Business Associate Agreement
Last updated 7/6/2017
BY USING THE SITE, COVERED ENTITIES AGREE TO BE BOUND BY THE TERMS OF THIS BUSINESS ASSOCIATE AGREEMENT. USE OF THE SITE AND THE SERVICES SHALL CONSTITUTE AN AGREEMENT TO BE BOUND BY THE TERMS OF THIS BUSINESS ASSOCIATE AGREEMENT. ANY COVERED ENTITIES WHO DO NOT AGREE WITH THIS AGREEMENT SHOULD NOT USE THIS SITE!
Pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and any amendments thereto (hereinafter “HIPAA”); and the HIPAA Security and Privacy rule, 45 CFR Parts 160 and 164, and any amendments thereto (hereinafter the “HIPAA Security and Privacy Rule”) as well as other applicable federal and state privacy and confidentiality rules, health care providers who use Arctrieval’s Web site to facilitate the exchange of Protected Health Information and any other services or products that Arctrieval may offer from time-to-time, (each a “Covered Entity”) and Arctrieval, Inc., (“Business Associate”) (jointly “the Parties”) wish to enter into this agreement (“Agreement”) to address the requirements of the HIPAA Security and Privacy Rule with respect to “business associates,” as that term is defined in the HIPAA Security and Privacy Rule.
Business Associate acknowledges that it is required to establish and implement appropriate safeguards (including certain administrative requirements) for “Protected Health Information” (“PHI”) as defined by HIPAA in any form or medium, including electronic, the Business Associate may create, receive, maintain, transmit, use, or disclose in connection with certain functions, activities, or services (collectively “services”) to be provided by Business Associate to or on behalf of Covered Entity.
II. TERMS AND CONDITIONS
2.1 Definitions. All terms used in this Agreement shall have the meanings set forth in the HIPAA Security and Privacy Rule, unless otherwise defined herein.
III. USE AND DISCLOSURE OF PHI
3.2 Other Permissible Use and Disclosures. As permitted by 42 CFR §164.504(e)(4) Business Associate also may use or disclose PHI it receives in its capacity as a Business Associate to the Covered Entity if:
3.2.1. The use relates to: (1) the proper management and administration of the Business Associate or to carry out legal responsibilities of the Business Associate, or (2) data aggregation services relating to the health care operations of the Covered Entity; or
3.2.2. The disclosure of PHI received in such capacity may be made in connection with a function, responsibility, or service identified above in 3.2.1. and such disclosure is (1) required by law, or (2) the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidential, and the person agrees to notify the Business Associate of any breaches of confidentiality; or
3.2.3. The disclosure of PHI is made, if applicable, pursuant to 42 CFR §423.884(b). Notwithstanding any provisions to the contrary, Covered Entity agrees that the Business Associate (on behalf of the Covered Entity) may disclose PHI to the Center for Medicare and Medicaid Services (“CMS”) to the extent necessary to comply with Subpart R of 42 CFR §423 relating to applications for drug subsidy payments.
IV. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
4.1. General Obligations. Business Associate acknowledges that Business Associate is required by law to comply with sections 164.308, 164.310, 164.312 and 164.316 of the HIPAA Security Rule, and all additional security requirements of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA), that are applicable to Covered Entities. Business Associate further acknowledges that Business Associate is required by law to comply with the use and disclosure requirements of section 162.504(e) of the HIPAA Privacy Rule and all other privacy requirements of Subtitle D of the HITECH Act that are applicable to Covered Entities. HIPAA compliance requirements include, but are not limited to:
4.1.1. Subcontractors. Business Associate represents to Covered Entity that (i) any disclosure it makes will be permitted or required under applicable laws, (ii) that Business Associate will obtain reasonable written assurances from any person or entity to whom Business Associate discloses the PHI that the PHI will be held confidentially and used or further disclosed only as required and permitted under the HIPAA Security and Privacy Rule and other applicable laws, and (iii) any such person or entity agrees to be governed by the same restrictions and conditions contained in this Agreement, and will notify Business Associate of any breaches of confidentiality of the PHI.
4.1.3. Safeguards. (i) Business Associate shall maintain safeguards as reasonably necessary to ensure that PHI is not used or disclosed except as provided for by this Agreement; notwithstanding the foregoing, Covered Entity agrees and acknowledges that Business Associate is not the author of PHI and maintains no control over the PHI that may be provided via the services of Arctrieval, including but not limited to incomplete or inaccurate PHI and production mistakes caused by the negligence of Covered Entity. (ii) Business Associate shall implement administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of PHI that it creates, receives, maintains or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule. (iii) Business Associate shall implement administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of electronic PHI (“ePHI”) that it creates, maintains, or transmits on behalf of Covered Entity as required by 45 CFR §164.314. (iv) Business Associate shall ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it.
4.1.4. Impermissible Use and Disclosure. Business Associate shall report to Covered Entity within ten (10) calendar days of knowledge of any use or disclosure of PHI that is in violation of this Agreement and not permitted under the HIPAA Security and Privacy Rule. Notwithstanding the foregoing, it is Covered Entity’s sole responsibility to monitor and ensure the proper, lawful use of its account with Arctrieval, regardless of whether Covered Entity authorized such access or use. In no event shall Business Associate be liable for the disclosure of PHI that was caused by Covered Entity’s failure to maintain the security of its account.
4.1.5. Accounting of Disclosures. Business Associate shall respond to Covered Entity’s request for the information it has which would be appropriate for an accounting of disclosures of PHI as provided for in CFR §164.528 of the HIPAA Security and Privacy Rule within ten calendar days of receipt of request. Business Associate shall not be required to maintain a record of disclosures of PHI: (a) made to an individual who is the subject of the PHI, or (b) made pursuant to an authorization that is valid under HIPAA.
4.1.6. Access to PHI. Business Associate shall report to Covered Entity a request from an individual for PHI as provided for in 45 CFR § 164.524 as soon as reasonably possible after receiving said request. In the event Covered Entity fails to object to such a request and deny the same within thirty (30) calendar days, and where said denial is made pursuant to CFR §164.524 of the HIPAA Privacy Rule, Business Associate shall respond to the individual requesting access to PHI. Notwithstanding the foregoing, in the event Covered Entity has retained the professional services of Business Associate for the complete facilitation of record production, Covered Entity agrees and acknowledges that Business Associate may respond to requests for PHI without further notice to Covered Entity.
4.1.7. Disclosures Required by Law. Business Associate may disclose PHI to report violations of law to appropriate Federal or State authorities, consistent with CFR §164.502.
4.1.8. Access to Secretary of Health and Human Services (“HHS”). Business Associate shall make available to the Covered Entity, HHS, or its agents, the Business Associate’s internal practices, books, and records relating to the use and disclosure of PHI as required in CFR §164.504 of the HIPAA Security and Privacy Rule.
4.1.10. Electronic Transactions. Business Associate, its agents, and subcontractors shall comply with applicable requirements of Standards for Electronic Transactions (45 CFR §§160 and 162).
4.1.11. Security Incidents. Business Associate shall report to Covered Entity any security incident, as defined in 45 CFR § 164.304, of which it becomes aware within ten (10) calendar days of knowledge of such incident.
4.1.12. Breaches. Pursuant to 45 CFR § 164.410, in the event of a breach by Business Associate of unsecured PHI, as the terms “breach” and “unsecured PHI” are defined in 45 CFR § 164.402, Business Associate shall report such breach to Covered Entity within ten calendar days of knowledge of such breach. Business Associate’s report shall include all information available to allow Covered Entity to provide a notification of breach consistent with 45 CFR § 164.404.
V. OBLIGATIONS OF COVERED ENTITY
5.1. Receipt of PHI. If Covered Entity wishes to receive PHI, it shall create and maintain a user account for such persons authorized to represent Covered Entity who can receive and disclose PHI as set forth in Section 4.1 above. By creating and maintaining such a user account, Covered Entity represents to Business Associate that all individuals with access to said account are authorized to represent Covered Entity and can receive and disclose PHI as set forth in Section 4.1 above.
5.3. Restrictions of Use. Covered Entity is solely responsible for ensuring that any PHI made available via the Arctrieval services complies with any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522. Business Associate shall not be held liable for disclosures of PHI that violate this provision.
5.4. Accounting of Disclosures. Covered Entity shall cooperate with Business Associate to provide Accounting of Disclosures when requested.
6.1. Term. The term of this Agreement shall be effective as of the date Covered Entity registers to use the Services. Unless otherwise terminated, this Agreement shall end when all of the PHI provided by Covered Entity to Business Associate is destroyed, returned to the Covered Entity, or protected as described in (c) below.
6.2. Termination for Cause. Upon Covered Entity’s knowledge of a material breach of Business Associate’s obligation under this Agreement or of HIPAA, or upon Business Associate’s knowledge of a material breach of Covered Entity’s obligation under this Agreement or of HIPAA, and subject to (6.3) below, Covered Entity or Business Associate may commence termination of this Agreement by providing written Notice of Termination to the other Party.
6.3. Termination Not Feasible. If termination would cause irreparable business interruption or harm to a patient, or is otherwise not feasible, the Parties shall make all reasonable efforts to cure the breach or mitigate harm to individuals caused by such breach. If this occurs and this Agreement is not terminated, Covered Entity or Business Associate shall report the situation to the Secretary of Health and Human Services.
7.1. Indemnification. Covered Entity shall, to the fullest extent permitted by law, protect, defend, indemnify, and hold harmless Business Associate as well as its respective directors, officers, employees, contractors, parents, subsidiaries, agents, and third-party content providers (“Indemnitees”) from and against any and all losses, costs, claims, penalties, fines, demands, liabilities, legal actions, judgments, and expenses of every kind (including reasonable attorneys’ fees, including at trial and on appeal) asserted or imposed against any Indemnitees arising out of or related to the acts or omissions of the Covered Entity, and of any individual or entity using its account to access the Arctrieval services, as well as its respective directors, officers, employees, contractors, parents, subsidiaries, agents, and third-party content providers, related to: material breach of this Agreement; use of the services; the unauthorized use of the services by any entity or individual using Covered Entity’s account; and/or the failure to comply with HIPAA.
7.2. Severability. If any provision of this Agreement is held invalid or unenforceable, such invalidity or non-enforceability shall not invalidate or render unenforceable any other portion of this Agreement. The entire Agreement will be construed as if it did not contain the particular invalid or unenforceable provision(s), and the rights and obligations of Business Associate and Covered Entity will be construed and enforced accordingly.
7.3. Waiver. The failure by one Party to require performance of any provision of this Agreement shall not affect that Party’s right to require performance at any time thereafter, nor shall a waiver of any breach or default of this Agreement constitute a waiver of any subsequent breach or default or a waiver of the provision itself.
7.4. Amendment. Business Associate may amend this Agreement at any time in its sole discretion, and any such amendment shall become effective following the posting of a notice to the Website and notification of Covered Entity via email.