This Agreement is entered into by and between You, hereinafter referred to as “Customer” and M.D. On-Line, Inc., hereinafter referred to as “Business Associate”, (individually, a “Party” and collectively, the “Parties”).
RECITALS
WHEREAS, Business Associate now and in the future may have relationships with Customer in which Business Associate is entrusted with confidential patient information for use in providing services or products to Customer; and
WHEREAS, Business Associate and Customer (each a “Party” and collectively the “Parties”) desire to meet their obligations under the Health Insurance Portability and Accountability Act of 1996 and its related regulations (“HIPAA”); and
WHEREAS, the Secretary of Health and Human Services issued regulations modifying 45 CFR Parts 160 and 164 (the “HIPAA Security and Privacy Rule”); and
WHEREAS, the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) pursuant to Title XIII of Division A and Title IV of Division B, called the “Health Information Technology for Economic and Clinical Health (“HITECH”) Act” provides modifications to the HIPAA Security and Privacy Rule (hereinafter, all references to the “HIPAA Security and Privacy Rule” are deemed to include all amendments to such rule contained in the HITECH Act and any accompanying regulations, and any other subsequently adopted amendments or regulations); and
WHEREAS, both Parties desire to make technical and procedural arrangements to assure that their business relationships meet these regulatory requirements on or before their respective compliance dates; and
WHEREAS, Business Associate may have access to Protected Health Information (as defined below) in fulfilling its responsibilities under the business relationship with Customer;
NOW THEREFORE, in consideration of the Parties’ ongoing business relationship, compliance with the HIPAA Security and Privacy Rule, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereby agree to the provisions of this Agreement in order to address the requirements of the HIPAA Security and Privacy Rule and to protect the interests of both Parties:
I. DEFINITIONS
Except as otherwise defined herein, any and all capitalized terms in this Agreement shall have the definitions set forth in the HIPAA Security and Privacy Rule. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Security and Privacy Rule, as amended, the HIPAA Security and Privacy Rule shall control. Where provisions of this Agreement are different than those mandated in the HIPAA Security and Privacy Rule but are nonetheless permitted by the HIPAA Security and Privacy Rule, the provisions of this Agreement shall control.
The term “Protected Health Information” means individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. “Protected Health Information” includes, without limitation, “Electronic Protected Health Information” as defined below.
The term “Electronic Protected Health Information” means Protected Health Information which is transmitted by Electronic Media (as defined in the HIPAA Security and Privacy Rule) or maintained in Electronic Media.
Business Associate acknowledges and agrees that all Protected Health Information that is created or received by Customer and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Customer or its operating units to Business Associate or is created or received by Business Associate on Customer’s behalf shall be subject to this Agreement.
II. PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
2.1 Services. Business Associate provides services (which may include transaction services as well as servicing software products) (“Services”) that involve the use and/or disclosure of Protected Health Information. These Services are provided to Customer under one or more various agreements (each, a “Service Agreement” and collectively, the “Service Agreements”) that specify the Services to be provided by Business Associate. Except as otherwise specified herein and to the extent consistent with the HIPAA Security and Privacy Rule, Business Associate may make any and all uses of Protected Health Information created by or received from or on behalf of Customer necessary to perform its obligations under the Service Agreement(s); provided, however, that all other uses and disclosures not authorized by this Agreement, the applicable Service Agreement(s), or other written instructions from Customer, are prohibited. Moreover, Business Associate may disclose Protected Health Information created by or received from or on behalf of Customer for the purposes authorized by this Agreement only (i) to its employees, subcontractors and agents in accordance with Section 3.1(b) below, (ii) as directed in writing by Customer (so long as consistent with this Agreement and the HIPAA Security and Privacy Rule), or (iii) as otherwise permitted by the terms of this Agreement including, but not limited to, Section 2.2 and Section 2.3 below. Additionally, Business Associate agrees to use or disclose Protected Health Information created by or received from or on behalf of Customer solely as would be permitted by the HIPAA Security and Privacy Rule if such use or disclosure were made by Customer.
