/Docs/G/MI-Business-Associate-Agt-CmA/0.md
Ti = BUSINESS ASSOCIATE AGREEMENT
0.sec = This Business Associate Agreement (the “Agreement”) is entered into as of %[____, 20__]% (the “Effective Date”), by and between (“Covered Entity”) and %BUSINESS-ASSOCIATE% (“Business Associate”). Covered Entity and Business Associate may each be referred to herein, individually, as a “Party” and, collectively, as the “Parties.”
1.Ti = INTRODUCTION
1.1.sec = This Agreement supplements and is made a part of that certain [insert agreement name] entered into by and among the Parties on [insert effective date of underlying agreement] (the “Underlying Agreement”).
1.2.sec = Business Associate provides services to Covered Entity pursuant to the Underlying Agreement. Covered Entity may wish to disclose Protected Health Information (“PHI”) (as that term is defined below), including Electronic Protected Health Information (“ePHI”), to Business Associate pursuant to the terms of the Underlying Agreement and this Agreement.
1.3.sec = Covered Entity and Business Associate enter into this Agreement to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, including the privacy, security, breach notification and enforcement rules at 45 C.F.R. Parts 160, 162 and 164, as well as the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (“HITECH”), as amended, and other applicable federal and state laws (collectively, the “HIPAA Rules”).
1.4.sec = This Agreement is intended to ensure that Business Associate will establish and implement appropriate safeguards for Protected Health Information that Business Associate may receive, create, maintain, use or disclose in connection with certain functions, activities and services that Business Associate performs for Covered Entity pursuant to the terms of the Underlying Agreement.
1. = [G/Z/ol/s4]
2.Ti = DEFINITIONS
2.1.sec = Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules, which definitions are incorporated in this Agreement by reference.
2.2.0.sec = For purposes of this Agreement:
2.2.1.sec = “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402.
2.2.2.sec = “Designated Record Set” shall have the meaning given to such term in 45 C.F.R. § 164.501.
2.2.3.sec = “Electronic Protected Health Information” or “ePHI” shall mean PHI transmitted by or maintained in Electronic Media, as defined in 45 C.F.R. § 160.103.
2.2.4.sec = “Individual” shall have the same meaning given to such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
2.2.5.sec = “Protected Health Information” or “PHI” shall have the meaning given to such term in 45 C.F.R. § 160.103, limited to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity. PHI includes, without limitation, ePHI.
2.2.6.sec = “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information published in 45 C.F.R. Parts 160 and 164, Subparts A and E.
2.2.7.sec = “Required by Law” shall have the meaning given to such term in 45 C.F.R. § 164.103.
2.2.8.sec = “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
2.2.9.sec = “Security Incident” shall have the meaning given to such term under the Security Rule at 45 C.F.R. § 164.304.
2.2.10.sec = “Security Rule” shall mean the Security Standards at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
2.2.11.sec = “Subcontractor” shall have the meaning given to such term in 45 C.F.R. § 160.103.
2.2.12.sec = “Unsecured protected health information” shall have the meaning given to such term in 45 C.F.R. § 164.402.
2.2. = [G/Z/paras/s12]
2. = [G/Z/ol/s2]
3.Ti = GENERAL OBLIGATIONS OF BUSINESS ASSOCIATE
3.1.Ti = Use and Disclosure.
3.1.sec = Business Associate agrees not to use or disclose PHI, other than as permitted or required by this Agreement or as Required By Law. To the extent Business Associate is carrying out one or more of Covered Entity's obligations under the Privacy Rule pursuant to the terms of the Underlying Agreement and/or this Agreement, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation(s).
3.2.Ti = Appropriate Safeguards.
3.2.sec = Business Associate shall use appropriate physical, technical and administrative safeguards, and shall comply with the Security Rule with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement or as Required by Law. Encryption. Business Associate must encrypt all PHI stored in or transmitted using the Services in accordance with the Secretary of HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html, as it may be updated from time to time, and as may be made available on any successor or related site designated by HHS.
