BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (this “Agreement”) by and between Yale New Haven Health Services Corporation (“YNHHS”), acting on behalf of Bridgeport Hospital, Greenwich Hospital, Yale New Haven Hospital, Lawrence + Memorial Hospital Inc., LMW Healthcare Inc., d/b/a Westerly Hospital and/or Northeast Medical Group, Inc. (each individually, a “Provider” and together, the “Providers”) and the Vendor (“Business Associate”) is effective as of the effective date of the Compliance Addendum (“Effective Date”). The Providers and Business Associate are each sometimes referred to individually as a “Party” and together as the “Parties.”
A. Purpose. The purpose of this Agreement is to comply with the Business Associate requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and implementing regulations, 45 C.F.R. parts 142 and 160-164, as may be amended, including the Privacy Rule and the Security Rule (together, the “Rules”). Unless otherwise defined in this Agreement, capitalized terms have the meanings given in HIPAA or the Rules.
B. Relationship. Certain Providers, or YNHHS on behalf of certain Providers, have entered into one or more relationships with Business Associate under which Business Associate creates, receives, uses, obtains, accesses, maintains, or transmits Protected Health Information (“PHI”) from or on behalf of a Provider in the course of providing services (the “Services”) for that Provider under a services agreement (“Services Agreement”). PHI includes, when applicable, Electronic Protected Health Information (“EPHI”). Effective March 26, 2013, Business Associate has direct compliance obligations under the Rules, and is bound to comply with all requirements of the Rules made applicable to business associates pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act), Pub. L. No. 111-5, Title XIII.
Therefore, the Parties agree as follows:
1. Permitted Uses and Disclosures. Business Associate may use or disclose PHI only as permitted or required by this Agreement, the Services Agreement, or as otherwise Required by Law. Business Associate may disclose PHI to, and permit the use of PHI by, its employees, contractors, agents, or other representatives only to the extent directly related to and necessary for the performance of the Services. Disclosure of PHI to and use of PHI by subcontractors, agents and other representatives is also subject to Section 4 below. When requesting PHI from Provider, Business Associate will request no more than the Limited Data Set, unless such limitation is not practicable for the purposes of providing the Services, in which case Business Associate will request only the minimum PHI necessary to perform the Services. Business Associate will not use or disclose PHI in a manner that is: (i) inconsistent with Provider’s obligations or Business Associate’s obligations under the Rules, or (ii) that would violate the Rules if disclosed or used in such a manner by Provider.
2. Safeguards for the Protection of PHI. Business Associate shall comply with Subpart C of 45 CFR Part 164. Business Associate shall maintain commercially appropriate security safeguards to ensure that PHI obtained from or on behalf of Provider is not used or disclosed by Business Associate in violation of this Agreement. The safeguards must be designed to protect the confidentiality and integrity of PHI obtained from, accessed or created on behalf of Provider. Security measures maintained by Business Associate must comply with the Rules, and must include those administrative, physical, and technical security safeguards necessary to protect PHI, including, without limitation, safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of all EPHI that Business Associate creates, receives, maintains, or transmits on behalf of Provider. Business Associate shall provide a written description of its safeguards upon request by Provider or YNHHS.
3. Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures.
3.1 Business Associate shall establish and implement procedures and other reasonable efforts to mitigate, to the greatest extent possible, any harmful effects arising from any improper use or disclosure of PHI.
3.2 Business Associate shall comply with Section 13402 of the HITECH Act and implementing regulations, 45 CFR Part 164, Subpart D, as may be amended (collectively, the “Breach Notification Rules”), and shall report any breach of unsecured PHI to Provider within two (2) business days of completing its assessment and concluding that a breach has occurred. Business Associate shall provide all information regarding each breach and the assessment conducted by Business Associate that is reasonably requested by Provider.
3.3 If a breach is caused by Business Associate or its subcontractors or agents, Provider, in its sole discretion, may either: (i) require Business Associate to notify affected Individuals in accordance with Breach Notification Rules; or (ii) notify the affected Individuals directly, in which case Business Associate shall reimburse Provider for all reasonable expenses associated with the notifications.
4. Subcontractors, Agents, and Representatives – Use and Disclosure of PHI. Business Associate must enter into a written Business Associate Agreement with any subcontractor, agent, or other representative that creates, receives, uses, obtains, accesses, maintains, or transmits PHI obtained from Provider or created by Business Associate on behalf of Provider. The Business Associate Agreement between Business Associate and its subcontractors, agents or other representatives must contain the same restrictions, conditions and requirements regarding the use and/or disclosure of PHI and safeguarding of PHI that apply to Business Associate under this Agreement. Business Associate shall terminate any business associate relationship with a subcontractor, agent or representative if it knows of a pattern of activity or practice that constitutes a material breach or violation of the subcontractor's, agent’s or representative’s obligations, unless such material breach or violation has been cured to the reasonable satisfaction of Business Associate.
5. Individual Rights. Pursuant to the Privacy Rule, Business Associate shall provide the following Individual rights with respect to PHI:
5.1 Right of Access. Business Associate shall provide an Individual or Provider access to PHI, at the request of Provider and in the time and manner designated by Provider as required under 45 C.F.R. § 164.524.
5.2 Right of Amendment. Business Associate shall make any amendment(s) to PHI that Provider directs or agrees to pursuant to 45 C.F.R. § 164.526 in the time and manner designated by Provider.
