This Business Associate Agreement (this “Agreement”) is entered into effective as of _______________________ (effective date), by and among _____________________________ (herein “Covered Entity”) and Privacy Data Systems, LLC (herein “Business Associate”) in order to comply with 45 C.F.R. §164.502(e) and §164.504(e), governing protected health information (“PHI”) and business associates under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191), 42 U.S.C. Section 1320d, et. seq., and regulations promulgated thereunder, as amended from time to time (statute and regulations hereafter collectively referred to as “HIPAA”) [Covered Entity and Business Associate may be referred to herein individually as a “Party” or collectively as the “Parties”].
§2. Use and Disclosure; Rights. Business Associate agrees that it shall not to use or disclose PHI except as permitted under this Agreement or as required by law. Business Associate acknowledges that this Agreement does not in any manner grant Business Associate any greater rights than Covered Entity enjoys, nor shall it be deemed to permit or authorize Business Associate to use or further disclose PHI in a manner that would otherwise violate the requirements of HIPAA if done by Covered Entity.
§3. Required or Permitted Uses. Business Associate agrees that it is not permitted to use or disclose PHI without an authorization or consent, if in accordance with 45 C.F.R. §164.506, §164.510, §164.512, §164.514(e), §164.514(f), §164.514(g), or as otherwise permitted or required by agreement or law. However, Business Associate may use PHI received in its capacity as a business associate to Covered Entity, if necessary, for Business Associate’s proper management and administration of its business or if the disclosure is required by law or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person and the person notifies Business Associate of any instances of which it is aware that the confidentiality of the information has been breached.
§4. Safeguards; Location. Business Associate agrees to develop and use appropriate procedural, physical, and electronic safeguards to prevent misuse of PHI other than as provided by this Agreement. Business Associate agrees to notify Covered Entity of the location of any PHI disclosed by Covered Entity or created by Business Associate on behalf of Covered Entity and held by or under the control of Business Associate or those to whom Business Associate has disclosed such PHI.
§5. Minimum Necessary. Business Associate must limit any use, disclosure, or request for use or disclosure to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request in accordance with the requirements of HIPAA. Business Associate represents that all uses, disclosures, and requests it will make shall be the minimum necessary in accordance with HIPAA requirements. Covered Entity may, pursuant to HIPAA, reasonably rely on any requested disclosure as the minimum necessary for the stated purpose when the information is requested by Business Associate. Business Associate acknowledges that if Business Associate is also a covered entity, as defined by HIPAA, Business Associate is required, independent of Business Associate’s obligations under this Agreement, to comply with the HIPAA minimum necessary requirements when making any request for PHI from Covered Entity.
§6. Records; Covered Entity Access. Business Associate shall maintain such records of PHI received from, or created or received on behalf of, Covered Entity and shall document subsequent uses and disclosures of such information by Business Associate as may be deemed necessary and appropriate in the sole discretion of Covered Entity. Business Associate shall provide the Covered Entity with reasonable access to examine and copy such records and documents of Business Associate during normal business hours. Business Associate agrees to fully cooperate in good faith with and to assist Covered Entity in complying with the requirements of HIPAA and any investigation of Covered Entity regarding compliance with HIPAA conducted by the U.S. Department of Health and Human Services (“DHHS”), Office of Civil Rights, or any other administrative or judicial body with jurisdiction.
§7. DHHS Access to Books, Records, and Other Information. Business Associate shall make available to DHHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity for purposes of determining the Covered Entity’s or Business Associate’s compliance with HIPAA.
§8. Designated Record Set; Individual Access. Business Associate shall maintain a designated record set, as defined by HIPAA, for each individual patient for which it has PHI. In accordance with an individual’s right to access to their own PHI under HIPAA, Business Associate shall make available all PHI in that designated record set to the individual to whom that information pertains, or such individual’s representative, all PHI in that designated record set, upon a request by such individual or such individual’s representative.
§9. Accounting. Business Associate shall make available PHI or any other information required to provide, or assist in preparing, an accounting of disclosures in accordance with HIPAA.
§10. Report of Improper Use or Disclosure. Business Associate shall report to Covered Entity any information of which it becomes aware concerning any use or disclosure of PHI that is not provided for by this Agreement.
