This Agreement by and between ImpiricusHealth, LLC (“Business Associate”) and the undersigned physician practice (“Covered Entity”), is entered into on this day, for the purposes of complying with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), Public Law 111-005, and the regulations promulgated thereunder; 45 C.F.R. Parts 160 and Part 164, Subparts A, C, D and E (Subpart E, together with the definitions in Subpart A is known as the “Standards for Privacy of Individually Identifiable Health Information” (the “Privacy Rule”) and Subpart C, together with the definitions in Subpart A, is known as the “Security Standards for the Protection of Electronic Protected Health Information” (the “Security Rule”) Subpart D, together with the definitions in Subpart A is known as the “Breach Notification Rule” (“Breach Notification Rule”) (the Privacy Rule, Breach Notification Rule and the Security Rule are collectively called the “Privacy and Security Rules”) Business Associate and Covered Entity are collectively referred to as the “Parties.”
WHEREAS, the undersigned physician practice is a “Covered Entity” as that term is defined under HIPAA, which requires Covered Entities and certain of their service providers to enter into confidentiality agreements;
WHEREAS, Business Associate may create on behalf of, or receive from, the Covered Entity or the Covered Entity’s other service providers protected health information (“PHI”); and
WHEREAS, upon creation or receipt of such PHI, Business Associate would be a “Business Associate” in relation to the Covered Entity, as that term is defined under HIPAA.
NOW, THEREFORE, in consideration of the premises and the mutual promises contained herein, Covered Entity and Business Associate hereby agree as follows:
1. Capitalized Terms. All capitalized terms herein not otherwise defined shall have the meaning ascribed to such terms under HIPAA, the HITECH Act and the Privacy and Security Rules, as may be amended from time to time.
2. Business Associate’s Responsibilities with Respect to Use and Disclosure of PHI . Business Associate hereby agrees, with regard to its Use and/or Disclosure of the PHI, to do the following:
a. to Use and/or Disclose the PHI only: (i) in conjunction with the services it provides to Covered Entity (“the Services”); (ii) consistent with the manner in which Covered Entity is permitted to Use and Disclose by 45 C.F.R. 164.502 (as amended from time to time) and/or 45 C.F.R. § 164.512; (iii) for Business Associate’s proper management and administration; (vi) to fulfill any present or future legal responsibilities; (v) as otherwise permitted or required by this Agreement; or (vi) as otherwise permitted or required by law.
b. to report to Covered Entity, in writing, any material Use and/or Disclosure of the PHI by Business Associate that is not permitted or required by this Agreement of which Business Associate becomes aware;
c. to use commercially reasonable efforts to maintain the security of the PHI and to prevent its Use and/or Disclosures contrary to this Agreement;
d. to the extent that Business Associate creates, receives, maintains or transmits Electronic Protected Health Information as that term is defined by the Security Rule, on behalf of Covered Entity to report to Covered Entity any Security Incident of which Business Associate becomes aware to the extent such incidents represent successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System that contains or has access to the Electronic Protected Health Information of Covered Entity, and upon request by Covered Entity, report all unsuccessful attempts for which Business Associate has records; and
e. to require all of Business Associate’s subcontractors and agents utilized in providing the Services which Use and/or Disclose the PHI, to agree, in writing, to adhere to equivalent restrictions and conditions on the Use and/or Disclosure of the PHI that apply to Business Associate pursuant to this Agreement.
3. Safeguards. Business Associate shall employ appropriate administrative, technical and physical safeguards, consistent with the size and complexity of Business Associate’s operations, to protect the confidentiality of PHI and to prevent the use or disclosure of PHI in any manner inconsistent with the terms of this Agreement, including meeting the requirements of 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314, and 164.316, which includes Business Associate’s obligation to have written policies and procedures in place to document its administrative, technical and physical safeguards.
4. Access Requests. Business Associate shall process Covered Entity’s requests to access records in the Designated Record Set and identified by Covered Entity so that Covered Entity can comply with 45 C.F.R. § 164.524.
5. Amendment Requests. Business Associate shall process Covered Entity’s requests for amendment of the PHI in Business Associate’s possession, solely upon Covered Entity’s request and in a manner that allows Covered Entity to comply with 45 C.F.R. § 164.526 and in a manner that is consistent with the manner in which Covered Entity is amending the PHI in Covered Entity’s possession.
6. Accounting of Disclosures. The Parties agree that Business Associate shall track and keep a record of all Disclosures of PHI, and that Business Associate shall provide to Covered Entity the information necessary for Covered Entity to provide an accounting of Disclosures, in a manner compliant with 45 C.F.R. §164.528, to individuals who request an accounting. In each case Business Associate shall provide at least the following information with respect to each such Disclosure: (a) the date of the Disclosure; (b) the name of the entity or person who received the PHI; (c) a brief description of the PHI disclosed; (d) a brief statement of the purpose of such Disclosure which includes an explanation of the basis for such Disclosure. In the event that Business Associate receives a request for an accounting directly from an individual, Business Associate shall forward such request to Covered Entity in writing.
7. De-Identification. Business Associate may de-identify PHI for lawful purposes, so long as such de-identification conforms to the requirements of 45 C.F.R. § 164.514, as may be amended from time to time and may use the PHI to provide data aggregation services relating to Covered Entity’s health care operations.