3.3.Ti = Compliance.
3.3.sec = Business Associate shall comply with each applicable requirement of 45 C.F.R. Part 162 if Business Associate conducts Standard Transactions for or on behalf of Covered Entity.
3.4.Ti = Mitigation.
3.4.sec = Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate as a result of a use or disclosure of PHI by Business Associate in violation of this Agreement's requirements.
3.5.Ti = Breaching.
3.5.sec = Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted under this Agreement, including Breach of Unsecured PHI or Security Incident, without unreasonable delay.
3.6.Ti = Reporting of Breaches.
3.6.sec = Business Associate will report any Breach of Unsecured PHI that Business Associate may discover to the extent required by 45 C.F.R. § 164.410. Business Associate will make such report without unreasonable delay, and in no case later than 60 calendar days after discovery of such Breach.
3.7.Ti = Reporting of Security Incidents.
3.7.sec = Business Associate will report on no less than a quarterly basis any Security Incidents involving PHI of which Business Associate becomes aware in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.
3.8.Ti = Notification.
3.8.sec = Business Associate's notification shall be supplemented as soon as practicable, and will include, as information becomes available: (i) a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; (ii) to the extent possible, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; (iii) a description of the types of Unsecured PHI that were involved in the Breach, (iv) any steps individuals should take to protect themselves from potential harm resulting from the Breach; and (v) a brief description of what the Business Associate is doing to investigate the breach, mitigate harm to individuals, and protect against any further Breaches.
3.9.Ti = Acknowledgment.
3.9.sec = The Parties acknowledge and agree that this Section 3.9 constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no further notice to Covered Entity by Business Associate shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, interception of encrypted information where the key is not compromised, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
3.10.Ti = Subcontractors.
3.10.sec = Business Associate shall require any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate for services provided to Covered Entity, to agree, in writing, to restrictions, conditions and requirements at least as restrictive as those restrictions, conditions and requirements that apply to the Business Associate under this Agreement.
3.11.Ti = Access to PHI.
3.11.sec = Within fifteen (15) days of receiving a written request from Covered Entity, Business Associate shall provide access to PHI in a Designated Record Set to the Covered Entity in accordance with 45 C.F.R. § 164.524. If an Individual makes a request for access directly to Business Associate, or inquires about his or her right to access, Business Associate shall forward it to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
3.12.Ti = Amendment of PHI.
3.12.sec = Within fifteen (15) days of receiving a written request from Covered Entity, Business Associate shall make PHI contained in a Designated Record Set available to Covered Entity for amendment pursuant to 45 C.F.R. § 164.526. If an Individual makes a request for amendment directly to Business Associate, or inquires about his or her right to access, Business Associate shall forward the request or inquiry to Covered Entity. Any response to such request or inquiry shall be the responsibility of Covered Entity.
3.13.Ti = Accounting of Disclosures.
3.13.sec = Within fifteen (15) days of receiving a written request from Covered Entity, Business Associate shall provide to Covered Entity information collected in accordance with Section 3.15 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. If any Individual requests an accounting of disclosures of PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity. Any response to such request shall be the responsibility of Covered Entity.
3.14.Ti = Access to Policies and Records.
3.14.sec = Business Associate agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity, or created or received by the Business Associate on behalf of Covered Entity, available to the Secretary for the purpose of Covered Entity or the Secretary determining compliance with the HIPAA Rules.
3.15.Ti = Documentation of Disclosures.
3.15.sec = Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate shall account for PHI disclosures for up to the past six (6) years as requested by Covered Entity, which shall include (“Disclosure Information”): (i) the date of the disclosure, (ii) the name and, if known, the address of the recipient of the PHI, (iii) a brief description of the PHI disclosed, (iv) a brief statement of the purpose of and basis for the disclosure, and (v) any additional information Required by Law.
3. = [G/Z/ol/15]
4.Ti = PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
4.1.Ti = General Uses and Disclosures.