2.2 Data Analysis. Business Associate may:
(a) with prior written notice to Customer, use, analyze, and disclose the Protected Health Information created by or received from or on behalf of Customer that is in its possession for the public health activities and purposes set forth at 45 C.F.R. § 164.512(b);
(b) aggregate the Protected Health Information in its possession with the Protected Health Information of other customers and covered entities that Business Associate has in its possession through its capacity as a business associate to such other entities, provided that the purpose of such aggregation is to provide Customer with data analyses relating to the Health Care Operations of Customer. Periodically, Business Associate will notify Customer of opportunities for such analyses and, provided that Customer does not decline to participate, Business Associate will promptly furnish the results of such analysis to Customer. Customer also may propose analyses that would be useful for its purposes and, to the extent reasonable and permissible by law and its agreements with other covered entities, Business Associate will attempt to prepare such analyses; and
(c) use, analyze, and/or aggregate the Protected Health Information created by or received from or on behalf of Customer that is in its possession to provide Customer with targeted messages relevant to Customer's practice and its patients, including but not limited to messages regarding product manufacturer-sponsored disease education, product education, diagnosis/procedure codes, patient reminder information, and insurance information.
2.3 Business Activities of Business Associate. Unless otherwise limited herein and subject to the HIPAA Security and Privacy Rule requirements, Business Associate may:
(a) use the Protected Health Information in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of Business Associate;
(b) disclose the Protected Health Information in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of Business Associate, provided that (i) the disclosures are “required by law,” as defined in 45 C.F.R. § 164.103 or (ii) Business Associate has received from the third party written assurances regarding its confidential handling of such Protected Health Information as required under 45 C.F.R. § 164.504(e)(4); and
(c) de-identify any and all Protected Health Information provided that Business Associate implements de-identification criteria in accord with 45 C.F.R. § 164.514(b). De-identified information does not constitute Protected Health Information and is not subject to the terms of this Agreement; such de-identified information may include information about Customer.
III. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION
3.1 Responsibilities of Business Associate. With regard to its use and/or disclosure of Protected Health Information created by or received from or on behalf of Customer, Business Associate agrees as follows:
(a) Business Associate will use and/or disclose the Protected Health Information only (1) as permitted or required by this Agreement or as otherwise required by applicable law, rule or regulation, or by accrediting or credentialing organization to whom Customer is required to disclose such information; or (2) as otherwise permitted under this Agreement, the Services Agreement(s) (if consistent with this Agreement and the HIPAA Security and Privacy Rule), or the HIPAA Security and Privacy Rule, and (3) as would be permitted by the HIPAA Security and Privacy Rule if such use or disclosure were made by Customer. All such uses and disclosures shall be subject to the limits set forth in 45 CFR § 164.514 regarding limited data sets and 45 CFR § 164.502(b) regarding the minimum necessary requirements;
(b) Business Associate will ensure that its agents, including subcontractors, to whom it provides Protected Health Information received from or created by Business Associate on behalf of Customer, agree to the same restrictions and conditions that apply to Business Associate with respect to such information, and agree to implement reasonable and appropriate safeguards to protect any of such information which is Electronic Protected Health Information. In addition, Business Associate agrees to take reasonable steps to ensure that its employees’ actions or omissions do not cause Business Associate to breach the terms of this Agreement;
(c) Business Associate, following the discovery of a breach of unsecured PHI, as defined in the HITECH Act or accompanying regulations, will notify the Customer of such breach pursuant to the terms of 45 CFR § 164.410 and cooperate in the Customer’s breach analysis procedures, including risk assessment, if requested. A breach shall be treated as discovered by Business Associate as of the first day on which such breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate will provide such notification to Customer without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the breach. Such notification will contain the elements required in 45 CFR § 164.410;
(d) Business Associate, pursuant to the HITECH Act and its implementing regulations, will comply with all additional applicable requirements of the Privacy Rule, including those contained in 45 CFR §§ 164.502(e) and 164.504(e)(1)(ii), at such time as the requirements are applicable to Business Associate. Business Associate will not directly or indirectly receive remuneration in exchange for any PHI, subject to the exceptions contained in the HITECH Act, without a valid authorization from the applicable individual. Business Associate will not engage in any communication which might be deemed to be “marketing” under the HITECH Act. In addition, Business Associate will, pursuant to the HITECH Act and its implementing regulations, comply with all applicable requirements of the Security Rule, contained in 45 CFR §§ 164.308, 164.310, 164.312 and 164.316, at such time as the requirements are applicable to Business Associate.
(e) Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Customer as required by the HIPAA Security and Privacy Rule.
