Business Associate Agreement

Concurrent to the effective date of the Services Agreement, HOS (“Business Associate”) and The Subscriber (“Covered Entity”) make and enter into this Business Associate Agreement (“BAA”).

RECITALS

  • WHEREAS, Covered Entity has engaged Business Associate to provide services that allow Covered Entity to perform predictive risk scoring for individual patients;
  • WHEREAS, Covered Entity possesses Individually Identifiable Health Information (as hereinafter defined) and is permitted to use or disclose such information only in accordance with such laws and regulations;
  • WHEREAS, Business Associate may create or receive such Individually Identifiable Health Information from or on behalf of Covered Entity in order to perform certain of the services; and
  • WHEREAS, Covered Entity wishes to ensure that Business Associate appropriately safeguards Individually Identifiable Health Information;
  • NOW, THEREFORE, in consideration of the covenants, terms, conditions and considerations specified hereunder, receipt and sufficiency of which are hereby mutually acknowledged, the parties agree to the following:

DEFINITIONS

  • “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
  • “Business Associate” is defined as set forth in 45 CFR 160.103.
  • “Covered Entity” is defined as set forth in 45 CFR 160.103.
  • “HIPAA Rules” refer to the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164
  • “Protected Health Information” or “PHI” is defined as set forth in 45 CFR § 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
  • “Electronic Protected Health Information” or “ePHI” is defined as Protected Health Information that is transmitted by or maintained in electronic media as defined in the HIPAA Security Regulations.
  • “HIPAA Security Regulations” refers to the regulations promulgated under HIPAA, including, but not limited to 45 CFR § 160 and 45 CFR § 164, Subpart A and C.
  • “HIPAA Privacy Regulations” refers to the regulations promulgated under HIPAA, including but not limited to, 45 CFR § 160 and 45 CFR § 164, Subpart A and E.
  • “HITECH” refers to the Health Information Technology for Economic and Clinical Health Act, which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), and any regulations promulgated thereunder.
  • “Individual” is defined as set forth in 45 CFR § 164.501, and includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
  • “Individually Identifiable Health Information” is defined as information that is a subset of health information, including demographic information collected from an individual, and: (a) is created or received by a health care provider, health plan, employer or health care clearinghouse; and (b) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for provision of health care to an individual; and (c) that identifies the individual; or (d) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
  • “Breach” is defined as the acquisition, access, use or disclosure of Protected Health Information in a manner not permitted under 45 CFR § 164, Subpart E (the “HIPAA Privacy Rule”). Breach does not include:
  1. any unintentional acquisition, access, use or disclosure of Protected Health Information by a workforce member or person acting under the authority of Covered Entity or Business Associate, if such acquisition, access, use or disclosure was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule; or
  2. any inadvertent acquisition, access, use or disclosure of Protected Health Information by a person who is authorized to access Protected Health Information at Covered Entity or Business Associate to another person authorized to access Protected Health Information at Covered Entity or Business Associate, respectively, or organized health care arrangement in which Covered Entity participates, and the Protected Health Information received does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule; or
  3. any disclosure of Protected Health Information for which Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably be able to retain such Protected Health Information; or
  4. any disclosure of Protected Health Information for which a Covered Entity or Business Associate, as applicable, demonstrates there is a low probability the Protected Health Information has been compromised based on a risk assessment of at least the factors set forth in 45 CFR 164.402 (2)(1)-(iv).
  • “Required By Law” is defined as set forth in 45 CFR § 164.501.
  • “Secretary” refers to the Secretary of the United States of America Department of Health and Human Services or such designee.
  • The following terms, when used in this this BAA, are defined as set forth (i.e., have the same meaning as those terms) in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. All other terms used in this BAA, and not otherwise defined, are defined as set forth (i.e., have the same meaning as those terms) in the HIPAA Rules.

OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

  1. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by this BAA or as Required by Law.
  2. Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as provided for by this BAA.
  3. Business Associate agrees to report to Covered Entity any use or disclosure of protected health information not provided for by this BAA of which it becomes aware, including breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any security incident of which it becomes aware.
  4. Business Associate agrees to mitigate, to the extent practicable, any harmful effect of which it becomes aware regarding use or disclosure of Protected Health Information in violation of the requirements of this BAA.
  5. Business Associate agrees to in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of Business Associate agree to the same restrictions, conditions and requirements that apply to Business Associate with respect to such information.
  6. Business Associate agrees to upon the reasonable request of Covered Entity, make available Protected Health Information in a Designated Record Set to Covered Entity, or as directed by Covered Entity, to an Individual, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524.
  7. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526.
  8. Business Associate agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s) to the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164.
  9. Business Associate agrees to make internal practices, books and records relating to use and disclosure of Protected Health Information available to the Secretary for purposes of determining compliance with the HIPAA Rules.
  10. Business Associate agrees to document disclosures of Protected Health Information as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
  11. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information it creates, receives, maintains or transmits on behalf of Covered Entity in accordance with the 45 CFR 164.306.
  12. Business Associate agrees to report to Covered Entity any use or disclosure of Protected Health Information not permitted by this BAA.
  13. Business Associate agrees to report any Breach of Unsecured Protected Health Information to Covered Entity in a manner compliant with its obligations pursuant to 45 CFR §164.410 and without reasonable delay, no later than five business days from discovery as necessary to mitigate harm to an Individual or in any event no later than ten business days from discovery.
  14. Business Associate agrees to track and monitor all Security Incidents and to report successful Security Incidents in accordance with Section 3 and to report unsuccessful Security Incidents upon request of Covered Entity.
  15. Business Associate agrees to when using, disclosing or requesting Protected Health Information, to use, disclose or request the minimal amount of information necessary for the stated purpose, unless an exception to the Minimum Necessary rule, as set forth in 45 CFR §164.502(b)(2).

