EXHIBIT B: BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is made and entered into effective as of [Effective Date], by and between [Company] (“Covered Entity”) and Pedia IQ, LLC, a Georgia limited liability company (“Business Associate”).
RECITALS
WHEREAS, Covered Entity possesses Protected Health Information (“PHI”) that is protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (collectively “HIPAA”), State Privacy Laws, and the rules and regulations issued pursuant to these state and Federal laws, (collectively, the “Privacy and Security Laws”);
WHEREAS, Covered Entity wishes to enter into a business relationship with Business Associate to perform mental health and learning disability screening tests (the “Services”) on behalf of Covered Entity pursuant to an underlying agreement (“Underlying Agreement”);
WHEREAS, in order to provide the Services, Business Associate will access, receive, maintain, create and/or transmit PHI on behalf of Covered Entity; and
WHEREAS, Covered Entity and Business Associate wish to enter into this Agreement to set forth the terms and conditions applicable to the use and disclosure of such PHI in compliance with the Privacy and Security Laws.
NOW THEREFORE, Covered Entity and Business Associate agree as follows:
1. Definitions. The parties agree that the following terms, when used in this Agreement, shall have the following meanings, provided that the terms set forth below shall be deemed to be modified to reflect any changes made to such terms from time to time under the Privacy and Security Laws. All capitalized terms used in this Agreement but not defined below shall have the meaning assigned to them under the HIPAA Regulations.
a. “Breach” shall have the meaning given such term under 45 C.F.R. 164.402 as such regulation is revised from time to time.
b. “Business Associate” means:
(1) With respect to Covered Entity, a person who:
(a) On behalf of such covered entity or of an Organized Health Care Arrangement (“OHCA”) (as defined under HIPAA) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or OHCA, creates, receives, maintains, or transmits PHI for a function or activity regulated by the Privacy and Security Laws, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, Client safety activities listed at 42 C.F.R. 3.20, billing, benefit management, practice management, and repricing; or
(b) Provides, other than in the capacity of a member of the workforce of such Covered Entity, legal, actuarial, accounting, consulting, data aggregation (as defined in 45 C.F.R. 164.501), management, administrative, accreditation, or financial services to or for Covered Entity, or to or for an OHCA in which the Covered Entity participates, where the provision of the service involves the disclosure of PHI from such Covered Entity or Arrangement, or from another business associate of such Covered Entity or OHCA, to the person.
(2) Business Associate also includes a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI and that requires access on a routine basis to such PHI; a person that offers a personal health record to one or more individuals on behalf of Covered Entity; and a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate.
c. “Data Aggregation” means, with respect to PHI created or received by a Business Associate in its capacity as the Business Associate of a Covered Entity, the combining of such PHI by the Business Associate with the PHI received by the Business Associate in its capacity as a Business Associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
d. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
e. “HIPAA Regulations” means the regulations promulgated under HIPAA by the United States Department of Health and Human Services, including, but not limited to, 45 C.F.R. Part 160 and 45 C.F.R. Part 164 subparts A and E (“The Privacy Rule”) and the Security Standards as they may be amended from time to time, 45 C.F.R. Parts 160, 162 and 164, Subpart C (“The Security Rule”).
f. “HITECH Act” means the provisions of Division A, Title XIII of the American Recovery and Reinvestment Act of 2009 (“ARRA”), known as The Health Information Technology for Economic and Clinical Health Act, 42 U.S.C. §3000 et seq., and rules, regulations and guidance issued pursuant thereto.
g. “Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(a) that identifies the individual; or
(b) with respect to which there is a reasonable cause to believe the information can be used to identify the individual.
h. “Privacy and Security Laws” means collectively HIPAA, the HITECH Act and all regulations, rules, and guidance issued pursuant to HIPAA, the HITECH Act, and the applicable State Privacy Laws.
i. “Protected Health Information” or “PHI” means individually identifiable health information that is: transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI does not include individually identifiable health information that is included in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), or employment records held by a covered entity in its role as employer, and it does not include information regarding a person who has been deceased for more than 50 years.
j. “Required by Law” shall have the meaning set forth in 45 C.F.R. 164.512.
k. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in an information system, but does not include minor incidents that occur on a daily basis, such as scans, “pings”, or unsuccessful random attempts to penetrate computer networks or servers maintained by Business Associate.
l. “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified in the guidance issued under Section 13402(h)(2) of the HITECH Act on the HHS Web site.
m. Capitalized terms not defined herein shall have the meaning assigned under HIPAA or the applicable State Privacy Laws as applicable.
2. Permitted Uses and Disclosures. Business Associate shall not use or disclose PHI it receives from, maintains, or creates on behalf of the Covered Entity except as permitted or required under this Agreement or as Required by Law.
a. Performance of Services. Business Associate may use and disclose PHI received from, or created or received on behalf of, Covered Entity in connection with the performance of the Services contracted for in the Underlying Agreement provided that such use or disclosure would not violate the Privacy Rule if done by the Covered Entity.
b. Proper Management and Administration of Business Associate. Business Associate may use PHI received by Business Associate in its capacity as Business Associate of Covered Entity for the proper management and administration of Business Associate in connection with the performance of Services in the Underlying Agreement and as otherwise permitted by this Agreement.
Business Associate may disclose Covered Entity’s PHI for such proper management and administration of Business Associate, to carry out the legal responsibilities of Business Associate, and as otherwise permitted by this Agreement if (1) such disclosure is Required by Law, or (2) Business Associate obtains reasonable assurances, in writing, from the person to whom the PHI is disclosed that: (i) the PHI will be held confidentially, used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; (ii) the person otherwise agrees to the same restrictions and conditions that apply to Business Associate with respect to such PHI; and (iii) the person will notify Business Associate of any instances of which the person becomes aware in which the confidentiality of the PHI has been breached.
c. Data Aggregation. Business Associate may use and disclose PHI received by Business Associate in its capacity as Business Associate of Covered Entity to provide Data Aggregation services relating to the health care operations of Covered Entity only with Covered Entity’s prior permission.
d. Disclosures Required By Law. Business Associate may make such disclosures as are Required by Law. To the extent permitted by law, Business Associate shall provide Covered Entity with copies of any documents Business Associate is required to disclose under this Section 2(d).
3. Prohibited Uses and Disclosures.
a. Restrictions Agreed to by Covered Entity. If Covered Entity notifies Business Associate that Covered Entity has agreed to be bound by additional restrictions on the uses or disclosures of Covered Entity’s PHI pursuant to 42 C.F.R. 164.502(c), Business Associate shall, within fifteen (15) business days of receipt of written notice, implement and be bound by such additional restrictions and shall not disclose Covered Entity’s PHI in violation of such additional restrictions.
b. Remuneration for PHI. Business Associate may not disclose PHI if Business Associate receives remuneration, directly or indirectly, from or on behalf of the recipient of the PHI, in exchange for the PHI unless such remuneration complies with Privacy and Security Laws, including, but not limited to, the provisions of 45 C.F.R. 164.502(a)(5)(ii) and applicable state law.
c. Marketing. Business Associate may not use or disclose PHI for marketing purposes, as that term is defined at 45 C.F.R. 164.501, unless such use or disclosure complies with Privacy and Security Laws, including, but not limited to, 45 C.F.R. 164.508 and applicable state law.
d. Other Restrictions. Business Associate may not use genetic information for underwriting purposes or engage in any other restricted uses or disclosures set forth under 45 C.F.R. 164.502.
4. Limited Data Sets. Covered Entity and Business Associate agree to limit, to the extent practical and except as permitted by 45 C.F.R. 164.502(b)(2), their uses, disclosures and requests of PHI under this Agreement to a Limited Data Set (as defined in 45 C.F.R. 164.514(e)(2)) or, if needed by Covered Entity or Business Associate, to the minimum necessary PHI to accomplish the intended purpose of such use, disclosure or request.
5. Safeguards, Reporting, Mitigation and Enforcement.
a. Safeguards/Training. Business Associate shall implement appropriate safeguards and comply with 45 C.F.R. Chapter 164, Subpart C, with respect to electronic PHI to prevent the use or disclosure of PHI except as permitted by the Agreement and the Privacy and Security Laws. Such safeguards include, but are not limited to, the performance of a risk assessment of data vulnerability, taking steps to address those vulnerabilities; the timely provision of workforce training related to the Privacy and Security Laws (including any applicable state law); and a policy/process for sanctioning individuals, including subcontractors, that fail to comply with this Agreement, Business Associate’s privacy policies, or the Privacy and Security Laws.
b. Business Associate’s Agents. Business Associate shall ensure that any agents, including subcontractors, to whom it provides PHI received from, or created or received by Business Associate on behalf of, Covered Entity agree in writing to be bound by the same or substantially similar restrictions and conditions that apply to Business Associate under this Agreement, including implementation of reasonable and appropriate safeguards to protect such PHI.
c. Reporting. Business Associate shall, as soon as practical but not more than ten (10) business days after becoming aware of any security incident or use or disclosure of Covered Entity’s PHI in violation of this Agreement, submit a written report of any such use or disclosure to Covered Entity, detailing the circumstances surrounding the event. If Business Associate becomes aware of a practice of its subcontractor or agent that constitutes a material breach of this Agreement or a violation of the Privacy and Security Laws, Business Associate shall take steps to cure the breach or end the violation. Business Associate shall promptly notify Covered Entity of such breach or violation within ten (10) business days of becoming aware of such violation.