(f) The Secretary of Health and Human Services shall have the right to audit Business Associate’s records and practices related to use and disclosure of Protected Health Information to ensure Customer’s compliance with the terms of the HIPAA Security and Privacy Rule.
(g) Business Associate will report to Customer any use or disclosure of Protected Health Information which is not in compliance with the terms of this Agreement of which it becomes aware. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. For purposes of this Agreement, “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. In addition, Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.
(h) Business Associate agrees to comply with any requests for restrictions on certain disclosures of Protected Health Information pursuant to Section 164.522 of the HIPAA Security and Privacy Rule to which Customer has agreed and of which Business Associate is notified by Customer. Business Associate agrees to make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Security and Privacy Rule. If Business Associate maintains Protected Health Information electronically, it agrees to make such Protected Health Information electronically available to the applicable individual. Business Associate agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Security and Privacy Rule. In addition, Business Associate agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Security and Privacy Rule and Section 13405(c)(3) of the HITECH Act. Business Associate and Customer shall cooperate in providing any accounting required on a timely basis.
(i) Subject to Section 5.5 below, at the termination of this Agreement, the Services Agreement(s) (or any similar documentation of the business relationship of the Parties), or upon request of Customer, if feasible, Business Associate will return to Customer or destroy all Protected Health Information received from or created or received by it on behalf of Customer that is in its possession and retain no copies of such information; or if such return or destruction is not feasible, Business Associate will extend the protections of this Agreement to such information and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible.
3.2 Responsibilities of Customer. With regard to the use and/or disclosure of Protected Health Information by Business Associate, Customer agrees:
(a) to obtain any consent or authorization that may be required by 45 C.F.R. § 164.506, § 164.508, or applicable state law prior to furnishing Business Associate the Protected Health Information pertaining to an individual; and
(b) that it will not furnish Business Associate Protected Health Information that is subject to any arrangements permitted or required of the Customer under applicable regulations that may impact in any manner the use and/or disclosure of Protected Health Information by Business Associate under this Agreement and the Services Agreement(s), including, but not limited to, restrictions on use and/or disclosure of Protected Health Information as provided for in 45 C.F.R. § 164.522 and as agreed to by the Customer.
IV. REPRESENTATIONS AND WARRANTIES OF THE PARTIES
4.1 General Representations. Each Party represents and warrants to the other Party: (a) that all of its employees, agents, representatives and members of its workforce, whose services may be used to fulfill obligations under this Agreement are or shall be appropriately informed of the applicable terms of this Agreement and are under legal obligation to each Party, respectively, by contract or otherwise, sufficient to enable each Party to fully comply with all applicable provisions of this Agreement; (b) that it will reasonably cooperate with the other Party in the performance of the mutual obligations under this Agreement.
V. TERM AND TERMINATION
5.1 Term. This Agreement shall become effective on the Effective Date and shall continue in effect unless terminated as provided in this Agreement. In addition, certain provisions and requirements of this Agreement shall survive the expiration or termination of this Agreement in accordance with Section 6.4 herein.
5.2 Termination by Customer. Customer may immediately terminate this Agreement and any related Services Agreement(s) if Customer determines that Business Associate has breached a material term of this Agreement. If Customer reasonably believes that Business Associate will violate a material term of this Agreement and, where practicable, Customer gives written notice to Business Associate of such belief within a reasonable time after forming such belief, and Business Associate fails to provide adequate written assurances to Customer that it will not breach the cited term of this Agreement within a reasonable period of time given the specific circumstances, but in any event, before the threatened breach is to occur, then Customer shall have the right to terminate this Agreement and the Services Agreement(s) immediately.
5.3 Termination by Business Associate. Business Associate may immediately terminate this Agreement and any related Services Agreement(s) if Business Associate determines that Covered Entity has breached a material term of this Agreement. If Business Associate reasonably believes that Customer will violate a material term of this Agreement and, where practicable, Business Associate gives written notice to Customer of such belief within a reasonable time after forming such belief, and Customer fails to provide adequate written assurances to Business Associate that it will not breach the cited term of this Agreement within a reasonable period of time given the specific circumstances, but in any event, before the threatened breach is to occur, then Business Associate shall have the right to terminate this Agreement and the Services Agreement(s) immediately.
5.4 Automatic Termination. This Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of all Services Agreement(s) between Customer and Business Associate.
