Download
This Business Associate Agreement (“BAA”) applies only to the extent that (1) Client is a “covered entity” as that term is defined in the HIPAA Rules; (2) Issuetrak is a “business associate” as that term is defined in the HIPAA Rules; (3) Client is entering PHI into the Service; and (4) Issuetrak is creating, receiving, transmitting or maintaining ePHI on behalf of Client. If all of the foregoing conditions are met, Client and Issuetrak enter into this Business Associate Agreement pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), to addresses the HIPAA requirements with respect to “business associates,” as defined under the privacy, security, breach notification and enforcement rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”). A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended. This BAA is effective as of the date that Covered Entity indicates its acceptance of this BAA (the “Effective Date”).
1. Definitions.
(a) This BAA is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (“PHI”) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use or disclose in connection with the functions, activities and services that Business Associate performs for Covered Entity. The functions, activities and services that Business Associate performs for Covered Entity are defined in Cloud Based Application Agreement (the “Underlying Agreement”).
(b) Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and under the American Recovery and Reinvestment Act of 2009 (“ARRA”), this BAA also reflects federal breach notification requirements imposed on Business Associate when “Unsecured PHI” (as defined under the HIPAA Rules) is acquired by an unauthorized party and the expanded privacy and security provisions imposed on business associates.
(c) Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI and use.
(d) A reference in this BAA to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 (the “Privacy Rule”) as interpreted under applicable regulations and guidance of general application published by the HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA and the HIPAA Rules.
2. General Obligations of Business Associate.
(a) Business Associate agrees not to use or disclose PHI, other than as permitted or required by this BAA or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.
(b) Business Associate agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by the BAA.
(c) Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this BAA's requirements or that would otherwise cause a Breach of Unsecured PHI.
(d) Business Associate agrees to report to Covered Entity any Breach of Unsecured PHI not provided for by the BAA of which it becomes aware within ten (10) business days of “discovery” within the meaning of the HITECH Act. Such notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. 164.404(c) at the time of notification or promptly thereafter as information becomes delayed. Business Associate's notification of a Breach of Unsecured PHI under this Section shall comply in all respects with each applicable provision of section 13400 of Subtitle D (Privacy) of ARRA, the HIPAA Rules and related guidance issued by the Secretary or the delegate of the Secretary from time to time.
(e) Business Associate agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions and requirements that apply to the Business Associate with respect to such information.
(f) To the extent Business Associate maintains a Designated Record Set, Business Associate agrees to make available PHI in a Designated Record Set to the Covered Entity to enable the Covered Entity to fulfill its obligations under the Privacy Rule, including 45 C.F.R. 164.524.
(g) Business Associate agrees to comply with an individual's written request to restrict the disclosure of their personal PHI in a manner consistent with 45 C.F.R. 164.522, except where such use, disclosure or request is required or permitted under applicable law.
(h) Business Associate agrees that when requesting, using or disclosing PHI in accordance with 45 C.F.R. 502(b)(1) that such request, use or disclosure shall be to the minimum extent necessary to accomplish the intended purpose of such request, use or disclosure, as interpreted under related guidance issued by the Secretary from time to time.
(i) To the extent Business Associate maintains a Designated Record Set, Business Associate agrees to make PHI available to the Covered Entity so that the Covered Entity can make any amendments to PHI in the Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. 164.526.
(j) Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. 164.528.
(k) Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to the Secretary for the purpose of the Secretary determining the Covered Entity's compliance with the Privacy Rule.
(l) To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
(m) Business Associate agrees to account for the following disclosures:
(i) Business Associate agrees to maintain and document disclosures of PHI in a manner as would be required for Covered Entity to respond to a request by an individual for an accounting of PHI disclosures.
(ii) Business Associate agrees to provide to Covered Entity upon written request, information collected in accordance with this Section 2(m), to permit Covered Entity to respond to a request by an individual for an accounting of PHI disclosures.
(iii) Business Associate agrees to account for any disclosure of PHI used or maintained as an Electronic Health Record (as defined in Section 5) (“EHR”) in a manner consistent with 45 C.F.R. 164.528 and related guidance issued by the Secretary from time to time; provided that an individual shall have the right to receive an accounting of disclosures of EHR by the Business Associate made on behalf of the Covered Entity only during the three years prior to the date on which the accounting is requested in writing from Covered Entity.
(iv) In the case of an EHR that the Business Associate acquired on behalf of the Covered Entity as of January 1, 2009, Section 2(m)(iii) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after January 1, 2014. In the case of an EHR that the Business Associate acquires on behalf of the Covered Entity after January 1, 2009, Section 2(m)(iii) above shall apply to disclosures with respect to PHI made by the Business Associate from such EHR on or after the later of January 1, 2011 or the date that it acquires the EHR.