d. Breach of Unsecured PHI. With the exception of law enforcement delays that satisfy the requirements under 45 C.F.R. 164.412 or as otherwise required by applicable State law, Business Associate shall submit a written report of a Breach of Unsecured PHI without unreasonable delay and in no case later than five (5) business days of discovery of such Breach. Such notice must include, to the extent possible, the name of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed. Business Associate shall also provide, to the extent possible, any other information that Covered Entity is required to include in its notification to individuals under 45 C.F.R. 164.404(c), to the media under 45 C.F.R. 164.406, and to the Secretary of the United States Department of Health and Human Services (“Secretary”) under 45 C.F.R. 164.408 at the time of Business Associate’s notification to Covered Entity or promptly thereafter as such information becomes available. A Breach of Unsecured PHI shall be “discovered” by Business Associate as of the first day on which such Breach is known to Business Associate (including any person, other than the individual committing the Breach, who is an employee, officer, or other agent of Business Associate) or should reasonably have been known to Business Associate with the exercise of reasonable diligence. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).
e. Mitigation. Business Associate shall have procedures in place to mitigate, to the maximum extent practicable, any deleterious effect from any use or disclosure of Covered Entity’s PHI in violation of this Agreement, the Privacy and Security Laws, or other applicable law. Such mitigation may include, but shall not be limited to, implementation of measures to stop such disclosure and to prevent future occurrences, obtaining identity theft insurance or other similar protections.
f. Covered Entity’s Rights of Access and Inspection. From time to time upon reasonable notice, or upon reasonable determination by Covered Entity that Business Associate has breached this Agreement, Covered Entity may inspect Business Associate’s facilities, policies, books, records and other applicable reports related to Covered Entity’s PHI as necessary to demonstrate Business Associate’s compliance with this Agreement and the Privacy and Security Laws. The fact that Covered Entity inspects, or fails to inspect, or has the right to inspect Business Associate’s facilities, systems and procedures does not relieve Business Associate of its responsibility to comply with this Agreement.
g. United States Department of Health and Human Services. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of determining Covered Entity’s and/or Business Associate’s compliance with the Privacy and Security Laws. Business Associate shall notify Covered Entity of Business Associate’s receipt of such request for access, unless otherwise prohibited by law.
6. Obligation to Provide Access, Amendment and Accounting of PHI.
a. Access to PHI. Business Associate shall make available to Covered Entity, in the format, including electronic format if available, agreed upon by the Business Associate and the Covered Entity, PHI contained in a Designated Record Set held by Business Associate to allow Covered Entity to fulfill Covered Entity’s obligations to provide an individual access to, and copies of, the individual’s PHI under the Privacy and Security Laws. The Business Associate shall provide such information in the reasonably agreed upon format within ten (10) business days of Covered Entity’s request.
b. Amendment of PHI. Business Associate shall make available to Covered Entity PHI contained in a Designated Record Set held by Business Associate as Covered Entity may require to fulfill Covered Entity’s obligations to amend PHI in accordance with the Privacy and Security Laws. In addition, Business Associate shall, as directed by Covered Entity, incorporate any amendments to Covered Entity’s PHI into applicable records maintained by Business Associate within fifteen (15) business days of Business Associate’s receipt of the request.
c. Accounting of Disclosures of PHI.
(1) Record of Disclosures. Business Associate shall maintain a record of all disclosures of PHI received from, or created or received by Business Associate on behalf of Covered Entity in accordance with 45 C.F.R. 164.528. Business Associate is not required to account for disclosures that are excluded from the accounting requirements. Business Associate shall make this record available to Covered Entity within thirty (30) business days of the Covered Entity’s request.
(2) Disclosures from EHR for Treatment, Payment and Operations. To the extent that Business Associate uses or maintains an Electronic Health Record (“EHR”), or uses Covered Entity’s EHR, and a disclosure is made through such EHR, Business Associate shall also account for disclosures made for Treatment, Payment and/or Healthcare Operations (as such terms are defined by HIPAA) as required by 45 C.F.R. 164.528 or as otherwise required by the Privacy and Security Laws. Covered Entity is responsible for determining whether it has an EHR and confirming with Business Associate whether disclosures for carrying out the Covered Entity’s Treatment, Payment and/or Healthcare Operations require the Business Associate to make an appropriate accounting of the disclosure.
d. Responding to Requests From Individuals. In the event that any individual submits directly to the Business Associate a request for access to, amendment of PHI or for an accounting of PHI, the Business Associate shall notify Covered Entity within five (5) business days of receipt of such request. If Covered Entity notifies Business Associate that it needs information to respond to the request, Business Associate shall make the information available within the applicable time frames noted in this Section, paragraphs (a) – (c).
