BUSINESS ASSOCIATE AGREEMENT -AMMENDED
Effective Date: ________________
|
“Customer”
or “Covered Entity”: Name: ____________________________________________________ Address: ____________________________________________________ City: Fax: ____________________________________________________ Attention: ____________________________________________________ |
“Business Associate”: Name: Quantum
Health Automation, Inc., an Address: Fax: (812) 468-8478 Attention: HIPAA CONTRACT ADMINISTRATOR |
This
Agreement is entered into by and between Customer and Business Associate (each
a “Party” and collectively the “Parties”) to set forth the terms and conditions
under which "protected health information", as defined by the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) and Regulations
enacted thereunder, created or received by
"Business Associate” on behalf of Customer may by used or disclosed.
This
Agreement shall commence on the “Effective Date” – or, if no date is entered,
the date this document is signed by Business Associate - and the obligations
herein shall continue in effect so long as Business Associate uses, discloses,
creates or otherwise possesses any protected health information created or
received on behalf of Customer and until all protected health information
created or received by Business Associate on behalf of Customer is destroyed or
returned to Customer pursuant to Paragraph 15 herein.
Definitions:
Privacy Rule.
“Privacy Rule” shall mean the Standards for Privacy of Individually
Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and
E (of the HIPAA regulations).
Protected Health Information. “Protected Health Information: shall have the
same meaning as the term “protected health information” in 45 CFR & 164.501 (of the HIPAA regulations),
limited to the information created or received by Business Associate from or on
behalf of Covered Entity.
Required By Law. “Required By Law” shall have the same meaning
as the term “required by law” in 45 CFR & 164.501 (of the HIPAA
regulations).
1)
Customer and Business Associate hereby agree that Business Associate shall be
permitted to use and/or disclose protected health information created or
received on behalf of Customer for the following purpose(s):
(i)
Health care claims or equivalent encounter information.
(ii)
Health care payment and remittance advice.
(iii)
Health care claim status.
(iv)
Eligibility for a health plan.
(v)
Health plan premium payments.
(vi)
Referral certification and authorization.
(vii)
Health claims attachments.
(viii)
Other transactions that the Secretary may prescribe by regulation.
1.1
Moreover, Business Associate may disclose Protected Health
Information for the purposes authorized by this Agreement including, but not
limited to, Section 1.2 below and Section 5 and 6 of this Agreement below.
(i)
to its employees; and
(ii)
subcontractors and agents
(iii)
as directed by the Customer
1.2 Business Associate may use and disclose
Protected Health Information for the proper management and administration of
the Business Associate, as provided in Business Associate’s then said
Electronic Claims and Transaction Service Agreement; and to provide data
aggregation/analysis services relating to the health care operations of the
Customer.
2.)
Business Associate may use and disclose protected health information created or
received by Business Associate on behalf of Customer if necessary for the proper management and
administration of Business Associate or to carry out Business Associate's legal
responsibilities, provided that any disclosure is:
a)
Required by law, or
b)
Business Associate obtains reasonable assurances from the person to
whom the protected health information is disclosed that (i)
the protected health information will be held confidentially and used or
further disclosed only as required by law or for the purpose for which it was
disclosed to the person; and (ii) the Business Associate will be notified of
any instances of which the person is aware in which the confidentiality of the
information is breached.
3.)
Business Associate hereby agrees to maintain the security and privacy of all
protected health information in a manner consistent with Indiana and federal
laws and regulations, including the Health Insurance Portability and
Accountability Act of 1996 ("HIPAA") and Regulations thereunder, and all other applicable law.
4.)
Business Associate further agrees not to use or disclose protected health
information except as expressly permitted by this Agreement, applicable law, or
for the purpose of managing Business Associate's own internal business
processes consistent with Paragraph 2 herein.
5.)
Business Associate shall not disclose protected health information to any
member of its workforce unless Business Associate has advised such person of
Business Associate's privacy and security obligations under this Agreement,
including the consequences for violation of such obligations. Business
Associate shall take appropriate disciplinary action against any member of its
workforce who uses or discloses protected health information in violations of
this Agreement and applicable law.
6.)
Business Associate shall not disclose protected health information created or
received by Business Associate on behalf of Customer to a person, including any
agent or subcontractor of Business Associate but not including a member of
Business Associate's own workforce, until such person agrees in writing to be
bound by the provisions of this Agreement and applicable Indiana or Federal
law.
7.)
Business Associate agrees to use appropriate safeguards to prevent use or
disclosure of protected health information not permitted by this Agreement or
applicable law.
8.)
Business Associate agrees to maintain a record of all disclosures of protected
health information, including disclosures not made for the purposes of this
Agreement. Such record shall include the date of the disclosure, the name and,
if known, the address of the recipient of the protected health information, the
name of the individual who is the subject of the protected health information,
a brief description of the protected health information disclosed, and the
purpose of the disclosure. Business Associate shall make such record available
to an individual who is the subject of such information or Customer within ten
(10) days of a request and shall include disclosures made on or after the date
which is six (6) years prior to the request or April 14, 2003, whichever is
later.
9.)
Business Associate agrees to report to Customer any unauthorized use or
disclosure of protected health information by Business Associate or its
workforce or subcontractors and the remedial action taken or proposed to be
taken with respect to such use or disclosure.
10.)
Business Associate agrees to make its internal practices, books, and records
relating to the use and disclosure of protected health information received
from Customer, or created or received by Business Associate on behalf of
Customer, available to the Secretary of the United States Department of Health
and Human Services, for purposes of determining the Covered Entity's compliance
with HIPAA.
