SUBCONTRACTOR BUSINESS ASSOCIATE APPENDIX
This Subcontractor Business Associate Appendix (“BAA”) adds to and is made a part of the Independent Agent/Agency Agreement (“Agreement”) by and between Company, LLC (hereinafter referred to as “Company”) and Agent/Agency (hereinafter referred to as “Service Provider”) (Company and Service Provider each a “Party” and collectively the “Parties”). This BAA is an integral part of the Agreement as if fully set forth therein.
A. Company and Service Provider have an arrangement (or arrangements) pursuant to which Service Provider carries out certain activities for or on behalf of Company, which activities may require Service Provider to receive, create, maintain, store, transmit, or otherwise use and/or disclose individually identifiable health information of Individuals for which Company is responsible.
B. Company is a Business Associate, as defined in the HIPAA Rules (as defined below), and, therefore, with respect to the Services (as defined below), Service Provider is considered a Subcontractor of Company (and thus also a Business Associate), as those terms are defined for purposes of the HIPAA Rules.
C. Consistent with the foregoing statements, and as required by the HIPAA Rules, Company and Service Provider hereby agree to the following terms and conditions in connection with the Services, and intend that this BAA shall serve as the satisfactory written assurance of Service Provider that it will appropriately safeguard the PHI (as defined below).
1. Definitions. Except as otherwise defined in this BAA, capitalized terms used herein shall have the meanings ascribed to those terms under the HIPAA Rules, including without limitation: Breach; Business Associate; Covered Entity; Data Aggregation; Designated Record Set; Disclosure; Electronic Protected Health Information; Health Care Operations; Individual; Protected Health Information; Required by Law; Secretary; Security Incident; Standard Transaction; Subcontractor; Unsecured PHI; and Use. Any reference within this BAA to the HIPAA Rules, or to a specific section thereof, shall mean the statute or regulation in effect and as amended from time to time. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Rules.
a. “HIPAA Rules” means the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and the regulations promulgated under HIPAA and HITECH, including the Privacy, Security, Breach Notification, Electronic Transactions, and Enforcement Rules codified at 45 C.F.R. Parts 160, 162 and 164, all as amended.
b. “Protected Health Information” or “PHI” shall have the meaning ascribed to it in the HIPAA Rules, but shall be specific to that PHI: (1) received by Service Provider from or on behalf of Company; (2) created, maintained, stored, or transmitted by Service Provider for or on behalf of Company; or (3) made accessible to Service Provider by or on behalf of Company. As used herein, the term “PHI” shall include, as applicable, physical PHI and Electronic PHI (“ePHI”).
c. “Services” shall mean those services performed by Service Provider for and/or on behalf of Company, whether under one or more agreement(s), to the extent (and only to the extent) that such services involve the accessing, receipt, creation, maintenance, storage, transmission, or other Use or Disclosure of PHI by Service Provider.
d. “Successful Security Incident” shall mean a Security Incident that actually results in the unauthorized access, Use, Disclosure, modification, or destruction of PHI or any interference with system operations in an Information System.
e. “Unsuccessful Security Incident” shall mean any Security Incident that does not actually result in the unauthorized access, Use, Disclosure, modification, or destruction of PHI or interference with system operations in an Information System, such as pings or other broadcast attacks on a firewall, port scans, attempts to log onto any system or enter a database using an invalid username or password, denial-of-service attacks that do not result in the system being taken off-line, and malware (e.g., worms and viruses) that is detected and blocked or quarantined before it executes or accesses PHI.
2. Permitted Uses and Disclosures by Service Provider.
a. Permitted Uses of PHI. Service Provider may use PHI as reasonably necessary: (1) to perform the Services; (2) for its proper management and administration; or (3) to carry out its legal responsibilities. If (and only to the extent) it is a part of the Services, Service Provider may perform Data Aggregation with regards to the Health Care Operations of Company or its customers.
b. Permitted Disclosures of PHI. Service Provider may disclose PHI as reasonably necessary to perform the Services, or for its proper management and administration, or to carry out its legal responsibilities; provided: (1) the Disclosure is Required by Law or (2) prior to making the Disclosure, Service Provider obtains written assurances from the person or entity to which the PHI is to be disclosed that (i) PHI will be held in confidence and used or further disclosed only as Required by Law or for the lawful purpose for which the PHI is disclosed to such person/entity, and (ii) in the event that the confidentiality of the PHI is compromised, such person/entity will promptly notify Service Provider in writing.
3. Service Provider’s Acknowledgment. Service Provider acknowledges that certain HIPAA Rules apply directly to Service Provider as a matter of federal law and regardless of this BAA. Accordingly, Service Provider acknowledges and agrees that, in addition to the provisions of this BAA, Service Provider must comply with those provisions of the HIPAA Rules that are applicable to it as a Business Associate.