7. Material Breach, Enforcement and Termination.
a. Term. This Agreement shall become effective on the Effective Date noted above and shall continue unless or until the Agreement is terminated in accordance with the provisions of this Agreement, the Underlying Agreement between the parties terminates or the Business Associate has completed performance of the services in the Underlying Agreement, whichever is earlier.
b. Termination. Covered Entity may terminate this Agreement:
(1) immediately if Business Associate is named as a defendant in a criminal proceeding for a violation of any Privacy and Security Laws;
(2) immediately if a finding or stipulation that Business Associate has violated any of the Privacy and Security Laws, or other applicable laws, is made in any administrative or civil proceeding in which Business Associate has been joined;
(3) immediately upon completion of performance of the services in the Underlying Agreement; and
(4) pursuant to Sections 7(c), 7(d) or 9(d) of this Agreement.
c. Remedies. Upon one party's knowledge of a material breach by the other party, the non-breaching party shall either:
(1) provide an opportunity for the breaching party to cure the breach and end the violation or terminate this Agreement and the Underlying Agreement if the breaching party does not cure the breach or end the violation within five (5) business days of receipt of written notice from the non-breaching party; or
(2) immediately terminate this Agreement and the Underlying Agreement if, in Covered Entity’s sole discretion, the nature of the breach or violation is such that a cure is not possible.
d. Knowledge of Non-Compliance. Any non-compliance by Business Associate with this Agreement will automatically be considered a breach or violation of a material term of this Agreement if Business Associate knew of such non-compliance and failed to immediately take reasonable steps to cure the non-compliance.
8. Destruction/Return of PHI. Business Associate agrees that upon termination of this Agreement or the Underlying Agreement, for whatever reason, it will return or destroy Covered Entity’s PHI in compliance with 45 C.F.R. 164.504 (e) (2) (ii) (I).
a. Destruction and Return. Business Associate will return or destroy all PHI, if feasible, received from or created or received by it on behalf of Covered Entity which Business Associate maintains in any form, and retain no copies of such information, which for purposes of this Agreement includes any backup tapes, copies or recordings. Prior to doing so, Business Associate further agrees to recover any PHI in the possession of its subcontractors or agents. An authorized representative of Business Associate shall, upon request of Covered Entity, certify in writing to Covered Entity, within thirty (30) days from the date of termination or other expiration of the Underlying Agreement, that all PHI has been returned or disposed of as provided above and that Business Associate no longer retains any such PHI in any form. Business Associate shall obtain similar certifications from its subcontractors with access to Covered Entity’s PHI.
b. Destruction/Return Not Feasible. If it is not feasible for Business Associate, or one of its subcontractors or agents, to return or destroy said PHI, Business Associate will notify the Covered Entity in writing. The notification shall include a statement that the Business Associate has determined that it is infeasible to return or destroy the PHI in its possession, and the specific reasons for such determination. Business Associate shall extend, and shall require its subcontractors and agents to agree to extend, any and all protections, limitations and restrictions contained in this Agreement to any PHI retained by Business Associate or its subcontractor, as applicable, after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible.
9. Miscellaneous Terms.
a. State Law. Nothing in this Agreement shall be construed to require Business Associate to use or disclose PHI without written authorization from an individual who is the subject of the PHI, or written authorization from any other person, where such authorization would be required under State law for such use or disclosure.
b. Minimum Necessary. Business Associate will disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted under this Agreement or the Underlying Agreement. Covered Entity shall disclose to Business Associate only the minimum information necessary to carry out the Services.
c. Conflicts. To the extent that any provision of this Agreement conflicts with the provisions of any other agreement or understanding between the parties, this Agreement shall control.
d. Amendment. Covered Entity and Business Associate agree to enter into good faith negotiations to amend this Agreement to come into compliance with changes in state and federal laws and regulations relating to the privacy, security and confidentiality of PHI. Covered Entity may terminate this Agreement, upon written notice to the other party, in the event that the parties are not able to reach an agreement, within thirty (30) days of beginning such negotiations, that is sufficient to ensure that the parties will be able to comply with such laws and regulations.
e. Notices. Any notices to be given hereunder to a party shall be made via certified or registered mail or express courier to such party’s address given below, and/or delivered in person. Notice shall be deemed to be delivered and received: (i) if personally delivered or delivered by courier, at the time the notice is received by the party, or (ii) if by mail, at the close of the third business day following the day the notice was placed in the mail.
To Business Associate:
Pedia IQ, LLC
8920 Eves Road
Box 768381
Roswell, GA 30076
Attention: Rebecca Marshall, Ph.D.
With a copy to:
Gray Reed & McGraw, P.C.
1601 Elm Street, Suite 4600
Dallas, TX 75201
Attention: Ruth Ann Daniels
This Business Associate Agreement (“Agreement”) is made and entered into effective as of [Effective Date], by and between [Company] (“Covered Entity”) and Pedia IQ, LLC, a Georgia limited liability company (“Business Associate”).
