Business Associate Agreement
Covered Entity may disclose to Business Associate data which may constitute protected health information (“PHI”) that is subject to protection under privacy and security standards implemented pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (as amended, “HIPAA”); and the parties intend to protect the privacy and provide for the security of PHI disclosed to Business Associate pursuant to the underlying agreement in compliance with HIPAA, and all implementing regulations, including, but not limited to, the “Privacy Rule,” “Security Rule,” and the “Breach Notification Rule,” 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”).
Unless otherwise provided herein, all capitalized terms in this BAA shall have the definitions set forth in the HIPAA Rules or the underlying agreement between the parties.
OBLIGATIONS OF BUSINESS ASSOCIATE
Scope of Use and Disclosure of PHI. Unless otherwise limited herein, Business Associate may: (i) use and/or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified herein or in the Underlying Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by Covered Entity, except as set forth in Section 2.1(3-5); (ii) use and/or disclose PHI as required or permitted by applicable law, rule, regulation, or regulatory agency; (iii) use PHI for the proper management and administration of Business Associate; (iv) disclose PHI for the proper management and administration of Business Associate, provided that the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person (which purpose must be consistent with the limitations imposed on a Business Associate pursuant to this BAA), and that the person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; (v) provide data analytics and Data Aggregation services related to the Health Care Operations of the Covered Entity; and (vi) create (a) De-Identified Customer Data such that it is not considered PHI, and use or disclose such De-Identified Customer Data for any purpose, and (b) Limited Data Sets, as each is defined and permitted under the HIPAA Rules, for the purpose of improving Business Associate’s Services (Business Associate may only disclose such Limited Data Sets in cases in which it enters into a HIPAA-compliant data use agreement with each recipient of a Limited Data Set).
In addition, to the extent Business Associate is carrying out one or more of Covered Entity’s obligations under the Privacy Rule pursuant to the terms of the Terms or this BAA, Business Associate will comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.
Disclosure of PHI. Business Associate agrees not to use or disclose Covered Entity’s PHI other than as permitted or required by this BAA, the Underlying Agreement, or as Required by Law.
Safeguards. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of Covered Entity’s PHI other than as provided for by this BAA or the Underlying Agreement, and to otherwise comply with all applicable provisions of the Security Rule.
Use of Subcontractors. Business Associate agrees to provide any of its agents, including, but not limited to, its subcontractors, only the minimum PHI necessary to perform the services or other activities required hereunder. To the extent Business Associate uses one or more subcontractors or agents, and such subcontractors or agents receive or have access to PHI, Business Associate agrees that it will ensure that each such subcontractor or agent shall agree to substantially the same restrictions and conditions that apply through this BAA with respect to such information.
Designated Record Sets. If and to the extent Business Associate maintains Covered Entity’s PHI in a Designated Record Set, Business Associate shall make such information available to Covered Entity pursuant to 45 C.F.R. § 164.524 within ten (10) business days of Business Associate’s receipt of such written request from Covered Entity; provided, however, that Business Associate is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Covered Entity. If an Individual makes a request for access to PHI about the Individual pursuant to 45 C.F.R. § 164.524 directly to Business Associate, or inquires about his or her right to access, Business Associate shall direct the Individual to Covered Entity.
Amendment of PHI. If and to the extent Business Associate maintains Covered Entity’s PHI in a Designated Record Set, Business Associate shall make such information available to Covered Entity pursuant to 45 C.F.R. § 164.526 within twenty (20) business days of Business Associate’s receipt of such written request from Covered Entity. If an Individual makes a request for access to PHI about the Individual pursuant to 45 C.F.R. § 164.526 directly to Business Associate, or inquires about his or her right to access, Business Associate shall direct the Individual to Covered Entity.