4. Service Provider’s Obligations. Service Provider agrees that it shall:
a. Compliance. Not use or disclose PHI other than as permitted by this BAA or as Required by Law and, in any case, not use or disclose PHI in any manner that would violate the HIPAA Rules if done by Company or a Business Associate in general;
b. Minimum Necessary. Unless excepted by 45 C.F.R. § 164.502(b), limit its requests for, and Uses and Disclosures of, PHI to the minimum amount necessary to accomplish the intended purpose(s) of such request, Use or Disclosure;
c. PHI Safeguards. Implement and utilize appropriate safeguards intended to prevent the unauthorized Use and/or Disclosure of PHI, including administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, privacy, integrity, security and availability of ePHI, in accordance with 45 C.F.R. Part 164 Subpart C (the “Security Rule”);
d. Access. If the Services involve maintaining PHI in a Designated Record Set, make such PHI available to Company (or, if directed by Company, to an Individual), in the form and format requested, and at the time and in the manner directed, by Company in writing, as necessary to satisfy Company’s obligations under 45 C.F.R. § 164.524; and, in the event that Service Provider receives an Individual’s request for access to, or a copy of, his or her PHI, Service Provider shall forward the request to Company within three (3) business days;
e. Amendment. If the Services involve maintaining PHI in a Designated Record Set, incorporate any amendment(s) to such PHI as directed by Company in writing, in accordance with 45 C.F.R. § 164.526; and, in the event that Service Provider receives an Individual’s request to amend PHI, Service Provider shall forward the request to Company within three (3) business days;
f. Documentation and Accounting. Document Disclosures of PHI and all information related thereto as necessary for Company to provide an accounting of each Disclosure of PHI by Service Provider in accordance with 45 C.F.R. § 164.528, and make such information available, at the time and in the manner directed by Company in writing; and, in the event that Service Provider receives an Individual’s request for an accounting of Disclosures of PHI, Service Provider shall forward the request to Company within three (3) business days;
g. Confidential Communications. Accommodate reasonable requests for confidential communications of PHI by alternative means or at alternative locations, as directed by Company on behalf of an Individual, in writing, in accordance with 45 C.F.R. § 164.522(b); and, in the event that Service Provider receives an Individual’s request for such confidential communications of PHI, Service Provider shall forward the request to Company within three (3) business days;
h. Restrictions. Abide by restrictions on Uses/Disclosures of an Individual’s PHI that such Individual requests and Company implements pursuant to 45 C.F.R. § 164.522(a); provided, however, that Service Provider is given timely written notice of such restrictions by Company;
i. Reporting of Unauthorized Disclosures. Report to Company, in writing and as soon as practicable, but in any event within five (5) business days after discovering or becoming aware of, any: (1) Use or Disclosure of PHI by Service Provider or any of its Subcontractors or agents that is not permitted by this BAA; (2) Successful Security Incident impacting Service Provider or any of its Subcontractors or agents; or (3) acquisition, access, use or disclosure of PHI in a manner not permitted by this BAA or 45 C.F.R. Part 164 Subpart E (the “Privacy Rule”), including but not limited to any Breach of Unsecured PHI (each an “Incident”), which report shall include all relevant details then known to Service Provider, and, as soon as practicable thereafter, but in any event within five (5) business days following the initial report, supplement the initial report with such information as necessary for Company to provide notification to affected Individuals, the Secretary, and the media, in accordance with 45 C.F.R. Part 164 Subpart D (the “Breach Notification Rule”) and/or other applicable laws and regulations;
j. Mitigation. Mitigate, to the extent practicable and at Service Provider’s sole cost, any known harmful effect of any Incident, whether caused by Service Provider or any of its agents or Subcontractors, and take immediate steps to prevent any such further Incident or violation, per 45 C.F.R. § 164.530(f);
k. Cooperation. Cooperate with Company in connection with any investigation, risk assessment and analysis, notification and mitigation activities undertaken by Company in response to any Incident; abide by Company’s decisions with respect to whether such Incident is a reportable Breach; and follow Company’s reasonable instructions regarding the response to such Incident;
l. Subcontractors. Ensure that Service Provider’s agents and Subcontractors that may access, create, receive, maintain, store, transmit, or otherwise use or disclose PHI for or on behalf of Service Provider enter into a written agreement with Service Provider pursuant to which such agent or Subcontractor agrees to abide by the restrictions, conditions, and obligations that apply to Service Provider under this BAA, in accordance with 45 C.F.R. §§ 164.308(b)(2) and 164.502(e)(1)(ii); provided, Service Provider shall be and remain liable to Company for any and all acts, errors, and omissions of such agents and Subcontractors as if they were Service Provider’s own acts, errors, and omissions, to the extent permitted by law;
m. No De-Identification. Not de-identify any PHI except as necessary to perform the Services and, in such case, Service Provider shall be prohibited from using or disclosing any such de-identified information for its own purposes without Company’s prior written consent;
n. No Remuneration. Not receive remuneration, directly or indirectly, in exchange for PHI, other than from or on behalf of Company as consideration for the Services rendered by Service Provider or as otherwise expressly permitted by the terms of the service agreement(s) in effect between Company and Service Provider governing the Services;
o. Subpoenas. Unless prohibited by applicable law or court order, notify Company in writing within three (3) business days following the receipt of any subpoena or comparable legal process served upon Service Provider (or any of its agents or Subcontractors) that relates to PHI;
p. Compliance with Privacy Rule. To the extent that Service Provider carries out any of Company’s obligations under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to Company in the performance thereof;
q. State Laws/Regulations. Comply with the requirements of applicable state laws, rules and regulations pertaining to the confidentiality, privacy, security, availability, right of access to, and retention of a natural person’s individually identifiable information;
r. Access to Books/Records. Make its internal policies, procedures, practices, books, and records pertaining to the safeguarding and Use/Disclosure of PHI available to the Secretary (or Company), in the time and manner as specified by the Secretary (or Company), for purposes of determining compliance with the HIPAA Rules;
s. Retention. Retain all documentation required by this BAA, the HIPAA Rules, and applicable state laws for the time periods required by the HIPAA Rules and applicable state laws, but in any case for no less than six (6) years following the expiration or termination of this BAA.
5. Reporting of Unsuccessful Security Incidents. The Parties acknowledge and agree that this BAA serves as written notice by Service Provider to Company that Unsuccessful Security Incidents may occur, from time to time, and that no further notice need be given by Service Provider to Company unless there is a Successful Security Incident, as required above in Section 4.i. Service Provider shall nevertheless maintain a reasonably detailed log documenting all Unsuccessful Security Incidents, to the extent known to Service Provider, and shall make a copy of such log available to Company promptly upon request.
6. Standard Transactions. To the extent that Service Provider conducts, in whole or in part, any Standard Transaction on behalf of Company, Service Provider shall comply, and will require its agents and Subcontractors involved with the conduct of such Standard Transaction (if any) to comply, with each applicable requirement of 45 C.F.R. Part 162 and any standards as may be mandated by applicable federal or state agencies. Service Provider will not enter into, or permit its agents or Subcontractors to enter into, any trading partner agreement in connection with the conduct of Standard Transactions that: (i) changes the definition, data condition, or use of a data element or segment in such Standard Transaction; (ii) adds any data element or segment to the maximum defined data set; (iii) uses any code or data element marked “not used” or that is not included in the Standard Transaction’s implementation specification; or (iv) changes the meaning or intent of the Standard Transaction’s implementation specification.
7. Costs of Notification. Service Provider shall, at the direction of Company, directly pay or reimburse the reasonable costs incurred by or on behalf of Company in response to any Incident caused by Service Provider or any of its agents or Subcontractors, including, without limitation: (a) the reasonable costs of providing notification to affected Individuals, the Secretary, the media, and/or other state or federal government agencies as may be required pursuant to 45 C.F.R. Part 164 Subpart D and/or other applicable law; (b) the reasonable costs associated with operation of a call center, for up to ninety (90) days, to handle inquiries/complaints regarding the Incident; and (c) the reasonable costs of providing affected Individuals with identity theft and/or credit monitoring services for up to twelve (12) months, if deemed appropriate by Company, in reasonable consultation with Service Provider, based on the nature and scope of the Incident.
8. Obligations of Company. Company shall: (a) promptly notify Service Provider of changes in or revocation of the permissions given by an Individual to use and/or disclose the Individual’s PHI, if such changes may affect Service Provider’s Use or Disclosure of PHI; and (b) not request Service Provider to use or disclose PHI in any manner that is not permitted under the HIPAA Rules if undertaken by Company.
9. Term and Termination. The terms and conditions contained in this BAA shall be effective as of the Effective Date and shall remain in full force and effect until the later of (a) expiration or termination of all contracts between Company and Service Provider that govern the Services or (b) when all PHI is either destroyed or returned to Company or, in the event that it is reasonably infeasible to return or destroy certain PHI, when protections are extended to such PHI as described in Section 10, below. Either Party may terminate this BAA and discontinue the Services, upon written notice to the other Party, if such Party determines, in its sole but reasonable discretion, that the other Party has violated a material provision of this BAA or the HIPAA Rules, which violation is not (or cannot be) cured and ended within a reasonable period of time, not to exceed thirty (30) days (the “Cure Period”), following its receipt of a written notice specifying the violation. Failure (or inability) of the breaching Party to satisfactorily cure such violation within the Cure Period shall be grounds for immediate termination of this BAA and discontinuation of the Services, subject to the provisions of Section 10, below.
