THIS BUSINESS ASSOCIATE ADDENDUM (the “Addendum”) adds to and is made part of the Agreement as if set forth therein.
WHEREAS, in connection with Celéri’s performance of certain services under the Agreement, Celéri (“Business Associate”) will create, receive, maintain, or transmit Protected Health Information on behalf of Customer (“Covered Entity”) as a business associate;
WHEREAS, the parties desire to enter into this Addendum to permit Business Associate to Use or Disclose such identifiable health information and to comply with the business associate requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the privacy and security regulations promulgated thereunder, as currently in effect or as hereafter amended (the “HIPAA Privacy and Security Rules”);
WHEREAS, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5, modified the HIPAA Privacy and Security Rules (hereinafter, all references to the “HIPAA Privacy and Security Rules” shall include all amendments thereto set forth in the HITECH Act and the regulations promulgated thereunder, as currently in effect or as hereafter amended); and
WHEREAS, on January 25, 2013, the United States Department of Health and Human Services published its final omnibus rule modifying the HIPAA Privacy and Security Rules, as set forth in 78 Fed. Reg. 5566 (the “HIPAA/HITECH Omnibus Rule”).
NOW, THEREFORE, in consideration of the mutual promises and covenants made herein by Covered Entity and Business Associate (each a “Party” and, collectively, the “Parties”) and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:
1.1 “Breach” shall have the same meaning as the term “Breach” set forth in 74 Fed. Reg. 42767-68 (Aug. 24, 2009), until codified at 45 C.F.R. § 164.402, upon which “Breach” shall have the meaning as codified at 45 C.F.R. § 164.402 upon the Compliance Date (as defined below).
1.2 “Compliance Date” shall mean the date compliance with the applicable provision is required by HIPAA or the HIPAA Privacy and Security Rules, as applicable, provided that if such date occurs prior to the Effective Date of this Addendum, the Compliance Date shall mean the Effective Date of this Addendum.
1.3 “Electronic Protected Health Information” shall mean Protected Health Information transmitted by or maintained in “electronic media” (as such term is defined in 45 C.F.R. § 160.103).
1.4 “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” set forth at 45 C.F.R. § 160.103, limited to the information received from, or created or received by Business Associate on behalf of, Covered Entity.
1.5 “Secretary” shall mean the Secretary of the United States Department of Health and Human Services or his/her designee.
1.6 “Unsecured Protected Health Information” shall mean Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance published at 74 Fed. Reg. 19006 (April 27, 2009), and in annual guidance published thereafter.
All other capitalized terms used, but not otherwise defined, in this Addendum shall have the same meaning for those terms as set forth in the HIPAA Privacy and Security Rules.
2. OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Not to Use or Disclose PHI Unless Permitted or Required. Business Associate agrees not to Use or Disclose Protected Health Information other than as permitted or required by this Addendum, or as required by law, or as otherwise authorized by Covered Entity.
2.2 Use Safeguards. Business Associate agrees to use appropriate safeguards to prevent the Use or Disclosure of Protected Health Information other than as provided for by this Addendum.
2.3 Mitigate Harmful Effects. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of Protected Health Information by Business Associate in violation of this Addendum.
2.4 Report Unpermitted Disclosures of PHI. Business Associate agrees to report to Covered Entity any Use or Disclosure of Protected Health Information not permitted or required by this Addendum of which Business Associate becomes aware.
2.5 Requests for Restrictions. Business Associate agrees to comply with any requests for restrictions on certain Disclosures of Protected Health Information to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522 and of which Business Associate has been notified by Covered Entity. In addition, and notwithstanding 45 C.F.R. § 164.522(a)(1)(ii), Business Associate agrees to comply with an Individual’s request to restrict Disclosures of Protected Health Information, of which Business Associate has been notified by Covered Entity, to a health plan for purposes of carrying out “payment” or “health care operations” (as such terms are defined in 45 C.F.R. § 164.501) if the Protected Health Information pertains solely to a health care item or service for which Covered Entity has been paid in full by the Individual or the Individual’s representative.
2.6 Provide Access. Business Associate will make available Protected Health Information in a Designated Record Set to Covered Entity or, if directed to do so in writing by Covered Entity, to an Individual or the Individual’s designee, in accordance with the requirements of 45 C.F.R. § 164.524. Business Associate will make PHI available in the form and medium directed by Covered Entity, which may include electronic formats or media. Business Associate may not charge a fee for this service and may only charge costs reflective of actual costs incurred that are reasonable in amount and approved in advance by Covered Entity.
2.7 Incorporate Amendments. Business Associate will make available to Covered Entity Protected Health Information requested by Covered Entity as required for amendment of such Protected Health Information, and shall make and incorporate any such amendments, all in accordance with 45 C.F.R. § 164.526, which describes the requirements applicable to an Individual’s request for an amendment to any Protected Health Information relating to the Individual. The obligations of Business Associate in this Section apply only to Protected Health Information in a “Designated Record Set” in Business Associate’s possession or control as such term is defined at 45 C.F.R. § 164.501.
2.8 Document Disclosures. Business Associate will make available Protected Health Information requested by Covered Entity or an Individual as required to provide an accounting of Disclosures in accordance with 45 C.F.R. § 164.528 and Section 13405(c) of the HITECH Act. Such information shall be provided to Covered Entity, unless Covered Entity directs Business Associate in writing to make the accounting directly to the Individual. Business Associate agrees to document such Disclosures of Protected Health Information and information related to such Disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of Disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528 and Section 13405(c) of the HITECH Act.
2.9 Covered Entity Obligations. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, Business Associate will comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s) as of the Compliance Date.
2.10 Disclose Practices, Books, and Records. If Business Associate receives a request, made on behalf of the Secretary, that Business Associate make its internal practices, books, and records relating to the Use and Disclosure of Protected Health Information available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Privacy and Security Rules, then Business Associate will promptly comply with the request within the time period required for such response as specified in such request.
3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
3.1 Functions and Activities on Behalf of Covered Entity. Business Associate may Use or Disclose Protected Health Information for the purpose of meeting its obligations as set forth in this Addendum or as required by the Agreement.
3.2 Other Uses and Disclosures. Except as otherwise limited by this Addendum, Business Associate may Use and Disclose Protected Health Information as follows: (a) if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such Disclosure, the following requirements are met, (i) the Disclosure is required by law; or (ii) Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will be held confidentially and Used or further Disclosed only as required by law or for the purpose for which it was Disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and (b) for data aggregation services, if such services are to be provided by Business Associate for the health care operations (as such terms are defined in 45 C.F.R. § 164.501) of Covered Entity pursuant to any agreements between the Parties. For purposes of this Addendum, data aggregation services means the combining of Protected Health Information by Business Associate with the protected health information received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities. Business Associate may create de-identified information that may be used and disclosed by Business Associate as Business Associate deems appropriate, provided that the information is de-identified in accordance with the HIPAA Privacy and Security Rules.
3.3 Minimum Necessary. Business Associate shall: (a) to the extent practicable, Use, Disclose, or request only Protected Health Information that is contained in a “limited data set” (as defined in 45 C.F.R. § 164.514(e)(2)); or (b) if needed by Business Associate, Use, Disclose, or request only the minimum necessary amount of Protected Health Information to accomplish the intended purpose of such Use, Disclosure, or request. Business Associate acknowledges that the Secretary is required by the HITECH Act to issue guidance on what constitutes “minimum necessary” for purposes of the HIPAA Privacy and Security Rules. Business Associate agrees to comply with the guidance, once issued by the Secretary, and to only request, use or disclose the minimum amount of Protected Health Information as described in such guidance.
4. SECURITY RULE SAFEGUARDS
4.1 Implement Safeguards. Business Associate shall implement the administrative, physical, and technical safeguards set forth in 45 C.F.R. §§ 164.308, 164.310, and 164.312 that reasonably and appropriately protect the confidentiality, integrity, and availability of any Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity; in accordance with 45 C.F.R. § 164.316, implement and maintain reasonable and appropriate policies and procedures to enable it to comply with the requirements set forth in Sections 164.308, 164.310, and 164.312; and, as of the Compliance Date, comply with Subpart C of 45 C.F.R. Part 164, where applicable, with respect to Electronic Protected Health Information.
4.2 Compliance of Subcontractors. In accordance with 45 C.F.R. § 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain or transmit Electronic Protected Health Information on behalf of Business Associate agree to the same restrictions, conditions and requirements that apply to Business Associate with respect to such information.
4.3 Report Security Incidents. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. For purposes of this Addendum, “Security Incident” means the successful unauthorized access, Use, Disclosure, modification, or destruction of Electronic Protected Health Information or interference with system operations in an information system, excluding: (a) “pings” on an information system firewall; (b) port scans; (c) attempts to log on to an information system or enter a database with an invalid password or user name; (d) denial-of-service attacks that do not result in a server being taken offline; (e) malware (e.g., a worm or virus); or (f) other events that are immaterial and that do not result in unauthorized access, Use, Disclosure, modification, or destruction of Electronic Protected Health Information. Business Associate agrees to mitigate, to the extent practicable, any harmful effect resulting from such Security Incident.
5. BREACH NOTIFICATION
5.1 Timing of Notification. Following the discovery of a Breach of Unsecured Protected Health Information, Business Associate shall notify Covered Entity of such Breach without unreasonable delay, but in no event later than forty-five (45) calendar days following the discovery of the Breach. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, through the exercise of reasonable diligence, would have been known to Business Associate.
5.2 Law Enforcement Delay. Notwithstanding the provisions of Section 5.1, above, if a law enforcement official states to Business Associate that notification of a Breach would impede a criminal investigation or cause damage to national security, then:
a. if the statement is in writing and specifies the time for which a delay is required, Business Associate shall delay such notification for the time period specified by the official; or
b. if the statement is made orally, Business Associate shall document the statement, including the identity of the official making the statement, and delay such notification for no longer than thirty (30) days from the date of the oral statement unless the official submits a written statement during that time.
5.3 Contents of Notification. The Breach notification provided to Covered Entity shall include, to the extent possible:
a. the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, Used, or Disclosed during the Breach;
b. a brief description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
c. a description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
d. any steps Individuals should take to protect themselves from potential harm resulting from the Breach;
e. a brief description of what Business Associate is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any further Breach; and
f. contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
Business Associate shall provide the information specified in this Section to Covered Entity at the time of the Breach notification, if possible, or promptly thereafter as information becomes available. Business Associate shall not delay notification to Covered Entity that a Breach has occurred in order to collect the information described in this Section, and shall provide such information to Covered Entity even if the information becomes available after the forty-five (45) day period provided in Section 5.1, above.
6. OBLIGATIONS OF COVERED ENTITY
6.1 Limitations in Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of Protected Health Information.
6.2 Changes in Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate’s Use or Disclosure of Protected Health Information.
6.3 Restriction on Use of Protected Health Information. Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of Protected Health Information.
6.4 Minimum Necessary. Covered Entity shall Disclose, and direct its other business associates to Disclose, to Business Associate only the minimum amount of Protected Health Information necessary to accomplish the intended purpose of the permissible Use, Disclosure, or request in compliance with 45 C.F.R. § 164.502(b) and applicable guidance issued by the Secretary.
7. TERM AND TERMINATION
7.1 Term. The Term of this Addendum shall commence as of the Effective Date of this Addendum. This Addendum shall terminate upon the earlier of termination of the Agreement or termination in accordance with Section 7.2 below.
7.2 Termination for Cause. Upon Covered Entity’s knowledge of a material breach or violation hereof by Business Associate, Covered Entity shall provide written notice to Business Associate of the breach or violation, and Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. If Business Associate does not cure the breach or end the violation within thirty (30) days of receiving notice of the breach or violation and Covered Entity has taken reasonable steps to cure such breach or end such violation during such thirty (30) day period, and such steps are unsuccessful, Covered Entity may terminate this Addendum. If Business Associate has breached a material term of this Addendum and cure is not possible, Covered Entity may immediately terminate this Addendum.
7.3 Effect of Termination. Upon termination of this Addendum for any reason, Business Associate will return or destroy all Protected Health Information received from Covered Entity or created or received by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form, and shall retain no copies of such information. If such return or destruction is not feasible, as reasonably supported by competent records and other written evidence of Business Associate, Business Associate will extend the protections of this Addendum to the information retained and limit further Uses and Disclosures to those purposes that make the return or destruction of the information infeasible.
8.1 Amendment. This Addendum cannot be amended except by the mutual written agreement of Business Associate and Covered Entity. In the event either Party believes in good faith that any provision of this Addendum fails to comply with the then-current requirements of the HIPAA Privacy and Security Rules, such Party shall so notify the other Party in writing. For a period of up to thirty (30) days, the Parties shall address in good faith such concern and shall amend the terms of this Addendum, if necessary, to bring it into compliance. If after such thirty (30) day period this Addendum fails to comply with the HIPAA Privacy and Security Rules with respect to the concern(s) raised pursuant to this Section, then either Party may terminate this Addendum upon written notice to the other Party.
8.2 No Third-Party Beneficiary Rights. This Addendum is intended for the sole benefit of Business Associate and Covered Entity and does not create any third-party beneficiary rights.
8.3 Headings. The section headings contained in this Addendum are for reference purposes only and will not affect the meaning of this Addendum.
8.4 Survival. The rights and obligations of Business Associate under Section 7.3 of this Addendum shall survive the termination of this Addendum.
8.5 Interpretation. Any ambiguity in this Addendum shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Privacy and Security Rules. In the event of inconsistency between the provisions of this Addendum and mandatory provisions of the HIPAA Privacy and Security Rules, the HIPAA Privacy and Security Rules in effect at the time shall control. In the event of inconsistency between this Addendum and the Agreement, the terms and conditions of this Addendum shall control.
8.6 Integration. This Addendum is incorporated into and made a part of the Agreement. Except as amended by this Addendum, the Agreement will remain in full force and effect. This Addendum, together with the Agreement as amended by this Addendum, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes any and all written or oral agreements heretofore made, including, but not limited to, any business associate agreements or addenda or agreements related to patient data and the access, Use, privacy, security, and confidentiality of patient data previously entered into between the Parties.