A. Terms used but not otherwise defined in this Agreement shall have the same meaning as the meaning ascribed to those terms in the Health Information Portability and Accountability Act of 1996, as codified at 42 U.S.C. § 1320d (“HIPAA”), the Health Information Technology Act of 2009, as codified at 42 U.S.C.A. prec. § 17901 (“HITECH Act”), and any current and future regulations promulgated under HIPAA or the HITECH Act (HIPAA, HITECH Act and any current and future regulations promulgated under either are referred to as the “Regulations”).
B. Protected Health Information or PHI. “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 CFR 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Person, including, but not limited to electronic PHI.
II. OBLIGATIONS OF BUSINESS ASSOCIATE
In order that Covered Person and Business Associate may achieve and maintain compliance with the requirements of HIPAA, Business Associate agrees:
A. To only use and disclose PHI as permitted by this Agreement or as required by law. Business Associate may (1) use and disclose PHI to perform its obligations as set forth in the PAO Agreement; (2) use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities; (3) disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, if such disclosure is required by law or if Business Associate obtains reasonable assurances from the recipient that the recipient will keep the PHI confidential, use or further disclose the PHI only as required by law or for the purpose for which it was disclosed to the recipient, and notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; (4) use PHI to provide data aggregation services relating to the health care operations of Covered Person; (5) use or disclose PHI to report violations of the law to law enforcement; and (6) use PHI to create de-identified information consistent with the standards set forth at 45 CFR §164.514. Business Associate will not sell PHI or use or disclose PHI for purposes of marketing, as defined and proscribed in the Regulations.
B. To limit its uses and disclosures of, and requests for, PHI (a) when practical, to the information making up a Limited Data Set; and (b) in all other cases subject to the requirements of 45 CFR 164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request;
C. To use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of the PHI in compliance with the Regulations.
D. To require all of its subcontractors and agents that receive, use or have access to PHI to agree, in writing, to adhere to the same restrictions and conditions on the use or disclosure of PHI that apply to the Business Associate pursuant to this Agreement;
E. Upon reasonable notice and prior written request, to make available during normal business hours at Business Associate’s offices all records, books, agreements, internal practices, policies and procedures relating to the use or disclosure of PHI to the Office of the Secretary, Department of Health and Human Services, in a time and manner designated by the Secretary, for purposes of determining the Covered Person’s compliance with the Regulations, subject to attorney-client and other applicable legal privileges;
F. To provide documentation regarding any disclosures by Business Associate that would have to be included in an accounting of disclosures to an Individual under 45 CFR 164.528 (including without limitation a disclosure permitted under 45 CFR 164.512) and the HITECH Act, within a reasonable amount of time of receipt of a request from Covered Person;
G. If, and to the extent that Business Associate possesses an applicable Designated Record Set, within a reasonable amount of time of receipt of a request from the Covered Person for the amendment of an individual's PHI contained in the Designated Record Set, Business Associate shall provide such information to the Covered Person for amendment and shall also incorporate any such amendments in the PHI maintained by Business Associate as required by 45 C.F.R. 164.526.
H. Subject to Section III.C.2. of this Agreement, to return to the Covered Person or destroy, within thirty (30) days of the termination of this Agreement, any and all PHI in its possession and retain no copies (which for purposes of this Agreement shall include without limitation destroying all backup tapes and permanently deleting all electronic PHI).
I. To mitigate, to the extent practicable, any harmful effects from any use or disclosure of PHI by Business Associate not permitted by this Agreement.
J. Business Associate agrees to notify the designated Privacy Official of the Covered Person of any use or disclosure of PHI by Business Associate not permitted by this Agreement, any Security Incident involving electronic PHI, and any Breach of Unsecured Protected Health Information within five (5) business days.
1. Business Associate shall provide the following information to Covered Person within ten (10) business days of discovery of a breach, except when, despite all reasonable efforts by Business Associate to obtain the information required, circumstances beyond the control of the Business Associate necessitate additional time. Under such circumstances Business Associate shall provide to Covered Person the following information as soon as possible and without unreasonable delay, but in no event later than thirty (30) calendar days from the date of discovery of a breach:
a. the date of the breach;
b. the date of the discovery of the breach;
c. a description of the types of unsecured PHI that were involved;
d. identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed; and
e. any other details necessary to complete an assessment of the risk of harm to the individual.
