This BUSINESS ASSOCIATE AGREEMENT (this “Agreement”) is entered into on this day by and between the above named Company or Individual (hereinafter referred to as “Covered Entity”) and RETROSPECT CONSULTING GROUP, LLC, (hereinafter referred to as “Business Associate”).
RECITALS
- Covered Entity is a covered entity under the Health Insurance Portability and Accountability Act of 1996 et sec.(“HIPAA”).
- Business Associate is a “business associate” under HIPAA.
- Covered Entity is interested in Business Associate furnishing consulting services to Covered Entity and Business Associate has the expertise necessary to provide such services.
- In order for Business Associate to furnish services to Covered Entity in accordance with the Agreement, Covered Entity intends to disclose certain Protected Health Information (“PHI”) of Covered Entity’s patients to Business Associate and expects Business Associate to use or disclose the PHI to perform its obligations under the Agreement.
- In using or disclosing such PHI, Covered Entity and Business Associate are required to comply with the Standards for Privacy of Individually Identifiable Health Information and for the Security of Electronic Protected Heath Information, pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing rules and regulations, 42 CFR Part 2, and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) of the American Recovery and Reinvestment Act of 2009 et sec. (“ARRA”) and its implementing rules and regulations, each as may be amended from time to time, including those regulatory amendments of the Department of Health and Human Services published at 78 Fed. Reg. 5566 et sec.(Jan. 25, 2013). Both parties are committed to complying with these statutes, rules, and regulations.
NOW, THEREFORE, the parties, in consideration of the mutual agreements herein contained and for other good and valuable consideration, the receipt and adequacy of which are hereby acknowledged, do hereby agree as follows:
Article 1: Definitions
1.1 HIPAA Rules. HIPAA Rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 and 42 CFR Part 2.
1.2 Terms in HIPAA Rules. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: breach, business associate, covered entity, data aggregation, designated record set, disclosure, health care operations, individual, minimum necessary, notice of privacy practices, protected health information, required by law, secretary, security incident, subcontractor, unsecured protected health information, and use.
1.3 Business Associate. Business Associate shall generally have the same meaning as the term “business associate” at 45 CFR §160.103, and in reference to the party to this Agreement, shall mean Retrospect Consulting Group, LLC.
1.4 Covered Entity. Covered Entity shall generally have the same meaning as the term “covered entity” at 45 CFR §160.103.
Article 2: Business Associate Use and Disclosure of PHI
2.1 Purpose. The purposes for use and disclosure of PHI by the Business Associate are as necessary for Business Associate to perform the services set forth in the Contract For Services and/or any incidental services provided for the Covered Entity.
2.2 Receipt and Use of PHI.
2.2.1 Satisfactory completion of these services by Business Associate will require Business Associate to receive and use PHI obtained from Covered Entity, particularly, medical records and billing and payment records.
2.2.2 Business Associate may use PHI internally to carry out its legal responsibilities, for proper management, internal auditing, and administration.
2.3 Disclosure of PHI.
2.3.1 Satisfactory completion of these services by Business Associate may require Business Associate to disclose PHI to third parties, such as governmental licensing agencies or accrediting agencies.
2.3.2 Business Associate also may disclose PHI to its subcontractors to carry out its legal responsibilities, for proper management, internal auditing, and administration.
Article 3: Duties of Business Associate
3.1 Limitations on Use and Disclosure of PHI. Business Associate shall not use PHI except as permitted or required by this Agreement or as required by law.
3.2 Use Minimum Necessary. Business Associate agrees to limit the request, use, and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request in order to fulfill the purpose described above.]
3.3 De-Identification. Business Associate may use PHI to create de-identified information consistent with the standards set forth at 45 CFR §164.514(a)-(c).
3.4 Use and Disclosure Cannot Violate Subpart E. Business Associate may not use or disclose PHI in a manner that would violated Subpart E of 45 CFR Part 164 if done by Covered Entity, except:
3.4.1 Use of PHI for Administration and Legal Responsibilities. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities.
