Big Bend Regional Health Information Participant
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (“Agreement”) is entered into on this ______ day of ______, 20___, between the ______, together with all of its divisions and subsidiaries (“COVERED ENTITY”), and HIE Networks, LLC, a Florida limited liability company (“HIE Networks”).
RECITALS
Pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and Standards for the Privacy and Security of Individually Identifiable Health Information, found at 45 C.F.R. Parts 160, 162 and 164, COVERED ENTITY is required to protect certain individually identifiable health information (“Protected Health Information”, or “PHI”) that it uses and/or discloses in the performance of services to entities covered by the requirements of HIPAA;
COVERED ENTITY is also required to protect PHI that is in electronic format (“Electronic Protected Health Information” or “EPHI”);
Pursuant to the provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 and the regulations promulgated thereunder from time to time (the “HITECH Act”), COVERED ENTITY and HIE Networks are required to comply with additional privacy and security obligations, as well as obligations related to the breach of unsecured PHI or EPHI;
In order to protect the privacy and security of PHI, including EPHI, created or maintained by or on behalf of its covered entity clients, HIPAA requires COVERED ENTITY to enter into “business associate agreements” with certain individuals or entities providing services for or on behalf of COVERED ENTITY if such services require the use or disclosure of PHI or EPHI of the COVERED ENTITY;
COVERED ENTITY and HIE Networks have entered into, or are entering into, or may subsequently enter into, agreements or other documented arrangements (collectively, the “Business Arrangements”) which require or may require HIE Networks to access, create, receive, use, disclose, or maintain PHI and/or EPHI on behalf of COVERED ENTITY;
COVERED ENTITY requires that HIE Networks protect the privacy and provide for the security of PHI in compliance with the HIPAA’s privacy rule and security rule and the HITECH Act;
COVERED ENTITY and HIE Networks desire to enter into this Business Associate Agreement to enable both parties to comply with HIPAA, the HITECH Act and other applicable law. The Parties for good and valuable consideration agree as follows:
1. Definitions.
a. Business Associate – Shall mean HIE Networks.
b. Business Arrangements – Shall mean documented arrangements by and between COVERED ENTITY and HIE Networks whereby HIE Networks will access, create, receive, use, disclose, or maintain PHI and/or EPHI on behalf of COVERED ENTITY.
c. HIPAA – Shall mean the Health Insurance Portability and Accountability Act of 1996 and those regulations found at 45 C.F.R. Parts 160, 162, and 164.
d. HITECH Act – Shall mean the Health Information Technology for Economic and Clinical Health Act.
e. HHS – Shall mean the United States Department of Health and Human Services.
f. PHI – Shall mean “protected health information” as defined in 45 C.F.R. § 160.103 including but not limited to EPHI.
g. EPHI – Shall mean “electronic protected health information” as defined in 45 C.F.R. § 160.103.
h. Any terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms have under HIPAA and the HITECH Act.
HIE Networks-ParticipantBAA-20120911
2. Purpose. COVERED ENTITY and HIE Networks have entered into certain Business Arrangements whereby HIE Networks may access, create, receive, use, disclose, or maintain PHI and/or EPHI on behalf of COVERED ENTITY. Such Business Arrangements shall be conducted in a manner that ensures the privacy and security of PHI and EPHI in accordance with HIPAA, the HITECH Act and with all applicable federal and state laws and regulations.
3. Term and Termination.
3.1 The term of this Agreement shall commence the earlier of ______ or the date upon which HIE Networks first accessed, created, received, used, disclosed, or maintained PHI on behalf of COVERED ENTITY.
3.2 In the event of a material breach by HIE Networks of any of HIE Networks’ obligations hereunder, COVERED ENTITY shall have the right, as specifically recognized by HIE Networks, to terminate this Agreement and the Business Arrangements between the parties, at any time by providing HIE Networks with written notice of termination setting forth a description of the breach and the effective date of termination.
