BUSINESS ASSOCIATE AGREEMENT

 

THIS BUSINESS ASSOCIATE AGREEMENT (“Agreement”) is between the individual and the entity (“Business Associate”) accepting this document, and XBD, LLC, (d/b/a Referralogix) a Texas limited liability company (“Covered Entity”).

 

RECITALS:

 

A.                 Either contemporaneously with the execution of this Agreement or closely therewith, Covered Entity and Business Associate have entered into one or more agreements (collectively, the “Services Contract”) pursuant to which Business Associate has been engaged to provide professional, consulting or other services (the “Services”) to Covered Entity as set forth in such Services Contract. Because Business Associate may access, retain, be exposed to, or become aware of protected health information in the performance of the Services, the Parties agree to protect the confidentiality of such information in accordance with applicable provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act in Public Law 111-5 (the “HITECH Act”), and the regulations promulgated thereto (collectively, the “HIPAA Regulations”), which include, as amended from time to time, (i) the privacy standards, requirements and specifications promulgated by the Secretary at 45 C.F.R. Parts 160 and 164 subparts A and E, as amended (the “Privacy Rule”), (ii) the security standards, requirements and specifications promulgated by the Secretary at 45 C.F.R. Parts 160 and 164 subparts A and C, as amended (the “Security Rule”), (iii) the breach notification standards, requirements and specifications enacted by Subtitle D of the HITECH Act and 45 C.F.R. Part 164 subpart C (the “Breach Notification Rule”), and (iv) the Transactions, Code Sets and Identifiers standards, requirements and specifications promulgated by the Secretary at 45 C.F.R. Parts 160 and 162.

 

B.                  Covered Entity is a “covered entity” as defined under the Health Insurance Portability and Accountability Act of 1996, as may be amended from time to time, and the rules and regulations promulgated thereunder (“HIPAA”) and, as such, is required to comply with HIPAA regarding the privacy and security of health information.

 

C.                  On or about the date hereof, the Parties entered into that certain Independent Contractor Services Agreement (such agreement, along with any future agreements for services to be provided to Covered Entity by Business Associate, the “Business Agreement”), pursuant to which Business Associate has agreed to provide Covered Entity with certain administrative, sales and marketing services.

 

E.                  In connection with the Business Agreement, Business Associate is required to perform functions and activities involving the Use or Disclosure of PHI on behalf of the Covered Entity that is subject to HIPAA.

 

F.                  In connection with the obligations imposed upon Covered Entity and Business Associate by HIPAA, the Parties desire to enter into this Agreement in order to reflect the rights and obligations of the Parties in connection with the Use and Disclosure of PHI.

 

AGREEMENT

 

NOW, THEREFORE, in consideration of the premises and the mutual covenants in this Agreement, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

 

1.                  Definitions.

 

1.1               Certain Defined Terms.  For purposes of this Agreement:

 

“Data Aggregation” means the combining of PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.

 

“Designated Record Set” means a group of records, or any item, collection, or grouping of information that includes PHI, maintained, collected, Used, or disseminated by or for the Covered Entity that is (i) the medical records and billing records about Individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the Covered Entity to make decisions about Individuals.

 

“Disclose” or “Disclosure” means the release, transfer, provision of access to, or divulging in another manner, of information outside the entity holding the information.

 

“EPHI” means electronic protected health information, as defined in 45 C.F.R. §164.103.

 

“HHS” means the U.S. Department of Health and Human Services.

 

“HITECH” means the Health Information Technology for Economic and Clinical Health Act provisions in Title XIII of the American Recovery and Reinvestment Act.

 

“Individual” means the person who is the subject of PHI and will include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).

 

“PHI” means “protected health information,” as such term is defined in 45 C.F.R. §160.103, transmitted or maintained in any form or medium, that is created or received by Business Associate from, or on behalf of, the Covered Entity, as permitted hereunder.

 

“Privacy Standards” means the Standards for Privacy of Individually Identifiable Health Information promulgated under HIPAA, 45 C.F.R. Part 160 and 164, subparts A and E.