5.5 Effect of Termination. Upon the termination of this Agreement pursuant to this Section 5, Business Associate agrees to return or destroy within ten days all Protected Health Information identifiable to Customer, including such information in possession of Business Associate’s subcontractors. If return or destruction of said Protected Health Information is not feasible, Business Associate will notify Customer in writing. Said notification shall include: (i) a statement that Business Associate has determined that it is infeasible to return or destroy the Protected Health Information in its possession, and (ii) the specific reasons for such determination. Business Associate further agrees to extend any and all protections, limitations and restrictions contained in this Agreement to Business Associate’s use and/or disclosure of any Protected Health Information retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the Protected Health Information infeasible.
VI. MISCELLANEOUS
6.1 Entire Agreement. This Agreement constitutes the entire agreement of the Parties with respect to the Parties’ compliance with the HIPAA Security and Privacy Rule and supersedes all prior or contemporaneous written or oral memoranda, arrangements, contracts or understandings between the Parties hereto relating to same.
6.2 Severability; Change of Law. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. In addition, in the event a Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Security and Privacy Rule, including any then-current requirements of the HITECH Act or its regulations, such Party shall notify the other Party in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and amend the terms of this Agreement, if necessary to bring it into compliance. If, after such thirty-day period, the Agreement fails to comply with the HIPAA Security and Privacy Rule, including the HITECH Act, then either Party has the right to terminate upon written notice to the other Party, consistent with sections 5.5 and 6.4.
6.3 Construction of Terms. The terms of this Agreement shall be construed in light of any interpretation and/or guidance on the HIPAA Security and Privacy Rule and its related regulations issued by the Secretary of Health and Human Services from time to time.
6.4 Survival. Section 7 and this Section 6.4 shall survive termination of this Agreement. The respective rights and obligations of Business Associate and Customer under the provisions of Sections 3.1, 3.2, and 5.5, solely with respect to Protected Health Information Business Associate retains in accordance with Section 5.5 because it is not feasible to return or destroy such Protected Health Information, shall survive termination of this Agreement for so long as such information is retained.
6.5 Amendment; Waiver; No Third Party Beneficiaries. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. Except as expressly stated herein or the HIPAA Security and Privacy Rule, the Parties to this Agreement do not intend to create any rights in any third parties. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement.
6.6 Assignment. Neither Party shall have the right to assign, delegate, or otherwise transfer (“Transfer”) any or all of its rights and/or obligations under this Agreement to any third party without the other Party’s prior written consent. The foregoing notwithstanding, either Party shall have the unrestricted right to Transfer, upon prior written notice to the other Party, any or all of its rights and/or obligations under this Agreement to any parent, subsidiary, or other affiliate, or to any entity that is a successor in interest to any phase of such Party’s business. Any purported Transfer in violation of this provision shall be null and void and shall entitle the non-breaching Party to terminate this Agreement effective immediately upon notice to the breaching Party. This Agreement shall be binding upon and shall inure to the benefit of the Parties and their respective affiliates, successors and permitted assigns.
6.7 Notices. Any notices to be given hereunder to a Party shall be made via U.S. Mail or express courier to such Party’s address set forth in the Services Agreement(s) or in the manner set forth in the Services Agreement(s) between the Parties. Each Party may change its address and that of its representative for notice by the giving of notice thereof in the manner herein above provided.
VII. LIMITATION OF LIABILITY
NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND OR NATURE, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES.
VIII. GOVERNING LAW/FORUM
This Agreement and performance hereunder shall be governed by and construed in accordance with the laws of the State of New Jersey, exclusive of conflict of laws rules, and the federal law of the United States of America as applicable in the Courts of the State of New Jersey, and all disputes relating to or arising out of this Agreement are to be filed in the Supreme Court of New Jersey, venued only in Morris County, and both Customer and Business Associate hereby consent to such jurisdiction and waive any rights they may have to claim that such dispute is to be governed by the laws of another jurisdiction.
IX. EXECUTION AND EFFECTIVE DATE
This Agreement has been executed electronically by the duly authorized representative of Customer. By executing this Agreement, Customer agrees to the terms and conditions set forth herein. This Agreement reflects the terms and conditions under which Business Associate has conducted business since February 17, 2010 and amends and restates in its entirety effective as of such date any business associate agreement that may have been entered into between the Parties before today.