This BUSINESS ASSOCIATE AGREEMENT ("BA Agreement") supplements and is made a part of the existing Services Agreement (the "Services Agreement") provided by SLP Now®, LLC ("Business Associate" or "BA") to you ("Covered Entity" or "CE").
RECITALS
- CE wishes to disclose certain information to BA pursuant to the terms of this BA Agreement, some of which may constitute Protected Health Information ("PHI") and/or electronic Protected Health Information ("e-PHI").
- CE and BA intend to protect the privacy of PHI and e-PHI that may be Disclosed to or created, received, maintained, or transmitted by BA pursuant to the Services Agreement in compliance with applicable provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA") and regulations promulgated and amended thereunder by the U.S. Department of Health and Human Services ("HHS"), including those added pursuant to the American Recovery and Reinvestment Act of 2009, Title XIII - Health Information Technology for Economic and Clinical Health ("HITECH") and other applicable laws.
- The purpose of this BA Agreement is to satisfy certain standards and requirements of the Privacy Rule, including, but not limited to, Title 45 Sections 164.502(e) and 164.504(e) of the Code of Federal Regulations ("CFR"), the Security Rule, including but not limited to, 45 CFR §§ 164.308, 164.310, 164.312, and 164.316 (as required by HITECH), and the Breach Notification Rule, including but not limited to 45 CFR § 164.410, as the same may be amended from time to time, including as amended by the final rules published by HHS on January 25, 2013 titled "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules" (collectively "HIPAA Rules").
In consideration of the mutual promises below and the exchange of information pursuant to this BA Agreement, the parties agree as follows:
DEFINITIONS
Terms used, but not otherwise defined, in this BA Agreement shall have the same meaning as those terms in the HIPAA Rules. In the event of a conflict between the definitions in this BA Agreement and the definitions in the HIPAA Rules, the definitions in the HIPAA Rules shall be applied.
OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
- Compliance with Security Rule. BA will comply with the Security Rule with respect to e-PHI of the CE and will use appropriate administrative, technical, and physical safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of e-PHI that BA creates, receives, maintains or transmits on the CE's behalf.
- Compliance with Privacy Rule. BA will comply with the standards, requirements, and implementation specifications adopted under the Privacy Rule that apply to the BA with respect to the PHI of the CE. To the extent the BA is to carry out one or more of CE's obligations under the Privacy Rule, BA must comply with the requirements of the Privacy Rule that apply to CE in the performance of such obligations.
- Nondisclosure. BA shall not Use or Disclose CE's PHI otherwise than as specifically permitted or required by this BA Agreement or as Required by Law.
- Minimum Necessary. To the extent required by HITECH and the Privacy Rule, BA shall make reasonable efforts to Use, Disclose, or request PHI in a Limited Data Set, if practicable, and if not practicable, only in the minimum amount and to the minimum number of individuals necessary to achieve the purpose of the services being rendered to or on behalf of CE, except that BA shall not be obligated to comply with this minimum necessary limitation if neither BA nor CE is required to limit its Use, Disclosure, or request to the minimum necessary.
- Mitigation. BA shall mitigate, to the extent practicable, any harmful effect that is known to BA of a Use or Disclosure of PHI by BA in violation of the requirements of this BA Agreement.
- BA's Subcontractors. BA shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of the BA, agrees to the same restrictions and conditions that apply to BA through this BA Agreement with respect to such PHI.
- Access to PHI in a Designated Record Set. BA shall provide access to PHI in a Designated Record Set, at the request of CE, to CE or, as directed by CE, to an Individual in order to meet the requirements under 45 CFR § 164.524.
- Documentation of Disclosures. BA shall document such disclosures of PHI and information related to such disclosures as would be required for CE to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
- Accounting of Disclosures. BA shall provide to CE or, at the request of CE directly to an Individual, information collected in accordance with Section II.8 of this BA Agreement, to permit CE to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
- Amendment of PHI in a Designated Record Set. BA shall make any amendment(s) to PHI in a Designated Record Set that the CE directs or agrees to pursuant to 45 CFR § 164.526 at the request of CE or an Individual. This provision applies only to PHI received or created by BA pursuant to this BA Agreement, if BA possesses such PHI.
- Internal Practices. Unless prohibited by applicable legal privileges or unless it would violate BA's contractual or other obligations to CE, BA shall make its internal practices, books and records relating to the Use and Disclosure of PHI received from CE, or created or received by BA on behalf of CE, available to the Secretary, for purposes of the Secretary determining CE's or BA's compliance with the HIPAA Rules or HITECH Act.
- Prohibition on Sale of Records. BA shall not directly or indirectly receive remuneration (including non-financial benefits) in exchange for any PHI of the CE unless the CE or BA obtains from each affected Individual, in accordance with 45 CFR § 164.508, a valid authorization that states that the disclosure will result in remuneration to BA.
- Availability of Books and Records. BA shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created by BA on behalf of Covered Entity, available to the Secretary of the Department of Health and Human Services ("HHS") or any other officer or employee of HHS to whom the applicable authority has been delegated, as designated by HHS, for purposes of determining Covered Entity's compliance with the Privacy Rule.
PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
- Permitted Uses and Disclosures. Except as otherwise limited or explicitly permitted in this BA Agreement, BA may Use or Disclose PHI to perform functions, activities, or services for, or on behalf of CE as specified in the Services Agreement, provided such Use or Disclosure would not violate the Privacy Rule if done by the CE.
- Use for Management and Administration. Except as otherwise limited in this BA Agreement, BA may Use PHI for the proper management and administration of the BA or to carry out the legal responsibilities of the BA.
- Disclosure for Management and Administration. Except as otherwise limited in this BA Agreement, BA may Disclose PHI for the proper management and administration of the BA or to carry out the legal responsibilities of the BA, provided that:
- Disclosures are Required By Law; or
- BA obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and will be Used or further Disclosed only as Required By Law or for the purpose for which it was Disclosed to the person, and the person agrees to notify the BA of any instances of which it is aware in which the Confidentiality of PHI has been breached.
- Data Aggregation. Except as otherwise limited in this BA Agreement, BA may Use PHI to provide Data Aggregation services to CE relating to the health care operations of the CE.
- Report Violations of Law. Except as otherwise limited in this BA Agreement, BA may Use or Disclose PHI to report violations of law to appropriate Federal and State authorities consistent with 45 CFR § 164.502(j)(1).
- Business Associate shall promptly report to Covered Entity any Security Incident of which it becomes aware.
- Business Associate shall promptly notify Covered Entity of a Breach of Unsecured Protected Health Information. Business Associate's notification to Covered Entity hereunder shall: (i) be made to Covered Entity as soon as reasonably practical after discovery of the Breach, but no later than thirty (30) days after discovery; and (ii) include the date of the Breach, the date of discovery of the Breach, a description of the types of Unsecured Protected Health Information that were involved, the identity of the individuals whose Unsecured Protected Health Information has been, or is reasonably believed to have been, the subject of a Breach and any other information necessary to complete an assessment of the risk of harm to the individual or individuals.
- Covered Entity will be responsible to provide notification to individuals whose Unsecured Protected Health Information has been disclosed, as well as the Secretary and the media, as required by Section the HITECH Act and 45 C.F.R. §§ 164.400-414. Business Associate agrees to pay actual costs for notification and of any associated mitigation incurred by Covered Entity, such as credit monitoring, if Covered Entity determines that the Breach warrants such measures. Business Associate agrees to establish procedures to investigate the Breach, mitigate losses, and protect against any future Breaches, and to provide a description of these procedures and the specific findings of the investigation to Covered Entity in the time and manner reasonably requested by Covered Entity.
OBLIGATIONS OF COVERED ENTITY
- Notice of Limitations in Privacy Notice. CE shall notify BA of any limitations in the CE's notice of privacy practices that CE produces in accordance with 45 CFR § 164.520 to the extent such limitations may affect BA's Use or Disclosure of PHI.
- Changes in Authorization. CE shall notify BA in writing of any changes in, or revocation of authorization by Individual to Use or Disclose PHI, to the extent that such changes affect BA's Use or Disclosure of PHI.
- Notification of Restrictions. CE shall notify BA in writing of any restriction to the Use or Disclosure of PHI that CE has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect BA's Use or Disclosure of PHI. BA shall, upon receipt of written notification, not Disclose PHI that pertains solely to a health care item or service for which the health care provider has been paid out-of-pocket in full to any health plan for purposes of carrying out payment or health care operations.
- Minimum Necessary. To the extent required by HITECH and the Privacy Rule, CE shall make reasonable efforts to Disclose PHI to BA and request PHI from BA in a Limited Data Set, if practicable, and if not practicable, only in the minimum amount and to the minimum number of individuals necessary to achieve the purpose of the services being rendered to or on behalf of CE, except that CE shall not be obligated to comply with this minimum necessary limitation if neither BA nor CE is required to limit its Use, Disclosure, or request to the minimum necessary.
PERMISSIBLE REQUESTS BY COVERED ENTITY
- Requests by Covered Entity. Except as otherwise permitted in Section III of this BA Agreement for BA's proper management and administration, CE shall not request BA to Use or Disclose PHI in any manner that would not be permissible under the Privacy Rule if done by CE.
NOTIFICATION
- Reporting Unauthorized Uses or Disclosures and Security Incidents. BA agrees to notify CE of any Use or Disclosure of PHI by BA not permitted by this BA Agreement or any Security Incident that results in the unauthorized access, Use, or Disclosure of e-PHI of which BA becomes aware.
- Reporting Breaches of Unsecured Protected Health Information.
- BA agrees to notify CE of any Breach of Unsecured Protected Health Information without unreasonable delay, and in any event no later than sixty (60) calendar days after discovery of the Breach. The notice will include, to the extent possible:
- A brief description of how the Breach occurred;
- The date of the Breach;
- The date of discovery of the Breach;
- A description of the types of Unsecured PHI that were involved;
- Identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or Disclosed;
- A brief description of what BA is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against further Breaches; and
- Any other available information that CE is required to include in its notifications to affected Individuals.
