This Agreement is effective __________________ ("Effective Date") by and between __________________ (the HIPAA "Covered Entity"), and BENESAN CORPORATION ("BENESAN", or the "Business Associate") (individually, a "Party" and collectively, the "Parties").
WHEREAS, Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, known as "the Administrative Simplification provisions," direct the Department of Health and Human Services to develop standards to protect the security, confidentiality and integrity of health information; and WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of Health and Human Services has issued regulations modifying 45 CFR Parts 160 and 164 (the "HIPAA Privacy Rule"); and WHEREAS, the Parties wish to enter into or have entered into an arrangement whereby Business Associate will provide certain services to Covered Entity, and, pursuant to such arrangement, Business Associate may be considered a "Business Associate" of Covered Entity as defined in the HIPAA Privacy Rule; and WHEREAS, Business Associate may have access to Protected Health Information (as defined below) in fulfilling its responsibilities under such arrangement; THEREFORE, in consideration of the Parties' continuing obligations under the HIPAA Privacy Rule, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree to the provisions of this Agreement in order to address the requirements of the HIPAA Privacy Rule and to protect the interests of both Parties.
Except as otherwise defined herein, any and all capitalized terms in this Section shall have the definitions set forth in the HIPAA Privacy Rule. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Privacy Rule, as amended, the HIPAA Privacy Rule shall control. Where provisions of this Agreement are different than those mandated in the HIPAA Privacy Rule, but are nonetheless permitted by the HIPAA Privacy Rule, the provisions of this Agreement shall control. The term "Protected Health Information" ("PHI") means individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. Business Associate acknowledges and agrees that all PHI that is disclosed or made available in any form to Business Associate shall be subject to this Agreement.
II. CONFIDENTIALITY REQUIREMENTS
(A) Business Associate agrees:
(i) to use or disclose any PHI solely: (1) for meeting its obligations as set forth in any agreements between the Parties evidencing their business relationship, or (2) as required by applicable law, rule or regulation, or by accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise permitted under this Agreement or the HIPAA Privacy Rule; (ii) at termination of this Agreement, or any similar documentation of the business relationship of the Parties, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return or destroy all PHI received from Covered Entity that Business Associate still maintains in any form and retain no copies of such information, or if such return or destruction is not feasible, Business Associate will extend the protections of this Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible; and (iii) to ensure that its agents, including a subcontractor, to whom it provides PHI received from or created by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply to Business Associate with respect to such information. In addition, Business Associate agrees to take reasonable steps to ensure that its employees' actions or omissions do not cause Business Associate to breach the terms of this Agreement.
(B) Notwithstanding the prohibitions set forth in this Agreement, Business Associate may use and disclose PHI as follows:
(i) if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met:
(a) the disclosure is Required By Law; or (b) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. (c) Business Associate will implement appropriate safeguards to prevent use or disclosure of PHI other than as permitted in this Agreement. The Secretary of Health and Human Services shall have the right to audit Business Associate's records and practices related to use and disclosure of PHI to ensure Covered Entity's compliance with the terms of the HIPAA Privacy Rule. Business Associate shall report to Covered Entity any use or disclosure of PHI which is not in compliance with the terms of this Agreement of which it becomes aware.
III. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
(a) Business Associate agrees to not use or disclose PHI other than as permitted or required by the Agreement or as Required By Law. (b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. (c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement. (d) Business Associate agrees to report to Covered Entity any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware. (e) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. (f) Business Associate agrees to make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule. (g) Business Associate shall promptly report to Covered Entity any unauthorized acquisition, access, use, or disclosure of PHI in violation of the HIPAA Privacy Rule or other applicable law, or in violation of the terms of this Agreement. Such report shall be made as soon as reasonably possible but in no event later than ten (10) business days after discovery by Business Associate of such breach.
Each report of a breach shall include, to the extent possible, the following information: (i) a description of the facts pertaining to the breach, including without limitation, the date of the breach and the date of discovery of the breach, (ii) a description of the PHI involved in the breach, (iii) the names of the individuals who committed or were involved in the breach, (iv) the names of the unauthorized individuals or entities to whom PHI has been disclosed, (v) a description of the action taken or proposed by the Business Associate to mitigate the financial, reputational or other harm to the individual who is the subject of the breach, and (vi) provide such other information as Covered Entity may reasonably request including, without limitation, the information, data and documentation required by Covered Entity to timely comply with the Health Information Technology for Economic and Clinical Health Act ("HITECH") and the regulations promulgated thereunder, as amended from time to time (the "Breach Notification Rule") thereunder. (h) Business Associate agrees to comply with the administrative requirements imposed on it, in its capacity as a business associate, by HIPAA, HIPAA Regulations, HITECH and the Breach Notification Regulations thereunder.
(i) Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information (ePHI) that Business Associate creates, receives, maintains or transmits on behalf of the Covered Entity. Said safeguards shall include, without limitation:
(a) Encryption of ePHI stored and/or transmitted by Business Associate; (b) Implementation of secure access controls, including physical locks, firewalls and secure passwords; (c) Adoption and implementation of contingency planning policies and procedures, including data backup and disaster recovery plans; and (d) Periodic security training for its employees.
IV. AVAILABILITY OF PROTECTED HEALTH INFORMATION (PHI)
(a) Covered Entity acknowledges and agrees that Business Associate, due to the nature of the technology utilized by Business Associate, has no access, direct or indirect, to the PHI supplied by Covered Entity to Business Associate. (b) The parties agree that, due to the nature of the technology utilized by Business Associate, Business Associate cannot make available PHI to the extent and in the manner required by Section 164.524 of the HIPAA Privacy Rule. This requirement shall be the sole responsibility of Covered Entity. (c) The parties agree that, due to the nature of the technology utilized by Business Associate, Business Associate cannot make PHI available for amendment and incorporate any amendments to PHI in accordance with the requirements of Section 164.526 of the HIPAA Privacy Rule. This requirement shall be the sole responsibility of Covered Entity. (d) The parties agree that, due to the nature of the technology utilized by Business Associate, Business Associate cannot make PHI available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Privacy Rule. This requirement shall be the sole responsibility of Covered Entity.
Termination of Covered Entity's business relationship with Business Associate shall be under the terms set forth in BENESAN's "USER AGREEMENT", available to Covered Entity from BENESAN's website and incorporated herein by reference. Notwithstanding anything in this Agreement, or in BENESAN's "USER AGREEMENT" to the contrary, Covered Entity shall have the right to terminate this Agreement immediately if Covered Entity determines that Business Associate has violated any material term of this Agreement.
By reference, this Business Associate Agreement incorporates, but does not supersede or replace, BENESAN's "USER AGREEMENT", available to Covered Entity from BENESAN's website. Except as expressly stated herein or in the HIPAA Privacy Rule, the parties to this Agreement do not intend to create any rights in any third parties. The obligations of Business Associate under this Section shall survive the expiration, termination, or cancellation of this Agreement, until such time as all PHI stored or copied by Business Associate has been returned to Covered Entity or destroyed. This Agreement may be amended or modified only in a writing signed by the Parties. No Party may assign its respective rights and obligations under this Agreement without the prior written consent of the other Party. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship. This Agreement shall be governed by the laws of the State of California. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion. The parties agree that, in the event that any documentation of the arrangement pursuant to which Business Associate provides services to Covered Entity contains provisions relating to the use or disclosure of PHI which are more restrictive than the provisions of this Agreement, the provisions of the more restrictive documentation will control. The provisions of this Agreement are intended to establish the minimum requirements regarding Business Associate's use and disclosure of PHI. 
In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. In addition, in the event a party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of the HIPAA Privacy Rule, such party shall notify the other party in writing. For a period of up to thirty days, the parties shall address in good faith such concern and amend the terms of this Agreement, if necessary to bring it into compliance. If, after such thirty-day period, the Agreement fails to comply with the HIPAA Privacy Rule, then either party has the right to terminate upon written notice to the other party. IN WITNESS WHEREOF, the Parties have executed this Agreement as of the day and year written above.