RECITALS
WHEREAS, Covered Entity possesses Protected Health Information (“PHI”) that is protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (collectively “HIPAA”), State Privacy Laws, and the rules and regulations issued pursuant to these state and Federal laws, (collectively, the “Privacy and Security Laws”);
WHEREAS, Covered Entity wishes to enter into a business relationship with Business Associate to perform mental health and learning disability screening tests (the “Services”) on behalf of Covered Entity pursuant to an underlying agreement (“Underlying Agreement”);
WHEREAS, in order to provide the Services, Business Associate will access, receive, maintain, create and/or transmit PHI on behalf of Covered Entity; and
WHEREAS, Covered Entity and Business Associate wish to enter into this Agreement to set forth the terms and conditions applicable to the use and disclosure of such PHI in compliance with the Privacy and Security Laws.
NOW THEREFORE, Covered Entity and Business Associate agree as follows:
1. Definitions. The parties agree that the following terms, when used in this Agreement, shall have the following meanings, provided that the terms set forth below shall be deemed to be modified to reflect any changes made to such terms from time to time under the Privacy and Security Laws. All capitalized terms used in this Agreement but not defined below shall have the meaning assigned to them under the HIPAA Regulations.
a. “Breach” shall have the meaning given such terms under 45 C.F.R. 164.402 as such regulation is revised from time to time.
b. “Business Associate” means,
(1) With respect to Covered Entity, a person who:
(a) On behalf of such covered entity or of an Organized Health Care Arrangement (“OHCA”) (as defined under HIPAA) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or OHCA, creates, receives, maintains, or transmits PHI for a function or activity regulated by the Privacy and Security Laws, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, Client safety activities listed at 42 C.F.R. 3.20, billing, benefit management, Company management, and repricing; or
(b) Provides, other than in the capacity of a member of the workforce of such Covered Entity, legal, actuarial, accounting, consulting, data aggregation (as defined in 45 C.F.R. 164.501), management, administrative, accreditation, or financial services to or for Covered Entity, or to or for an OHCA in which the Covered Entity participates, where the provision of the service involves the disclosure of PHI from such Covered Entity or Arrangement, or from another business associate of such Covered Entity or OHCA, to the person.
(2) Business Associate also includes a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI and that requires access on a routine basis to such PHI; a person that offers a personal health record to one or more individuals on behalf Covered Entity; and a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate.
c. “Data Aggregation” means, with respect to PHI created or received by a Business Associate in its capacity as the Business Associate of a Covered Entity, the combining of such PHI by the Business Associate with the PHI received by the Business Associate in its capacity as a Business Associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
d. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
e. “HIPAA Regulations” means the regulations promulgated under HIPAA by the United States Department of Health and Human Services, including, but not limited to, 45 C.F.R. Part 160 and 45 C.F.R. Part 164 subparts A and E (“The Privacy Rule”) and the Security Standards as they may be amended from time to time, 45 C.F.R. Parts 160, 162 and 164, Subpart C (“The Security Rule”).
f. “HITECH Act” means the provisions of Division A, Title XIII of the American Recovery and Reinvestment Act of 2009 (“ARRA”), known as The Health Information Technology for Economic and Clinical Health, Act 42 U.S.C. §3000 et. seq., and rules, regulations and guidance issued pursuant thereto.
g. “Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, and;
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(a) that identifies the individual; or
(b) with respect to which there is a reasonable cause to believe the information can be used to identify the individual.
h. “Privacy and Security Laws” means collectively HIPAA, the HITECH Act and all regulations, rules, and guidance issued pursuant to HIPAA, the HITECH Act, and the applicable State Privacy Laws.
i. “Protected Health Information” or “PHI” means individually identifiable health information that is: transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI does not include individually identifiable health information that is included in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), or employment records held by a covered entity in its role as employer, and it does not include information regarding a person who has been deceased for more than 50 years.
j. “Required by Law” shall have the meaning set forth in 45 C.F.R. 164.103.
k. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in an information system, but does not include minor incidents that occur on a daily basis, such as scans, “pings”, or unsuccessful random attempts to penetrate computer networks or servers maintained by Business Associate.
l. “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified in the guidance issued under Section 13402(h)(2) of the HITECH Act on the HHS Web site.
m. Capitalized terms not defined herein shall have the meaning assigned under HIPAA or the applicable State Privacy Laws as applicable.
