FullContour Business Associate Agreement
This FullContour Business Associate Agreement (this “Agreement”) is made effective as of this ____ day of _________________, 20__, by and between Contracting Entity, and FullContour, LLC., an Arizona limited liability company (“FullContour”).
By executing this Agreement, you acknowledge you are either a covered entity (“Covered Entity”), a business associate of a covered entity (“Business Associate”), or a subcontractor of a business associate (“Subcontractor”). From time to time herein, (i) Covered Entity, Business Associate, and Subcontractor shall collectively and individually be referred to herein as “Contracting Entity,” and (ii) FullContour, Business Associate, and Subcontractor shall collectively and individually be referred to herein as “Downstream Entity.” From time to time herein, Contracting Entity and FullContour shall collectively be referred to as “Parties,” and individually, each is a “Party.”
Whereas, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, known as “the Administrative Simplification provisions,” direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information;
Whereas, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services has issued regulations modifying 45 CFR Parts 160 and 164 (the “HIPAA Privacy Rule” and the “HIPAA Security Rule”);
Whereas, Title XIII of the American Recovery and Reinvestment Act, known as “the HITECH Act” has amended HIPAA and the HIPAA regulations, including HIPAA’s Administrative Simplification provisions;
Whereas, amendments to the HIPAA Regulations contained in the HIPAA Omnibus Final Rule became effective on March 26, 2013, and amended HIPAA’s Privacy, Security, Breach Notification and Enforcement Rules;
Whereas, the requirements of the HIPAA Administrative Simplification Regulations (including the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules) implement sections 1171-1180 of the Social Security Act (the Act), sections 262 and 264 of Public Law 104-191, section 105 of Public Law 110-233, sections 13400-13424 of Public Law 111-5, and section 1104 of Public Law 111-148;
Whereas, the Parties wish to enter into or have entered into an arrangement whereby FullContour will provide certain services to Contracting Entity; and
Whereas, Downstream Entity may have access to Protected Health Information (as defined below) in fulfilling its responsibilities under such arrangement.
Now Therefore, in consideration of the Parties’ continuing obligations under the HIPAA Privacy Rule and Security Rule, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree to the provisions of this Agreement in order to address the requirements of the HIPAA Privacy Rule and Security Rule and to protect the interests of both Parties.
1. Definitions. Except as otherwise defined herein, all terms in this Agreement shall have the definitions set forth in the current HIPAA Rules. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Rules, as amended, the HIPAA Rules shall control. Where provisions of this Agreement are different than those mandated in the HIPAA Rules, but are nonetheless permitted by the HIPAA Rules, the provisions of this Agreement shall control.
1.1 “Protected Health Information” (abbreviated as “PHI”) shall mean individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
1.2 “Covered Entity” shall mean 1.) a health plan; 2.) a health care clearinghouse; 3.) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
1.3 “Business Associate” shall mean, with respect to a Covered Entity, a person who: 1.) On behalf of such Covered Entity or of an organized health care arrangement (as defined in this section) in which the Covered Entity participates, but other than in the capacity of a member of the workforce of such Covered Entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or, 2.) Provides, other than in the capacity of a member of the workforce of such Covered Entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such Covered Entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such Covered Entity or arrangement, or from another Business Associate of such Covered Entity or arrangement, to the person.
Business Associates, under the 2013 HIPAA Final Rule amendments, include the following:
· Patient safety organizations.
· HIOs - Health Information Organizations, including Health Information Exchanges (HIEs) and regional Health Information Organizations.
· E-Prescribing gateways.
· PHRs - Personal Health Record vendors that provide services on behalf of a covered entity. PHR vendors that do not offer PHRs on behalf of Covered Entities are not Business Associates.
· Other firms or persons who “facilitate data transmission” that requires routine access to PHI.
1.4 “HIPAA Rules” shall mean the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
Downstream Entity acknowledges and agrees that all Protected Health Information that is created or received by Contracting Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic media by Contracting Entity or its operating units to Downstream Entity or is created or received by Downstream Entity on Contracting Entity’s behalf shall be subject to this Agreement.