4.1.sec = Business Associate agrees to receive, create, use or disclose PHI only as permitted by this Agreement and the HIPAA Rules, and only in connection with providing services to Covered Entity pursuant to the terms of the Underlying Agreement; provided, however, that such use or disclosure of PHI would not violate the Privacy Rule if done by Covered Entity, except for the specific uses and disclosures set forth in this Article 4.
4.2.Ti = As Required By Law.
4.2.sec = Business Associate may use or disclose PHI as Required By Law.
4.3.Ti = General.
4.3.0.sec = Except as otherwise provided in this Agreement, Business Associate may:
4.3.1.sec = Use PHI for the proper management and administration of Business Associate, or to carry out its legal responsibilities.
4.3.2.sec = Make available PHI in accordance with the individual’s rights as required under the HIPAA regulations, incorporate any amendments or corrections to PHI when notified by Customer, or enter into a Business Associate Agreement or other necessary agreements to comply with HIPAA.
4.3.3.sec = Use PHI to provide Data Aggregation Services to Covered Entity as permitted under the HIPAA Rules.
4.3.4.sec = De-Identified Data. Notwithstanding the provisions of this Agreement, Business Associate and its subcontractors may disclose non-personally identifiable information provided that the disclosed information does not include a key or other mechanism that would enable the information to be identified in accordance with 45 C.F.R. § 164.514(a)-(c) and Covered Entity is informed.
4.4.Ti = Term.
4.4.sec = This Article 4 of the Agreement shall survive the termination or expiration of the Underlying Agreement or the Agreement.
4.3. = [G/Z/ol/s4]
4. = [G/Z/ol/4]
5.Ti = OBLIGATIONS OF COVERED ENTITY
5.1.Ti = Limitation, Restriction, and Permission.
5.1.0.sec = Covered Entity shall:
5.1.1.sec = Promptly notify Business Associate, in writing, of any limitation(s) in its Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.
5.1.2.sec = Promptly notify Business Associate, in writing, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
5.1.3.sec = Promptly notify Business Associate, in writing, of any changes in or revocation of permission by an individual to use or disclose his or her PHI, to the extent that such change or revocation may affect Business Associate's permitted or required uses and disclosures of PHI.
5.2.Ti = Permissible Use.
5.2.sec = Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
5.3.Ti = Required Patient Authorizations or Consents.
5.3.sec = Covered Entity shall obtain and maintain any patient authorizations or consents that may be required under state or federal law in order to transmit PHI to Business Associate and to enable Business Associate to use and disclose PHI as contemplated by the Underlying Agreement and this Agreement.
5.4.Ti = Survival.
5.4.sec = This Article 5 of the Agreement shall survive the termination or expiration of the Underlying Agreement or the Agreement.
5.1. = [G/Z/ol/s3]
5. = [G/Z/ol/4]
6.Ti = TERM AND TERMINATION.
6.1.Ti = Term.
6.1.0.sec = This Agreement shall be in effect as of the Effective Date and shall terminate on the earlier of the date that:
6.1.1.sec = Either Party terminates for cause as authorized under Section 6.2.
6.1.2.sec = All PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity. If it is determined to be infeasible to return or destroy PHI, protections are extended to such information in accordance with Section 6.3.
6.2.Ti = Termination for Cause.
6.2.sec = Notwithstanding any other provision under the Agreement, and in accordance with HIPAA, each Party agrees that this Agreement may be terminated by the other Party without penalty should the Party reasonably determine that the other Party has materially breached an obligation under HIPAA and that continued performance of the Party's obligations under the Underlying Agreement and/or this Agreement would constitute further violation of HIPAA; provided, however, that the Party alleging a material breach must (i) provide the other Party with ten (10) days' written notice of the existence of an alleged material breach and (ii) afford the Party an opportunity to cure said alleged material breach upon mutually agreeable terms. Nonetheless, in the event that mutually agreeable terms cannot be achieved within thirty (30) days, the breaching Party must cure said breach to the reasonable satisfaction of the other Party within ten (10) days following the expiration of the thirty (30) day negotiation period. Failure to cure in the manner set forth in this paragraph is grounds for the immediate termination of this Agreement. Alternatively, Covered Entity may give written notice to Business Associate in the event of a breach and give Business Associate five (5) business days to cure such breach.
