Business Associates Agreement

WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act of 1996 (commonly known as “HIPAA”), Public Law 104-191, known as “the Administrative Simplification provisions,” direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and

WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services has issued regulations modifying 45 CFR Parts 160 and 164 (the “HIPAA Privacy Rule” and the “HIPAA Security Rule”); and

WHEREAS, Title XIII of the American Recovery and Reinvestment Act, known as “the HITECH Act,” has amended HIPAA and the HIPAA regulations, including HIPAA’s Administrative Simplification provisions; and

WHEREAS, the Parties wish to enter into or have entered into an arrangement whereby Business Associate will provide certain services to Covered Entity, and, pursuant to such arrangement, Business Associate may be considered a “business associate” of Covered Entity as defined in the HIPAA Privacy Rule; and

WHEREAS, Business Associate may have access to Protected Health Information (as defined below) in fulfilling its responsibilities under such arrangement;

THEREFORE, in consideration of the Parties’ continuing obligations under the HIPAA Privacy Rule and Security Rule, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree to the provisions of this Agreement in order to address the requirements of the HIPAA Privacy Rule and Security Rule and to protect the interests of both Parties.

I. DEFINITIONS

Except as otherwise defined herein, any and all capitalized terms in this Section shall have the definitions set forth in the HIPAA Privacy Rule and the HIPAA Security Rule. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Privacy Rule and Security Rule, as amended, the HIPAA Privacy Rule and Security Rule shall control. Where provisions of this Agreement are different from those mandated in the HIPAA Privacy Rule and Security Rule, but are nonetheless permitted by the HIPAA Privacy Rule and/or Security Rule, the provisions of this Agreement shall control.

The term “Protected Health Information” (abbreviated as “PHI”) means individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display, by Covered Entity or its operating units to Business Associate or is created or received by Business Associate on Covered Entity’s behalf shall be subject to this Agreement.

II. CONFIDENTIALITY REQUIREMENTS

(A) Business Associate irrevocably agrees:

(i) to use or disclose any Protected Health Information solely: (1) for meeting its obligations as set forth in any agreements between the Parties evidencing their business relationship, or (2) as required by applicable law, rule or regulation, or by accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise permitted under this Agreement, or the HIPAA Privacy Rule or Security Rule; and

(ii) at termination of this Agreement, or any similar documentation of the business relationship of the Parties, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return or destroy all Protected Health Information received from or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form and retain no copies of such information, or if such return or destruction is not feasible, Business Associate will extend the protections of this Agreement to the information in perpetuity and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible; and

(iii) to ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from or created by Business Associate on behalf of Covered Entity, agree to the same restrictions and conditions that apply to Business Associate with respect to such information. In addition, Business Associate agrees to take reasonable steps to ensure that its employees’ actions or omissions do not cause Business Associate to breach the terms of this Agreement or the mandatory requirements of the HIPAA Privacy Rule and Security Rule that may apply to Business Associate.

(B) Notwithstanding the prohibitions set forth in this Agreement, Business Associate may use and disclose Protected Health Information only as follows:

(i) if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met:

(a) the disclosure is required by law, not merely permitted by law; or

(b) Business Associate obtains reasonable written assurances from the person or party to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or party, and the person or party promptly notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached;

(ii) for data aggregation services, if to be provided by Business Associate for the health care operations of Covered Entity pursuant to any agreements between the Parties evidencing their business relationship. For purposes of this Agreement, data aggregation services means the combining of Protected Health Information by Business Associate with the Protected Health Information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.

(C) Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. The Secretary of Health and Human Services shall have the right to audit Business Associate’s records and practices related to uses and disclosures of Protected Health Information to ensure Covered Entity’s compliance with the terms of the HIPAA Privacy Rule and Security Rule. Business Associate shall timely report to Covered Entity any use or disclosure of Protected Health Information which is not in compliance with the terms of this Agreement of which it becomes aware.

III. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

(a) Business Associate agrees that it is required under the amended HIPAA regulations to comply with, and shall comply with, the HIPAA Security Rule, including the Security Rule’s Administrative, Physical, and Technical safeguard requirements.

