WHEREAS, Business Associate now and in the future may have relationships with Customer in which Business Associate is entrusted with confidential patient information for use in providing services or products to Customer.
WHEREAS, Business Associate and Customer (each a "Party" and collectively the "Parties") desire to meet their obligations under the Health Insurance Portability and Accountability Act of 1996 and its related regulations ("HIPAA"), and as may be applicable to the services rendered by Business Associate to Customer, under the Gramm-Leach-Bliley Act ("GLB") and implementing regulations.
WHEREAS, both Parties desire to make technical and procedural arrangements to assure that their business relationships meet these regulatory requirements on or before their respective compliance dates.
WHEREAS, both Parties desire to set forth the terms and conditions pursuant to which Protected Health Information that is provided by, or created or received by, Business Associate on behalf of Customer ("Protected Health Information"), will be handled between themselves and third parties.
NOW THEREFORE, in consideration of the foregoing and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:
TERMS AND CONDITIONS
1. PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
1.1 Services. Business Associate provides services (which may include transaction services as well as servicing software products) ("Services") that involve the use and/or disclosure of Protected Health Information. These Services are provided to Customer under various agreements ("Service Agreements") that specify the Services to be provided by Business Associate. Except as otherwise specified herein and subject to HIPAA requirements, Business Associate may make any and all uses of Protected Health Information created or received from or on behalf of Customer necessary to perform its obligations under the Service Agreements; provided, however, that all other uses not authorized by this Agreement, the applicable Service Agreement, or other written instructions from Customer, are prohibited. Moreover, Business Associate may disclose Protected Health Information for the purposes authorized by this Agreement only (i) to its employees, subcontractors and agents in accordance with Section 2.1(e) below, (ii) as directed in writing by Customer, or (iii) as otherwise permitted by the terms of this Agreement including, but not limited to, Section 1.2(a) and Section 1.3(b) below. Business Associate agrees that it will not use or disclose PHI in a manner which would violate HIPAA if similarly done by Covered Entity.
1.2 Data Analysis. Business Associate may:
(a) with prior written notice to Customer, use, analyze, and disclose the Protected Health Information in its possession for the public health activities and purposes set forth at 45 C.F.R. § 164.512(b); and
(b) aggregate the Protected Health Information in its possession with the Protected Health Information of other customers and covered entities that Business Associate has in its possession through its capacity as a business associate to such other entities, provided that the purpose of such aggregation is to provide Customer with data analyses relating to the Health Care Operations of Customer. Periodically, Business Associate will notify Customer of opportunities for such analyses and, provided that Customer does not decline to participate, Business Associate will promptly furnish the results of such analysis to Customer. Customer also may propose analyses that would be useful for its purposes and, to the extent reasonable and permissible by law and its agreements with other covered entities, Business Associate will attempt to prepare such analyses.
1.3 Business Activities of Business Associate. Unless otherwise limited herein and subject to HIPAA requirements, Business Associate may:
(a) use the Protected Health Information in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of Business Associate;
(b) disclose the Protected Health Information in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of Business Associate, provided that (i) the disclosures are "required by law," as defined in 45 C.F.R. § 164.103 or (ii) Business Associate has received from the third party written assurances regarding its confidential handling of such Protected Health Information as required under 45 C.F.R. § 164.504(e)(4); and
(c) de-identify any and all Protected Health Information provided that Business Associate implements de-identification criteria in accord with 45 C.F.R. § 164.514(b). De-identified information does not constitute Protected Health Information and is not subject to the terms of this Agreement; such de-identified information may include information about Customer.
2. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION
2.1 Responsibilities of Business Associate. With regard to its use and/or disclosure of Protected Health Information, Business Associate agrees to:
(a) use and/or disclose the Protected Health Information only as permitted or required by this Agreement or as otherwise required by law;
(b) report to the designated Privacy Officer of Customer, in writing, any use and/or disclosure of the Protected Health Information that is not permitted or required by this Agreement of which Business Associate becomes aware promptly upon Business Associate's discovery of such unauthorized use and/or disclosure;
(c) establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Protected Health Information that Business Associate reports to Customer or that Business Associate becomes aware of;
(d) use commercially reasonable efforts to maintain the security of the Protected Health Information and to prevent the unauthorized use and/or disclosure of such Protected Health Information, which shall in no event be less than the efforts Business Associate applies in protecting its own confidential business information. Without limiting the generality of the foregoing sentence, Business Associate will:
(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information as required by the HIPAA Security Regulations;
(ii) Ensure that any agent, including a subcontractor, to whom Business Associate provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect Electronic Protected Health Information; and
(iii) Report to Customer any security incident (as defined by the Security Regulations) of which Business Associate becomes aware;
(e) ensure that all of its subcontractors and agents that receive, use or have access to Protected Health Information under this Agreement agree to adhere to the same restrictions and conditions on the use and/or disclosure of Protected Health Information that apply to Business Associate pursuant to this Agreement and to provide adequate safeguards against improper use or disclosure;
(f) make available all internal practices, records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Secretary of HHS for purposes of determining Customer's compliance with the Privacy Regulation;
(g) document such disclosures of Protected Health Information and information related to such disclosures as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528, and provide to Customer or an Individual, in the time and manner designated by Customer, information collected in accordance with this paragraph, to permit Customer to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528; and
(h) subject to Section 4.5 below, return to Customer or destroy, within ten days of the termination of this Agreement, the Protected Health Information in its possession and retain no copies.
