HIPAA BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is entered into as of this 14th day of April between the United States Eye Injury Registry (Contractor) and the undersigned Medical Provider (Medical Provider).
RECITALS
WHEREAS, Medical Provider is a Covered Entity under the Health Information Portability and Accountability Act of 1996 (“HIPAA”) and is required to enter into this Agreement to obtain satisfactory assurances that Contractor will appropriately safeguard all Protected Health Information (“PHI”) that it receives from, or is used on behalf of Medical Provider.
WHEREAS, Medical Provider desires to engage Contractor to perform certain functions for, or on behalf of, Medical Practice which may involve the disclosure of PHI by Medical Provider to Contractor, and Contractor desires to perform such functions.
In consideration of the mutual promises below and the exchange of information pursuant to this Agreement and in order to comply with all legal requirements for the protection of this information, the parties therefore agree as follows:
1. Definition of Terms
The defined terms “Protected Health Information” (“PHI”), “Designated Record Set” and “Covered Entity” shall have the same meanings ascribed to them in 45 CFR Sections 164.501 and 45 CFR Section 16.103, respectively.
2. Obligations of Contractor.
(a) Permitted Uses and Disclosures. Contractor may not use or disclose PHI received or created pursuant to this Agreement except as follows: Contractor may use PHI to assist Contractor in Contractor’s operations by storing and aggregating eye injury and treatment information for Medical Provider’s use, including, without limitation, assisting in the storage of PHI for Contractor’s use in treatment and operations and assistance with transmitting de-identified information to the United States Eye Injury Registry and facility research with Limited Data Sets in accordance with the Data Use Agreement executed on even date herewith;
(b) Contractor’s Operations – Permitted Uses of PHI. Contractor may use the PHI it receives in its capacity as a Business Associate for the proper management and administration of Contractor or to carry out Contractor’s legal responsibilities.
(c) Contractor’s Operations – Permitted Disclosures of PHI. Contractor may disclose the PHI it obtains in its capacity as a Business Associate if such disclosure is necessary for the Contractor’s proper management and administration or to carry out the Contractor’s legal responsibilities, and:
(1) The disclosure is required by law; or
(2) Contractor obtains reasonable assurances from the person to whom the PHI is disclosed that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Contractor (and Contractor in turn notifies Medical Provider) of any instances of which it is aware in which the confidentiality of the PHI has been breached; and
(3) Except for disclosures of de-identified health information, the Contractor and its agents disclose only the amount of PHI reasonably necessary to achieve the purpose of the disclosure.
(d) Access to PHI by Individuals. Contractor shall cooperate with Medical Provider to comply with 45 C.F.R. Section 164.524. If Contractor receives a request from an individual for access to PHI, Contractor immediately shall forward such request to Medical Provider. Medical Provider shall be solely responsible for determining the scope for access to PHI.
(e) Access to Contractor’s Books and Records. Contractor shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Contractor on behalf of Medical Provider available to the Secretary of the Department of Health and Human Services for purposes of determining Medical Provider’s compliance with the HIPAA laws and regulations.
(f) Amendment of PHI. As directed and in accordance with the time frame specified by Medical Provider, Contractor shall incorporate all amendments to PHI received from Medical Provider. Within five (5) business days following Contractor’s amendment of PHI as directed by Medical Provider, Contractor shall provide written notice to Medical Provider confirming that Contractor has made the amendments to PHI as directed by Medical Provider and containing any other information as may be necessary for Medical Provider to provide adequate notice to the individual in accordance with 45 C.F.R. Section 164.526.
(g) Disclosure Accounting. In the event that Contractor makes any disclosures of PHI that are subject to the accounting requirements of 45 C.F.R. Section 164.528, Contractor promptly shall report such disclosures to Medical Provider. The notice by Contractor to Medical Provider of the disclosure shall include the name of the individual and Medical Provider affiliation to whom the PHI was disclosed and the date of the disclosure. Contractor shall maintain a record of each such disclosure, including the date of the disclosure, the name and, if available, the address of the recipient of the PHI, a brief description of the PHI disclosed and a brief description of the purpose of the disclosure. Contractor shall maintain this record for a period of six (6) years and make available to Medical Provider upon request in an electronic format so that Medical Provider may meet its disclosure accounting obligations under 45 C.F.R. Section 164.528.
(h) Security Safeguards. Contractor shall implement a documented information security program that includes administrative, technical and physical safeguards designed to prevent the accidental or otherwise unauthorized use or disclosure of PHI.
(i) Reporting and Mitigating Unauthorized Uses and Disclosures of PHI. Immediately upon notice to Contractor, Contractor shall report to Medical Provider any uses or disclosures of PHI not authorized by this Agreement. Contractor shall use its best efforts to mitigate the deleterious effects of any use or disclosure of PHI not authorized by this Agreement. Further, in the notice provided to Medical Provider by Contractor regarding unauthorized uses and/or disclosures of PHI, Contractor shall describe the remedial or other actions undertaken or proposed to be undertaken regarding the unauthorized use or disclosure of PHI.
(j) Affiliates, Agents, Subsidiaries and Subcontractors. Contractor shall require that any agents, affiliates, subsidiaries or subcontractors, to whom it provides PHI received from, or created or received by Contractor on behalf of Medical Provider, agree in writing to the same use and disclosure restrictions imposed on Contractor by this Agreement.