§11. Amendment of and Access to PHI; Notification. Business Associate shall make available PHI for amendment and shall incorporate any amendments to PHI accordingly. Business Associate shall make reasonable efforts to notify persons, organizations, or other entities, including other business associates, known by Business Associate to have received the erroneous or incomplete information and who may have relied, or could foreseeably rely, on such information to the detriment of the individual patient. Business Associate must update this information when notified by Covered Entity.
§12. Termination Rights. Business Associate acknowledges and agrees that Covered Entity shall have the right to immediately terminate this Agreement in the event Business Associate fails to comply with HIPAA requirements concerning PHI and the above requirements. This Agreement authorizes Covered Entity to terminate the Agreement, if Covered Entity determines, in its sole discretion, that Business Associate has violated a material term of the Agreement required by HIPAA.
§13. Breach or Violation; Knowledge. If Covered Entity knows of a pattern of activity or practice of Business Associate that constitutes a material breach or violation of Business Associate’s obligations under this Agreement, Covered Entity shall take any steps reasonably necessary to cure such breach or end such violation, and, if such steps are unsuccessful, shall either (a) terminate this Agreement, if feasible, pursuant to §12, or (b) if termination is not feasible, report the breach or violation to DHHS. If Business Associate as a covered entity, defined by HIPAA, violates the terms and conditions of this Agreement in its capacity as a business associate of another covered entity, Business Associate will be in noncompliance with the standards, implementation specifications, and requirements of HIPAA.
§14. Return of PHI. Business Associate agrees that upon termination of this Agreement, and if feasible, Business Associate shall (a) return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains in any form and retain no copies of such information or, (b) if such return or destruction is not feasible, extend the protection of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
§15. Notices. All notices and other communications under this Agreement to any Party shall be in writing and shall be deemed given when delivered personally, telecopied (which is confirmed) to that Party at the telecopy number for that Party set forth at the end of this Agreement, mailed by certified mail (return receipt requested) to that Party at the address for that Party set forth at the end of this Agreement (or at such other address for such Party as such Party shall have specified in a notice to the other Parties), or delivered to Federal Express, UPS, or any similar express delivery service for delivery to that Party at that address.
§16. Non-Waiver. No failure by any Party to insist upon strict compliance with any term or provision of this Agreement, to exercise any option, to enforce any right, or to seek any remedy upon any default of any other Party shall affect, or constitute a waiver of, any Party’s right to insist upon such strict compliance, exercise that option, enforce that right, or seek that remedy with respect to that default or any prior, contemporaneous, or subsequent default. No custom or practice of the Parties at variance with any provision of this Agreement shall affect or constitute a waiver of, any Party’s right to demand strict compliance with all provisions of this Agreement.
§17. Gender and Numbers; Headings. Where permitted by the context, each pronoun used in this Agreement includes the same pronoun in other genders and numbers, and each noun used in this Agreement includes the same noun in other numbers. The headings of the various sections of this Agreement are not part of the context of this Agreement, are merely labels to assist in locating such sections, and shall be ignored in construing this Agreement.
§18. Counterparts. This Agreement may be executed in multiple counterparts, each of which shall be deemed to be an original, but all of which taken together shall constitute one and the same Agreement.
§19. Entire Agreement. This Agreement constitutes the entire agreement and supersedes all prior agreements and understandings, bot written and oral, among the Parties with respect to the subject matter of this Agreement.
§20. Binding Effect. This Agreement shall be binding upon, inure to the benefit of and be enforceable by and against the Parties and their respective heirs, personal representatives, successors, and assigns. Neither this Agreement nor any of the rights, interests or obligations under this Agreement shall be transferred or assigned by Business Associate without the prior written consent of Covered Entity.
§21. Severability; Governing Law. With respect to any provision of this Agreement finally determined by a court of competent jurisdiction to be unenforceable, such court shall have jurisdiction to reform such provision so that it is enforceable to the maximum extent permitted by applicable law, and the Parties shall abide by such court’s determination. In the event that any provision of this Agreement cannot be reformed, such provision shall be deemed to be severed from this Agreement, but every other provision of this Agreement shall remain in full force and effect. This Agreement shall be governed by and construed in accordance with the laws of the State of Indiana.
§22. Survival. All representations, covenants, and agreements in or under this Agreement or any other documents executed in connection with the transactions contemplated by this Agreement, shall survive the execution, delivery, and performance of this Agreement and such other documents.
§23. Further Assurances. Each Party shall execute, acknowledge or verify, and deliver any and all documents which may from time to time be reasonably requested by the other Party to carry out the purpose and intent of this Agreement. Acknowledged and agreed to by: