HIPAA Business Associate Agreement

Hotwire Networks

Hotwire Networks defines a "business associate" as an entity or person that carries out certain activities or functions that involve the use or disclosure of PHI (Protected Health Information) on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate. A covered health plan, health care provider, or health care clearinghouse can be a business associate of another covered entity.

THIS BUSINESS ASSOCIATE AGREEMENT (this "Agreement") is entered into between Hotwire Networks (the "Business Associate") and Hotwire Networks' Customer (the "customer").

RECITALS

WHEREAS, the United States Department of Health and Human Services has promulgated regulations at 45 C.F.R. Parts 160, 162, and 164 relating to standards for privacy and security of individually identifiable health information (the "Privacy and Security Rules") pursuant to Subtitle F (Administrative Simplification) of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191, August 21, 1996, 110 Stat. 1936), 42 U.S.C. §§ 1320d to 1320d-8 (collectively with the Privacy and Security Rules, as each may be amended from time to time, "HIPAA");

WHEREAS, the Customer has been engaged by various Covered Entities, as defined below, as a business associate to carry out and perform certain services and, in the course of such engagement, the customer may receive PHI (Protected Health Information), as defined below, from Covered Entities;

WHEREAS, the Covered Entities have entered into business associate agreements with the customer; and

WHEREAS, the customer has engaged the Business Associate to carry out certain services and, in the course of such engagement, the Business Associate may receive PHI from the customer or from such Covered Entities.

AGREEMENT

NOW, THEREFORE, for good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the customer and the Business Associate, intending to be legally bound, agree as follows.

Section 1.
DEFINITIONS

  • 1.1 "Covered Entity" shall have the meaning given in 45 C.F.R. 160.103.
  • 1.2 "Individual" shall have the meaning given in 45 C.F.R. 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).
  • 1.3 "Protected Health Information" or "PHI" shall have the meaning given in 45 C.F.R. 160.103, limited to the information received by the customer and/or the Business Associate from or on behalf of a Covered Entity. "Electronic Protected Health Information" or "ePHI" is a subset of Protected Health Information and shall have the meaning given in 45 C.F.R. 160.103.
  • 1.4 "Required by Law" shall have the same meaning given in 45 C.F.R. 164.103.
  • 1.5 "Secretary" shall mean the Secretary of the United States Department of Health and Human Services.
  • 1.6 "Security Incident" means the attempted or successful unauthorized access, disclosure, use, modification, or destruction of information or interference with system operations in an information system.
  • 1.7 "Security Regulations" means the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Parts 160, 162 and 164, as they apply to Covered Entity.

Section 2.

THE BUSINESS ASSOCIATE ACTIVITIES AND OBLIGATIONS

2.1 Uses and Disclosures by the Business Associate.

The Business Associate may disclose or use PHI only as authorized by this Agreement or as required by law. Unless otherwise limited by this Agreement, the Business Associate may: (a) use the Protected Health Information in its possession to carry out the responsibilities of the Business Associate to the customer, and (b) use the Protected Health Information as necessary to help the customer in providing services to the Covered Entity. Notwithstanding any express condition or term of this Agreement, the Business Associate shall be governed and abide by the terms and conditions of HIPAA and the rules and regulations promulgated pursuant to it. To the extent that a condition or term of this Agreement conflicts with or differs from HIPAA, HIPAA will prevail.

2.2 Specific Use and Disclosure Restrictions.

a. Business Associate will restrict the disclosure of an Individual's Protected Health Information upon the Individual's request to the Covered Entity, in accordance with 45 C.F.R. 164.522(a)(1)(i)(A) and 164.522(a)(1)(ii), when the customer notifies the Business Associate that the Individual has made such a restriction request and each of the following conditions is satisfied:

1. the disclosure would be to a health plan for the purposes of carrying out health care payment or health care operations, as those terms may be amended from time to time; and

2. the Protected Health Information pertains solely to a health care item or service for which the health care provider involved has been paid out-of-pocket in full.

b. Business Associate will limit, to the extent practicable, any use, disclosure or request of Protected Health Information to the minimum necessary to accomplish the intended purpose of such use, disclosure or request, respectively.

At such time as the Secretary issues further guidance on the minimum necessary standard, as mandated by Section 13405(b) of the American Recovery and Reinvestment Act of 2009 ("ARRA"), Business Associate shall comply with the applicable limitations established in that guidance.

2.3 Business Associate Activities and Responsibilities.

With respect to the Protected Health Information, the Business Associate agrees to:

a. Use all reasonable efforts to preserve the security of the Protected Health Information and to prevent unauthorized use and/or disclosure of the Protected Health Information by the Business Associate, its agents, employees and subcontractors.

b. Report to the customer any unauthorized disclosure and/or use of the Protected Health Information within ten (10) calendar days of the Business Associate's discovery of any such unauthorized disclosure and/or use.

c. Require all subcontractors or other agents of the Business Associate that receive, have access to, or use Protected Health Information to agree to comply with the same conditions and restrictions on the use and/or disclosure of Protected Health Information that apply to the Business Associate under this Agreement.

d. Upon prior request and during normal business hours, make available to the Secretary or his/her designee all internal policies, procedures and records relating to the use and/or disclosure of Protected Health Information by the Business Associate, and the Protected Health Information in the Business Associate's possession, for purposes of determining the Business Associate's compliance with the Privacy and Security Rules.

e. Document disclosures of Protected Health Information as would be required for the customer and/or a Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information, to the extent required by 45 C.F.R. 164.528.

f. Provide to the customer, within ten (10) days of receipt of a request from the customer, such information as is requested by the customer to permit the customer to respond to a request by an Individual for an accounting of the disclosures of the Individual's Protected Health Information, including those disclosures made by the Business Associate, to the extent required by 45 C.F.R. 164.528.

g. Provide the customer or, as directed by the customer, an Individual with access to Protected Health Information, to the extent required by 45 C.F.R. 164.524. Such access shall be provided in a reasonable and timely manner, as agreed upon by the parties.

h. Make any amendment(s) to Protected Health Information that the customer directs, to the extent required by 45 C.F.R. 164.526, at the request of a Covered Entity or an Individual, in a reasonable and timely manner, as agreed upon by the parties.

i. Subject to Section 4.3 of this Agreement, return to the customer, within thirty (30) days of the termination of this Agreement, the Protected Health Information in the Business Associate's possession, and retain no backup tapes, copies, or any other reproduction, electronic or otherwise, of the Protected Health Information.

j. Disclose to subcontractors, agents or other third parties only the minimum Protected Health Information necessary to perform or fulfill a specific function required hereunder.

2.4 Electronic Protected Health Information.

With respect to Electronic Protected Health Information, the Business Associate agrees that:

a. Business Associate will ensure that its administrative, physical and technical safeguards reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of the customer.

b. Business Associate has implemented the data security measures of the Security Regulations set forth at 45 C.F.R. 164.308, 164.310, 164.312 and 164.316, as they may be amended from time to time. Such compliance shall include the implementation of written data security policies and procedures that satisfy the standards, implementation specifications and other requirements of the Security Regulations. Those standards, implementation specifications and other requirements encompass:

1. Administrative safeguards, which include risk management security measures; risk assessment and periodic reassessment; information system activity reviews; workforce training and sanctions; an assigned security official; data access controls; data backup and disaster recovery plans; and security incident management.

2. Physical safeguards, which include facility and workstation access controls; removable and portable device and media management; and media re-use, backup and storage controls.

3. Technical safeguards, which include access controls, data integrity controls, transmission security, authentication and audit controls.

c. Business Associate is required to do the following:

1. Business Associate will notify the customer within five (5) days of the date on which Business Associate discovers a Breach of Unsecured Protected Health Information, or of the date on which such Breach should reasonably have been known to Business Associate.

i. "Unsecured Protected Health Information" means Protected Health Information that is not secured through the use of a technology or methodology specified by the Secretary in guidance, as such guidance may be amended from time to time, as required by Section 13402 of ARRA.

ii. For purposes of this section, a Breach of Unsecured Protected Health Information shall be treated as discovered by the Business Associate as of the first day on which such Breach is known to Business Associate (including any person, other than the individual committing the Breach, that is an officer, employee or other agent of Business Associate) or should reasonably have been known to Business Associate to have occurred. If notice is not provided in compliance with this provision, Business Associate must provide evidence demonstrating the need for the delay.

2. Business Associate will, at a minimum, identify each Individual whose Unsecured Protected Health Information has been breached, or whom Business Associate reasonably believes has been breached, and, if requested by the customer, supply the customer with each Individual's contact information and such other information as the customer may reasonably request from Business Associate in order for the customer to meet its notification requirements for Breaches of Unsecured Protected Health Information.

3. Ensure that any agent, including a subcontractor, to whom it provides Protected Health Information agrees to implement reasonable and appropriate safeguards to protect it.

4. Business Associate shall comply with the disclosure obligations related to accountings for treatment, payment and health care operations disclosures made through electronic health records, in accordance with the specifications and time frames established by the Secretary.

5. Report to the customer any Security Incident of which it becomes aware.

Section 3.

OBLIGATIONS OF the customer

3.1 The customer hereby agrees:

a. To notify the Business Associate of any changes of authorizations including any withdrawals of authorization, if any, by Individuals provided to the Business Associate that are applicable to the Protected Health Information.

b. To notify the Business Associate of any limitation(s), if any, in the notice of privacy practices developed in accordance with 45 C.F.R. 164.520, to the extent that such limitation(s) may affect the Business Associate's use or disclosure of Protected Health Information.

c. To notify the Business Associate of any restriction(s), if any, on the use and/or disclosure of Protected Health Information as provided for in 45 C.F.R. 164.522, which may affect the Business Associate's use or disclosure of Protected Health Information.

Section 4.

TERM AND TERMINATION

4.1 Term.

The term of this Agreement shall commence on the Effective Date and shall terminate either concurrently with the termination of any other agreement between the parties that requires the parties to maintain this Agreement in full force and effect or, if no such agreement exists, when the matters requiring the transmission of Protected Health Information are ended. Certain provisions and requirements of this Agreement shall survive its termination in accordance with Section 4.3 herein.

4.2 Termination for Cause.

In the event that the customer believes the Business Associate has breached a material term of this Agreement, the customer shall either, in its sole discretion: (a) provide the Business Associate with written notice of the existence of the alleged breach, or (b) terminate this Agreement and the underlying agreement, if any. Upon receipt of such notice, the Business Associate shall promptly take all reasonable and timely steps necessary to resolve the breach and end the violation to the customer's reasonable satisfaction as soon as possible. If the breach has not been resolved to the customer's reasonable satisfaction within a reasonable period of time not to exceed thirty (30) days from the date of receipt of the original notice, the customer may immediately terminate this Agreement and the underlying agreement, if any. At any time, if neither termination nor resolution is feasible, the customer may report the breach to the Secretary.

4.3 Obligations of the Business Associate upon termination.

a. Upon the termination of this Agreement, the Business Associate agrees to return all Protected Health Information in its possession or in the possession of its agents or subcontractors, if it is feasible to do so.

b. If it is not feasible for the Business Associate to return the Protected Health Information, the Business Associate will notify the customer of the reasons why it is not feasible and will retain the information in a manner consistent with this section.

c. If the information is not returned upon termination, the Business Associate agrees to extend the protections set forth in this Agreement to the Protected Health Information, to limit further uses or disclosures of the Protected Health Information to the purposes that make the return of the Protected Health Information infeasible, for as long as the Protected Health Information is maintained by the Business Associate, and to abide by all applicable terms and conditions of HIPAA, as amended from time to time.

Section 5.

MISCELLANEOUS

5.1 Regulatory References. A reference in this Agreement to a section in the Privacy and Security Rules means the section as in effect at the relevant time.

5.2 Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to additional or subsequent events. The customer and the Business Associate agree to discuss any need to amend this Agreement from time to time as is necessary for the customer and the Business Associate to conform to the requirements of HIPAA.

5.3 Survival. The provisions of Section 4.3 shall survive expiration or termination of this Agreement.

5.4 No Third Party Beneficiaries. Nothing implied or express in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, liabilities, obligations or remedies, whatsoever.

5.5 Incorporation. The recitals set forth above are correct and true and are incorporated into this Agreement by this reference.

5.6 Notices. Any notices to be given hereunder to a party shall be made via hand delivery, U.S.P.S. Certified Mail Return Receipt Requested, or nationally recognized express courier with proof of delivery, to such party's address as set forth below, and shall be effective upon actual delivery.

5.7 Counterparts; Facsimiles. This Agreement may be executed in any number of counterparts, which may be delivered by facsimile or other electronic transmission, including email, each of which shall be deemed an original.

5.8 Further Assurances. Each party hereto agrees to do all acts and things and to make, execute and deliver such written instruments as shall from time to time be reasonably required to carry out the terms, provisions and conditions of HIPAA, as promulgated from time to time. Any amendment to this Agreement required for that purpose shall be entered into on or before the date on which covered entities are required to be in compliance with such law and the regulations published pursuant thereto.

5.9 Enforcement Costs. If any legal action or other proceeding is brought for the enforcement or interpretation of this Agreement, or because of an alleged dispute, default, breach or misrepresentation in connection with any provision of this Agreement, the substantially prevailing party shall be entitled to recover reasonable attorneys' fees, court costs and all expenses incurred in that action or proceeding and at all levels of trial and appeal, in addition to any other relief to which such party may be entitled.