Access to Books and Records. Business Associate shall make its own internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity, available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
Accounting of Disclosures. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an Accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate agrees to provide Covered Entity, within twenty (20) business days of a written request from Covered Entity, information collected in accordance with 45 C.F.R. § 164.528, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. If an Individual makes a request for an accounting of disclosures of PHI about the Individual pursuant to 45 C.F.R. § 164.528 directly to Business Associate, or inquires about his or her right to such an accounting, Business Associate shall direct the Individual to Covered Entity.
Obligations in the Event of Improper Use, Disclosure, Security Incident or Breach.
- Business Associate agrees to implement and maintain, to the extent practicable, appropriate policies and procedures to protect and safeguard against a disclosure of Covered Entity’s PHI in violation of the requirements of this BAA, or a Breach of Unsecured PHI.
- Business Associate will promptly report to the designated Privacy Officer of Covered Entity any use or disclosure of Covered Entity’s PHI not permitted under this BAA, Security Incident, or Breach of Unsecured PHI without unreasonable delay and, in no case, later than ten (10) business days after the date of discovery of such Breach, and comply with all Breach Notification requirements under 45 C.F.R. § 164.410; provided, however, that Business Associate shall not be required to report pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in the defeat or circumvention of any security control, or in the unauthorized use or disclosure of PHI. Such use or disclosure, Security Incident, or Breach shall be treated as discovered by Business Associate as of the first day on which such use or disclosure, Security Incident, or Breach is known to Business Associate or, through the exercise of reasonable diligence, would have been known to Business Associate.
- Business Associate agrees to comply with all requirements concerning Breach Notification as required by the HIPAA Rules.
Reporting. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities.
OBLIGATIONS OF COVERED ENTITY
Provision of Data. Covered Entity agrees to provide Business Associate accurate and timely copies of all PHI necessary for Business Associate to perform its Services as contemplated between the parties and as described in this BAA and the Underlying Agreement.
Limitations in Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitations in the Notice of Privacy Practices pursuant to 45 C.F.R. § 164.520, to the extent that such limitations may affect Business Associate’s use or disclosure of PHI.
Withdrawal of Consent or Authorization. Covered Entity shall notify Business Associate of any changes in or revocations of the consent or authorization provided to Covered Entity by Individuals pursuant to 45 C.F.R. § 164.506 or § 164.508, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
Restrictions on Use or Disclosure. Covered Entity agrees to notify Business Associate of any restrictions or limitations on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522 to the extent such restrictions may affect the Business Associate’s use or disclosure of PHI.
Permissible Use by Covered Entity. Covered Entity agrees not to request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity itself, except as permitted pursuant to this BAA.
RETURN/DESTRUCTION OF PHI
- (a) Except as set forth in (b) below, Business Associate agrees that, upon termination, cancellation, expiration or other conclusion of the Terms or this BAA, for whatever reason, it shall, if feasible, return or destroy all PHI received from, or created or received by it on behalf of, Covered Entity, and shall retain no copies of such information.
- (b) To the extent such return or destruction of PHI is not feasible (as reasonably determined by Business Associate), Business Associate shall extend the precautions of this BAA to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible, until such time as all PHI has been returned or otherwise destroyed as provided in (a) above.
SECTION VI – MISCELLANEOUS
Modification. The parties recognize this BAA may need to be modified from time to time to ensure consistency with amendments to and changes in applicable federal and state laws and regulations, including, but not limited to, HIPAA. Except as otherwise specifically stated herein, this BAA shall not be waived or altered, in whole or in part, except in writing signed by the parties.
Governing Law. This BAA shall be governed by, and interpreted in accordance with, the internal laws of the Commonwealth of Massachusetts, without giving effect to its conflict of laws provisions.
Independent Contractor Status. Both parties expressly acknowledge and agree that Business Associate is at all times acting and performing as an independent contractor. No relationship, other than that of independent contractor, is or has been created between the parties. Neither party has any right as an agent, employee, joint venturer or partner in the business of the other. Neither party shall combine its business operations with the other’s in any way; instead, both parties shall maintain their own independent operations as separate and distinct businesses.