Effective as of January 1, 2023
BACKGROUND
WHEREAS, the Parties have entered into the Underlying Agreement whereby Subcontractor will provide to Business Associate certain services (“Services”) for or on behalf of Business Associate that may involve the creation, maintenance, use, transmission or disclosure of PHI of Business Associate’s clients (each, a “Covered Entity”) within the meaning of the HIPAA Rules and their implementing regulations. When used in this Agreement, the term “Underlying Agreement” also means all current or future agreements between the Parties in which Subcontractor uses and/or discloses PHI in performing Services on behalf of the Business Associate.
WHEREAS, the Subcontractor will use and/or disclose PHI on behalf of the Business Associate pursuant to providing the Services for Business Associate.
WHEREAS, the Parties are committed to complying with the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) and the Standards for Security of Electronic Protected Health Information (the “Security Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
WHEREAS, this Agreement, in conjunction with the Privacy Rule and Security Rule, sets forth the terms and conditions pursuant to which PHI (electronic and non-electronic) that is created, received, maintained, or transmitted by the Subcontractor from or on behalf of Business Associate will be handled between the Subcontractor and Business Associate and with third parties during the term of their Underlying Agreement and after its termination.
NOW, THEREFORE, in consideration of the covenants and agreements set forth herein, the Parties agree as follows:
1. DEFINITIONS. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules (defined below): Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (“PHI”), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. Specific definitions include:
1.1 Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR § 160.103, and in reference to the party to this Agreement.
1.2 Covered Entity. “Covered Entity” shall generally have the same meaning as the term “Covered Entity” at 45 CFR § 160.103, and in reference to this Agreement, shall mean Business Associate’s clients with whom it has contracted to perform services related to those clients’ PHI.
1.3 Covered Entity’s Agreement. “Covered Entity’s Agreement” shall mean the business associate agreement between a Covered Entity and Business Associate relating to a Covered Entity’s protected health information.
1.4 HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
1.5 Electronic Protected Health Information or Electronic PHI. “Electronic Protected Health Information” or “Electronic PHI” shall mean PHI which is transmitted by Electronic Media (as defined in the HIPAA Security and Privacy Rule) or maintained in Electronic Media.
1.6 Privacy Officer. “Privacy Officer” shall have the meaning as set out in its definition at 45 C.F.R. § 164.530(a)(1) as such provision is currently drafted and as it is subsequently updated, amended or revised.
1.7 Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information as outlined at 45 C.F.R. part 160 and part 164.
1.8 PHI. “PHI” shall mean protected health information and have the same meaning as the term “protected health information” at 45 CFR § 160.103, and shall include any individually identifiable information that is created, received, maintained, or transmitted by Subcontractor on behalf of Business Associate or its Covered Entity clients that relates to an individual’s past, present, or future physical or mental health, health care, or payment for health care, whether such information is in oral, hard copy, electronic, or any other form or medium.
1.9 Security Rule. “Security Rule” shall mean the Standards for Security of Electronic Protected Health Information as outlined at 45 CFR Parts 160, 162, and 164.
1.10 Subcontractor. “Subcontractor” shall generally have the same meaning as the term “Subcontractor” at 45 CFR § 160.103, and in reference to the party to this Agreement, shall mean Subcontractor.
2. PERMITTED USES AND DISCLOSURES OF PHI.
2.1 Services. Subcontractor may use or disclose PHI only as follows:
(a) As necessary to perform the Services set forth in the Underlying Agreement, consistent with the requirements of the Covered Entity’s Agreement. All other uses not authorized by this Agreement are prohibited. Moreover, Subcontractor may disclose PHI for the purposes authorized by this Agreement only to its employees, subcontractors and agents.
(b) As required by law.
2.2 Business Activities of the Subcontractor. Unless otherwise limited herein and if such use or disclosure of PHI would not violate the Privacy or Security Rules if done by the Business Associate, the Subcontractor may:
(a) Use the PHI in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of the Subcontractor provided that such uses are permitted under state and federal confidentiality laws.
(b) Disclose the PHI in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of the Subcontractor, provided that the Subcontractor represents to Business Associate, in writing, that (i) the disclosures are required by law, or (ii) the Subcontractor has received from the third party written assurances regarding its confidential handling of such PHI as required under 45 C.F.R. § 164.504(e)(4) and § 164.314, and the third party notifies the Subcontractor of any instances of which it is aware in which the confidentiality of the information has been breached.
3. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PHI.
3.1 Responsibilities of the Subcontractor. With regard to its use and/or disclosure of PHI, the Subcontractor hereby agrees to do the following:
(a) Not use or disclose PHI other than as permitted or required by the Agreement or as required by law.
(b) Use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement.
(c) Immediately report (and in no event more than 5 days), in writing, to Business Associate any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR § 164.410, and any security incident of which it becomes aware, and cooperate with the Business Associate in any mitigation or breach reporting efforts.
(d) Fully cooperate with Business Associate’s efforts to promptly investigate, mitigate, and notify third parties of breaches of unsecured protected health information or security incidents as required by the HIPAA Rules. Subcontractor shall pay for or reimburse Business Associate for Business Associate’s expenses, costs, losses, payments, or damages resulting from any violation of the HIPAA Rules or breach of this Agreement by Subcontractor or Subcontractor’s members, employees, agents or subcontractors.
(e) In accordance with 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), if applicable, to ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Subcontractor agree to the same restrictions, conditions, and requirements that apply to the Subcontractor with respect to such information. Subcontractor may fulfill this requirement by executing a written agreement with the subcontractor incorporating the terms of this Agreement.
(f) Ensure that any agent or subcontractor to whom the Subcontractor provides PHI, as well as Subcontractor, not export PHI for storage beyond the borders of the United States of America.
(g) With respect to any agent or subcontractor who has access to PHI from beyond the borders of the United States of America:
(i) Ensure that any such individuals are bound by the terms and conditions of this Agreement or a subcontractor Agreement containing substantially similar terms and conditions; and
(ii) Ensure that any such individuals with access to PHI beyond the borders of the United States of America are subject to the jurisdiction of the courts in the United States of America; and
(iii) Ensure that any such persons with access to PHI have received current HIPAA Privacy & Security training.
(h) Within ten (10) business days of a request by Business Associate or a Covered Entity, make available PHI in a designated record set, if applicable, to Business Associate or Covered Entity, as necessary to satisfy its obligations under 45 CFR § 164.524.
(i) Within ten (10) business days, make any amendment(s) to PHI, if applicable, in a designated record set as directed or agreed to by the Business Associate or Covered Entity pursuant to 45 CFR § 164.526, or take other measures as necessary to satisfy Business Associate’s or Covered Entity’s obligations under 45 CFR § 164.526.
(j) As applicable, maintain information concerning Subcontractor’s disclosures of protected health information as required by 45 CFR § 164.528 and, within ten (10) days following Business Associate’s or Covered Entity’s request, make such information available to Business Associate and Covered Entity as necessary to enable Covered Entity to render an accounting of disclosures pursuant to 45 CFR § 164.528. In addition to any other such information, Subcontractor shall document the following as to any impermissible disclosure: (i) the date of the disclosure; (ii) the name and address of the person or entity to whom the disclosure was made; (iii) a brief description of the protected health information disclosed; and (iv) a brief statement of the purpose of the disclosure.
(k) To the extent the Subcontractor is to carry out one or more of Business Associate's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Business Associate in the performance of such obligations.
(l) Make its internal practices, books, and records available to the Secretary and to the Business Associate or Covered Entity for purposes of determining compliance with the HIPAA Rules. In addition, if and to the extent requested by Business Associate or Covered Entity, provide to Business Associate and Covered Entity such proof of Subcontractor’s compliance with the requirements of this Agreement as Business Associate or Covered Entity shall reasonably require.
(m) Comply with minimum necessary requirements under the HIPAA Rules, and fully comply with all relevant laws relating to the privacy or security of PHI applicable to Subcontractor.
4. TERMS AND TERMINATION.
4.1 Term. The Term of this Agreement shall commence on the Effective Date and shall terminate on the termination date of the Agreement or on the date Business Associate terminates this Agreement for cause as authorized in paragraph 4.2 of this Section, whichever is sooner.
4.2 Termination for Cause. Subcontractor authorizes termination of this Agreement by Business Associate, if Business Associate determines Subcontractor has violated a material term of the Agreement and Subcontractor has not cured the breach or ended the violation within the time specified by Business Associate. Business Associate may further terminate this Agreement immediately if Subcontractor or any of its subcontractors engages in any conduct that Business Associate reasonably believes may result in adverse action against Business Associate by any governmental agency or third party.
4.3 Obligations of Subcontractor upon Termination. Subcontractor agrees to return or destroy all PHI pursuant to 45 C.F.R. § 164.504(e)(2)(ii)(J), if it is feasible to do so. If it is not feasible for the Subcontractor to return or destroy said PHI, the Subcontractor will notify Business Associate in writing. Said notification shall include: (i) a statement that the Subcontractor has determined that it is not feasible to return or destroy the PHI in its possession, and (ii) the specific reasons for such determination. Subcontractor further agrees to extend any and all protections, limitations and restrictions contained in this Agreement to the Subcontractor’s use and/or disclosure of any PHI retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible. If it is infeasible for the Subcontractor to obtain, from a subcontractor or agent, any PHI in the possession of the subcontractor or agent, the Subcontractor must provide a written explanation to Business Associate of the reasons therefor, and require the subcontractors and agents to agree to extend any and all protections, limitations and restrictions contained in this Agreement to the subcontractors’ and/or agents’ use and/or disclosure of any PHI retained after the termination of this Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible.