2. Covered Person will be responsible to provide notification to individuals whose unsecured PHI has been disclosed, as well as the Secretary and the media, as required by Sec. 13402 of the HITECH Act, 42 U.S.C.A. § 17932.
3. Business Associate agrees to pay actual costs for notification and of any associated mitigation incurred by Covered Person, such as credit monitoring, if Covered Person determines that the breach is significant enough to warrant such measures.
4. Business Associate agrees to establish procedures to investigate the breach, mitigate losses, and protect against any future breaches, and to provide a description of these procedures and the specific findings of the investigation to Covered Person in the time and manner reasonably requested by Covered Person.
5. The parties agree that this section satisfies any notices necessary by Business Associate to Covered Person of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Person shall be required. For purposes of this Agreement, “Unsuccessful Security Incidents” include activity such as pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of electronic PHI.
III. RED FLAG RULES COMPLIANCE
The parties understand and agree that in connection with Business Associate’s performance under the PAO Agreement, Business Associate may maintain Covered Person “Covered Accounts” as defined in the Identity Theft Red Flags rules published by the Federal Trade Commission at 61 CFR part 681 (the “Red Flag Rules”). Each party warrants that it is familiar with the requirements of the Red Flag Rules, and will comply with the Red Flag Rules in connection with their respective performance under the PAO Agreement. Business Associate agrees to promptly report to Covered Person any incidents of which it becomes aware involving Covered Accounts of Covered Person that Business Associate reasonably believes involve identity theft. Business Associate also agrees to provide assistance to Covered Person as reasonably necessary for Covered Person to respond to any identity theft incidents related to Business Associate’s services under the PAO Agreement.
IV. TERM AND TERMINATION
A. Term. This Agreement shall become effective on the date of execution of a Service Agreement, and shall terminate upon the termination or expiration of all PAO Agreement(s). Notwithstanding the foregoing, obligations imposed on either party pursuant to the HITECH Act must be complied with only when the particular provisions referenced become effective or compliance becomes required, whichever is later.
B. Termination for Cause. Either Party may immediately terminate this Agreement and the PAO Agreement(s) if such Party makes the determination that the other Party has breached a material term of this Agreement. Alternatively, the terminating Party may choose to provide the other Party with thirty (30) days written notice of the existence of an alleged material breach and an opportunity to cure the breach. If termination is not feasible, the terminating Party shall report the breach to the Secretary.
C. Effect of Termination.
1. Upon termination or expiration of this Agreement, Business Associate agrees to return to Covered Person or destroy all PHI in the possession of Business Associate and/or in the possession of any subcontractor or agent of Business Associate (including without limitation destroying all backup tapes and permanently deleting all electronic PHI) and to retain no copies of the PHI.
2. In the event that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Person a written statement that it is infeasible to return or destroy the PHI and describe the conditions that make return or destruction of the PHI infeasible. Upon mutual agreement by the Parties that return or destruction of the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains the PHI.
Business Associate agrees to indemnify, defend and hold harmless Covered Person and its respective employees, directors, officers, subcontractors, agents or other members of its workforce (each of the foregoing hereinafter referred to as “Indemnified Party”) against all actual and direct losses suffered by the Indemnified Party and all liability to third parties arising from or in connection with any breach of this Agreement or from any acts or omissions related to this Agreement by Business Associate or its employees, directors, officers, subcontractors, agents or other members of its workforce. Accordingly, on demand, Business Associate shall reimburse any Indemnified Party for any and all actual and direct losses, liabilities, lost profits, fines, penalties, costs or expenses (including reasonable attorneys’ fees) which may for any reason be imposed upon any Indemnified Party by reason of any suit, claim, action, proceeding or demand by any third party which results from the Business Associate’s acts or omissions hereunder. Business Associate’s obligation to indemnify any Indemnified Party shall survive the expiration or termination of this Agreement.
A. Amendments. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary to achieve and maintain compliance with the requirements of the Regulations.
B. Survival. The respective rights and obligations of Business Associate and Covered Person set forth in Sections III and IV shall survive termination of this Agreement.
C. Regulatory References. Any reference herein to a federal regulatory section within the Code of Federal Regulations shall be a reference to such section as it may be subsequently updated, amended or modified.
D. Interpretation. Any ambiguity in this Agreement shall be resolved to permit covered entities to comply with HIPAA.
E. Notices. Any notices given hereunder shall be in writing and addressed as follows: