covered Entity under the Principal Agreement, provided that such use or disclosure would not violate the Privacy Rule or the Security Rule if done directly by the Covered Entity. If Business Associate performs an obligation of the Covered Entity under HIPAA, Business Associate will be compliant with the relevant HIPAA provision.

(b) Other Uses and Disclosures.

(1) Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

(2) Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(3) Except as otherwise limited in this Agreement, Business Associate may use PHI to report violations of law to appropriate federal and state authorities, consistent with the provisions of HIPAA.

(4) Except as otherwise limited in this Agreement, Business Associate may use PHI to create a Limited Data Set or a De-Identified data set, as those terms are defined under HIPAA. Business Associate may further use or disclose a Limited Data Set pursuant to a Data Use Agreement for the purposes and as specified under HIPAA; and may further use or disclose a De-Identified data set for any lawful purpose not inconsistent with the Principal Agreement.

3. BUSINESS ASSOCIATE RESPONSIBILITIES.

(a) Business Associate will not use or further disclose PHI or Electronic PHI other than as required by this Agreement or as required by law, including situations where HIPAA may not permit certain disclosures requested by patients.

(b) Business Associate agrees to use appropriate safeguards and apply such security measures that are in compliance with the Privacy Rule and other applicable laws to prevent the use or disclosure of the PHI other than as allowed under this Agreement. Business Associate agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI, as required by the Security Rule.

(c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement, the Privacy Rule, the Security Rule or other applicable law.

(d) Business Associate agrees to promptly report to the Covered Entity any breach or use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware. Business Associate agrees to promptly report any security incident (as that term is defined in the Security Rule) of which it becomes aware to the Covered Entity. In the event of a breach of unsecured PHI (as defined at 45 CFR 164.402), Business Associate shall notify the Covered Entity promptly without unreasonable delay, and in any event within forty-five (45) days, of its discovery of such breach, the identification of each individual whose unsecured PHI was or is reasonably believed to have been accessed, acquired or disclosed during such breach.

(e) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of the Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate will advise the Covered Entity if any agent or subcontractor breaches its agreement with Business Associate with respect to the disclosure or use of PHI, and, except as otherwise provided by HIPAA, if the breach is material to the subcontractor's obligation or arrangement, Business Associate will take reasonable steps to cure the breach or end the violation, as applicable, and if such steps are unsuccessful, terminate the Business Associate's contract or arrangement with the subcontractor, if feasible.

(f) Within fifteen (15) days of a request by the Covered Entity, Business Associate agrees to provide access to, or a copy of, PHI in a designated record set, or as otherwise required by HIPAA, to the Covered Entity in order to meet the requirements of the Privacy Rule.
(g) Within fifteen (15) days of a request by the Covered Entity, Business Associate agrees to make any amendments to PHI in a designated record set that the Covered Entity directs or agrees to pursuant to the 45 CFR 164.526, or as otherwise required by HIPAA, at the request of the Covered Entity or the individual.

(h) For purposes of the Secretary of HHS determining the Covered Entity's compliance with HIPAA, Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of the Covered Entity available to the Secretary of HHS.

(i) Business Associate agrees to document such disclosures of PHI as would be required to respond, or to enable the Covered Entity to respond, to a request by an individual for an accounting of disclosures of PHI in accordance with the Privacy Rule, and will do so for at least the minimum amount of time required by HIPAA (including for records maintained in electronic form). Business Associate agrees to provide to the Covered Entity or the individual, as the case may be, upon its request the information collected in accordance with this section of this Agreement, to respond or to permit the Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with the Privacy Rule.

(j) Business Associate agrees to notify the Covered Entity of all requests for the disclosure of PHI from a law enforcement or government official, or pursuant to a subpoena, court or administrative order, or other legal request as soon as possible prior to making the requested disclosure.

(k) Business Associate acknowledges that it shall request from the Covered Entity and so disclose to its affiliates, subsidiaries, agents and subcontractors or other third parties, only the minimum necessary PHI, within the meaning of the Privacy Rule, to perform or fulfill a specific function required or permitted hereunder.

4. THE COVERED ENTITY'S RESPONSIBILITIES.

(a) The Covered Entity will provide Business Associate with the notice of privacy practices that the Covered Entity uses or produces, or that is produced on the Covered Entity's behalf, in accordance with the Privacy Rule, as well as any changes to that notice. The Covered Entity shall notify Business Associate of any limitations in the Covered Entity's notice of privacy practices to the extent such limitations may affect Business Associate's use or disclosure of PHI.

(b) The Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses and disclosures.

(c) The Covered Entity shall notify Business Associate of any restriction to or confidential communication of the use or disclosure of PHI that the Covered Entity has agreed to, or is required to adhere to in accordance with the Privacy Rule, and Business Associate agrees to conform to any such restriction or confidential communication.

(d) The Covered Entity shall not request Business Associate to use, disclose or transmit PHI in any manner that would not be permissible under the Privacy Rule or Security Rule if done by the Covered Entity.

5. TERM AND TERMINATION.

(a) Term. The provisions of this Agreement shall take effect as of the date first written above and shall terminate when all of the PHI provided by the Covered Entity to Business Associate, or created or received by Business Associate on behalf of the Covered Entity, is destroyed or returned to the Covered Entity, or, if it is infeasible to return or destroy such PHI, protections are extended to such information, in accordance with the provisions in this Agreement.

(b) Termination for Cause. Upon either party's material breach of this Agreement, the aggrieved party shall provide an opportunity for the breaching party to cure the breach or end the violation. The aggrieved party shall have the right to immediately terminate the Agreement and related agreements (including the Principal Agreement if necessary to comply with HIPAA) if the breaching party does not cure the breach or end the violation within a reasonable time as determined by the aggrieved party, or immediately terminate the Agreement and any related agreements (including the Principal Agreement if necessary to comply with HIPAA) if cure of such breach is not possible. If neither cure nor termination is feasible, the aggrieved party shall notify the Secretary (or his or her designee) of the breach or violation.

(c) This Agreement shall terminate immediately and automatically upon termination or expiration of the Principal Agreement, subject to the survival provisions set forth herein.

(d) Effect of Termination.

(1) Except as provided in paragraph (2) of this section, upon termination of the Agreement, for any reason, Business Associate shall destroy all electronic PHI received from the Covered Entity, or created or received by Business Associate on behalf of the Covered Entity. Covered Entity acknowledges that Business Associate maintains only electronic records including those records containing PHI.

(2) In the event Business Associate determines that destroying the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI only for those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. Following the termination of the Agreement, Business Associate shall not disclose PHI except to the Covered Entity or as required by law.

6. MISCELLANEOUS.

(a) Amendment. This Agreement may be amended upon the mutual written agreement of the parties. Upon the enactment of any law or regulation affecting the use or disclosure of PHI, or the publication of any decision of a court of the United States or any state relating to any such law or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, either party may, by written notice to the other party, propose an amendment to the Agreement as such party determines necessary to comply with such law or regulation. If the other party disagrees with such amendment, it shall so notify the first party in writing within thirty (30) days of the notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, then either of the parties may terminate the Agreement immediately upon written notice to the other party. An amendment shall be effective only upon the mutual written agreement of the parties.

(b) Survival. The respective rights and obligations of the parties under Section 5 of this Agreement shall survive the termination of the Agreement.

(c) Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Covered Entity and the Business Associate to comply with HIPAA. In the event of any inconsistency or conflict between this Agreement and any other agreement between the parties, the terms, provisions and conditions of this Agreement shall govern and control.

IN WITNESS WHEREOF, each of the undersigned parties is duly authorized to execute this Agreement on behalf of their respective party as of the date first set forth above.

Signature of Authorized Official
Date
Name
Title

COUNTY:

John Patrick Taylor, Chairperson
Date

Timothy A. Snow, Clerk/Register
Date