 

“Required By Law” means a mandate contained in law that compels an entity to make a Use or Disclosure of PHI and that is enforceable in a court of law.  Required By Law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

 

“Secretary” means the Secretary of HHS or any other officer or employee of HHS to whom the authority involved has been delegated.

 

“Security Incident” means a security incident, as defined in 45 C.F.R. § 164.304.

 

“Security Standards” means the Security Standards promulgated under HIPAA, 45 C.F.R. Part 160, 162 and 164.

 

“Use” means the sharing, employment, application, utilization, examination, or analysis of “individually identifiable health information,” as such term is defined in 45 C.F.R. §160.103, within the entity that maintains such information.

 

1.2               Definitions. The following terms have the meanings set forth in the Sections set forth below:

 

Definition                                     Location

Agreement.........................................Preamble

Business Agreement..........................Recitals

Business Associate............................Preamble

Covered Entity..................................Preamble

HIPAA

 

1.3               All other terms used, but not otherwise defined, in this Agreement will have the same meaning as those terms set forth in 45 C.F.R. Parts 160, 162 and 164.

 

2.                  Permitted Uses and Disclosures. Except as otherwise limited in this Agreement, Business Associate may:

 

2.1               Use or Disclose PHI to perform functions, activities, or services for, or on behalf of, the Covered Entity, as specified in the Business Agreement;

 

2.2               Create, receive, maintain or transmit EPHI on behalf of the Covered Entity, but only if such action would not violate the Privacy Standards or Security Standards if done by the Covered Entity, and would not violate the minimum necessary policies and procedures of the Covered Entity;

 

2.3               Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate (including Disclosure to other business associates of the Covered Entity);

 

2.4               Use PHI to provide Data Aggregation services to the Covered Entity as permitted under 45 C.F.R. §164.504(e)(2)(i)(B) and pursuant to the Business Agreement;

 

2.5               Disclose PHI for the proper management and administration of Business Associate; provided, that, (i) the Disclosures are Required By Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and Used or further Disclosed as Required By Law or for the purpose for which it was Disclosed to the person, and that person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and

 

2.6               Use PHI to report violations of law to appropriate Federal and State authorities consistent with 45 C.F.R. §164.502(j)(1).

 

3.                Permitted Requests by the Covered Entity. The Covered Entity will not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the Privacy Standards and Security Standards if done by the Covered Entity.

 

4.                  Responsibilities of Covered Entity with Respect to PHI and EPHI. To the extent that such limitation, change or restriction may affect the Business Associate’s Use or Disclosure of PHI, the Covered Entity hereby agrees to notify the Business Associate of:

 

4.1               Any limitations in its Notice of Privacy Practices that the Covered Entity produces in accordance with 45 C.F.R. §164.520, as well as any changes to such notices;

 

4.2               Any changes in, or withdrawals of, the consent or authorization provided to the Covered Entity by Individuals to Use or Disclose PHI; and

 

4.3               Any restrictions to the Use or Disclosure of PHI to which the Covered Entity has agreed in accordance with 45 C.F.R. §164.522, including any restrictions which Covered Entity is required to comply with in accordance with Section 13405(a) of HITECH.

 

5.                  Responsibilities of Business Associate with Respect to PHI and EPHI. Business Associate hereby covenants and agrees:

 

5.1               Not to Use or Disclose PHI, other than as permitted or required by this Agreement or as Required By Law;

 

5.2               To report to the Covered Entity, in writing, any Use and/or Disclosure of the PHI that is not permitted by this Agreement and/or any Security Incident relating to EPHI of which Business Associate becomes aware within two (2) days of the discovery;

 

5.3               To report to the Covered Entity any “breach” (as defined in HITECH) of unsecured PHI held by or under the control of Business Associate, including the identity of the affected Individuals and all other relevant information, within two (2) days of becoming aware of such breach;

 

