HIPAA BUSINESS ASSOCIATE ADDENDUM
A. Covered Entity wishes to disclose certain information to Business Associate pursuant to the terms of the Underlying Agreement, some of which information may constitute Protected Health Information as defined below.
B. Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI disclosed to Business Associate pursuant to the Underlying Agreement in compliance with the Privacy Rule and Security Standards (defined below) promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 as modified by the Health Information Technology for Economic and Clinical Health Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
In consideration of the mutual premises and the covenants and agreements contained in this Addendum, the Parties agree as follows:
1. DEFINITIONS. Terms used in this Addendum that are specifically defined in HIPAA shall have the same meaning as set forth in HIPAA. A change to HIPAA which modifies any defined HIPAA term, or which alters the regulatory citation for the definition shall be deemed incorporated into this Addendum.
1. “Business Associate” shall mean the entity described above. Where the term “business associate” appears without an initial capital letter, it shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 CFR § 160.103.
2. “Covered Entity” means the entity identified as such in the caption above.
3. “Data Aggregation” shall have the meaning given to the term under the Privacy Rule, including, but not limited to, 45 CFR § 164.501.
4. “Designated Record Set” shall have the meaning given to the term under the Privacy Rule, including, but not limited to, 45 CFR §164.501.
5. “Electronic Protected Health Information” and/or “EPHI” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, and shall include, without limitation, any EPHI provided by Covered Entity or created or received by Business Associate on behalf of Covered Entity.
6. “Effective Date”. For purposes of this Agreement, the “Effective Date” shall be the Effective Date as such term is defined in the Underlying Agreement.
7. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-91, as amended, and related HIPAA regulations (45 CFR. Parts 160-1 64).
8. “HITECH” means the Health Information Technology for Economic and Clinical Health Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
9. “Individual” shall have the meaning given to the term under the Privacy Rule, including, but not limited to, 45 CFR § 160.103. It shall also include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
10. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, and Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”), that are codified at 45 CFR parts 160 and 164, Subparts A, C, and E and any other applicable provision of HIPAA, and any amendments thereto, including HITECH.
11. “Protected Health Information” and/or “PHI” shall have the meaning given to the term under the Privacy Rule, including but not limited to, 45 CFR § 164.103, and shall include, without limitation, any PHI provided by Covered Entity or created or received by Business Associate on behalf of Covered Entity. Unless otherwise stated in this Addendum, any provision, restriction, or obligation in this Addendum related to the use of PHI shall apply equally to EPHI. PHI does not include any information independently given to or sourced by Business Associate directly from third parties.
12. “Required By Law” shall have the meaning given to the term under the Privacy Rule, including but not limited to, 45 CFR § 164.103, and any additional requirements created under HITECH.
13. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
14. “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system as provided in 45 CFR § 164.304.
15. “Underlying Agreement” shall mean the underlying agreement(s) that outline the terms of the services that Business Associate agrees to provide to Covered Entity and that fall within the functions, activities or services described in the definition of “Business Associate” at 45 CFR § 160.103.
16. “Unsecured PHI” shall have the same definition that the Secretary gives the term in guidance issued pursuant to § 13402 of HITECH.
2. BUSINESS ASSOCIATE OBLIGATIONS.
1. Business Associate agrees that it shall only use and disclose PHI in accordance with the terms of this Addendum or as is Required By Law.
2. Business Associate shall not use or disclose PHI except for the purpose of performing Business Associate’s obligations to Covered Entity, as such use or disclosure is limited by this Addendum. These obligations are as set forth or necessary and appropriate to Business Associate’s performance of its activities under the Underlying Agreement.
3. Business Associate shall not use or disclose PHI in any manner that would constitute a violation of the Privacy Rule. So long as such use or disclosure does not violate the Privacy Rule or this Addendum, Business Associate may use PHI: (a) as is necessary for the proper management and administration of Business Associate’s organization, or (b) to carry out the legal responsibilities of Business Associate, as provided in 45 CFR § 164.504(e)(4).
4. Business Associate will ensure that any agents, including subcontractors, to whom it provides PHI agree in writing to the same restrictions and conditions, including but not limited to those relating to termination of the contract for improper disclosure, that apply to Business Associate with respect to such information. Further, Business Associate shall implement and maintain sanctions against agents and subcontractors, if any, that violate such restrictions and conditions. Business Associate shall terminate any agreement with an agent or subcontractor, if any, who fails to abide by such restrictions and obligations, subject to cure opportunities as available.
5. Business Associate shall develop, implement, maintain, and use appropriate safeguards to prevent any use or disclosure of the PHI or EPHI other than as provided by this Addendum, and to implement administrative, physical, and technical safeguards as required by sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Documentation) of title 45, Code of Federal Regulations and HITECH in order to protect the confidentiality, integrity, and availability of EPHI or PHI that Business Associate creates, receives, maintains, or transmits, to the same extent as if Business Associate were a Covered Entity.