8. Meet Covered Entity Obligations where Appropriate. If Business Associate will perform a service for Covered Entity that is an obligation of Covered Entity under the Privacy Rule, to meet the applicable requirements in the performance of that service;
9. Requests from Secretary of Health and Human Services. If Business Associate receives a request, made by or on behalf of the Secretary of the United States Department of Health and Human Services (the “Secretary”), requiring Business Associate to make its internal practices, books, and records relating to the Use and Disclosure of the PHI created or received by Business Associate on behalf of Covered Entity available to the Secretary for the purpose of determining Covered Entity’s and/or Business Associate’s compliance with HIPAA, then Business Associate shall make its internal practices, books and records available to the Secretary or the Secretary’s authorized representative.
10. Minimum Necessary. Covered Entity shall provide, and Business Associate shall request, Use and Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure. The Parties acknowledge that the Secretary may issue guidance with respect to the definition of “minimum necessary” from time to time, and agree to stay informed of any relevant changes to the definition.
11. Reporting of Security Breaches. In the event of a “Breach” of any “Unsecured” PHI that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of Covered Entity, Business Associate shall report such Breach to Covered Entity as soon as practicable, but in no event later than ten (10) business days after the date on which the Breach is discovered. “Breach” shall mean the unauthorized acquisition, access, Use, or Disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom the information is disclosed would not reasonably have been able to retain such information. “Unsecured PHI” shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary (e.g., encryption). Notice of a Breach shall include, to the extent such information is available: (i) the identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach, (ii) the date of the Breach, if known, and the date of discovery of the Breach, (iii) the scope of the Breach, and (iv) Business Associate’s response to the Breach.
12. Responsibilities of Covered Entity. With regard to the Use and/or Disclosure of the PHI by Business Associate, Covered Entity hereby agrees:
a. that the Uses and Disclosures of the PHI by Business Associate pursuant to this Agreement are, at the time of execution and throughout the term of this Agreement will be, consistent with the form of notice of privacy practices (the “Notice”) that Covered Entity provides to individuals pursuant to 45 C.F.R. § 164.520.
b. to notify Business Associate, in writing and in a timely manner, of any arrangements permitted or required of Covered Entity under 45 C.F.R. parts 160 and 164 that may impact in any manner the Use and/or Disclosure of the PHI by Business Associate under this Agreement including, but not limited to, restrictions on Use and/or Disclosure of the PHI as provided for in 45 C.F.R. § 164.522 agreed to by Covered Entity, and to hold Business Associate harmless from the financial impact of any such agreement by Covered Entity; and
c. to obtain any consent or authorization that may be required under HIPAA or state law prior to furnishing the PHI to Business Associate.
13. Term. Unless otherwise terminated as provided in Section 14, this Agreement shall become effective on the Effective Date and shall have a term that shall run concurrently with that of any oral or written agreement by Business Associate to provide Services to Covered Entity and will terminate without any further action of the Parties upon the termination of all such agreements.
a. If either Party determines that the other Party has engaged in a pattern of activity that constitutes a material breach of the other Party’s obligations under this Agreement, the non-breaching Party shall, within twenty (20) days of that determination, notify the breaching Party and the breaching Party shall have thirty (30) days from receipt of that notice to cure the breach or end the violation. If the breaching Party fails to take reasonable steps to effect such a cure within such a time period, the non-breaching Party may terminate all or part of the service relationship. In no event shall such termination have any effect on sums due from Covered Entity for any services provided by Business Associate under the engagement.
b. Where either Party has knowledge of a material breach by the other Party, and cure is not possible, the non-breaching Party shall terminate the portion of the arrangement for Services affected by the breach.
15. Effect of Termination. Upon the event of termination of this Agreement, Business Associate agrees, where feasible, to return or destroy the PHI, which Business Associate still maintains in any form. Prior to doing so, Business Associate further agrees, to the extent feasible, to request the destruction of the PHI that is in the possession of its subcontractors or agents. If in Business Associate’s opinion, it is not feasible for Business Associate or any subcontractors to return or destroy portions of the PHI, Business Associate shall, upon Covered Entity’s written request, inform Covered Entity as to the specific reasons that make such return or destruction infeasible and limit any further use or disclosures to the purposes that make the return or destruction of those portions of the PHI infeasible and provide the protections described herein to that PHI.
16. Third Party Beneficiaries. Nothing in this Agreement shall be construed to create any third party beneficiary rights in any person.
17. Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies thereof shall be deemed to be originals.
18. Informal Resolution. If any controversy, dispute or claim arises between the Parties with respect to this Agreement, the Parties shall make good faith efforts to resolve such matters informally.
19. Limitation on Liability. Neither Party shall be liable to the other party for any incidental, consequential or punitive damages of any kind or nature, whether such liability is asserted on the basis of contract, tort (including negligence or strict liability), or otherwise, even if the other Party has been advised of the possibility of such loss or damages.
20. Notices. All notices, requests, approvals, demands and other communications required or permitted to be given under this Agreement shall be in writing and delivered either personally, or by certified mail with postage prepaid and return receipt requested, or by overnight courier to the party to be notified. All communications will be deemed given when received
21. Interpretation. The provisions of this Agreement shall prevail over any provisions in any other agreements between Business Associate and Covered Entity that may conflict or appear inconsistent with any provision of this Agreement. This Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA and the HITECH Act. The Parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies with and is consistent with HIPAA and the HITECH Act.
22. Survival. Sections 4, 6, 15, 19, and 22 shall survive the termination of this Agreement.