(n) Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the covered entity
3. Permitted Uses and Disclosures by Business Associate.
(a) Business Associate agrees to use or disclose PHI only in a manner that is consistent with this BAA, the Privacy Rule or Security Rule (as defined in Section 5) and only in connection with providing services to Covered Entity; provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. 164.504(e), if the use or disclosure would be done by Covered Entity.
(b) Business Associate may use and disclose PHI as permitted in the Underlying Agreement or as Required By Law.
(c) Business Associate may use and disclose PHI for the proper management and administration of Business Associate to carry out the legal responsibilities of Business Associate, provided that such uses or disclosures are permitted under state and federal confidentiality laws.
4. Obligations of Covered Entity.
(a) Covered Entity shall:
(i) Provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with the Privacy Rule, and any changes or limitations to such notice under 45 C.F.R. 164.520, to the extent that such changes or limitations may affect Business Associate's use or disclosure of PHI.
(ii) Notify Business Associate in writing of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI under this BAA.
(iii) Notify Business Associate in writing of any changes in or revocation of permission by an individual to use or disclose PHI, if such change or revocation may affect Business Associate's permitted or required uses and disclosures of PHI under this BAA.
(b) Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security Rule if done by Covered Entity, except as provided under Section 3 of this BAA.
5. Compliance with Security Rule.
(a) Business Associate shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term “Electronic Health Record” or “EHR” as used in this BAA shall mean an electronic record of health-related information on an individual that is created, gathered, managed and consulted by authorized health care clinicians and staff.
(b) In accordance with the Security Rule, Business Associate agrees to:
(i) Implement administrative, physical and technical safeguards to reasonably and appropriately protect the confidentiality, integrity and availability of the ePHI that it creates, receives, maintains or transmits on behalf of Covered Entity as required by the Security Rule; and
(ii) Report to the Covered Entity any Security Incident of which it becomes aware. Covered Entity acknowledges and agrees that this Section 5(b)(ii) constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of unsuccessful Security Incidents for which no additional notice to Covered Entity shall be required. Unsuccessful Security incidents means, without limitation, pings and other attacks on firewall, port scans, unsuccessful log-on attempts, denial of service attacks and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
6. Term and Termination.
(a) This BAA shall become effective on the Effective Date and shall continue in effect until all obligations of the parties have been met, including return or destruction of all PHI in Business Associate‘s possession (or in the possession of Business Associate’s agents and/or contractors) as necessary, unless sooner terminated as provided herein. It is expressly agreed that the terms and conditions of this BAA designed to safeguard PHI shall survive expiration or other termination of the Underlying Agreement(s) and shall continue in effect until Business Associate has performed all obligations under this BAA.
(b) Upon either party's knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation. If the breaching party does not cure the breach or end the violation within a reasonable period of time from the notification of the breach, or if a material term of the BAA has been breached and a cure is not possible, the non-breaching party may terminate this BAA, upon written notice to the other party. If termination is not feasible, the non-breaching party may report the breach to the Secretary.
(c) Upon termination of this BAA for any reason, the parties agree that Business Associate shall return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that the Business Associate still maintains in any form. In the event Business Associate determines that returning or destroying PHI is infeasible, Business Associate shall provide Covered Entity with notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. Business Associate shall only be required to return or destroy PHI when it is feasible to do so.
7. Miscellaneous.
(a) The parties agree to take such reasonable action as is necessary to amend this BAA to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the HIPAA Rules and any other applicable law.
(b) The respective rights and obligations of Business Associate under Section 6 and Section 7 of this BAA shall survive the termination of this BAA.
(c) This BAA shall be interpreted such that any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules. Any provision of this BAA that differs from those mandated by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this BAA.
(d) This BAA may only be modified in a writing signed by both parties.
(e) This BAA constitutes the entire agreement between the parties related to the subject matter of this BAA. This BAA supersedes all prior negotiations, discussions, representations or proposals, whether oral or written. This BAA may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this BAA, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
(f) This BAA will be binding on the successors and assigns of the Covered Entity and the Business Associate. However, this BAA may not be assigned, in whole or in part, without the written consent of the other party. Any attempted assignment in violation of this provision shall be null and void.
(g) For avoidance of doubt, and not to the exclusion of another other provision, Section 13(f) shall apply to this BAA.
(h) Notices shall be given as specified in the Underlying Agreement.
(i) Except to the extent preempted by federal law, this BAA shall be governed by and construed in accordance with the laws of the Commonwealth of Virginia.