2. Permitted Uses and Disclosures. Business Associate shall not use or disclose PHI it receives from, maintains, or creates on behalf of the Covered Entity except as permitted or required under this Agreement or as Required by Law.
a. Performance of Services. Business Associate may use and disclose PHI received from, or created or received on behalf of, Covered Entity in connection with the performance of the Services contracted for in the Underlying Agreement provided that such use or disclosure would not violate the Privacy Rule if done by the Covered Entity.
b. Proper Management and Administration of Business Associate. Business Associate may use PHI received by Business Associate in its capacity as Business Associate of Covered Entity for the proper management and administration of Business Associate in connection with the performance of Services in the Underlying Agreement and as otherwise permitted by this Agreement.
Business Associate may disclose Covered Entity’s PHI for such proper management and administration of Business Associate, to carry out the legal responsibilities of Business Associate, and as otherwise permitted by this Agreement if (1) such disclosure is Required by Law, or (2) Business Associate obtains reasonable assurances, in writing, from the person to whom the PHI is disclosed that: (i) the PHI will be held confidentially, used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; (ii) the person otherwise agrees to the same restrictions and conditions that apply to Business Associate with respect to such PHI; and (iii) the person will notify Business Associate of any instances of which the person becomes aware in which the confidentiality of the PHI has been breached.
c. Data Aggregation. Business Associate may use and disclose PHI received by Business Associate in its capacity as Business Associate of Covered Entity to provide Data Aggregation services relating to the health care operations of Covered Entity only with Covered Entity’s prior permission.
d. Disclosures Required By Law. Business Associate may make such disclosures as are Required by Law. To the extent permitted by law, Business Associate shall provide Covered Entity with copies of any documents Business Associate is required to disclose under this Section 2(d).
3. Prohibited Uses and Disclosures.
a. Restrictions Agreed to by Covered Entity. If Covered Entity notifies Business Associate that Covered Entity has agreed to be bound by additional restrictions on the uses or disclosures of Covered Entity’s PHI pursuant to 45 C.F.R. 164.502(c), Business Associate shall, within fifteen (15) business days of receipt of written notice, implement and be bound by such additional restrictions and shall not use or disclose Covered Entity’s PHI in violation of such additional restrictions.
b. Remuneration for PHI. Business Associate may not disclose PHI if Business Associate receives remuneration, directly or indirectly, from or on behalf of the recipient of the PHI, in exchange for the PHI unless such remuneration complies with Privacy and Security Laws, including, but not limited to, the provisions of 45 C.F.R. 164.502(a)(5)(ii) and applicable state law.
c. Marketing. Business Associate may not use or disclose PHI for marketing purposes, as that term is defined at 45 C.F.R. 164.501, unless such use or disclosure complies with Privacy and Security Laws, including, but not limited to, 45 C.F.R. 164.508 and applicable state law.
d. Other Restrictions. Business Associate may not use genetic information for underwriting purposes or engage in any other restricted uses or disclosures set forth under 45 C.F.R. 164.502.
4. Limited Data Sets. Covered Entity and Business Associate agree to limit, to the extent practical and except as permitted by 45 C.F.R. 164.502(b)(2), their uses, disclosures and requests of PHI under this Agreement to a Limited Data Set (as defined in 45 C.F.R. 164.514(e)(2)) or, if needed by Covered Entity or Business Associate, to the minimum necessary PHI to accomplish the intended purpose of such use, disclosure or request.
5. Safeguards, Reporting, Mitigation and Enforcement.
a. Safeguards/Training. Business Associate shall implement appropriate safeguards and comply with 45 C.F.R. Part 164, Subpart C, with respect to electronic PHI, to prevent the use or disclosure of PHI except as permitted by this Agreement and the Privacy and Security Laws. Such safeguards include, but are not limited to: the performance of a risk assessment of data vulnerability and the taking of steps to address the vulnerabilities identified; the timely provision of workforce training related to the Privacy and Security Laws (including any applicable state law); and a policy and process for sanctioning individuals, including subcontractors, who fail to comply with this Agreement, Business Associate’s privacy policies, or the Privacy and Security Laws.
b. Business Associate’s Agents. Business Associate shall ensure that any agents, including subcontractors, to whom it provides PHI received from, or created or received by Business Associate on behalf of, Covered Entity agree in writing to be bound by the same or substantially similar restrictions and conditions that apply to Business Associate under this Agreement, including implementation of reasonable and appropriate safeguards to protect such PHI.
c. Reporting. Business Associate shall, as soon as practical but not more than ten (10) business days after becoming aware of any Security Incident or any use or disclosure of Covered Entity’s PHI in violation of this Agreement, submit a written report of such incident, use or disclosure to Covered Entity, detailing the circumstances surrounding the event. If Business Associate becomes aware of a practice of its subcontractor or agent that constitutes a material breach of this Agreement or a violation of the Privacy and Security Laws, Business Associate shall take steps to cure the breach or end the violation, and shall notify Covered Entity of such breach or violation within ten (10) business days of becoming aware of it.