PERMITTED USES AND DISCLOSURES OF BUSINESS ASSOCIATE

  1. Business Associate may use or disclose Protected Health Information to perform its duties and obligations under the Services Agreement and this BAA, provided that such use or disclosure does not violate the Minimum Necessary policies and procedures of Covered Entity.
  2. Business Associate may use or disclose Protected Health Information as Required by Law.
  3. Business Associate may use or disclose Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).
  4. Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out legal responsibilities of the Business Associate, provided such disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom Protected Health Information is disclosed that such Protected Health Information will remain confidential and used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which such Protected Health Information is breached.
  5. Except as otherwise limited in this BAA, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).

OBLIGATIONS AND ACTIVITIES OF COVERED ENTITY

  1. Covered Entity agrees to notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
  2. Covered Entity agrees to notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Protected Health Information, to the extent such changes may affect Business Associate’s use or disclosure of Protected Health Information.
  3. Covered Entity agrees to notify Business Associate of any restriction on the use or disclosure of Protected Health Information that covered entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent such restriction may affect Business Associate’s use or disclosure of Protected Health Information.
  4. Covered entity agree not to request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
  5. Covered Entity agrees to comply with the HIPAA Security Rule, including, without limitation, safeguarding all computing devices (i.e., desktops, laptops, smartphones, notebooks, tablets and all others) in accordance with the HIPAA Security Regulations.
  6. To the extent Covered Entity utilizes services provided by Business Associate to communicate with patients, Covered Entity agrees to determine what permissions, authorizations or consents are documented and maintained for HIPAA compliance purposes.

TERMINATION

  1. Notwithstanding anything to the contrary stated in this BAA and Section 28 hereunder, upon termination of this BAA for any reason, and after any Data Retention Period set forth in the Services Agreement between Business Associate and Covered Entity during which Business Associate may obtain copies of Protected Health Information, Business Associate agrees to destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form. This provision applies to Protected Health Information in the possession of subcontractors or agents of Business Associate. Business Associate agrees to retain no copies of Protected Health Information.
  2. To the extent Section 19 applies to any Protected Health Information, Business Associates agrees to: (a) retain only that Protected Health Information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities; (b) destroy he the remaining Protected Health Information that Business Associate still maintains in any form; (c) continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information to prevent use or disclosure, other than as provided for in this Section, for as long as Business Associate retains the Protected Health Information; (d) not use or disclose the Protected Health Information retained by Business Associate other than for the purposes for which such Protected Health Information was retained and subject to the same conditions set out under Permitted Uses and Disclosures By Business Associate which applied prior to termination; and (e) Destroy the Protected Health Information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
  3. The respective rights and obligations of Business Associate under this Section survive the termination of this BAA.
  4. A Breach of this BAA or the termination of this BAA will not solely be basis for a material breach of the Services Agreement.

OTHER

  1. This BAA is incorporated into the Services Agreement as if specifically set forth therein.
  2. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
  3. Any ambiguity in this BAA will be interpreted to permit compliance with the HIPAA Rules.
  4. The parties agree that Business Associate may unilaterally amend this BAA from time to time for the reasons set forth in Section 32 and for other business reasons, and that any such amended BAA is effective immediately upon posting an updated version of this BAA on The Services or the HOS web page at which this BAA is posted.
  5. The terms Covered Entity and Business Associate are used in this BAA solely for purposes of convenience and are not meant to imply that either party meets the definition of Covered Entity or Business Associate set forth in the HIPAA regulations.
  6. To the extent not preempted by Federal law, this BAA is governed and construed in accordance with the state laws governing the Services Agreement, without regard to conflict of laws principles.
  7. This BAA does not, and is not intended, to confer any rights or remedies upon any person or entity other than the parties.
  8. This BAA supersedes and replaces any prior Business Associate Agreement between Covered Entity and Business Associate as of the effective date of the Services Agreement.
  9. If any covenant, term, condition or consideration of this BAA is, or becomes, invalid or unenforceable, all other covenants, terms, conditions and considerations remain in full force and effect, and do not in any way impact the enforceability of the Services Agreement.