BUSINESS ASSOCIATE AGREEMENT
This BUSINESS ASSOCIATE AGREEMENT (“BAA”) is made by and between you (“Covered Entity” or “CE”) and BREAKTHROUGH BEHAVIORAL, INC., a Delaware “C” corporation (“Business Associate” or “BA”) (each a “party” and, collectively, the “parties”) upon your indication that you understand and accept all of the terms and conditions herein (the “Effective Date”).
A. CE is a “covered entity” under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and, as such, must enter into so-called “business associate” contracts with certain contractors that may have access to certain patient medical information.
B. Pursuant to the terms of one or more agreements between the parties, whether oral or in writing (collectively, the “Agreement”), BA shall provide certain services to CE. To facilitate BA’s provision of such services, CE wishes to disclose certain information to BA, some of which may constitute Protected Health Information (“PHI”) (defined below).
C. CE and BA intend to protect the privacy and provide for the security of PHI disclosed to BA pursuant to the Agreement in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (“HITECH Act”), and regulations promulgated thereunder by the U.S. Department of Health and Human Services (“HIPAA Regulations”) and other applicable laws, including without limitation state patient privacy laws, as such laws may be amended from time to time.
D. As part of the HIPAA Regulations, the Privacy Rule and the Security Rule (defined below) require CE to enter into a contract containing specific requirements with BA prior to the disclosure of PHI (defined below), as set forth in, but not limited to, Title 45, Sections 164.314(a), 164.502(e) and 164.504(e) of the Code of Federal Regulations (“C.F.R.”) and contained in this BAA.
NOW, THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this BAA, CE and BA agree as follows:
1. Definitions.
1.1. Breach shall have the meaning given to such term under 42 U.S.C. § 17921(1) and 45 C.F.R. § 164.402.
1.2. Business Associate shall have the meaning given to such term under 42 U.S.C. § 17938 and 45 C.F.R. § 160.103.
1.3. Covered Entity shall have the meaning given to such term under 45 C.F.R. § 160.103.
1.4. Data Aggregation shall have the meaning given to such term under 45 C.F.R. § 164.501.
1.5. Designated Record Set shall have the meaning given to such term under 45 C.F.R. § 164.501.
1.6. Electronic Protected Health Information or EPHI means Protected Health Information that is maintained in or transmitted by electronic media.
1.7. Electronic Health Record shall have the meaning given to such term under 42 U.S.C. § 17921(5).
1.8. Health Care Operations shall have the meaning given to such term under 45 C.F.R. § 164.501.
1.9. Privacy Rule shall mean the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and E.
1.10. Protected Health Information or PHI means any information, whether oral or recorded in any form or medium: (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under 45 C.F.R. § 160.103. Protected Health Information includes Electronic Protected Health Information.
1.11. Protected Information shall mean PHI provided by CE to BA or created or received by BA on CE’s behalf.
1.12. Security Rule shall mean the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and C.
1.13. Unsecured PHI shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402 and guidance issued pursuant to the HITECH Act including, but not limited to, that issued on April 17, 2009 and published in 74 Federal Register 19006 (April 27, 2009), by the Secretary of the U.S. Department of Health and Human Services (“Secretary”).
2. Obligations of Business Associate.
2.1. Permitted Access, Use or Disclosure. BA shall neither permit the unauthorized or unlawful access to, nor use or disclose, PHI other than as permitted or required by the Agreement, this BAA, or as permitted or required by law. Except as otherwise limited in the Agreement or this BAA, BA may access, use, or disclose PHI (i) to perform its services as specified in the Agreement; and (ii) for the proper administration of BA, provided that such access, use, or disclosure would not violate HIPAA, the HITECH Act, the HIPAA Regulations, or applicable state law if done or maintained by CE. If BA discloses Protected Information to a third party, BA must obtain, prior to making any such disclosure, (i) reasonable written assurances from such third party that such Protected Information will be held confidential as provided pursuant to this BAA and only disclosed as required by law or for the purposes for which it was disclosed to such third party, and (ii) a written agreement from such third party to promptly notify BA of any Breaches of confidentiality of the Protected Information, to the extent it has obtained knowledge of such Breach.
2.2. Prohibited Uses and Disclosures Under HITECH. Notwithstanding any other provision in this BAA, BA shall comply with the following requirements: (i) BA shall not use or disclose Protected Information for fundraising or marketing purposes, except as provided under the Agreement and consistent with the requirements of 42 U.S.C. § 17936; (ii) BA shall not disclose Protected Information to a health plan for payment or health care operations purposes if the patient has requested this special restriction, and has paid out of pocket in full for the health care item or service to which the PHI solely relates, 42 U.S.C. § 17935(a); (iii) BA shall not directly or indirectly receive remuneration in exchange for Protected Information, except with the prior written consent of CE and as permitted by the HITECH Act, 42 U.S.C. § 17935(d)(2); however, this prohibition shall not affect payment by CE to BA for services provided pursuant to the Agreement.
2.3. Appropriate Safeguards. BA shall implement appropriate safeguards designed to prevent the access, use or disclosure of Protected Information other than as permitted by the Agreement or this BAA. BA shall use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of EPHI. BA shall comply with each of its obligations under the applicable requirements of 45 C.F.R. §§ 164.308, 164.310, and 164.312 and the policies and procedures and documentation requirements of the HIPAA Security Rule set forth in 45 C.F.R. § 164.316.
2.4. Reporting of Improper Access, Use, or Disclosure.
(a) Generally. BA shall promptly notify CE of any Breach of security, intrusion or unauthorized access, use, or disclosure of PHI of which BA becomes aware and/or any access, use, or disclosure of data in violation of the Agreement, this BAA, or any applicable federal or state laws or regulations. BA shall take (i) prompt corrective action to cure any deficiencies in its policies and procedures that may have led to the incident, and (ii) any action pertaining to such unauthorized access, use, or disclosure required of BA by applicable federal and state laws and regulations.
(b) Breaches of Unsecured PHI. Without limiting the generality of the reporting requirements set forth in Section 2.4(a), BA also shall, following the discovery of any Breach of Unsecured PHI, notify CE in writing of such Breach without unreasonable delay and in no case later than sixty (60) days after discovery. The notice shall include the following information if known (or can be reasonably obtained) by BA: (i) contact information for the individuals who were or who may have been impacted by the Breach (e.g., first and last name, mailing address, street address, phone number, email address); (ii) a brief description of the circumstances of the Breach, including the date of the Breach and date of discovery (as defined in 42 U.S.C. § 17932(c)); (iii) a description of the types of Unsecured PHI involved in the Breach (e.g., names, social security numbers, date of birth, addresses, account numbers of any type, disability codes, diagnostic and/or billing codes and similar information); (iv) a brief description of what the BA has done or is doing to investigate the Breach and to mitigate harm to the individuals impacted by the Breach.
(c) Mitigation. BA shall establish and maintain safeguards to mitigate, to the extent practicable, any deleterious effects known to BA of any unauthorized or unlawful access or use or disclosure of PHI not authorized by the Agreement, this BAA, or applicable federal or state laws or regulations; provided, however, that unless otherwise agreed in writing by the parties or required by applicable federal or state laws or regulations, such mitigation efforts by BA shall not require BA to bear the costs of notifying individuals impacted by such unauthorized or unlawful access, use, or disclosure of PHI; provided, further, however, that BA shall remain fully responsible for all aspects of its reporting duties to CE under Section 2.4(a) and Section 2.4(b).
2.5. Business Associate’s Subcontractors and Agents. BA shall ensure that any agents or subcontractors to whom it provides Protected Information agree to the same restrictions and conditions that apply to BA with respect to such PHI. To the extent that BA creates, maintains, receives or transmits EPHI on behalf of the CE, BA shall ensure that any of BA’s agents or subcontractors to whom it provides Protected Information agree to implement the safeguards required by Section 2.3 above with respect to such EPHI.