6.3.Ti = Obligations of Business Associate Upon Termination.
6.3.0.sec = Upon termination of this Agreement for any reason, Business Associate shall:
6.3.1.sec = Return or Destruction of Protected Health Information upon Termination. Upon the termination of this Agreement, unless otherwise directed by Covered Entity, Business Associate shall either return or destroy all PHI received from the Covered Entity or created or received by Business Associate on behalf of the Covered Entity that Business Associate maintains in any form. Business Associate shall not retain any copies of such PHI. Notwithstanding the foregoing, in the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible upon termination of this Agreement, Business Associate shall provide to Covered Entity notification of the condition that makes return or destruction infeasible. To the extent that it is not feasible for Business Associate to return or destroy such PHI, the terms and provisions of this Agreement shall survive such termination or expiration and such PHI shall be used or disclosed solely as permitted by law for so long as Business Associate maintains such Protected Health Information;
6.3.2.sec = Retain only that PHI that is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
6.3.3.sec = Return to Covered Entity or, if agreed to by Covered Entity in writing, destroy the remaining PHI that the Business Associate still maintains in any form;
6.3.4.sec = Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities;
6.3.5.sec = Should the return or destruction of the PHI be determined by Business Associate, in its sole discretion, to be infeasible, the Parties hereby agree that the terms of this Agreement shall extend to such PHI until otherwise indicated by Covered Entity, and any further use or disclosure of the PHI by Business Associate shall be limited to that purpose which renders the return or destruction of the PHI infeasible.
6.4.Ti = Survival.
6.4.sec = This Article 6 of the Agreement shall survive the termination or expiration of the Underlying Agreement or the Agreement.
6.1. = [G/Z/ol/s2]
6.3. = [G/Z/ol/s5]
6. = [G/Z/ol/4]
7.Ti = MISCELLANEOUS.
7.1.Ti = Limited Liability.
7.1.sec = In no event shall Business Associate be liable to Covered Entity for any losses or costs of Covered Entity for any matters relating to its obligations as a Covered Entity under HIPAA, including, without limitation, any lost reimbursement or revenues or lost profits, or special, incidental, punitive or consequential damages. Furthermore, in no event shall Business Associate's liability to Covered Entity under any circumstances exceed the amount of compensation actually received by Business Associate from Covered Entity under the Underlying Agreement. This Section 7.1 of the Agreement shall survive the termination or expiration of the Underlying Agreement or the Agreement.
7.2.Ti = Indemnification.
7.2.sec = Covered Entity shall indemnify, defend and hold harmless Business Associate and its owners, officers, employees, subcontractors and agents, from and against any and all third party claims, liability, suits, losses, damages and judgments, joint or several, and shall pay all costs and expenses, including counsel's fees and expenses, as they are incurred in connection with the investigation of, preparation for or defense of any pending or threatened claim or any action or proceeding arising therefrom that (a) Business Associate incurs as a result of having performed services on behalf of Covered Entity under the Underlying Agreement or this Agreement or (b) arise from or are based upon any violation of this Agreement and/or HIPAA by Covered Entity or any of its owners, officers, employees, subcontractors or agents. This Section 7.2 of the Agreement shall survive the termination or expiration of the Underlying Agreement or the Agreement.
7.3.Ti = Amendment.
7.3.sec = The Parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to ensure compliance with such developments. The Parties agree to take such action as is necessary to comply with the standards and requirements of the HIPAA Rules and any other applicable laws and regulations relating to the security or confidentiality of the PHI. Upon either Party’s request, the other Party agrees to promptly enter into good faith negotiations concerning the terms of an amendment to this Agreement.