5.4               To mitigate, to the extent practicable, any harmful effect that is known, or should be known, to Business Associate resulting from a Use or Disclosure of PHI by Business Associate in violation of the requirements of this Agreement;

 

5.5               To use appropriate safeguards to prevent the Use or Disclosure of the PHI other than as provided for by this Agreement;

 

5.6               To ensure that all of its subcontractors and agents to whom Business Associate provides PHI received from, or created or received by Business Associate on behalf of, the Covered Entity, agree to enter into a contract which requires restrictions and conditions at least as stringent as those that apply to Business Associate pursuant to this Agreement. Moreover, Business Associate will ensure that any and all of such subcontractors and agents to whom Business Associate provides EPHI agree in writing to implement reasonable and appropriate safeguards to protect such EPHI;

 

5.7               Within three (3) days after receiving a written request by the Covered Entity for such information, to provide access to all PHI maintained in a Designated Record Set in accordance with 45 C.F.R. § 164.524;

 

5.8               Within three (3) days after receiving a written request by the Covered Entity for amendments to PHI maintained in a Designated Record Set, to make such amendments to such PHI in accordance with 45 C.F.R. §164.526;

 

5.9               Within five (5) days after receiving a written request by the Covered Entity for such information, or such shorter period as required by the Secretary, to make internal practices, books, and records, including policies and procedures, relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of, the Covered Entity, available to the Covered Entity or the Secretary, for purposes of the Secretary determining the Covered Entity’s compliance with the Privacy Standards. To the extent Business Associate receives a written request for such information directly from the Secretary, Business Associate will promptly notify the Covered Entity and will reasonably cooperate with the Covered Entity in complying with the Secretary's requests;

 

5.10           To document Disclosures of PHI and information related to such Disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. §164.528 and Section 13405(c) of HITECH;

 

5.11           Within five (5) days after receiving a written request by the Covered Entity for such information, to provide to the Covered Entity information collected in accordance with subsection (j) above, to permit the Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. §164.528;

 

5.12           Otherwise to abide by the provisions of the Privacy Standards and the Security Standards, as such are made applicable to Business Associate by the operation of HITECH, including without limitation restrictions on marketing and requirements relating to limited data sets and minimum necessary disclosures; and

 

5.13           To the extent Business Associate receives a written request directly from an Individual for access or amendment to PHI maintained in a Designated Record Set or for the information collected in accordance with subsection (j), to immediately notify the Covered Entity and reasonably cooperate with the Covered Entity in meeting the requirements under 45 C.F.R. §164.524, 45 C.F.R. §164.526 and 45 C.F.R. §164.528, as the case may be, with respect to such Individual. Unless Business Associate receives, within three (3) days of the date of such notice to the Covered Entity, a written direction from the Covered Entity to the contrary, Business Associate agrees to respond directly to the Individual and to (i) provide access to such Individual in accordance with 45 C.F.R. §164.524; (ii) make any such proper amendment in accordance with 45 C.F.R. §164.526, or (iii) provide such accounting in accordance with 45 C.F.R. §164.528, within five (5) days of the date of the Individual’s request, unless otherwise agreed upon by the Covered Entity.

 

6.                  Term and Termination.

 

6.1               Term. This Agreement will become effective on the date of this Agreement and will terminate on the date of which the Business Agreement between Covered Entity and Business Associate is terminated; provided, however, that the terms and conditions of this Agreement will continue in effect until all PHI provided by the Covered Entity to Business Associate, or created or received by Business Associate on behalf of the Covered Entity, is destroyed or returned to the Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with subsection (b) below.

 

6.2               Return of PHI. Upon termination of this Agreement, Business Associate will return or destroy all PHI then in its possession which was received from, or created or received by, Business Associate on behalf of the Covered Entity. Business Associate will retain no copies of the PHI. This provision will apply to PHI that is in the possession of subcontractors or agents of Business Associate. In the event that Business Associate reasonably determines that returning or destroying PHI is not feasible, Business Associate will extend the protections of this Agreement to the PHI and will limit further Use and Disclosure of the PHI for so long as Business Associate maintains such PHI but in no event less than six (6) years after the creation or last Use or Disclosure of such PHI. Business Associate may charge a reasonable fee if it is required to maintain any such records following termination of this Agreement. This subsection will survive any termination or expiration of this Agreement and the Business Agreement.