2.6. Access to Protected Information. To the extent BA maintains a Designated Record Set on behalf of the CE, BA shall make Protected Information maintained by BA or its agents or subcontractors in Designated Record Sets available to CE for inspection and copying within ten (10) days of a request by CE to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.524. If BA maintains an Electronic Health Record, BA shall provide such information in electronic format to enable CE to fulfill its obligations under the HITECH Act, including, but not limited to, 42 U.S.C. § 17935(e).
2.7. Amendment of PHI. To the extent BA maintains a Designated Record Set on behalf of CE, within ten (10) days of receipt of a request from the CE for an amendment of Protected Information or a record about an individual contained in a Designated Record Set, BA or its agents or subcontractors shall make PHI available to CE so that CE may make any amendments that CE directs or agrees to in accordance with the Privacy Rule.
2.8. Accounting Rights. Within ten (10) days of notice by CE of a request for an accounting of disclosures of Protected Information, BA and its agents or subcontractors shall make available to CE the information required to provide an accounting of disclosures to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.528, and its obligations under the HITECH Act, including but not limited to 42 U.S.C. § 17935(c), as determined by CE. BA agrees to implement a process that allows for an accounting to be collected and maintained by BA and its agents or subcontractors for at least six (6) years prior to the request. However, accounting of disclosures from an Electronic Health Record for treatment, payment, or health care operations purposes are required to be collected and maintained for only three (3) years prior to the request, and only to the extent BA maintains an electronic health record and is subject to this requirement. At a minimum, the information collected and maintained shall include, to the extent known to BA: (i) the date of the disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or a copy of the individual’s authorization, or a copy of the written request for disclosure. The accounting must be provided without cost to the individual or the requesting party if it is the first accounting requested by such individual within any twelve (12) month period. 
For subsequent accountings within a twelve (12) month period, BA may charge the individual or party requesting the accounting a reasonable fee based upon BA’s labor costs in responding to the request and a cost-based fee for the production of non-electronic media copies, so long as BA informs the individual or requesting party in advance of the fee and the individual or requesting party is afforded an opportunity to withdraw or modify the request. BA shall notify CE within five (5) business days of receipt of any request by an individual or other requesting party for an accounting of disclosures. The provisions of this Section 2.8 shall survive the termination of this BAA.
2.9. Governmental Access to Records. BA shall make its internal practices, books and records relating to the use and disclosure of Protected Information available to CE and to the Secretary for purposes of determining BA’s compliance with the Privacy Rule.
2.10. Minimum Necessary. To the extent feasible in the performance of services under the Agreement, BA (and its agents or subcontractors) shall request, use, and disclose only the minimum amount of Protected Information necessary to accomplish the purpose of the request, use, or disclosure. Because the definition of “minimum necessary” is in flux, BA shall keep itself informed of guidance issued by the Secretary with respect to what constitutes “minimum necessary.” Notwithstanding the foregoing, the parties agree that based on the nature of the services provided to CE by BA under the Agreement, BA may be unable to determine what constitutes “minimum necessary” under HIPAA, and thus BA shall be entitled to rely on CE’s direction as to what constitutes “minimum necessary” with respect to the access, use, or disclosure of CE’s PHI in the possession or under the control of BA.
2.11. Permissible Requests by Covered Entity. CE shall not request BA to use or disclose PHI in any manner that would not be permissible under HIPAA or the HITECH Act if done by CE or BA. CE shall not direct BA to act in a manner that would not be compliant with the Security Rule, the Privacy Rule, or the HITECH Act.
2.12. Breach Pattern or Practice by CE. Pursuant to 42 U.S.C. § 17934(b), if BA knows of a pattern of activity or practice of CE that constitutes a material breach or violation of CE’s obligations under the Agreement, this BAA, or other arrangement, BA must take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, BA must terminate the applicable Agreement to which the breach and/or violation relates if feasible, or if termination is not feasible, report the problem to the Secretary of the Department of Health and Human Services.