d. Breach of Unsecured PHI. With the exception of law enforcement delays that satisfy the requirements under 45 C.F.R. 164.412 or as otherwise required by applicable State law, Business Associate shall submit a written report of a Breach of Unsecured PHI without unreasonable delay and in no case later than five (5) business days of discovery of such Breach. Such notice must include, to the extent possible, the name of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed. Business Associate shall also provide, to the extent possible, any other information that Covered Entity is required to include in its notification to individuals under 45 C.F.R. 164.404(c), to the media under 45 C.F.R. 164.406, and to the Secretary of the United States Department of Health and Human Services (“Secretary”) under 45 C.F.R. 164.408 at the time of Business Associate’s notification to Covered Entity or promptly thereafter as such information becomes available. A Breach of Unsecured PHI shall be “discovered” by Business Associate as of the first day on which such Breach is known to Business Associate (including any person, other than the individual committing the Breach, who is an employee, officer, or other agent of Business Associate) or should reasonably have been known to Business Associate with the exercise of reasonable diligence. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).
e. Mitigation. Business Associate shall have procedures in place to mitigate, to the maximum extent practicable, any deleterious effect from any use or disclosure of Covered Entity’s PHI in violation of this Agreement, the Privacy and Security Laws, or other applicable law. Such mitigation may include, but shall not be limited to, implementation of measures to stop such disclosure and to prevent future occurrences, obtaining identity theft insurance or other similar protections.
f. Covered Entity’s Rights of Access and Inspection. From time to time, upon reasonable notice or upon reasonable determination by Covered Entity that Business Associate has breached this Agreement, Covered Entity may inspect Business Associate’s facilities, policies, books, records and other applicable reports related to Covered Entity’s PHI as necessary to demonstrate Business Associate’s compliance with this Agreement and the Privacy and Security Laws. The fact that Covered Entity inspects, or fails to inspect, or has the right to inspect Business Associate’s facilities, systems and procedures does not relieve Business Associate of its responsibility to comply with this Agreement.
g. United States Department of Health and Human Services. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of determining Covered Entity’s and/or Business Associate’s compliance with the Privacy and Security Laws. Business Associate shall notify Covered Entity of Business Associate’s receipt of any such request for access, unless otherwise prohibited by law.
6. Obligation to Provide Access, Amendment and Accounting of PHI.
a. Access to PHI. Business Associate shall make available to Covered Entity, in the format, including electronic format if available, agreed upon by the Business Associate and the Covered Entity, PHI contained in a Designated Record Set held by Business Associate to allow Covered Entity to fulfill Covered Entity’s obligations to provide an individual access to, and copies of, the individual’s PHI under the Privacy and Security Laws. The Business Associate shall provide such information in the reasonably agreed upon format within ten (10) business days of Covered Entity’s request.
b. Amendment of PHI. Business Associate shall make available to Covered Entity PHI contained in a Designated Record Set held by Business Associate as Covered Entity may require to fulfill Covered Entity’s obligations to amend PHI in accordance with the Privacy and Security Laws. In addition, Business Associate shall, as directed by Covered Entity, incorporate any amendments to Covered Entity’s PHI into applicable records maintained by Business Associate within fifteen (15) business days of Business Associate’s receipt of the request.
c. Accounting of Disclosures of PHI.
(1) Record of Disclosures. Business Associate shall maintain a record of all disclosures of PHI received from, or created or received by Business Associate on behalf of Covered Entity in accordance with 45 C.F.R. 164.528. Business Associate is not required to account for disclosures that are excluded from the accounting requirements. Business Associate shall make this record available to Covered Entity within thirty (30) business days of the Covered Entity’s request.
(2) Disclosures from EHR for Treatment, Payment and Operations. To the extent that Business Associate uses or maintains an Electronic Health Record (“EHR”), or uses Covered Entity’s EHR, and a disclosure is made through such EHR, Business Associate shall also account for disclosures made for Treatment, Payment and/or Healthcare Operations (as such terms are defined by HIPAA) as required by 45 C.F.R. 164.528 or as otherwise required by the Privacy and Security Laws. Covered Entity is responsible for determining whether it has an EHR and for confirming with Business Associate whether disclosures for carrying out Covered Entity’s Treatment, Payment and/or Healthcare Operations require Business Associate to make an appropriate accounting of the disclosure.
d. Responding to Requests From Individuals. In the event that any individual submits directly to Business Associate a request for access to or amendment of PHI, or for an accounting of disclosures of PHI, Business Associate shall notify Covered Entity within five (5) business days of receipt of such request. If Covered Entity notifies Business Associate that it needs information to respond to the request, Business Associate shall make the information available within the applicable time frames noted in paragraphs (a) through (c) of this Section.