3.4.2 Disclosure of PHI for Administration and Legal Responsibilities. Business Associate may disclose PHI for the proper management and administration of Business Associate and to carry out its legal responsibilities, provided (i) the disclosure is required by law or (ii) the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person and the person notifies Business Associate of any breach of the confidentiality of the information of which it becomes aware.
3.4.3 Data Aggregation Services. Business Associate may use PHI to provide data aggregation services related to the health care operations of the Covered Entity.
3.5 Safeguarding PHI. Business Associate shall use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted by this Agreement. With respect to electronic PHI, Business Associate shall comply with Subpart C of 45 CFR Part 164.
3.6 Report Inappropriate Uses or Disclosures, Security Incidents, and Breaches of Unsecured PHI. Upon discovery, Business Associate agrees to report to Covered Entity in writing any use or disclosure of PHI by Business Associate not permitted by this Agreement; any Security Incident; and any breach of unsecured PHI as required by 45 CFR §164.410 as follows:
In the event that Business Associate discovers a breach of unsecured PHI, Business Associate agrees to notify Covered Entity without unreasonable delay, and in no case later than 60 calendar days after Business Associate first becomes aware of the incident. Business Associate is deemed to have become aware of the breach as of the first day such breach is known or, with the exercise of reasonable diligence, would have been known to any person, other than the person committing the breach, who is an employee, officer, or other agent of Business Associate. The notice must include, to the extent possible, the identification of each individual whose unsecured PHI was the subject of the breach; a brief description of what happened; the date of the breach and the date of the discovery of the breach, if known; a description of the types of unsecured PHI that were involved in the breach (such as full name, social security number, date of birth, and home address); any steps the individuals should take to protect themselves from potential harm resulting from the breach; and a brief description of what Business Associate is doing to investigate the breach, mitigate losses, and protect against further breaches.
3.7 Mitigate Harmful Effects. To the extent practicable, Business Associate agrees to mitigate any harmful effects known to Business Associate that are caused by the use or disclosure of PHI in violation of this Agreement.
3.8 Require Compliance of Subcontractors. In compliance with CFR §§164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to obtain from any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate satisfactory assurances that the subcontractor will appropriately safeguard the PHI and agree to the same restrictions and conditions that apply to Business Associate with respect to such information.
3.9 Access to Information. Within twenty (20) days of Covered Entity’s written request, Business Associate shall provide Covered Entity with access to PHI in a designated record set as necessary for Covered Entity to satisfy its obligations under 45 CFR §164.524. If Business Associate receives a request for access to PHI in a designated record set directly from an individual, Business Associate will promptly forward the individual’s request to Covered Entity to fulfill the request.
3.10 Incorporate Amendments. The parties acknowledge that the Privacy Standards permit an individual who is the subject of PHI to request certain amendments of their records. Upon Covered Entity’s written request, Business Associate agrees to make any amendment(s) to PHI in a designated record or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.526. If Business Associate receives a request for amendment to PHI in a designated record set directly from an individual, Business Associate will promptly forward the individual’s request to Covered Entity to fulfill the request.
3.11 Accounting of Disclosures. Upon Covered Entity’s written request, Business Associate shall make available information to Covered Entity concerning Business Associate’s disclosure of PHI for which Covered Entity needs to provide an individual with an accounting of disclosures as necessary to satisfy Covered Entity’s obligations under 45 CFR §164.528. Should an accounting of the PHI of a particular individual be requested more than once in any twelve-month period, Business Associate may charge Covered Entity a reasonable, cost-based fee. If Business Associate receives a request for an accounting of disclosures directly from an individual, Business Associate will promptly forward the individual’s request to Covered Entity to fulfill the request.
3.12 Availability of Practices, Books, and Records. Unless otherwise prohibited by applicable law, Business Associate agrees to make available to the secretary its internal practices, books, and records relating to the use and disclosure of PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity for purposes of determining compliance with the HIPAA Rules.