- CE will be responsible for providing notification to Individuals whose Unsecured PHI has been breached, as well as the Secretary and the media, as required by § 13402 of HITECH, 42 U.S.C. § 17932 and 164 CFR §§ 404, 406, and 408.
TERM AND TERMINATION
- Term. The Term of this BA Agreement shall commence upon the Effective Date and shall terminate when all of the PHI provided by CE to BA, or created or received by BA on behalf of CE, is destroyed or returned to the CE, or if it is infeasible to return it or destroy PHI, protections are extended to such information in accordance with the termination provisions in this Section VII.
- Termination for Cause. Upon CE's knowledge of a material breach by BA, CE may either:
- provide an opportunity for BA to cure the breach or end the violation and if BA does not cure the breach or end the violation within the time specified by CE, terminate this BA Agreement and the Services Agreement; or
- immediately terminate this BA Agreement and the Services Agreement if BA has breached a material term of this BA Agreement and cure is not possible.
- Effect of Termination. Upon termination of this BA Agreement for any reason, BA, with respect to PHI received from CE, or created, maintained, or received by BA on behalf of CE, shall:
- Retain only that PHI which is necessary for BA to continue its proper management and administration or to carry out its legal responsibilities;
- Return to CE or destroy the remaining PHI that the BA still maintains in any form;
- Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to e-PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as BA retains the PHI;
- Not use or disclose the PHI retained by BA other than for the purposes for which such PHI was retained and subject to the same conditions set out at paragraphs (2) and (3) above under "Permitted Uses and Disclosures By Business Associate" which applied prior to termination; and
- Return to CE or destroy the PHI retained by BA when it is no longer needed by BA for its proper management and administration or to carry out its legal responsibilities.
This provision shall apply to all PHI, including PHI that is in the possession of Subcontractors of BA. BA shall retain no copies of the PHI.
AGREEMENT BY THIRD PARTIES
- Agreement by Third Parties. Business Associate shall ensure, to the extent required by law, that any of its agents, including, but not limited to, subcontractors, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agrees to substantially the same restrictions and conditions that apply to Business Associate under this Agreement with respect to such Protected Health Information, including the requirement to report security incidents and breaches. Should Business Associate subcontract any responsibilities to a subcontractor, Business Associate will ensure there is an agreement between the parties which ensures that the subcontractor adheres to all of the requirements within this Agreement. Business Associate shall be responsible for monitoring all Business Associate Agreements with their subcontractors.
MISCELLANEOUS
- Regulatory References. A reference in this BA Agreement to a section in the HIPAA Rules means the section as in effect or as amended, and for which compliance is required.
- Amendment. The Parties agree to take such action as is necessary to amend this BA Agreement from time to time for CE and BA to comply with the requirements of the HIPAA Rules.
- Survival. The respective rights and obligations of BA under Section VII of this BA Agreement shall survive the termination of this BA Agreement.
- Interpretation. This BA Agreement shall be interpreted as broadly as necessary to implement and comply with the HIPAA Rules and applicable state laws. The parties agree that any ambiguity in this BA Agreement shall be resolved in favor of a meaning that permits CE and BA to comply with the HIPAA Rules and applicable state laws.
- Entire Agreement; Effect on Services Agreement. This BA Agreement embodies the entire understanding of the parties in relation to the subject matter hereof and supersedes any prior agreement between the parties in relation to the subject matter hereof. Except as specifically required to implement the purposes of this BA Agreement, all terms of the Services Agreement shall remain in full force and effect. To the extent that any provision of this BA Agreement specifically conflicts with the terms of the Services Agreement, the provisions of this BA Agreement shall govern.
- No Third-Party Beneficiaries. Nothing in this BA Agreement shall be construed as creating any rights or benefits to any third parties.
- Indemnification. Each party hereby agrees to indemnify and hold the other party, and such other party's affiliates, officers, directors, members, employees and agents, harmless from and against any and all liability and costs, including reasonable attorneys' fees, arising from any non-permitted or violating use or disclosure of Protected Health Information or breach of this Agreement by such party, its agents or subcontractors. In no event shall either party be liable for indirect or consequential damages.
- Accuracy/Deletion of PII. Parents, teachers, or principals who seek to challenge the accuracy or request deletion of PII will do so by contacting the CE. If a correction to data is deemed necessary, the CE will notify BA. BA agrees to facilitate such corrections within 21 days of receiving the CE's written request.
- General Provisions.
- This Agreement shall be governed in all respects, whether as to validity, construction, capacity, performance or otherwise, by the laws of the State of Arizona and applicable federal law.
- All notices or communications required or permitted pursuant to the terms of this Agreement shall be in writing and will be delivered in person or by means of certified or registered mail, postage paid, return receipt requested, to such party at its address as set forth below, or such other person or address as such Party may specify by similar notice to the other party hereto, or by facsimile with a hard copy sent by mail with delivery on the next business day. All such notices will be deemed given upon delivery or delivered by hand, on the third business day after deposit with the U.S. Postal Service, and on the first business day after sending if by email.