3. Term and Termination.
3.1. Term. The term of this BAA shall be effective as of the Effective Date and shall terminate when all of the PHI provided by CE to BA, or created or received by BA on behalf of CE, is destroyed or returned to CE.
3.2. Termination.
(a) Material Breach by BA. Upon any material breach of this BAA by BA, CE shall provide BA with written notice of such breach and such breach shall be cured by BA within thirty (30) business days of such notice. If such breach is not cured within such time period, CE may immediately terminate this BAA and the applicable Agreement.
(b) Effect of Termination. Upon termination of any of the agreements comprising the Agreement for any reason, BA shall, if feasible, return or destroy all PHI relating to such agreements that BA or its agents or subcontractors still maintain in any form, and shall retain no copies of such PHI. If return or destruction is not feasible, BA shall continue to extend the protections of this BAA to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible.
4. Compliance with State Law. Nothing in this BAA shall be construed to require BA to use or disclose Protected Information without a written authorization from an individual who is a subject of the Protected Information, or without written authorization from any other person, where such authorization would be required under state law for such use or disclosure.
5. Amendment to Comply with Law. Because state and federal laws relating to data security and privacy are rapidly evolving, amendment of the Agreement or this BAA may be required to provide for procedures to ensure compliance with such developments. BA and CE shall take such action as is necessary to implement the standards and requirements of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule and other applicable laws relating to the security or confidentiality of PHI. BA shall provide to CE satisfactory written assurance that BA will adequately safeguard all PHI. Upon the request of either party, the other party shall promptly enter into negotiations concerning the terms of an amendment to this BAA embodying written assurances consistent with the standards and requirements of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule or other applicable laws. CE may terminate the applicable Agreement upon thirty (30) days written notice in the event (i) BA does not promptly enter into negotiations to amend the Agreement or this BAA when requested by CE pursuant to this Section or (ii) BA does not enter into an amendment to the Agreement or this BAA providing assurances regarding the safeguarding of PHI that CE, in its reasonable discretion, deems sufficient to satisfy the standards and requirements of applicable laws, within thirty (30) days following receipt of a written request for such amendment from CE.
6. No Third-Party Beneficiaries. Nothing express or implied in the Agreement or this BAA is intended to confer, nor shall anything herein confer upon any person other than CE, BA and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
7. Notices. All notices hereunder shall be in writing, delivered personally, by certified or registered mail, return receipt requested, or by overnight courier, and shall be deemed to have been duly given when delivered personally or when deposited in the United States mail, postage prepaid, or deposited with the overnight courier addressed as follows:
If to CE, to the address set forth in your Breakthrough profile, as such may be amended from time to time.
If to BA: Breakthrough Behavioral, Inc.
702 Marshall Street, Suite 340
Redwood City, CA 94063
Attn: Security Officer
or to such other persons or places as either party may from time to time designate by written notice to the other.
8. Interpretation. The provisions of this BAA shall prevail over any provisions in the Agreement that may conflict or appear inconsistent with any provision in this BAA. This BAA and the Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HITECH Act, the Privacy Rule and the Security Rule. Any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the HITECH Act, the Privacy Rule and the Security Rule. Except as specifically required to implement the purposes of this BAA, or to the extent inconsistent with this BAA, all other terms of the Agreement shall remain in force and effect.
9. Entire Agreement of the Parties. This BAA supersedes any and all prior and contemporaneous business associate agreements or addenda between the parties and constitutes the final and entire agreement between the parties hereto with respect to the subject matter hereof. Each party to this BAA acknowledges that no representations, inducements, promises, or agreements, oral or otherwise, with respect to the subject matter hereof, have been made by either party, or by anyone acting on behalf of either party, which are not embodied herein. No other agreement, statement or promise, with respect to the subject matter hereof, not contained in this BAA shall be valid or binding.
10. Regulatory References. A reference in this BAA to a section of regulations means the section as in effect or as amended, and for which compliance is required.
11. Counterparts. This BAA may be executed in one or more counterparts, each of which shall be deemed to be an original, and all of which together shall constitute one and the same instrument.