7. Material Breach, Enforcement and Termination.
a. Term. This Agreement shall become effective on the Effective Date noted above and shall continue unless or until the Agreement is terminated in accordance with the provisions of this Agreement, the Underlying Agreement between the parties terminates or the Business Associate has completed performance of the services in the Underlying Agreement, whichever is earlier.
b. Termination. Covered Entity may terminate this Agreement:
(1) immediately if Business Associate is named as a defendant in a criminal proceeding for a violation of any Privacy and Security Laws;
(2) immediately if a finding or stipulation that Business Associate has violated any of the Privacy and Security Laws, or other applicable laws, is made in any administrative or civil proceeding in which Business Associate has been joined;
(3) immediately upon completion of performance of the services in the Underlying Agreement; and
(4) pursuant to Sections 7(c), 7(d) or 9(d) of this Agreement.
c. Remedies. Upon one party's knowledge of a material breach by the other party, the non-breaching party shall either:
(1) provide an opportunity for the breaching party to cure the breach and end the violation or terminate this Agreement and the Underlying Agreement if the breaching party does not cure the breach or end the violation within five (5) business days of receipt of written notice from the non-breaching party; or
(2) immediately terminate this Agreement and the Underlying Agreement if, in the non-breaching party’s sole discretion, the nature of the breach or violation is such that a cure is not possible.
d. Knowledge of Non-Compliance. Any non-compliance by Business Associate with this Agreement will automatically be considered a breach or violation of a material term of this Agreement if Business Associate knew of such non-compliance and failed to immediately take reasonable steps to cure the non-compliance.
8. Destruction/Return of PHI. Business Associate agrees that upon termination of this Agreement or the Underlying Agreement, for whatever reason, it will return or destroy Covered Entity’s PHI in compliance with 45 C.F.R. 164.504(e)(2)(ii)(J).
a. Destruction and Return. Business Associate will return or destroy, if feasible, all PHI received from, or created or received by it on behalf of, Covered Entity which Business Associate maintains in any form, and will retain no copies of such information (which, for purposes of this Agreement, includes any backup tapes, copies or recordings). Prior to doing so, Business Associate further agrees to recover any PHI in the possession of its subcontractors or agents. An authorized representative of Business Associate shall, upon request of Covered Entity, certify in writing to Covered Entity, within thirty (30) days from the date of termination or other expiration of the Underlying Agreement, that all PHI has been returned or disposed of as provided above and that Business Associate no longer retains any such PHI in any form. Business Associate shall obtain similar certifications from its subcontractors with access to Covered Entity’s PHI.
b. Destruction/Return Not Feasible. If it is not feasible for Business Associate, or one of its subcontractors or agents, to return or destroy said PHI, Business Associate will notify Covered Entity in writing. The notification shall include a statement that Business Associate has determined that it is infeasible to return or destroy the PHI in its possession, and the specific reasons for such determination. Business Associate shall extend, and shall require its subcontractors and agents to agree to extend, any and all protections, limitations and restrictions contained in this Agreement to any PHI retained by Business Associate or its subcontractor, as applicable, after the termination of this Agreement, and shall limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible.
9. Miscellaneous Terms.
a. State Law. Nothing in this Agreement shall be construed to require Business Associate to use or disclose PHI without written authorization from an individual who is the subject of the PHI, or written authorization from any other person, where such authorization would be required under State law for such use or disclosure.
b. Minimum Necessary. Business Associate will disclose to its subcontractors, agents or other third parties, and request from Covered Entity, only the minimum PHI necessary to perform or fulfill a specific function required or permitted under this Agreement or the Underlying Agreement. Covered Entity shall disclose to Business Associate only the minimum information necessary to carry out the Services.
c. Conflicts. To the extent that any provision of this Agreement conflicts with the provisions of any other agreement or understanding between the parties, this Agreement shall control.
d. Amendment. Covered Entity and Business Associate agree to enter into good faith negotiations to amend this Agreement to come into compliance with changes in state and federal laws and regulations relating to the privacy, security and confidentiality of PHI. Covered Entity may terminate this Agreement, upon written notice to the other party, in the event that the parties are not able to reach an agreement, within thirty (30) days of beginning such negotiations, that is sufficient to ensure that the parties will be able to comply with such laws and regulations.
e. Notices. Any notices to be given hereunder to a party shall be made via certified or registered mail or express courier to such party’s address given below, and/or delivered in person. Notice shall be deemed to be delivered and received: (i) if personally delivered or delivered by courier, at the time the notice is received by the party, or (ii) if by mail, at the close of the third business day following the day the notice was placed in the mail.
To Business Associate:
Pedia IQ, LLC
8920 Eves Road
Box 768381
Roswell, GA 30076
Attention: Rebecca Marshall, Ph.D.
With a copy to:
Gray Reed & McGraw, P.C.
1601 Elm Street, Suite 4600
Dallas, TX 75201
Attention: Ruth Ann Daniels