Business Associate Agreement
Definitions
Catch-all definition:
The following terms used in this Agreement shall have the same meaning as those
terms in the HIPAA Rules:
Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care
Operations, Individual, Minimum Necessary, Notice of Privacy Practices,
Protected Health Information, Required By Law, Secretary, Security Incident,
Subcontractor, Unsecured Protected Health Information, and Use.
Specific definitions:
(a) Business Associate. “Business Associate” shall generally have the same
meaning as the term “business associate” at 45 CFR 160.103, and in reference to
the party to this agreement, shall mean IMG Residency LLC.
(b) Covered Entity. “Covered Entity” shall generally have the same meaning as
the term “covered entity” at 45 CFR 160.103, and in reference to the party to
this agreement, shall mean Appointment Reminder Service Subscriber.
(c) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach
Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
Obligations and Activities of Business Associate
Business Associate agrees to:
(a) Not use or disclose protected health information other than as permitted or
required by the Agreement or as required by law;
(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with
respect to electronic protected health information, to prevent use or
disclosure of protected health information other than as provided for by the
Agreement;
(c) Report to covered entity any use or disclosure of protected health information
not provided for by the Agreement of which it becomes aware, including breaches
of unsecured protected health information as required at 45 CFR 164.410, and
any security incident of which it becomes aware;
(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable,
ensure that any subcontractors that create, receive, maintain, or transmit
protected health information on behalf of the business associate agree to the
same restrictions, conditions, and requirements that apply to the business
associate with respect to such information;
(e) Make available protected health information in a designated record set to the
“covered entity” as necessary to satisfy covered entity’s obligations under 45
CFR 164.524;
(f) Make any amendment(s) to protected health information in a designated record
set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526,
or take other measures as necessary to satisfy covered entity’s obligations under
45 CFR 164.526;
(g) Maintain and make available the information required to provide an accounting
of disclosures to the “covered entity” as necessary to satisfy covered entity’s
obligations under 45 CFR 164.528;
(h) To the extent the business associate is to carry out one or more of covered
entity’s obligation(s) under Subpart E of 45
CFR Part 164, comply with the requirements of Subpart E that apply to the
covered entity in the performance of such obligation(s); and
(i) Make its internal practices, books, and records available to the Secretary for
purposes of determining compliance with the HIPAA Rules.
Permitted Uses and Disclosures by Business Associate
(a) Business associate may only use or disclose protected health information for
the purpose of sending appointment reminders on behalf of the “Covered Entity”.
(b) Business associate may use or disclose protected health information as required
by law.
(c) Business associate agrees to make uses and disclosures and requests for
protected health information consistent with covered entity’s minimum necessary
policies and procedures.
(d) Business associate may not use or disclose protected health information in a
manner that would violate Subpart E of 45 CFR
Part 164 if done by covered entity, except for the specific uses and
disclosures set forth below.
(e) Business associate may use protected health information for the proper
management and administration of the business associate or to carry out the
legal responsibilities of the business associate.
(f) Business associate may disclose protected health information for the proper
management and administration of business associate or to carry out the legal
responsibilities of the business associate, provided the disclosures are
required by law, or business associate obtains reasonable assurances from the
person to whom the information is disclosed that the information will remain
confidential and used or further disclosed only as required by law or for the
purposes for which it was disclosed to the person, and the person notifies
business associate of any instances of which it is aware in which the
confidentiality of the information has been breached.
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
(a) Covered entity shall notify business associate of any limitation(s) in the
notice of privacy practices of covered entity under 45 CFR 164.520, to the
extent that such limitation may affect business associate’s use or disclosure
of protected health information.
(b) Covered entity shall notify business associate of any changes in, or revocation
of, the permission by an individual to use or disclose his or her protected
health information, to the extent that such changes may affect business
associate’s use or disclosure of protected health information.
(c) Covered entity shall notify business associate of any restriction on the use or
disclosure of protected health information that covered entity has agreed to or
is required to abide by under 45 CFR 164.522, to the extent that such
restriction may affect business associate’s use or disclosure of protected
health information.
Permissible Requests by Covered Entity
Covered entity shall not request business associate to use or disclose protected
health information in any manner
that would not be permissible under Subpart E of 45 CFR Part 164 if done by
covered entity.
Term and Termination
(a) Term. The Term of this Agreement shall be effective as of date of
subscription to the Appointment Reminder Service provided by the “business
associate” via its web site, and shall terminate on the date when “covered
entity” informs the “business associate” or on the date covered entity
terminates for cause as authorized in paragraph (b) of this Section, whichever
is sooner.
(b) Termination for Cause. Business associate authorizes termination of this
Agreement by covered entity, if covered entity determines business associate
has violated a material term of the Agreement and business associate has not
cured the breach or ended the violation within the time specified by covered
entity.
(c) Obligations of Business Associate Upon Termination. Upon termination of this
Agreement for any reason, business associate, with respect
to protected health information received from covered entity, or created,
maintained, or received by business associate on behalf of covered entity,
shall:
(d) Survival. The obligations of business associate under this Section shall
survive the termination of this
Agreement.
Miscellaneous
(a) Regulatory References. A reference in this Agreement to a section in the
HIPAA Rules means the section as in effect or as amended.
(b) Amendment. The Parties agree to take such action as is necessary to
amend this Agreement from time to time as is necessary for compliance with the
requirements of the HIPAA Rules and any other applicable law.
(c) Interpretation. Any ambiguity in this Agreement shall be interpreted to permit
compliance with the HIPAA Rules.