10. Obligations Upon Termination. Upon termination of this BAA, Service Provider shall, at Company’s option, return or destroy all PHI in Service Provider’s possession, including in the possession of its Subcontractors and agents. In the event that Service Provider reasonably determines that the return or destruction of certain PHI is infeasible, Service Provider shall extend all of the protections, limitations, restrictions, reporting requirements, and other obligations set forth in this BAA to such PHI and shall limit all further Use and Disclosure of such PHI to those purposes that make its return or destruction infeasible for as long as Service Provider maintains such PHI. Furthermore, in the event it is infeasible for any agent or Subcontractor of Service Provider to return or destroy certain PHI, Service Provider shall require such agent or Subcontractor to extend all protections, limitations and restrictions set forth in this BAA to such PHI and to limit all further Use and Disclosure of such PHI to those purposes that make the PHI’s return or destruction infeasible for as long as such agent or Subcontractor maintains such PHI.
11. Indemnification. Service Provider shall indemnify, defend and hold harmless Company, its parents, subsidiaries, and affiliates, and its and their respective directors, officers, employees, contractors, agents and representatives from and against every claim, suit, action, cause of action, proceeding, demand, damage, loss, penalty, assessment, settlement, judgment, fine, cost, expense, including, but not limited to, reasonable attorneys’ fees, and other liability to the extent arising from or related to: (a) Service Provider’s breach of any representation, warranty, or covenant contained in this BAA; and/or (b) Service Provider’s or any of its agents’ or Subcontractors’ (i) violation of the HIPAA Rules or (ii) Use or Disclosure of PHI other than as permitted under this BAA (each a “Claim”).
12. General Provisions.
a. Entire Agreement. This BAA constitutes the entire agreement and understanding of the Parties concerning the subject matter hereof, and supersedes and replaces any and all prior and contemporaneous agreements and understandings of the Parties, written or oral, concerning the subject matter hereof. This BAA may not be supplemented, modified or amended, except in a separate writing as agreed to and signed by each Party hereto. The Parties hereby agree to take such action as is necessary to amend this BAA for compliance with the requirements of the HIPAA Rules as they are amended from time to time.
b. Reformation and Severability. If any provision of this BAA is found to be invalid or unenforceable by any court of competent jurisdiction, such court should reform such provision to such narrower scope as it determines to be valid and enforceable and, if such provision cannot be reformed as anticipated above, then such provision shall be deemed separate and severable and shall not invalidate or render unenforceable the remaining provisions hereof, the Parties’ intent being to effectuate this BAA to the fullest extent permitted by law.
c. Waiver. No waiver of any provision of this BAA shall be binding upon a Party unless consented to in writing by such Party. No waiver by either Party of any breach or provision of this BAA shall operate as, or be construed as, a waiver of any subsequent breach of this BAA or of any other provision contained in this BAA.
d. Assignability. Neither Party may assign or delegate, in whole or in part, this BAA or any rights or obligations provided for in this BAA, without the prior written consent of the other Party; provided, however, Company may assign this BAA to a successor in interest in the event of a merger, consolidation, combination or sale of all (or substantially all) of its assets or equity, upon prior written notice to (but without the consent of) Service Provider. Any assignment or delegation in contravention of this Section shall be void. This BAA is binding upon, and shall inure to the benefit of, the Parties hereto and to their respective successors and permitted assigns.
e. No Private Cause of Action/Third Party Beneficiaries. This BAA is not intended to, and does not, create a private cause of action by any individual, other than the Parties to this BAA, as a result of any claim arising out of the breach of this BAA, the HIPAA Rules or other state or federal law or regulation relating to patients’ health information. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the Parties hereto any rights, remedies, obligations, or liabilities whatsoever.
f. Ownership of PHI. The Parties acknowledge and agree that, as between the Parties, all PHI subject to this BAA shall at all times be and remain the property of Company.
g. Survival. The terms and conditions of this BAA which, by their express language or their nature and context, are intended to survive the expiration or termination of this BAA shall survive any such expiration or termination. Without limiting the generality of the foregoing, the following Sections of this BAA shall survive its expiration or termination: 7, 10, 11, 12, 13 and 14.
i. No HIPAA Agency Relationship. The Parties do not intend an agency relationship (as defined under the Federal common law of agency) to be established hereby, expressly or by implication, for purposes of liability under HIPAA. No terms or conditions contained in this BAA shall be construed to make or render either Party an agent of the other Party.