4.4 Automatic Termination. This Agreement will automatically terminate without any further action of the Parties upon the termination or expiration of the Underlying Agreement.
5. INSURANCE.
5.1 Insurance. Subcontractor will procure and maintain in effect during the term of this Agreement: (1) general liability insurance coverage with minimum limits of One (1) Million dollars per claim and Three (3) Million dollars aggregate; and (2) cyber liability coverage sufficient to insure Subcontractor against its obligations and risks undertaken in connection with this Agreement, with amounts of coverage of at least One (1) Million dollars per claim. If requested, Subcontractor will provide a certificate of insurance as evidence of continuous coverage of the insurance policy required above.
5.2 Mutual Indemnification. The Parties agree to indemnify and defend the other Party for any costs, fees, fines, settlements, judgments, including attorney’s fees and court costs incurred as a result of the breach of this Agreement by the other Party or its agents or subcontractors, or as a result of any act or omission by a Party or its agents or subcontractors.
5.3 Limitation of Liability. NOTWITHSTANDING ANY PROVISION OF THIS AGREEMENT, IN NO EVENT SHALL EITHER PARTY (OR ITS RESPECTIVE AFFILIATES, OFFICERS, EMPLOYEES AND AGENTS) HAVE ANY LIABILITY TO THE OTHER FOR ANY INDIRECT, PROXIMATE, SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL DAMAGES OR CONTINGENT LIABILITIES UNDER ANY CONTRACT, TORT, STRICT LIABILITY, NEGLIGENCE OR OTHER LEGAL OR EQUITABLE CLAIM OR THEORY OR CIRCUMSTANCE.
6. MISCELLANEOUS.
6.1 Business Associate. For purposes of this Agreement, Business Associate shall include the named Business Associate herein. However, in the event that the Business Associate is otherwise a Covered Entity under the Privacy or Security Rule, that entity may appropriately designate a health care component of the entity, pursuant to 45 C.F.R. § 164.504(a), as the Business Associate for purposes of this Agreement.
6.2 Survival. The respective rights and obligations of Business Associate and Subcontractor under this Agreement shall survive termination of this Agreement indefinitely.
6.3 Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
6.4 Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
6.5 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
6.6 Cooperation. The parties agree to cooperate with each other’s efforts to comply with the requirements of the HIPAA Rules and other applicable laws; to assist each other in responding to and mitigating the effects of any breach of protected health information in violation of the HIPAA Rules or this Agreement; and to assist the other party in responding to any investigation, complaint, or action by any government agency or third party relating to the performance of this Agreement. In addition to any other cooperation reasonably requested by Business Associate, Subcontractor shall make its officers, members, employees, agents, and subcontractors available without charge for interview or testimony.
6.7 Entire Agreement. This Agreement contains the entire agreement between the parties as it relates to the use or disclosure of protected health information, and supersedes all prior discussions, negotiations and services relating to the same to the extent such other prior communications are inconsistent with this Agreement.
6.8 Relation to Underlying Agreement. This Agreement supplements the Underlying Agreement. The terms and conditions of the Underlying Agreement shall continue to apply to the extent not inconsistent with this Agreement. If there is a conflict between this Agreement and the Underlying Agreement, this Agreement shall control. Notwithstanding any limitation on liability or other term in the Underlying Agreement to the contrary, Subcontractor’s obligations pursuant to 3.1(d) and section 5.2 shall apply in the event of any violation of the HIPAA Rules or breach of this Agreement by Subcontractor or its members, employees, agents or subcontractors.
6.9 Relationship of the Parties. Subcontractor is and at all times during this Agreement shall be acting as an independent contractor to Business Associate, and not as Business Associate’s agent. Business Associate shall not have authority to control the method or manner in which Subcontractor performs its services on behalf of Business Associate, provided that Subcontractor complies with the terms of this Agreement and the HIPAA Rules. Subcontractor shall not have authority to bind Business Associate to any liability unless expressly authorized by Business Associate in writing, and Business Associate shall not be liable for the acts or omissions of Subcontractor. Subcontractor shall not represent itself as the agent of Business Associate. Nothing in this Agreement shall be deemed to establish an agency, partnership, joint venture or other relationship except that of independently contracting entities.
6.10 Notices. Any notices to be given hereunder to a Party shall be made via U.S. Mail or express courier to such Party’s address given below.