2.2 Responsibilities of Customer. With regard to the use and/or disclosure of Protected Health Information by Business Associate, Customer agrees:
(a) to obtain any consent or authorization that may be required by 45 C.F.R. § 164.506, § 164.508, or applicable state law prior to furnishing Business Associate the protected health information pertaining to an individual; and
(b) that it will not furnish Business Associate protected health information that is subject to any arrangements permitted or required of the Covered Entity under applicable regulations that may impact in any manner the use and/or disclosure of Protected Health Information by Business Associate under this Agreement and the Services Agreement(s), including, but not limited to, restrictions on use and/or disclosure of Protected Health Information as provided for in 45 C.F.R. § 164.522 and agreed to by the Covered Entity.
2.3 Responsibilities of the Parties with Respect to Designated Record Sets. This Section 2.3 applies only if, in the course of performing the Services, Business Associate maintains Designated Record Sets containing Protected Health Information.
(a) Subject to the provisions of HIPAA and its related regulations, Business Associate agrees to: (1) at the request of, and in the time and manner designated by Customer, provide access to the Protected Health Information to Customer, or the individual to whom such Protected Health Information relates, or his or her authorized representative, in order to satisfy a request by such individual under HIPAA; and (2) at the request of, and in the time and manner reasonably designated by Customer, make PHI available to Customer for amendment and incorporate any amendment(s) to the Protected Health Information that Customer directs.
3. REPRESENTATIONS AND WARRANTIES OF THE PARTIES
3.1 General Representations. Each Party represents and warrants to the other Party: (a) that all of its employees, agents, representatives and members of its workforce, whose services may be used to fulfill obligations under this Agreement are or shall be appropriately informed of the applicable terms of this Agreement and are under legal obligation to each Party, respectively, by contract or otherwise, sufficient to enable each Party to fully comply with all applicable provisions of this Agreement; (b) that it will reasonably cooperate with the other Party in the performance of the mutual obligations under this Agreement.
4. TERM AND TERMINATION
4.1 Term. This Agreement shall become effective on the Effective Date and shall continue in effect unless terminated as provided in this Agreement. In addition, certain provisions and requirements of this Agreement shall survive the expiration or termination of this Agreement in accordance with Section 5.4 herein.
4.2 Termination by Customer. As provided for under 45 C.F.R. § 164.504(e)(2)(iii), the Covered Entity may immediately terminate this Agreement and any related Services Agreements if the Covered Entity makes the determination that Business Associate has breached a material term of this Agreement. Alternatively, Covered Entity may choose to: (i) provide Business Associate with seven days written notice of the existence of an alleged material breach; and (ii) afford Business Associate an opportunity to cure said alleged material breach upon mutually agreeable terms. Failure to cure in the manner set forth in this Section 4.2 shall be grounds for the immediate termination of this Agreement.
4.3 Termination by Business Associate. Business Associate may immediately terminate this Agreement and any related Services Agreements if Business Associate makes the determination that Covered Entity has breached a material term of this Agreement. Alternatively, Business Associate may choose to: (i) provide Covered Entity with seven days written notice of the existence of an alleged material breach; and (ii) afford Covered Entity an opportunity to cure said alleged material breach upon mutually agreeable terms. Failure to cure in the manner set forth in this Section 4.3 shall be grounds for the immediate termination of this Agreement.
4.4 Automatic Termination. This Agreement will automatically terminate without any further action of the parties upon the termination or expiration of all Services Agreement(s) between Customer and Business Associate.