5.3 Right to Accounting of Disclosures. Business Associate shall document any disclosures of PHI that would be required for Provider to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, and shall forward a copy of such documentation to Provider within ten (10) business days of Provider’s request for such documentation. Business Associate shall provide to Provider or an Individual, in the time and manner designated by Provider, any further information requested by Provider in order for Provider to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. To the extent Business Associate makes any disclosures on behalf of Provider through an electronic health record as defined in Section 13400 of the HITECH Act, Business Associate will document all such disclosures of PHI as required under the HITECH Act and any implementing regulations, and will provide an accounting of disclosures directly to an Individual upon his/her request. Business Associate’s obligation to document disclosures made through an electronic health record and provide an accounting of such disclosures directly to Individuals upon request shall be effective as of the date by which business associates are required to comply with Section 13405(c) of the HITECH Act or such later date specified by the Secretary of HHS.
6. Use and Disclosure for Business Associate’s Purposes.
6.1 Use. Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
6.2 Disclosure. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
7. Audit, Inspection and Enforcement by Provider. With reasonable notice, Provider may audit Business Associate to monitor compliance with this Agreement. Business Associate will promptly correct any violation of this Agreement found by Provider and will certify in writing that the correction has been made. Provider’s failure to detect any unsatisfactory practice does not constitute acceptance of the practice or a waiver of Provider’s enforcement rights under this Agreement. Business Associate will make its internal practices, books, records, and policies and procedures relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Provider, available to the federal Department of Health and Human Services (“HHS”), the Office for Civil Rights (“OCR”), or their agents or to Provider for purposes of monitoring compliance with HIPAA.
8. Term and Termination.
8.1 Term and Termination. This Agreement commences on the Effective Date. Unless terminated earlier pursuant to this Section 8, this Agreement will remain in effect for the duration of all Services provided by Business Associate and for so long as Business Associate shall remain in possession of any PHI received from Provider, or created or received by Business Associate on behalf of Provider, unless Provider has agreed in accordance with Paragraph 8.2 that it is infeasible to return or destroy all PHI. Provider may immediately terminate this Agreement if Provider determines that Business Associate has breached a material term of this Agreement. Provider may also report the material breach to the Secretary of HHS or OCR.
8.2 Effect of Termination. Upon termination of this Agreement, Business Associate will recover any PHI relating to the Agreement in the possession of its subcontractors, agents, or representatives. Business Associate will return to Provider or destroy all such PHI plus all other PHI relating to the Agreement in its possession, and will retain no copies. If Business Associate believes that it is not feasible to return or destroy the PHI as described above, Business Associate shall notify Provider in writing. The notification shall include: (i) a statement that Business Associate has determined that it is infeasible to return or destroy the PHI in its possession, and (ii) the specific reasons for such determination. If Provider agrees in its sole discretion that Business Associate cannot feasibly return or destroy the PHI, Business Associate will ensure that any and all protections, requirements and restrictions contained in this Agreement will be extended to any PHI retained after the termination of the Agreement, and that any further uses and/or disclosures will be limited to the purposes that make the return or destruction of the PHI infeasible.
9. Indemnification. Business Associate agrees to hold harmless and indemnify YNHHS, Provider, and their respective officers, directors, employees and agents, from and against any loss, suit, claim, action, damage, obligation, demand, liability, penalty, fine, judgment, verdict, settlement, cost or expense (including without limitation reasonable attorneys’ and other consultants’ fees and court costs) arising out of or relating to any breach of this Agreement by Business Associate, any violation of the Rules by Business Associate or otherwise related to the acts or omissions of Business Associate or its subcontractors or agents.
10. Miscellaneous.
10.1 Survival. The respective rights and obligations of the Parties under Sections 7 (Audit and Inspection Rights), 8.2 (Effect of Termination), and 10 (Miscellaneous) will survive termination of the Agreement indefinitely.
10.2 Amendments; Waiver. This Agreement constitutes the entire agreement between the Parties with respect to its subject matter. It may not be modified, nor will any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties or as specified in Paragraph 10.3 below. A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
10.3 Compliance with Privacy and Security Rules. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Provider to comply with HIPAA and the Rules. To the extent HIPAA and the Rules are revised, this Agreement shall be deemed automatically amended to the extent necessary to comply with such revisions, upon notice to Business Associate from the Provider.
10.4 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors and permitted assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
10.5 Notices. Any notice to be given under this Agreement to a Party shall be made via U.S. Mail, commercial courier or hand delivery to such Party at its address given below, and/or via facsimile to the facsimile telephone number listed below, or to such other address or facsimile number as shall hereafter be specified by notice from the Party. Any such notice shall be deemed given when so delivered to or received at the proper address.
If to Business Associate:
SCWorx
590 Madison Avenue
New York, NY 10022
Attention: Legal

If to YNHHS:
Yale New Haven Health Services Corp.
Legal & Risk Services Department
789 Howard Avenue, CB230
New Haven, CT 06510
Attention: General Counsel
Fax: (203) 688-3162
10.6 Independent Contractors. Except if otherwise agreed to in writing in a separate agreement between Business Associate and Provider for services that give rise to this Agreement, the relationship between Business Associate and Provider is an independent contractor relationship. None of the provisions of this Agreement shall be construed to create an agency, partnership, employer/employee, master/servant or joint venture relationship between the parties.