(k) Ownership of Information. All PHI shall be deemed owned by the Medical Provider unless otherwise agreed in writing. During the term of this Agreement, Contractor and any authorized subcontractors shall have the right to use the PHI solely for the purposes of this Agreement. Contractor shall have the right to de-identify and use aggregated PHI and to use PHI in accordance with the Data Use Agreement of even date herewith.
3. Obligations of Medical Provider.
Medical Provider shall inform Contractor of any of the following changes which affect Contractor: changes to its Notice of Privacy Practices that affect Contractor; new or changed authorizations, restrictions on use of PHI agreed to by the Provider; opt-outs concerning fundraising or marketing.
4. Term and Termination.
(a) Term. This Agreement shall be for a term of five years, commencing on April 14, 2003 and ending on April 13, 2008 (“Initial Term”). This Agreement shall automatically renew for successive five (5) year periods (“Renewal Term”) unless one party notifies the other party of its intent not to renew within sixty (60) days prior to the end of the Initial Term or any Renewal Term.
(b) Termination by Breach. Medical Provider, at its sole option and without an opportunity to cure, immediately may terminate this Agreement without further liability if Medical Provider determines that Contractor has violated a material term of this Agreement related to the protection or security of the PHI.
(c) Termination Without Cause. Either party to this Agreement may terminate the Agreement upon provision of thirty (30) days prior written notice.
(d) Termination for Cause. Either party may terminate this Agreement if the other has a receiver or trustee appointed for any or all of its property, becomes insolvent or otherwise is unable to pay its debts as they mature, makes an assignment for benefit of creditors, becomes subject to bankruptcy proceedings or is dissolved or liquidated.
(e) Effects of Termination; Disposal of PHI. Upon termination of this Agreement, Contractor shall recover all PHI that is in the possession of Contractor’s agents, affiliates, subsidiaries or subcontractors. Contractor shall return to Medical Provider or destroy all PHI that Contractor obtained or maintained pursuant to the Agreement on behalf of Medical Practice. If the parties agree at that time that the return or destruction of PHI is not feasible, Contractor shall extend the protections provided under this Agreement to such PHI, and limit further use or disclosure of the PHI to those purposes that make the return or destruction of the PHI infeasible. If the parties agree at the time of termination of this Agreement that it is infeasible for the Contractor to recover all PHI in the possession of Contractor’s agents, affiliates, subsidiaries or subcontractors, Contractor shall provide written notice to Medical Provider regarding the nature of the unfeasibility and Contractor shall require that its agents, affiliates, subsidiaries and subcontractors agree to the extension of all protections, limitations and restrictions required of Contractor hereunder. Notwithstanding any provision herein to the contrary, Contractor may retain information that has been de-identified and data obtained pursuant to the Data Use Agreement of even date herewith.
(f) Mitigating Effects of Termination. In the event of termination of this Agreement, the parties agree to work together to effectuate a smooth transition for both parties and continuous protection of the PHI disclosed or maintained by Contractor.
5. Miscellaneous.
(a) Change in Law. In the event that there are subsequent changes or clarifications of statutes, regulations or rules relating to this Agreement, Medical Provider shall notify Contractor of any actions it reasonably deems are necessary to comply with such changes, and Contractor promptly shall take such actions. In the event that there shall be a change in the federal or state laws, rules or regulations, or any interpretation of any such law, rule, regulation or general instructions which may render any of the material terms of this Agreement unlawful or unenforceable, or materially affects the financial arrangement contained in this Agreement, either party may, by providing advance written notice, propose an amendment to this Agreement addressing such issues. If, within fifteen (15) days following the notice, the parties are unable to agree upon such amendments, either party may terminate this Agreement by giving the other party at least thirty (30) days written notice.
(b) Amendments. By mutual consent of the parties this Agreement may from time to time be modified or amended in writing and such written modifications signed by the parties shall be attached to and become part of this Agreement.
(c) Severability and Survival. In the event any provision of this Agreement is held to be unenforceable for any reason, the unenforceability thereof shall not affect the remainder of this Agreement, which shall remain in full force and effect and enforceable in accordance with its terms. The obligations of the parties to the PHI shall survive the termination of this Agreement.
(d) Counterparts. This Agreement may be executed in counterparts, any of which is considered to be an original agreement.
(e) Governing Law. This Agreement shall be construed broadly to implement and comply with the requirements relating to the HIPAA laws and regulations. All other aspects of this Agreement shall be governed under the laws of the State of Alabama, and venue for any actions relating to this Agreement shall be proper in Jefferson County, Alabama.
(f) Assignments/Subcontracting. This Agreement shall inure to the benefit of and be binding upon the parties hereto and their respective legal representatives, successors and assigns. Contractor may not assign or subcontract the rights or obligations under this Agreement without the express written consent of Medical Provider. Medical Provider may assign its rights and obligations under this Agreement to any successor or affiliated entity.
(g) Entire Agreement. This Agreement contains the entire agreement between the parties and supersedes all prior discussions, negotiations and services for like services.
(h) No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
(i) Intent to Comply with Laws. This Agreement shall be construed consistently with all Privacy Laws and in favor of the protection of PHI.