7.4.Ti = Survival.
7.4.sec = The respective rights and obligations of the Parties under Articles 4, 5 and 6 and Sections 7.1, 7.2 and 7.10 shall survive the expiration or termination of this Agreement.
7.5.Ti = Regulatory References.
7.5.sec = A reference in this Agreement to a section of the HIPAA Rules means the section as in effect or amended.
7.6.Ti = Interpretation.
7.6.0.sec = This Agreement shall be interpreted in the following manner:
7.6.1.sec = Any ambiguity shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Rules.
7.6.2.sec = Any inconsistency between the Agreement provisions and the HIPAA Rules, including all amendments, shall be interpreted to permit compliance with the HIPAA Rules.
7.6.3.sec = Any provision of this Agreement that differs from those mandated by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this Agreement.
7.7.Ti = Entire Agreement, Severability.
7.7.sec = This Agreement constitutes the entire agreement between the Parties related to the subject matter of this Agreement, except to the extent that the Underlying Agreement imposes more stringent requirements related to the use and protection of PHI. This Agreement supersedes all previous and contemporaneous oral and written negotiations, commitments, and understandings relating thereto. This Agreement may not be modified unless done so in writing and signed by a duly authorized representative of both Parties. If any provision of this Agreement, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
7.8.Ti = Assignment.
7.8.sec = This Agreement will be binding on the successors and assigns of Covered Entity and Business Associate.
7.9.Ti = No Third Party Beneficiaries.
7.9.sec = The parties agree that the terms of this Agreement shall apply only to themselves and are not for the benefit of any third party beneficiaries.
7.10.Ti = Intellectual Property.
7.10.sec = All intellectual property, including, without limitation, products relating to Business Associate's business, is the property of Business Associate, and Covered Entity shall not be allowed to possess or use such intellectual property except as authorized under the terms of the Underlying Agreement or this Agreement. Covered Entity's right to use Business Associate’s intellectual property in accordance with the terms of the Underlying Agreement and, as applicable, this Agreement, shall expire upon the termination of the Underlying Agreement and Provider shall not have any further right to use such intellectual property. This Section 7.10 of the Agreement shall survive the termination or expiration of the Underlying Agreement or the Agreement.
7.11.Ti = Multiple Counterparts.
7.11.sec = This Agreement may be executed in two or more counterparts, each of which shall be deemed an original.
7.12.Ti = Interpretation.
7.12.sec = Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the then most current version of HIPAA and the HIPAA privacy regulations.
7.13.Ti = Governing Law.
7.13.sec = This Agreement shall be governed by and construed in accordance with the internal laws (and not the law of conflicts) of California, USA.
7.14.Ti = Arbitration Clause.
7.14.sec = ANY CONTROVERSY OR CLAIM ARISING OUT OF OR RELATING TO THIS CONTRACT, OR THE BREACH THEREOF, SHALL BE SETTLED BY ARBITRATION ADMINISTERED BY THE AMERICAN ARBITRATION ASSOCIATION OR THE AMERICAN HEALTH LAWYERS ASSOCIATION ALTERNATIVE DISPUTE RESOLUTION SERVICE UNDER ITS COMMERCIAL ARBITRATION RULES; HEALTHCARE PAYOR PROVIDER RULES; OR THE RULES OF PROCEDURE FOR ARBITRATION BY THE AMERICAN HEALTH LAWYERS ASSOCIATION. THE NUMBER OF ARBITRATORS SHALL BE ONE. THE PLACE OF ARBITRATION SHALL BE SAN FRANCISCO, CALIFORNIA. CALIFORNIA LAW SHALL APPLY. JUDGMENT ON THE AWARD RENDERED BY THE ARBITRATOR(S) MAY BE ENTERED IN ANY COURT HAVING JURISDICTION THEREOF.
7.6. = [G/Z/ol/s3]
7. = [G/Z/ol/14]
= [G/AgtForm/US/0.md]
= [G/Z/ol/7]