6. The additional requirements of Title XIII of HITECH that relate to privacy and security and that are made applicable with respect to covered entities shall also be applicable to Business Associate and shall be and by this reference hereby incorporated into this Addendum.
7. Business Associate agrees to adopt the technology and methodology standards provided in any guidance issued by the Secretary pursuant to HITECH §§ 13401-13402.
8. Business Associate agrees to mitigate any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Addendum and to notify Covered Entity of any breach of unsecured PHI, as required under HITECH § 13402.
9. Business Associate shall report, in writing, to Covered Entity any use or disclosure of PHI that is not authorized by the Underlying Agreement or this Addendum. Such written notice shall be provided to Covered Entity within five (5) business days of becoming aware of such use or disclosure.
10. In the case of a breach of Unsecured PHI, Business Associate shall, following the discovery of a breach of such information, promptly notify the Covered Entity of such breach in accordance with the specific statutory and regulatory requirements. For example, the notice shall include the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during the breach.
11. Business Associate will obtain, prior to making any permitted disclosure as set forth in Section 2.2, reasonable assurances from such third party that such PHI will be held secure and confidential as provided pursuant to this Addendum and only disclosed as required by law or for the purposes for which it was disclosed to such third party, and that any breaches of confidentiality of the PHI which becomes known to such third party will be promptly reported to Business Associate. As part of obtaining this reasonable assurance, Business Associate agrees to enter into a Business Associate Agreement with each of its subcontractors pursuant to 45 CFR § 164.308(b)(1) and HITECH § 13401.
12. Business Associate shall make PHI in Designated Record Sets that are maintained by Business Associate or its agents or subcontractors, if any, available to Covered Entity for inspection and copying within ten (10) business days of a request by Covered Entity to enable Covered Entity to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 CFR § 164.524.
13. Within ten (10) business days of receipt of a request from Covered Entity for an amendment of PHI or a record about an Individual contained in a Designated Record Set, Business Associate or its agents or subcontractors, if any, shall make such PHI available to Covered Entity for amendment and shall incorporate any such amendment to enable Covered Entity to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 CFR § 164.524. If an Individual requests an amendment of PHI directly from Business Associate or its agents or subcontractors, if any, Business Associate will notify Covered Entity in writing within five (5) business days of the request. Any denial of amendment of PHI maintained by Business Associate or its agents or subcontractors, if any, shall be the responsibility of Covered Entity. Upon the approval of Covered Entity, Business Associate shall appropriately amend the PHI maintained by it, or any agents or subcontractors.
14. Within ten (10) business days of notice by Covered Entity of a request for an accounting of disclosures of PHI, Business Associate shall make available to Covered Entity the information required to provide an accounting of disclosures to enable Covered Entity to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 CFR §164.528. Except in the case of a direct request from an Individual for an accounting related to treatment, payment or healthcare operations disclosures through an electronic health record, if the request for an accounting is delivered directly to Business Associate or its agents or subcontractors, if any, Business Associate shall within five (5) business days of a request notify Covered Entity about such request. Covered Entity shall either inform Business Associate to provide such information directly to the Individual, or it shall request the information to be promptly forwarded to Covered Entity for compilation and distribution to such Individual. In the case of a direct request for an accounting from an Individual related to treatment, payment or healthcare operations disclosures through electronic health records, Business Associate shall provide such accounting to the Individual in accordance with HITECH § 13405(c), but only after the applicable effective date of such HITECH provision. Business Associate shall not disclose any PHI unless such disclosure is Required by Law or is in accordance with this Addendum. Business Associate shall document such disclosures.
15. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s compliance with the Privacy Rule. Business Associate shall notify Covered Entity regarding any PHI that Business Associate provides to the Secretary concurrently with providing such PHI to the Secretary, and upon request by Covered Entity, shall provide Covered Entity with a duplicate copy of such PHI.
16. Business Associate and its agents or subcontractors, if any, shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure. Business Associate agrees to comply with the Secretary’s guidance on what constitutes minimum necessary.
17. Business Associate and its subcontractors or agents, if any, shall retain any PHI throughout the term of the Underlying Agreement and this Addendum.
18. During the term of this Addendum, Business Associate shall notify Covered Entity within twenty-four (24) hours of any suspected or actual Security Incident or breach of security, intrusion or unauthorized use or disclosure of PHI or EPHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations, or any legal action against Business Associate arising from an alleged HIPAA violation . Business Associate shall take (i) prompt action to correct any such deficiencies and (ii) any action pertaining to such unauthorized disclosure required by applicable federal and state laws and regulations.
3. COVERED ENTITY OBLIGATIONS.
1. Covered Entity shall provide Business Associate with notice of any changes to, revocation of, or permission by Individual to use or disclose PHI, if such changes affect Business Associate’s permitted uses or disclosures, promptly after Covered Entity becomes aware of such changes to or revocation of permission.
2. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that has been agreed to or must be complied with in accordance with 45 CFR § 164.522 and HITECH § 13405(a).
3. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
4. Covered Entity shall at all times comply with HIPAA, HITECH and state privacy laws and regulations and shall indemnify and hold harmless Business Associate and its owners, employees, agents, affiliates and successors from and against any allegations, claims, actions, investigations, losses, liabilities, fines, penalties and costs (including reasonable attorneys’ fees) arising from violation of federal and state privacy laws and regulations, including HIPAA and HITECH, by Covered Entity, its owners, employees, agents and affiliates, including following termination of the Underlying Agreement. This obligation shall survive termination of this Addendum and the Underlying Agreement.
5. If Business Associate knows of a pattern of activity or practice by the Covered Entity that constitutes a material breach or violation of the Covered Entity’s obligations under this Addendum, Covered Entity will take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, Business Associate will either: 1) terminate the Underlying Agreement and this Addendum, if feasible; or 2) report the problem to the Secretary.
1. The term of this Addendum shall be effective as of the date of this Addendum and continue until terminated by either party or until the Underlying Agreement expires or is terminated. Any provision related to the use, disclosure, access, or protection of EPHI or PHI or that by its terms should survive termination of this Addendum shall survive termination.
2. A breach by either party, or their agents or subcontractors, if any, of any provision of this Addendum shall constitute a material breach of the Addendum. If a party breaches this Addendum, the non-breaching party may, in its discretion: (i) immediately terminate this Addendum; (ii) provide an opportunity for the breaching party to cure the breach or end the violation and terminate this Addendum if the breaching party does not promptly cure the breach or end the violation within a period not to exceed 30 days; or (iii) report the violation to the Secretary if neither termination nor cure is feasible. Notwithstanding the foregoing, Business Associate shall in all events have a cure opportunity of up to 30 days unless it is in willful violation of law and regulation.
3. Upon termination of this Addendum for any reason, Business Associate shall return, or at Covered Entity’s request, destroy all PHI that Business Associate or its agents or subcontractors, if any, still maintain in any form, and shall retain no copies of such PHI. If return or destruction is not feasible, Business Associate shall explain to Covered Entity why conditions make the return or destruction of such PHI not feasible. If Covered Entity agrees that the return or destruction of PHI is not feasible, Business Associate shall retain the PHI, subject to all of the protections of this Addendum, and shall make no further use of such PHI.
1. A reference in this Addendum to a section in the Privacy or Security Rule or any other HIPAA regulatory or statutory provision means the applicable statutory or regulatory provision as in effect or as amended.
2. Nothing express or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate, or their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
3. The parties are independent contractors and nothing in this Addendum shall be deemed to make them partners or joint venturers.
4. If any modification to this Addendum is Required By Law or required by HITECH or any other federal or state law affecting this Addendum, or if either party reasonably concludes that an amendment to this Addendum is needed because of a change in federal or state law or changing industry standards, such party shall notify the other of such proposed modification(s) (“Legally-Required Modifications”). Such Legally Required Modifications shall be deemed accepted by each party to the extent required to comply with the Legally Required Modification, and this Addendum so amended, if either party does not, within thirty (30) calendar days following the date of the notice (or within such other time period as may be mandated by applicable state or federal law), deliver to the other party its written rejection of such Legally-Required Modifications.
5. All notices which are required or permitted to be given pursuant to this Addendum shall be in writing and provided in such manner as set forth in the Underlying Agreement.
6. If any provision of this Addendum is determined by a court of competent jurisdiction to be invalid, void, or unenforceable, the remaining provisions hereof shall continue in full force and effect.
7. This Addendum supplements the Underlying Agreement between them. No modification, addition to or waiver of any right, obligation or default shall be effective unless in writing and signed by the party against whom the same is sought to be enforced. No delay or failure of either party to exercise any right or remedy available hereunder, at law or in equity, shall act as a waiver of such right or remedy, and any waiver shall not waive any subsequent right, obligation, or default. Notwithstanding anything herein to the contrary, this Addendum is subject to modification by Business Associate in accordance with the terms of the Underlying Agreement.
8. All questions concerning the validity, operation, interpretation, and construction of this Agreement shall be governed by and determined in accordance with the laws of the State of New York (without regard to any forum’s conflict of law principles).
9. The provisions of this Addendum are severable. If any provision is determined to be invalid, illegal, or unenforceable, in whole or in part, the remaining provisions and any partially enforceable provisions shall remain in full force and effect.
10. In the event of litigation relating to this Addendum, the substantially prevailing party shall be entitled to recover costs and attorneys’ fees in addition to all other remedies available at law or in equity.
11. This Addendum may be executed by electronic, facsimile or e-mail signature and in any number of counterparts, each of which shall be an original, and all such counterparts shall together constitute but one in the same agreement.
IN WITNESS WHEREOF, the parties have caused this Agreement to be executed by their duly authorized representative.
[Name of Lab/Imaging Center}
Name of Authorized Representative