3.3. Upon the termination of all Business Arrangements, this Agreement shall automatically terminate.
3.4 As of the effective date of termination of this Agreement, neither party shall have any further rights or obligations hereunder except: (a) as otherwise provided herein or in the Agreement between the parties; (b) for continuing rights and obligations accruing under the Privacy Rule; or (c) arising as a result of any breach of this Agreement, including, but not limited to, any rights and remedies available at law or equity. Upon termination of this Agreement for any reason, HIE Networks agrees either to return to COVERED ENTITY or to destroy all PHI (regardless of form or medium and including any copies thereof), received from COVERED ENTITY or otherwise through the performance of services for COVERED ENTITY, that is in the possession or control of HIE Networks or its subcontractors or agents. If HIE Networks elects to destroy the PHI, HIE Networks shall notify COVERED ENTITY in writing that such PHI has been destroyed. In the case of PHI which is not feasible to “return or destroy,” HIE Networks shall provide written notification to COVERED ENTITY of the conditions that make return or destruction not feasible. Upon mutual agreement of the parties that return or destruction of PHI is not feasible, HIE Networks shall continue to extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as HIE Networks maintains such PHI. HIE Networks further agrees to comply with HIPAA, the HITECH Act and other applicable state and federal law, which may require a specific period of retention, redaction, or other treatment of such PHI.
4. Use or Disclosure of Protected Health Information. Except as otherwise required by law, HIE Networks shall use or disclose PHI in compliance with 45 C.F.R. § 164.504(e). Furthermore, HIE Networks shall use or disclose PHI (i) solely for the benefit of COVERED ENTITY and only for the purpose of performing services, including data aggregation services, for COVERED ENTITY as such services are defined in the Business Arrangements between COVERED ENTITY and HIE Networks, (ii) as necessary for the proper management and administration of HIE Networks to carry out its legal responsibilities, provided that such uses are permitted under federal and state law. HIE Networks agrees that all disclosures of PHI shall be the minimum necessary to accomplish the intended purpose of the disclosure. Except to the extent necessary to perform its obligations under the Business Arrangements, HIE Networks may not de-identify PHI received from, or created on behalf of, COVERED ENTITY without the express written authorization of COVERED ENTITY.
5. Appropriate Safeguards. HIE Networks will use appropriate safeguards to prevent use or disclosure of PHI other than as expressly provided by this Agreement. HIE Networks will implement administrative, physical and technical safeguards that reasonably protect the confidentiality, integrity and availability of the PHI that it creates, receives, maintains or transmits on behalf of COVERED ENTITY. HIE Networks acknowledges and agrees that the HITECH Act requires HIE Networks to comply with 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 to the same extent as if it were a HIPAA covered entity. To the extent feasible, HIE Networks will use commercially reasonable efforts to ensure that the technology safeguards used by HIE Networks to secure PHI will render such PHI unusable, unreadable and indecipherable to individuals that are not authorized to acquire or have access to such PHI. Such technology safeguards should meet or exceed security guidance issued by HHS.
6. Reporting of Improper Use or Disclosure. HIE Networks agrees that it shall report to the COVERED ENTITY any use or disclosure of protected health information not provided for by this Agreement. Such report shall be made within five (5) business days of discovery. Further, HIE Networks shall report any successful “security incident” of which it becomes aware within five (5) business days of discovery. A “security incident” includes, but is not limited to, a successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations. In addition to HIE Networks’ obligations under Section 7, HIE Networks agrees to mitigate to the extent practical any harmful effect that is known to HIE Networks and is a result of a use or disclosure of PHI by HIE Networks in violation of this Agreement.
7. Data Breach Notification and Mitigation.
7.1 HIE Networks agrees to implement reasonable systems for the discovery and prompt reporting of any “breach” of “unsecured PHI” as those terms are defined by 45 C.F.R. § 164.402 F.S., (collectively referred to as a “HIPAA Breach”). In addition to the notification set forth in Section 6, HIE Networks will, following the discovery of a HIPAA Breach, notify COVERED ENTITY immediately and in no event later than fifteen (15) days after HIE Networks discovers such HIPAA Breach, unless HIE Networks is prevented from doing so by 45 C.F.R. § 164.412 concerning law enforcement investigations. For purposes of reporting a HIPAA Breach to COVERED ENTITY, the discovery of a HIPAA Breach shall occur as of the first day on which such HIPAA Breach is known to HIE Networks or, by exercising reasonable diligence or inquiry, should have been known to HIE Networks. No later than fifteen (15) days following a HIPAA Breach, HIE Networks shall provide COVERED ENTITY with sufficient information to permit COVERED ENTITY to comply with the HIPAA Breach notification requirements set forth at 45 C.F.R. § 164.400 et seq. Following a HIPAA Breach, HIE Networks will have a continuing duty to inform COVERED ENTITY of new information learned by HIE Networks regarding the HIPAA Breach.
7.2. HIE Networks shall indemnify, defend and hold COVERED ENTITY, and their officers, directors, members, managers, employees, agents, successors and assigns harmless, from and against any and all losses, claims, actions, demands, penalties, assessments, judgments, liabilities, damages, costs and expenses (including costs of complying with applicable breach notification requirements, judgments, settlements, court costs, expert witness fees, costs of investigation, litigation or dispute resolution, and reasonable attorneys’ fees actually incurred), of any kind or nature whatsoever, arising from or related to: (i) the use or disclosure of Individually Identifiable Information (including PHI) in violation of the terms of this Agreement or applicable law, (ii) whether in oral, paper or electronic media, any HIPAA Breach of unsecured PHI. The obligations set forth in this Section 7.2 shall survive termination of this Agreement, regardless of the reasons for termination.
8. Sub-Contractors and Agents. HIE Networks may disclose PHI to its sub-contractors and agents only as necessary for HIE Networks to perform its obligations under the Business Arrangements with COVERED ENTITY. HIE Networks agrees that any time PHI is provided or made available to any sub-contractors or agents, HIE Networks must obtain satisfactory written assurances from the sub-contractor or agent that contain the same terms, conditions, restrictions on the use and disclosure of, and security of PHI as contained in this Agreement. HIE Networks, upon request by COVERED ENTITY, agrees to provide COVERED ENTITY with a listing of sub-contractors and agents that may use or disclose PHI obtained, directly or indirectly, from COVERED ENTITY.
9. Right of Access to Designated Record Sets. If HIE Networks maintains any PHI that is part of the “Designated Record Set” as that term is defined under HIPAA, HIE Networks shall make such PHI available, for inspection and copying, to an individual as required under 45 C.F.R. 164.524. Prior to providing access, but within the time frame specified in 45 C.F.R. 164.524, HIE Networks shall notify the COVERED ENTITY of the request for access and ascertain if there are any legitimate reasons that access should not be granted.
10. Amendment and Incorporation of Amendments. If HIE Networks maintains any PHI that is part of the “Designated Record Set” as that term is defined under HIPAA, HIE Networks shall make such PHI available for amendment as required under 45 C.F.R. 164.526 and shall, within fifteen (15) days, provide COVERED ENTITY with a copy of the Amendment. Prior to allowing the amendment, HIE Networks shall notify COVERED ENTITY within five (5) days of the request to amend and ascertain if there are any legitimate objections to the amendment. In the event that COVERED ENTITY accepts an amendment to the Designated Record Set, HIE Networks agrees to incorporate any amendments to PHI in accordance with 45 C.F.R. 164.526.
11. Accounting of Disclosures. HIE Networks agrees to document disclosures of PHI and information related to such disclosures as would be required for COVERED ENTITY to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. At the request of COVERED ENTITY, HIE Networks shall make available all information required for COVERED ENTITY to provide an accounting of disclosures of PHI with respect to an individual requesting such accounting in accordance with 45 C.F.R. § 164.528, as amended by Section 13405(c) of the HITECH Act and any related regulations or guidance in accordance with such provision. HIE Networks shall provide COVERED ENTITY such information necessary to provide an accounting within five (5) business days of COVERED ENTITY’s request or such shorter time as may be required by state or federal law. Such accounting obligations shall survive termination of this Agreement and shall continue as long as HIE Networks maintains PHI. In the event that HIE Networks receives a request for an accounting it shall notify COVERED ENTITY as soon as possible, but no later than five (5) business days after receipt of such request.
12. Records and Audit. If HIE Networks receives a request, made by or on behalf of HHS, requiring HIE Networks to make available its internal practices, books, and records relating to the use and disclosure of the PHI to HHS for the purpose of determining the compliance of COVERED ENTITY with HIPAA, then HIE Networks shall promptly notify COVERED ENTITY that HIE Networks has received such a request. HIE Networks shall make its books and records relating to the use and disclosure of PHI by COVERED ENTITY available to HHS and its authorized representatives for purposes of determining the compliance of COVERED ENTITY with HIPAA, and shall provide COVERED ENTITY access to or a copy of any PHI or other information that HIE Networks makes available to HHS.
13. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits COVERED ENTITY and HIE Networks to comply with HIPAA, the HITECH Act and other applicable law.
14. Regulatory References. A reference in this Agreement to a section of HIPAA or the HITECH Act shall mean the section as currently in effect or as amended.
15. Amendment. This Agreement may only be amended or modified by mutual written agreement of the parties; provided, however, that in the event provisions of this Agreement shall conflict with the requirements of the HIPAA’s privacy rule and/or security rule, or the HITECH Act, this Agreement shall automatically be deemed amended as necessary to comply with such legal requirements.
16. Governing Law and Venue. This Agreement shall be governed by the laws of Florida. The parties agree that exclusive venue shall be in the courts of Leon County, Florida for all disputes arising out of this Agreement. The parties each hereby consent to the jurisdiction of such courts, agree to accept service of process by mail, and hereby waive any jurisdictional or venue defenses otherwise available to them.
17. Binding Nature and Assignment. This Agreement shall be binding on the Parties hereto and their successors and assigns, but HIE Networks may not assign, delegate, or otherwise transfer this Agreement and its rights and obligations hereunder without the prior written consent of COVERED ENTITY, which consent shall not be unreasonably withheld.
18. Notices. Whenever under this Agreement one party is required to give notice to the other, such notice shall be deemed to have been given if in writing and sent by (i) personal delivery; (ii) certified or registered mail, return receipt requested; (iii) overnight delivery service with proof of delivery; or (iv) facsimile with return facsimile acknowledging receipt to the address listed below:
COVERED ENTITY
______
______
______
HIE Networks
ATTEN: Privacy Officer
3411 Capital Medical Blvd.
Tallahassee, FL 32308
Either Party may at any time change its address for notification purposes by providing the other party written notice stating the change and setting forth the new address.
19. Entire Agreement. This Agreement consists of this document, and constitutes the entire agreement between the Parties. There are no understandings or agreements relating to this Agreement which are not fully expressed in this Agreement and no change, waiver or discharge of obligations arising under this Agreement shall be valid unless in writing and executed by the Party against whom such change, waiver or discharge is sought to be enforced.
20. Waiver. The failure of either Party at any time to enforce any right or remedy available hereunder with respect to any breach or failure shall not be construed to be a waiver of such right or remedy with respect to any other breach or failure by the other Party.
21. Severability. In the event that any provision or part of this Agreement is found to be totally or partially invalid, illegal, or unenforceable, then the provision will be deemed to be modified or restricted to the extent and in the manner necessary to make it valid, legal, or enforceable, or it will be excised without affecting any other provision of this Agreement, with the Parties agreeing that the remaining provisions are to be deemed to be in full force and effect as if they had been executed by both parties subsequent to the expungement of the invalid provision.
22. Third Party Beneficiaries. Nothing in this Agreement shall be considered or construed as conferring any right or benefit on a person not a party to this Agreement nor imposing any obligations on either Party hereto to persons not a party to this Agreement.
23. Attorney’s Fees. In the event an arbitration, suit or action is brought by any party under this Agreement to enforce any of its terms, or in any appeal therefrom, it is agreed that the prevailing Party shall be entitled to reasonable attorneys’ fees and other professional fees and costs incurred in connection with any litigation hereunder, whether before or at trial, or on appeal.
24. Counterparts. This Agreement may be executed in any number of counterparts, including facsimile or an e-mail of a PDF file containing a copy of the signature page of the person executing this document, each of which shall be an original, but all of which together shall constitute one and the same instrument.
25. Recitals. The Parties acknowledge and agree that the recitals in the preamble to this Agreement are true and correct and are hereby incorporated herein by this reference.
IN WITNESS WHEREOF, HIE Networks and COVERED ENTITY have executed this Business Associate Agreement on the date set forth below.
COVERED ENTITY
Signature: ______
Printed Name: ______
Title: ______
Date: ______
HIE NETWORKS
Signature:
Printed Name: Allen Byington
Title: Chief Executive Officer