BUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is entered into in connection with provision of Underlying Services under a Billing and Revenue
Cycle Management Agreement or similar service agreement (the “Underlying Service Agreement”) between the Client (referred to this BAA
Agreement as the “Covered Entity”) and Nobility, LLC, an Arizona limited liability company (referred to in this BAA Agreement as the “Business
Associate”). Each of Covered Entity and Business Associate may be referenced in this BAA Agreement as a “Party” and collectively as the “Parties.”
This BAA Agreement is effective upon Business Associate’s first rendering of Underlying Services to Covered Entity under the Underlying Agreement
(the “Effective Date”).
If Covered Entity has entered into an agreement with Business Associate relating to HIPAA matters other than in the form set forth in this BAA
Agreement, such other agreement shall control.
The Parties, intending to be legally bound, hereby agree as follows:
Definition
- Except as otherwise defined in this BAA Agreement, all capitalized terms used in this BAA Agreement shall have the meanings set forth in HIPAA.
- “Breach” has the meaning set forth in 45 CFR § 162.402.
- “Disclose” has the same meaning as the term “disclosure” in 45 C.F.R. § 160.103.
- “Electronic Protected Health Information” shall mean Protected Health Information that is created, received, transmitted, or maintained by Business Associate in Electronic Media for or on behalf of Covered Entity.
- “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended and supplemented by the HITECH Act and its implementing regulations, as each is amended from time to time.
- “HIPAA Breach Notification Rule” shall mean the federal breach notification regulations, as amended from time to time, issued under HIPAA and set forth in 45 CFR Part 164 (Subpart D).
- “HIPAA Privacy Rule” shall mean the federal privacy regulations, as amended from time to time, issued under HIPAA and set forth in 45 CFR Parts 160 and 164 (Subparts A & E).
- “HIPAA Security Rule” shall mean the federal security regulations, as amended from time to time, issued under HIPAA and set forth in 45 CFR parts 160 & 164 (Subparts A & C).
- “HITECH Act” shall mean Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, 42 U.S.C. 17921-17954, and all its implementing regulations, when and as each is effective, and compliance is required.
- “Protected Health Information” or “PHI” shall mean Protected Health Information, as defined in 45 CFR 160.103, and is limited to the PHI received, maintained, created or transmitted on behalf of, Covered Entity by Business Associate in performance of the Underlying Services.
- “Underlying Services” shall mean, to the extent and only to the extent they involve the creation, maintenance, Use, Disclosure or transmission of PHI, the services performed by Business Associate for Covered Entity pursuant to the Underlying Services Agreement.
- “Underlying Services Agreement” shall mean the written agreement(s) (other than this BAA Agreement) by and between the Parties as amended by and between the Parties pursuant to which Business Associate receives, maintains, creates or transmits PHI for or on behalf of Covered Entity in connection with the provision of the Underlying Services described in the Underlying Services Agreement by Business Associate to Covered Entity.
Permitted and Required Uses and Disclosures of Protected Health Information by Business Associate
- Business Associate may Use or Disclose PHI:
- As necessary to perform the Underlying Services under the Underlying Services Agreement and this Agreement, and
- As Required by Law, provided that such Use or Disclosure complies with HIPAA.
- To provide Data Aggregation services relating to Covered Entity’s Health Care Operations, and
- Pursuant to Covered Entity’s separate written consent, deidentify PHI in accordance with 45 C.F.R. §164.502(d).
- Business Associate may Use and Disclose PHI for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate, provided that:
- Any Disclosure is Required by Law, or
- Business Associate obtains reasonable advance written assurances from the person or party to whom the PHI is Disclosed that the PHI will be held confidentially and used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the person or party, and the person or party notifies Business Associate of any instances in which it is aware that the confidentiality of the information has been breached.
Obligations of Business Associate.
- Business Associate shall implement safeguards it deems appropriate to prevent the Use or Disclosure of PHI, except as set forth in this Agreement.
- Business Associate shall use appropriate safeguards designed to protect the Confidentiality, Integrity, and Availability of PHI and comply, where applicable, with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent Use or Disclosure of the information other than as provided for in this BAA Agreement.
- Business Associate shall mitigate any harmful effect of a Use or Disclosure of PHI by Business Associate in violation of the requirements of HIPAA.
- Business Associate shall timely report to Covered Entity:
- Any Use or Disclosure of PHI by Business Associate not provided for by this BAA Agreement of which it becomes aware, and
- Any Security Incident involving PHI of which it becomes aware. Following discovery of a Breach of Unsecured PHI, Business Associate’s notification will include, to the extent known and possible, the requirements of the HIPAA Breach Rule set forth in 45 CFR 164.410.
- Business Associate shall require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions and conditions, in writing, that apply to Business Associate with respect to such Protected Health Information. This includes requiring Subcontractors to comply with the HIPAA Security Rule. Business Associate may use Subcontractors and subsidiaries located outside the United States, provided such Subcontractors and subsidiaries agree to comply with HIPAA and be subject to the jurisdiction of the United States.
- To the extent Business Associate has been delegated under the Underlying Services Agreement to carry out Covered Entity’s obligations under the HIPAA Privacy Rule, Business Associate shall comply with the requirements of the HIPAA Privacy Rule that apply to the Covered Entity in the performance of such obligations.
- To the extent Business Associate maintains PHI in a Designated Record Set on behalf of Covered Entity, Business Associate shall timely make available to Covered Entity, no later than fifteen (15) days after receipt of a written request from Covered Entity, PHI in a Designated Record Set, or, if requested by Covered Entity, to an Individual, all in accordance with the requirements under 45 CFR 164.524.
- To the extent Business Associate maintains PHI in a Designated Record Set on behalf of Covered Entity, Business Associate shall make available to Covered Entity and make any amendments to PHI in the Designated Record Set as agreed to by Covered Entity within fifteen (15) days after receipt of a written request from Covered Entity.
- To the extent no Disclosure exceptions apply under 45 CFR § 164.528, Business Associate shall maintain and make available to Covered Entity such information as would be required for Covered Entity to respond to a request for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
- Business Associate shall notify Covered Entity in writing within three (3) days after Business Associate’s receipt directly from an Individual of any request for access to or amendment of PHI, or an accounting of disclosures, as contemplated in Sections III(f), III(g), III(h) of this BAA Agreement.
- Business Associate agrees to make its internal practices, books, and records, including policies, procedures, and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with HIPAA.
- Business Associate shall make reasonable efforts to request, Use and/or Disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, Use, or Disclosure.
- Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI in violation of 45 CFR 164.502(a)(5)(ii).
- Business Associate shall not make or cause to be made any communication about a product or service that is prohibited by 45 CFR 164.501 and 164.508(a)(3).
- Business Associate shall not make or cause to be made any written fundraising communication that is prohibited by 45 CFR 164.514(f).
Obligations of Covered Entity.
- To the extent such limitation(s), change(s), or restriction(s) may affect Business Associate’s Use, Disclosure, or access to PHI, Covered Entity shall notify Business Associate of any:
- Limitation(s) in Covered Entity’s notice of privacy practices pursuant to HIPAA, including without limitation, 45 CFR § 164.520;
- Changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI; and
- Restriction(s) on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by pursuant to HIPAA, including without limitation, 45 CFR § 164.522.
- Except with regard to data aggregation and management and administration and legal responsibilities of Business Associate, Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under HIPAA or the HITECH Act if done by Covered Entity.
- Covered Entity shall make reasonable efforts to minimize the Disclosure of PHI to Business Associate where the Disclosure of that information is not needed for Business Associate to provide Underlying Services pursuant to the Underlying Services Agreement.
Term and Termination.
- The term of this BAA Agreement shall commence as of the Effective Date and shall terminate concurrently with the Underlying Service Agreement unless earlier terminated by mutual written agreement of the Parties, or in accordance with this Section.
- Notwithstanding anything in this BAA Agreement to the contrary, this BAA Agreement may be terminated by either Party if the other Party breaches a material provision of this BAA Agreement and the breach is not cured within thirty (30) days after receipt of the non-breaching Party’s written notice of such breach that sets forth all the specific facts necessary for the breaching Party to evaluate and cure such alleged breach.
- Upon the termination or expiration of this BAA Agreement, Business Associate will retain only that PHI that is necessary for Business Associate to continue its proper management and administration and to carry out its legal responsibilities and shall return or destroy, if feasible, the remaining PHI that Business Associate maintains.
- To the extent return or destruction of the PHI is not feasible, Business Associate shall extend the protections, limitations, and restrictions contained in this BAA Agreement to the Business Associate’s use and/or disclosures of any PHI retained after the expiration or termination of this BAA Agreement and shall limit further uses and disclosures to those purposes that make the return or destruction of the information feasible.
- This obligation for Business Associate to return or destroy PHI shall not apply to PHI in the possession of Business Associate as archived data secured and maintained with safeguards consistent with industry standards for the type of entity in Business Associate’s industry and the amount and type of data at issue.
- To the extent Business Associate maintains PHI as archived data, the terms of this BAA shall remain in effect for as long as Business Associate maintains such PHI as archived data.
Miscellaneous
- The Parties to this BAA Agreement do not intend to create any rights in any third parties. The obligations of Business Associate under Section V(c) of this BAA Agreement shall survive the expiration, termination, or cancellation of this BAA Agreement.
- Business Associate may modify the provisions of this BAA Agreement from time to time by posting modifications on its website, notifications contained in the invoices sent to Covered Entity for its services, or by other means. It is important that Covered Entity reviews this BAA Agreement whenever Business Associate modifies it because Covered Entity’s continued use of Business Associate’s services indicates agreement to such modifications.
- No Party may assign its respective rights and obligations under this BAA Agreement without the prior written consent of the other Party, except that Business Associate may assign this BAA Agreement without the written consent of Covered Entity to any affiliate or third party that acquires all or substantially all of Business Associate’s assets or equity. None of the provisions of this BAA Agreement are intended to create, nor will they be deemed to create, a relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provision of this BAA Agreement and any other agreements between the Parties evidencing their business relationship.
- This BAA Agreement shall be governed by the laws of the State of Arizona. No change, waiver, or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, nor shall it prohibit enforcement of any obligation on any other occasion. This BAA Agreement, together with the Underlying Services Agreement, constitutes the entire agreement of the Parties relating to Business Associate’s Use or Disclosure of PHI.
- The terms of this BAA Agreement, to the extent they are unclear, shall be construed to allow for compliance by the Parties with HIPAA and the HITECH Act. If any provision of this BAA Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this BAA Agreement will remain in full force and effect.
- Business Associate’s provision of Underlying Services to Covered Entity under the Underlying Services Agreement constitutes execution and acceptance by the Parties of this BAA Agreement.