(b) Business Associate agrees that it is required under the amended HIPAA regulations to comply with, and shall comply with, the use and disclosure provisions of the HIPAA Privacy Rule.

(c) Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as required by law.

(d) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

(e) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.

(f) Breach Disclosures to Covered Entity: Business Associate agrees to immediately report to Covered Entity any use or disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware. Further, Business Associate agrees to notify the Covered Entity of any individual whose Protected Health Information has been accidentally, inappropriately or unlawfully released, accessed, or obtained. Business Associate agrees that such notification will meet the requirements of Section 13402 of the HITECH Act and § 164.410 of the amended HIPAA regulations. Specifically, the following shall apply:

i. A breach is considered discovered on the first day the Business Associate knows or should have known about it.

ii. In no case shall the Business Associate notify the Covered Entity of any breach later than five (5) days after a breach is discovered.

iii. Business Associate shall notify the Covered Entity of any and all breaches of Protected Health Information, and provide detailed information to the Covered Entity about the breach, along with the names and contact information of all individuals whose Protected Health Information was involved.

iv. For breaches determined to be caused by the Business Associate, where such breaches require notifications to patients or consumers, the cost of such breach notifications shall be borne by the Business Associate.

(g) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

(h) Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner requested, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524.

(i) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and manner requested.

(j) Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity or to the Secretary, in a time and manner requested or designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the HIPAA Privacy Rule and Security Rule.

(k) Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

(l) Business Associate agrees to provide to Covered Entity or an Individual, in the time and manner requested, information collected in accordance with any applicable Section of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

(m) Business Associate agrees to comply with the requirements of the “Red Flags” Rule and implement a compliant identity theft prevention program by or before the required “Red Flags” Rule compliance date.

IV. AVAILABILITY OF PHI

(a) Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Privacy Rule.

(b) Business Associate agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Privacy Rule.

(c) In addition, Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Privacy Rule.

V. TERMINATION

Notwithstanding anything in this Agreement to the contrary, Covered Entity shall have the right to terminate this Agreement immediately if Covered Entity determines that Business Associate has violated any material term of this Agreement. If Covered Entity reasonably believes that Business Associate will violate a material term of this Agreement and, where practicable, Covered Entity gives written notice to Business Associate of such belief within a reasonable time after forming such belief, and Business Associate fails to provide adequate written assurances to Covered Entity that it will not breach the cited term of this Agreement within a reasonable period of time given the specific circumstances, but in any event, before the threatened breach is to occur, then Covered Entity shall have the right to terminate this Agreement immediately.

VI. MISCELLANEOUS

Except as expressly stated herein or in the HIPAA Privacy Rule or Security Rule, the Parties to this Agreement do not intend to create any rights in any third parties. The obligations of Business Associate under this Section shall survive the expiration, termination, or cancellation of this Agreement, and/or the business relationship of the Parties, and shall continue to bind Business Associate, its agents, employees, contractors, successors, and assigns as set forth herein. This Agreement may be amended or modified only in a writing signed by the Parties. No Party may assign its respective rights and obligations under this Agreement without the prior written consent of the other Party. None of the provisions of this Agreement are intended to create, nor will they be deemed to create, any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship. This Agreement shall be governed by the laws of the State of Texas and is performable in Collin County, Texas. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion.

The Parties agree that, in the event that any documentation of the arrangement pursuant to which Business Associate provides services to Covered Entity contains provisions relating to the use or disclosure of Protected Health Information which are more restrictive than the provisions of this Agreement, the provisions of the more restrictive documentation will control. The provisions of this Agreement are intended to establish the minimum requirements regarding Business Associate’s use and disclosure of Protected Health Information. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. In addition, in the event a Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Privacy Rule or Security Rule, such Party shall notify the other Party in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and amend the terms of this Agreement, if necessary, to bring it into compliance. If, after such a thirty-day period, the Agreement fails to comply with the requirements of the HIPAA Privacy Rule and Security Rule, then either Party has the right to terminate upon written notice to the other Party.