3.13 Compliance with Subpart E. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.
Article 4: Duties of Covered Entity
4.1 Covered Entity shall not agree to any restrictions on the use or disclosure of PHI that might adversely affect Business Associate’s ability to perform the services described above.
4.2 Covered Entity shall notify business associate of any limitation(s) in the notice of privacy practices of covered entity under 45 CFR §164.520, to the extent that such limitation may affect business associate’s use or disclosure of protected health information.
4.3 Covered Entity shall notify business associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect business associate’s use or disclosure of protected health information.
4.4 Covered Entity shall notify business associate of any restriction on the use or disclosure of protected health information that covered entity has agreed to or is required to abide by under 45 CFR §164.522, to the extent that such restriction may affect business associate’s use or disclosure of protected health information.
4.5 Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity except for those activities described in 3.4 above.”]
Article 5: Term and Termination
5.1 Basic Term. This Agreement shall be effective as of the date set forth above (“Effective Date”). Except as otherwise provided herein, the term of this Agreement shall be in perpetuity.
5.2 Termination for Cause. Upon Covered Entity’s knowledge of a violation of a material term of the Agreement by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. Covered Entity may terminate this Agreement if Business Associate has violated a material term of this Agreement and cure is not possible.
5.3 Return of PHI at Termination.
5.3.1 Upon termination of the Agreement, Business Associate shall, where feasible, destroy or return to Covered Entity all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity in connection with the performance of its services. Where such return or destruction is not feasible, the duties of Business Associate under this Agreement shall be extended to protect the PHI retained by Business Associate. Business Associate agrees to limit further uses and disclosures of the information retained to those purposes which made the return or destruction infeasible.
5.3.2 Notwithstanding any other limitation in this section, Covered Entity agrees that it is not necessary for Business Associate to return or destroy PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity if patient authorizations permitting such retention have been executed.
5.4 Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.
Article 6: General Provisions
6.1 Governing Law. This Agreement shall be governed in all respects, whether as to validity, construction, capacity, performance or otherwise, by the laws of the State of NC notwithstanding any conflict of interest rules that might otherwise apply.
6.2 Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
6.3 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits compliance with the HIPAA Rules and other applicable law.
6.4 Enforceability. If any provision of this Agreement shall be held invalid or unenforceable, such invalidity or unenforceability shall attach only to such provision and shall not in any way affect or render invalid or unenforceable any other provision of this Agreement.
6.5 Waiver. The waiver by either party of a breach or violation of any provision of this Agreement shall not operate as, or be construed to be, a waiver of any subsequent breach of the same or other provisions of this Agreement.
6.6 Independent Contractors. In the performance of the duties and obligations of the parties pursuant to this Agreement, each of the parties shall at all times be acting and performing as an independent contractor, and nothing in this Agreement shall be construed or deemed to create a relationship of employer and employee, or partner, or joint venture, or principal and agent between the parties.
6.7 The Agreement. This Agreement, including any exhibits attached hereto, constitutes the entire Agreement among the parties hereto with respect to the subject matter hereof, and supersedes any and all prior agreements or statements among the parties hereto, both oral and written, concerning the subject matter hereof. This Agreement may not be amended, modified, or terminated except by a writing signed by both parties. The parties agree to take such action as is necessary to amend this Agreement from time to time for the parties to comply with the requirements of the HIPAA Rules. This Agreement may be executed in any number of counterparts, all of which together shall constitute one and the same instrument. This Agreement shall be binding upon and inure to the benefit of the parties hereto and their respective successors and assigns. Neither party shall assign or delegate its rights, duties, or obligations under this Agreement, without the prior written consent of the other party.
6.8 Notice. All notices or communications required or permitted pursuant to the terms of this Agreement shall be in writing and will be delivered in person or by means of encrypted electronic means with an audit trail or certified mail to such party at its address as set forth below, or such other person or address as such party may specify by similar notice to the other party hereto, or by telephone facsimile with a hard copy sent by mail with delivery on the next business day. All such notices will be deemed given upon proof of delivery.
.