11.)
Within thirty (30) days of a written request by Customer, Business Associate
shall allow a person who is the subject of protected health information, such
person's legal representative, or Customer to have access to and to copy such
person's protected health information maintained by Business Associate. Business
Associate shall provide protected health information in a feasible format
requested by such person, legal representative, or practitioner unless it is
not readily producible in such format, in which case it shall be produced in
standard hard copy format.
12.)
Business Associate and Customer agrees to amend,
pursuant to a request by Customer or Business Associate, protected health
information maintained and created or received by Business Associate on behalf
of Customer. Business Associate further
agrees to complete such amendment within thirty (30) days of a written request
by Customer, and to make such amendment as directed by Customer.
13.)
In the event Business Associate or Customer fails to perform the obligations
under this Agreement, Customer or Business Associate may, at its option:
a) Require Business Associate or Customer to submit to a plan of compliance, including monitoring by Customer or Business Associate and reporting by Business Associate or Customer, as Customer or Business Associate, in its sole discretion, determines necessary to maintain compliance with this Agreement and applicable law. Such plan shall be incorporated into this Agreement by amendment hereto; and
b) Business
Associate agrees to mitigate, to the extent reasonably practicable, any harmful
effect, that is known
to Business Associate, of a
use or disclosure of PHI by Business Associate in violation of this Agreement.
c)
Immediately discontinue providing protected health information to
Business Associate with or without written notice to Business Associate.
14.)
Customer or Business Associate may immediately terminate this Agreement and
related agreements if Customer or Business Associate determines that the
Business Associate or Customer has breached a material term of this Agreement.
Alternatively, Customer or Business Associate may choose to: (i)
provide Business Associate or Customer with ten (10) days written notice of the
existence of an alleged material breach; and (ii) afford the Business
Associate or Customer an opportunity to cure said alleged material breach to
the satisfaction of Customer or Business Associate within ten (10) days. The
Business Associate's or Customer’s failure to cure shall be grounds for
immediate determination of this Agreement.
Customer's and Business Associate’s remedies under this Agreement are
cumulative, and the exercise of any remedy shall not preclude the exercise of
any other.
15.)
Upon termination of this Agreement, Business Associate shall return or destroy
all protected health information received from Customer, or created or received
by Business Associate on behalf of Customer and that Business Associate
maintains in any form, and shall retain no copies of such information. If the
parties mutually agree that return or destruction of protected health
information is not feasible, Business Associate shall continue to maintain the
security and privacy of such protected health information in a manner
consistent with the obligations of this Agreement and as required by applicable
law, and shall limit further use of the information to those purposes that make
the return or destruction of the information infeasible. The duties hereunder
to maintain the security and privacy of protected health information shall
survive the discontinuance of this Agreement.
16.)
Customer or Business Associate may amend this Agreement by providing ten (10)
days prior written notice to Business Associate or Customer in order to
maintain compliance with Indiana or Federal law. Such amendment shall be binding
upon Business Associate or Customer at the end of the ten (10) day period and
shall not require the consent of Business Associate or Customer. Business Associate may elect to discontinue
the Agreement within the ten (10) day period, but Business Associate's duties
hereunder to maintain the security and privacy of PROTECTED HEALTH INFORMATION
shall survive such discontinuance. Customer and Business Associate may
otherwise amend this Agreement by mutual written agreement.
17.)
Force Majeure.
Neither party shall be liable to the other party for any interruption or
delay in fulfilling the party’s obligations under this Agreement if such
interruption or delay arises solely from causes beyond such party’s reasonable
control, including without limitation, acts of God, acts of any government, war
or other hostility, civil disorder, the elements, fire, explosion, power
failure, telecommunications service failure or interruption, equipment failure,
industrial or labor dispute, or inability to access necessary supplies.
18.)
The parties of this
Agreement agree that this agreement may be executed simultaneously or in two or
more counterparts, each of which shall be deemed an original, but all of which
together shall constitute one and the same instrument. The parties agree that this agreement may be
transmitted between them by facsimile machine and electronic mail. The parties intend that faxed signatures
constitute original signatures and are binding on the parties. The original document shall be promptly executed
and/or delivered, if requested.
19.) If any
controversy, dispute or claim arises between the Parties with respect to this
Agreement, each Party shall make good faith efforts to resolve such matters
informally.
20.) Business Associate is responsible for its own
compliance. Customer is responsible for its own HIPAA Compliance.
21.) Notices, changes in address or contact
information shall be made via U.S. Mail, express couriers, facsimile to each
parties information listed above on this Agreement.
22.) The parties acknowledge that their obligations
hereunder may be subject to regulation under federal, state and local
laws. Each party agrees that it will at
all times conform its actions to all applicable legal
requirements and will, to the extent commercially reasonable, assist the other
in compliance with such requirements.
Each party acknowledges that it has read this Agreement, understands it,
and agrees to be bound by its terms and further agrees that it is the complete
and exclusive statement of the Agreement between the parties, which supersedes
and merges all prior proposals, understandings and all other commercial claims
agreements, oral and written, between the parties relating to this
Agreement. This Agreement and
performance hereunder shall be governed by and construed in accordance with the
internal laws of the State of
IN WITNESS
WHEREOF, the undersigned have duly executed THIS AGREEMENT as of the date first
above written as Effective Date.
CUSTOMER QUANTUM
HEALTH AUTOMATION, INC.
By: ____________________________________ By:
___________________________________
Name:
__________________________________ Name:
_________________________________
Title: ___________________________________ Title: __________________________________
Date: ___________________________________ Date: __________________________________