2. Confidentiality Requirements.
2.1 Downstream Entity agrees: (i) to use or disclose any Protected Health Information solely: (1) for meeting its obligations as set forth in any agreements between the Parties evidencing their business relationship, or (2) as required by applicable law, rule or regulation, or by accrediting or credentialing organization to whom Contracting Entity is required to disclose such information or as otherwise permitted under this Agreement, or the HIPAA Privacy Rule or Security Rule; (ii) at termination of this Agreement, or any similar documentation of the business relationship of the Parties, or upon request of Contracting Entity, whichever occurs first, if feasible, Downstream Entity will return or destroy all Protected Health Information received from or created or received by Downstream Entity on behalf of Contracting Entity that Downstream Entity still maintains in any form and retain no copies of such information, or if such return or destruction is not feasible, Downstream Entity will extend the protections of this Agreement to the information in perpetuity and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible; and (iii) to ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from or created by Downstream Entity on behalf of Contracting Entity, agrees to the same restrictions and conditions that apply to Downstream Entity with respect to such information. In addition, Downstream Entity agrees to take reasonable steps to ensure that its employees’ actions or omissions do not cause Downstream Entity to breach the terms of this Agreement or the mandatory requirements of the HIPAA Privacy Rule and Security Rule that may apply to Downstream Entity.
2.2 Notwithstanding the prohibitions set forth in this Agreement, Downstream Entity may use and disclose Protected Health Information as follows: (i) if necessary, for the proper management and administration of Downstream Entity or to carry out the legal responsibilities of Downstream Entity, provided that as to any such disclosure, the following requirements are met:
(a) the disclosure is required by law, not merely permitted by law; or
(b) Downstream Entity obtains reasonable written assurances from the person or party to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or party, and the person or party notifies Downstream Entity of any instances of which it is aware in which the confidentiality of the information has been breached;
(ii) for data aggregation services, if to be provided by Downstream Entity for the health care operations of Contracting Entity pursuant to any agreements between the Parties evidencing their business relationship. For purposes of this Agreement, data aggregation services means the combining of Protected Health Information by Downstream Entity with the Protected Health Information received by Downstream Entity in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
(c) Downstream Entity will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. The Secretary of Health and Human Services shall have the right to audit Downstream Entity’s records and practices related to uses and disclosures of Protected Health Information to ensure Contracting Entity’s compliance with the terms of the HIPAA Privacy Rule and Security Rule. Downstream Entity shall timely report to Contracting Entity any use or disclosure of Protected Health Information which is not in compliance with the terms of this Agreement of which it becomes aware.
3. Obligations and Activities of Downstream Entity.
3.1 Downstream Entity agrees that it is required under the amended HIPAA regulations to comply with, and shall comply with, the HIPAA Security Rule, including the Security Rule’s Administrative, Physical, and Technical safeguard requirements.
3.2 Downstream Entity agrees that it is required under the amended HIPAA regulations to comply with, and shall comply with, the use and disclosure provisions of the HIPAA Privacy Rule.
3.3 Downstream Entity agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as required by law.
3.4 Downstream Entity agrees that it may not use or disclose Protected Health Information in a manner that would violate Subpart E of 45 CFR Part 164 if done by Contracting Entity.
3.5 Downstream Entity agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of Protected Health Information other than as provided for by this Agreement.
3.6 Downstream Entity agrees to mitigate, to the extent practicable, any harmful effect that is known to Downstream Entity of a use or disclosure of Protected Health Information by Downstream Entity in violation of the requirements of this Agreement.
3.7 Breach Disclosures to Contracting Entity: Downstream Entity agrees to immediately report to Contracting Entity any use or disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware; and any security incident of which it becomes aware. Further, Downstream Entity agrees to notify the Contracting Entity of any individual whose Protected Health Information has been inappropriately or unlawfully released, accessed, or obtained. Downstream Entity agrees that such notification will meet the requirements of 45 CFR 164.410 of the amended HIPAA regulations. Specifically, the following shall apply:
(a) A breach is considered discovered on the first day the Downstream Entity knows or should have known about it.
(b) In no case shall Downstream Entity notify Contracting Entity of any breach later than 24 hours after a breach is discovered.
(c) Downstream Entity shall notify the Contracting Entity of any and all breaches of Protected Health Information, and provide detailed information to Contracting Entity about the breach, along with the names and contact information of all individuals whose Protected Health Information was involved.