4.5 Effect of Termination. Upon the termination of this Agreement pursuant to this Section 4, Business Associate agrees to return or destroy within ten days all Protected Health Information identifiable to Customer, including such information in possession of Business Associate's subcontractors. If return or destruction of said Protected Health Information is not feasible, Business Associate will notify Customer in writing. Said notification shall include: (i) a statement that Business Associate has determined that it is infeasible to return or destroy the Protected Health Information in its possession, and (ii) the specific reasons for such determination. Business Associate further agrees to extend any and all protections, limitations and restrictions contained in this Agreement to Business Associate's use and/or disclosure of any Protected Health Information retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the Protected Health Information infeasible.
5.1 Entire Agreement. This Agreement constitutes the entire agreement of the Parties with respect to the Parties' compliance under the business associate provisions of 45 C.F.R. parts 160 and 164. This Agreement supersedes all prior or contemporaneous written or oral memoranda, arrangements, contracts or understandings between the Parties hereto relating to the Parties' compliance with the Parties' health information confidentiality and security obligations under 45 C.F.R. parts 160 through 164.
5.2 Change of Law. In the event of any amendment to any provision of HIPAA, or its implementing regulations set forth at 45 C.F.R. parts 160 through 164, which materially alters either Party's or both Parties' obligations under this Agreement, the Parties agree to negotiate in good faith mutually acceptable and appropriate amendment(s) to this Agreement to give effect to such revised obligations; provided, however, that if the Parties are unable to agree on mutually acceptable amendment(s) within 90 days of the relevant change of law, either Party may terminate this Agreement consistent with sections 4.5 and 5.4.
5.3 Construction of Terms. The terms of this Agreement shall be construed in light of any interpretation and/or guidance on HIPAA and its related regulations issued by HHS from time to time.
5.4 Survival. Section 6 and this Section 5.4 shall survive termination of this Agreement. The respective rights and obligations of Business Associate and Customer under the provisions of Sections 2.1, 2.2, and 4.5, solely with respect to Protected Health Information Business Associate retains in accordance with Section 4.5 because it is not feasible to return or destroy such Protected Health Information, shall survive termination of this Agreement for so long as such information is retained.
5.5 Amendment; Waiver; Assignment. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
5.6 Notices. Any notices to be given hereunder to a Party shall be made via U.S. Mail or express courier to such Party's address given above, and/or via facsimile to the facsimile telephone numbers listed above. Each Party may change its address and that of its representative for notice by the giving of notice thereof in the manner herein above provided.
5.7 Counterparts; Facsimiles. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.
5.8 Disputes. If any controversy, dispute or claim arises between the Parties with respect to this Agreement, the Parties shall make good faith efforts to resolve such matters informally.
6. LIMITATION OF LIABILITY
NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND OR NATURE, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES.
Regulatory citations in this Agreement are to the United States Code of Federal Regulations, as interpreted and amended from time to time by HHS, for so long as such regulations are in effect. Unless otherwise specified in this Agreement, all terms not otherwise defined shall have the meaning established for purposes of Title 45 parts 160 through 164 of the United States Code of Federal Regulations, as amended from time to time.
8. GOVERNING LAW/FORUM
This Agreement and performance hereunder shall be governed by and construed in accordance with the laws of the State of New Jersey, exclusive of conflict of laws rules, and the federal law of the United States of America as applicable in the Courts of the State of New Jersey and all disputes relating to or arising out of this Agreement are to be filed in the Supreme Court of New Jersey, venued only in Morris County and both Customer and Business Associate hereby consent to such jurisdiction and waive any rights they may have to claim that such dispute is to be governed by the laws of another jurisdiction.
9. COMPLIANCE WITH HIPAA STANDARDS
9.1 When providing its services and/or products, Business Associate shall comply with all applicable HIPAA transaction standard regulations with respect to the transmission of health information in electronic form in connection with any transaction for which the Secretary has adopted a standard under HIPAA ("Covered Transactions"). Business Associate represents and warrants that it is aware of all current HIPAA standards and requirements regarding Covered Transactions, and Business Associate shall comply with any modifications to HIPAA standards and requirements which become effective from time to time. Business Associate agrees that such compliance shall be at its sole cost and expense, which expense shall not be passed on to Customer in any form, other than as may be reflected in any increase in the fees Business Associate may charge to all its customers.
9.2 Business Associate shall require all of its agents and subcontractors (if any) who assist Business Associate in providing its services and/or products to comply with all applicable requirements of HIPAA, including, without limitation, compliance with 45 CFR Part 162.
IN WITNESS WHEREOF, each of the undersigned has caused this Business Associate Agreement to be duly executed in its name and on its behalf effective as of the Effective Date.