<p> American Association for Laboratory Accreditation Document Revised: F911 – ISO 15189 Program HIPAA Business June 16, 2015 Associate Agreement Page 1 of 4</p><p>This BUSINESS ASSOCIATE AGREEMENT (“Agreement”) is entered into by and between ______, (“Covered Entity”) and the American Association for Laboratory Accreditation (“A2LA”) (each, a “Party” and collectively, the “Parties”). </p><p>Introduction and Definitions</p><p>Unless otherwise defined in this Agreement, all capitalized terms used in this Agreement shall have the same meaning as those terms in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), found in 45 CFR Parts 160 and 164: Breach, Designated Record Set, Disclosure, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, Use, as amended by Subtitle D of the HITECH Act (Title XIII of the American Recovery and Reinvestment Act of 2009) and as clarified by guidance issued pursuant thereto (collectively, “HIPAA Rules”).</p><p>A. Obligations & Activities</p><p>In order to comply with the HIPAA Rules A2LA agrees to: </p><p>1. Not use or disclose protected health information (PHI) other than as permitted or required by the Agreement or as required by law;</p><p>2. Use appropriate safeguards, including with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement. Without limiting the generality of the foregoing, A2LA will implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI (or EPHI) that it receives from, or creates, maintains or transmits on behalf of Covered Entity.</p><p>3. Report to the Covered Entity any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI, and any successful security incident of which it becomes aware.</p><p>4. Ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of A2LA agree to substantially the same restrictions, conditions and requirements that apply to A2LA with respect to such information.</p><p>5. Make available PHI in a designated record set to the Covered Entity as necessary to satisfy the Covered Entity’s obligations. Any requests for access received directly from the individual or the individual’s designee will be forwarded to the covered entity for response.</p><p>6. Make any amendment(s) to PHI in a designated record set as directed or agreed to by the Covered Entity. Any requests for amendment(s) received directly from the individual or the individual’s designee will be forwarded to the Covered Entity for response.</p><p>7. Maintain and make available the information required to provide an accounting of disclosures to the Covered Entity. Any requests for an accounting of disclosures received directly from the individual or the individual’s designee will be forwarded to the Covered Entity.</p><p>8. Document any and all disclosures of PHI by A2LA or its agents, including subcontractors, as well as any other information related to such disclosures of PHI that would be required for A2LA to </p><p>L:\Medical-CLIA and 15189 – 900 Series\ISO 15189 Forms\F911 – ISO 15189 Program HIPAA Business Associate Agreement American Association for Laboratory Accreditation Document Revised: F911 – ISO 15189 Program HIPAA Business June 16, 2015 Associate Agreement Page 2 of 4</p><p> respond to an Individual’s request for an accounting of disclosures in accordance with 45 C.F.R. 164.528.</p><p>9. Make its internal practices, books and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.</p><p>B. Permitted Uses and Disclosures by A2LA</p><p>1. To the extent that, in the course of inspecting the laboratory facilities at the Covered Entity, A2LA gains access to PHI, A2LA may use and disclose such PHI as necessary to evaluate the Covered Entity for accreditation purposes.</p><p>2. A2LA will not take any action to de-identify the information contained within the PHI.</p><p>3. A2LA may use PHI as necessary for the proper management and administration of A2LA or to carry out A2LA’s legal responsibilities. A2LA may disclose such information to third Parties for these purposes only if (A) the disclosure is required by law; or (B) A2LA obtains reasonable assurances from the recipient of the PHI that (1) the information will be held in confidence and used or further disclosed only as required by law or for the purpose for which it was disclosed to the third party; and (2) the recipient will notify A2LA of any breach in the confidentiality of the information.</p><p>4. A2LA shall not use or disclose such PHI except as the Covered Entity itself may and except that A2LA shall use and disclose PHI only to the extent necessary for a permitted purpose. </p><p>5. A2LA shall report to the Covered Entity any use or disclosure of PHI which is not provided for by this Agreement of which A2LA becomes aware. </p><p>C. Provisions for Covered Entity to Inform A2LA of Privacy Practices and Restrictions</p><p>1. The Covered Entity shall notify A2LA of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect A2LA’s use or disclosure of PHI.</p><p>2. The Covered Entity shall not request A2LA to use or disclose PHI in any manner that would not be permissible if done by the Covered Entity itself, except as A2LA will use or disclose PHI for the purposes of the accreditation process and in response to legal responsibilities as provided for within this Agreement.</p><p>D. Term and Termination</p><p>1. The term of this Agreement shall be effective as of the date it is signed by the Covered Entity. </p><p>2. This Agreement shall terminate when the Covered Entity no longer utilizes A2LA to inspect its laboratory facilities. The Covered Entity may terminate its relationship with A2LA if it determines that A2LA has violated a material term of this Agreement. The rights and responsibilities of A2LA under this Agreement shall survive termination.</p><p>E. Obligations of A2LA Upon Termination</p><p>L:\Medical-CLIA and 15189 – 900 Series\ISO 15189 Forms\F911 – ISO 15189 Program HIPAA Business Associate Agreement American Association for Laboratory Accreditation Document Revised: F911 – ISO 15189 Program HIPAA Business June 16, 2015 Associate Agreement Page 3 of 4</p><p>1. Upon termination of this Agreement for any reason, A2LA shall, if feasible, return or destroy all PHI that A2LA still maintains in any form and shall retain no copies of such information. If such return or destruction is not feasible, A2LA shall extend the protections of this Agreement to the PHI and shall limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. </p><p>F. Miscellaneous</p><p>1. Regulatory References: A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.</p><p>2. Amendment: The parties shall amend this Agreement to bring it into compliance with any changes in the HIPAA Rules and any other applicable laws that are made after the date of execution of this Agreement. If the parties are unable to agree on an amendment to this Agreement, this Agreement may be terminated by either Party upon 30 days written notice to the other party, or such lesser notice as may be required by applicable law. </p><p>3. Interpretation: Any ambiguity in this Agreement shall be resolved in a manner that brings the Agreement into compliance with the then most current version of the HIPAA Rules. </p><p>4. Amendment. This Agreement shall not be amended except by mutual written consent of the parties.</p><p>5. Assignment. Neither Party may assign any of its rights or obligations under this Agreement without the prior written consent of the other Party.</p><p>6. Counterparts. This Agreement may be executed in any numer of counterparts, each of which shall be deemed an original. </p><p>L:\Medical-CLIA and 15189 – 900 Series\ISO 15189 Forms\F911 – ISO 15189 Program HIPAA Business Associate Agreement American Association for Laboratory Accreditation Document Revised: F911 – ISO 15189 Program HIPAA Business June 16, 2015 Associate Agreement Page 4 of 4</p><p>IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement as of this _____ day of ______, 20__.</p><p>Covered Entity Name: American Association for Laboratory Accreditation ______CLIA Certificate # ______By:______By: ______Printed Name:______Printed Name:______Title:______Title:______</p><p>List any exceptions (by section and number) for which the agreement does not apply. Unless indicated otherwise below, the Agreement in its entirety will be enforced. </p><p>______</p><p>Please indicate where A2LA should send a copy of the final, signed agreement and indicate transmission preference:</p><p>Name:______</p><p>Institution:______</p><p>Address:______</p><p>______</p><p>Phone #______Fax # ______</p><p>Email Address ______</p><p>DOCUMENT REVISION HISTORY</p><p>DATE DESCRIPTION 5/9/14 Initial publication of document. 6/16/15  Removed duplicate definitions.  Added to A2; Added A8.  Added to F2; Added F4, F5, F6.</p><p>L:\Medical-CLIA and 15189 – 900 Series\ISO 15189 Forms\F911 – ISO 15189 Program HIPAA Business Associate Agreement </p>