(d) For breaches determined to be caused by Downstream Entity, where such breaches require notifications to patients or consumers, the cost of such breach notifications shall be borne by Downstream Entity.
3.8 Downstream Entity agrees, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Downstream Entity agree to the same restrictions, conditions, and requirements that apply to the Downstream Entity with respect to such information.
3.9 Downstream Entity agrees to apply HIPAA’s Minimum Necessary Standard to all uses, disclosures, and requests for Protected Health Information, and to make reasonable efforts to limit the Protected Health Information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
3.10 If applicable, Downstream Entity agrees to provide access, at the request of Contracting Entity, and in a reasonable time and manner, to Protected Health Information in a Designated Record Set, to Contracting Entity or, as directed by Contracting Entity, to an Individual in order to meet the requirements of 45 CFR § 164.524.
3.11 If applicable, Downstream Entity agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that Contracting Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Contracting Entity or an Individual, and in a reasonable time and manner.
3.12 Downstream Entity agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Downstream Entity on behalf of, Contracting Entity available to the Contracting Entity or to the Secretary or designate of the Secretary, in a reasonable time and manner, for purposes of the Secretary determining Contracting Entity's compliance with the HIPAA Privacy Rule and Security Rule.
3.13 Downstream Entity agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Contracting Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
3.14 Downstream Entity agrees to provide to Contracting Entity or an Individual, in a reasonable time and manner, information collected in accordance with any Agreement between the Parties, to permit Contracting Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
3.15 If applicable, Downstream Entity agrees to comply with the requirements of the “Red Flags” Rule and implement a compliant identity theft prevention program by or before the required “Red Flags” Rule compliance date, and ongoing thereafter.
4. Availability of PHI.
4.1 Downstream Entity agrees to make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Privacy Rule.
4.2 Downstream Entity agrees to make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Privacy Rule.
4.3 In addition, Downstream Entity agrees to make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Privacy Rule.
5. Termination. Notwithstanding anything in this Agreement to the contrary, Contracting Entity shall have the right to terminate this Agreement immediately if Contracting Entity determines that Downstream Entity has violated any material term of this Agreement. If Contracting Entity reasonably believes that Downstream Entity will violate a material term of this Agreement and, where practicable, Contracting Entity gives written notice to Downstream Entity of such belief within a reasonable time after forming such belief, and Downstream Entity fails to provide adequate written assurances to Contracting Entity that it will not breach the cited term of this Agreement within a reasonable period of time given the specific circumstances, but in any event, before the threatened breach is to occur, then Contracting Entity shall have the right to terminate this Agreement immediately.
Upon termination of this Agreement for any reason, Downstream Entity agrees to return to Contracting Entity or certify destruction of all Protected Health Information received from Contracting Entity, or created, maintained, or received by Downstream Entity on behalf of Contracting Entity, that Downstream Entity still maintains in any form. Downstream Entity shall retain no copies of the Protected Health Information in any form or medium.
6. Miscellaneous. Except as expressly stated herein or in the HIPAA Rules, the parties to this Agreement do not intend to create any rights in any third parties. The obligations of Downstream Entity under this Section shall survive the expiration, termination, or cancellation of this Agreement, and/or the business relationship of the parties, and shall continue to bind Downstream Entity, its agents, employees, contractors, successors, and assigns as set forth herein.
This Agreement may be amended or modified only in a writing signed by the Parties. No Party may assign its respective rights and obligations under this Agreement without the prior written consent of the other Party. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship. This Agreement shall be governed by the laws of the State of Arizona. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. The Parties agree that, in the event that any documentation of the arrangement pursuant to which Downstream Entity provides services to Contracting Entity contains provisions relating to the use or disclosure of Protected Health Information which are more restrictive than the provisions of this Agreement, the provisions of the more restrictive documentation will control. The provisions of this Agreement are intended to establish the minimum requirements regarding Downstream Entity’s use and disclosure of Protected Health Information.
In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. In addition, in the event a Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Privacy Rule or Security Rule, such Party shall notify the other Party in writing. For a period of up to thirty days, the Parties shall address in good faith such concern and amend the terms of this Agreement, if necessary, to bring it into compliance. If, after such thirty-day period, the Agreement fails to comply with the requirements of the HIPAA Privacy Rule and Security Rule, then either Party has the right to terminate upon written notice to the other Party.