 

7.                  Miscellaneous.

 

7.1.            Further Assurances. Upon a Party’s reasonable request, the other Party will, at the requesting Party’s sole cost and expense, execute and deliver all such documents and instruments, and take all such further actions, necessary to give full effect to this Agreement.

 

7.2.            Notice. Any notice or communication required under this Agreement shall be provided in accordance with the Notice provisions set forth in Section 9.1 of the Independent Contractor’s Agreement above.

 

7.3.            Assignment. Covered Entity will not assign or otherwise transfer any of its rights, or delegate or otherwise transfer any of its obligations or performance, under this Agreement, in each case whether voluntarily, involuntarily, by operation of law or otherwise, without Business Associate’s prior written consent.  Business Associate may assign this Agreement, in whole or in part, to a successor entity or to any current or subsequently formed affiliate of Business Associate.

 

7.4.            Relationship of Parties. The relationship between the Parties is that of independent contractors. Nothing contained in this Agreement will be construed as creating any agency, partnership, joint venture or other form of joint enterprise, employment or fiduciary relationship between the Parties.

 

7.5.            No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor will anything herein confer, upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

 

7.6.            Governing Law; Venue. The relationship of the Parties and all claims arising out of or related to that relationship, including, but not limited to, the construction and interpretation of any written agreements, including this Agreement, will be governed by HIPAA. Where not covered by HIPAA or other federal law, this Agreement will be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflicts of law principles. All disputes concerning any and all matters related to or arising under this Agreement will be construed exclusively in either the state or federal courts located in Tarrant County, Texas, and venue of any such action will rest exclusively in Dallas, Texas.

 

7.7.            Amendments; Waiver. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is required for the Covered Entity to comply with the requirements of the Privacy Standards, the Security Standards, and HIPAA. This Agreement may not be modified, nor any provision amended, except in a writing duly signed by both Parties. No waiver of any of the provisions of this Agreement will be effective unless explicitly set forth in writing and signed by the Party so waiving. A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.

 

7.8.            Entire Agreement; Conflicts. This Agreement and the Business Agreement contain the entire agreement between the Parties regarding privacy of PHI and security of EPHI, and supersedes all prior and contemporaneous proposals, communications and understandings, oral or written. In the event there is a conflict between the terms of this Agreement and the terms of any of the Business Agreements, the terms of this Agreement will control.

 

7.9.            Interpretation. Any ambiguity in this Agreement will be resolved in favor of a meaning that permits the Covered Entity to comply with the Privacy Standards and the Security Standards. When this Agreement calls for Business Associate to respond to a request from the Covered Entity in conjunction with a regulation specifically cited in the section, Business Associate may rely on the Covered Entity’s request as verification by the Covered Entity that the request is made in compliance with the regulation. Business Associate is not responsible for confirming that the Covered Entity’s request is made in compliance with the specific regulation.

 

7.10.        Regulatory Reference. A reference in this Agreement to a section in the Privacy Standards, the Security Standards or to a section of the Code of Federal Regulations will be read to include and require all subsequent, updated, amended or revised provisions relating to such regulations.

 

7.11.        Binding Agreement; Severability. This Agreement will be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns. If any provision of this Agreement is determined to be invalid under any applicable law, it is to that extent to be deemed omitted, and the balance of the Agreement will remain enforceable. Upon such determination, the Parties will negotiate in good faith to modify this Agreement so as to affect the original intent of the Parties as closely as possible in a mutually acceptable manner.

 

7.12.        Counterparts. This Agreement may be executed in several counterparts, each of which will be deemed an original and all of which taken together will constitute one single agreement between the Parties.