LindaCare Business Associate Agreement

Whereas, 

 

(A)    LindaCare and the Provider have entered into a service agreement which includes the processing of personal health information (hereafter referred to as PHI);

 

(B)    pursuant to the Health Insurance Portability and Accountability Act of 1996 (hereafter referred to as HIPAA), the Health Information Technology for Economic and Clinical Health Act (hereafter referred to as HITECH) and the Privacy Rule, the security rule, the enforcement and the breach notification rule as issued by the Department of Health and Human Services (hereafter referred to as HHS), parties are required to enter into an agreement to detail the use and disclosure of personal health information;

 

(C)    parties hereby wish to enter into a Business Associate Agreement (hereafter referred to as a BAA) to define their obligations and detail the use and disclosure of PHI.

        

The following has been agreed

 

1.      Definitions

 

with regards to the Business Associate Agreement, the following words shall have the following meanings:

 

a)      a Business Associate means a person or organization that (i) performs, or assists in the performance of, a function or activity on behalf of the Provider, involving the use or disclosure of PHI, as defined herein, including, without limitation, claims processing or administration, data analysis, processing or administration, utilisation review, quality assurance, billing, benefit management, practice management and repricing; or (ii) provides legal, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for the Provider, where provision of the services involves the use or disclosure of PHI. Business Associate includes a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a Business Associate. A Business Associate does not include a member of the Provider workforce in his/her capacity as a member of such workforce;

 

b)     a Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. Breach shall not include:

 

·       any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of LindaCare, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule; or

·       any inadvertent disclosure by a person who is authorized to access PHI at LindaCare to another person authorized to access PHI at LindaCare, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule; or

 

·       a disclosure of PHI where LindaCare has good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information;

 

c)      a Covered Entity means a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a standard transaction;

 

d)     a Protected Health Information means information, including demographic information, that (1) relates to (i) a past, present, or future physical or mental health or condition; (ii) the past, present, or future provision of health care; or (iii) the past, present, or future payment for the provision of health care; and (2) identifies the person who is the subject of the information or with respect to which there is a reasonable basis to believe the information can be used to identify such person. PHI is limited to the information created or received (directly or indirectly) by LindaCare from or on behalf of the Provider;

 

e)      a Subcontractor means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate;

 

2.      Applicability

 

with regards to the applicability, the BAA will apply when the Provider is acting as a Covered Entity or Business Associate to create, receive, maintain or transmit PHI where LindaCare is a Business Associate or Subcontractor of the Provider;

 

3.      Term

 

with regards to the duration, this agreement shall take effect from the date mentioned below and shall remain in place until the expiration or termination of the Service Agreement;

 

4.      Scope of use and disclosure of PHI

 

with regards to the scope of use and disclosure parties have agreed that

 

a)      PHI shall only be used or disclosed as permitted by this BAA, the Services Agreement or as required by law;

b)     PHI may only be used or disclosed to a party not privy to this agreement, after a written assurance that PHI shall be kept confidential and used or disclosed solely for the purpose for which it was collected in accordance with all legal requirements;

c)      LindaCare may create de-identified information of PHI for purely administrative in accordance with standards provided in HIPAA;

 

5.      LindaCare’s obligations

 

with regards to LindaCare’s obligations, LindaCare commits to

 

a)      put in place appropriate organizational, technical and physical safeguards to prevent unauthorized use and disclosure of PHI as required by HIPAA;

b)     notify the Provider of any restriction, change or revocation that may affect the Provider’s permission or requirement for use and disclosure of PHI;

c)      not request the Provider, if the Provider is a Business Associate, to use or disclose PHI in a manner inconsistent with the rules under HIPAA;

 

6.      Provider’s obligations

 

with regards to the Provider’s obligations, the Provider commits to

 

a)      put in place appropriate organizational, technical and physical safeguards to prevent unauthorized use and disclosure of PHI as required by HIPAA;

b)     warrant that it will obtain consent, authorization and other legal permission required under HIPAA and any other applicable laws that govern the use and disclosure of PHI;

c)      promptly notify LindaCare if there are any changes, revocations of permission by an individual to use or disclose his or her PHI that may affect the performance of the agreement;

 

7.      Subcontractors

 

with regards to subcontractors, LindaCare or the Provider (when the Provider is a Business Associate) shall ensure that subcontractors engage in performing specific duties in accordance with the same restrictions, conditions and requirements required under this agreement;

 

8.      Minimization

 

with regards to minimization, LindaCare and the Provider, where the Provider is a Business Associate, agree to limit requests, uses or disclosures of PHI to the minimum necessary to achieve the intended purpose;

 

9.      Termination

 

with regards to termination, either party may terminate this agreement where there is a material breach of any provision of this agreement and the offending party fails to cure the breach within eight days of notice of breach, or the breach cannot reasonably be expected to be cured;

 

10.   Obligations after Termination

 

with regards to the obligations after termination LindaCare or the Provider, where the Provider is a Business Associate, shall

 

a)      return or destroy all PHI received due to the performance of the agreement;

b)     continue to use appropriate safeguards and prevent further use or disclosure of the PHI;

 

11.   Reporting of unauthorized disclosures

 

with regards to the reporting of unauthorized disclosures, LindaCare or the Provider, where the Provider is a Business Associate, shall promptly notify the Provider upon the discovery of any security incident, no less than 15 days after notice of the breach and in accordance with the HIPAA requirement;

 

12.   Mitigation

 

With regards to mitigation, the parties agree to take all reasonable steps to mitigate the effect of any harm caused by the use or disclosure of PHI in violation of the agreement or requirement set out by HIPAA;

 

13.   Access and Amendments

 

with regards to the rights of access and amendments, LindaCare shall provide access to the Provider’s PHI, where the Provider is a Covered Entity, to ensure that the Provider is able to meet all requirements under HIPAA; if an individual requests an accounting of disclosures of PHI directly from LindaCare or the Provider, where the Provider is a Business Associate, such request shall be forwarded to the Covered Entity and any response to such request shall be the responsibility of the Covered Entity.

 

14.   Disclosure

 

With regards to the disclosure, LindaCare shall document all disclosures of PHI by LindaCare and provide an account of all such disclosures to the Provider to the extent and manner required by a Business Associate under the HIPAA regulation;

 

15.   General Provisions

 

with regards to the general provisions, this agreement represents the entire agreement between both parties, all other prior agreements whether oral or written relating to the use and disclosure of PHI in the performance of a service shall be superseded by this agreement; the agreement may only be modified when done in writing and signed by the authorized representatives of both parties; this Agreement may not be assigned, in whole or in part, to a third party without the written consent of LindaCare; any ambiguity shall be resolved in favor of compliance with HIPAA requirements; this agreement may be executed in two or more counterparts, each of which shall be deemed an original; if any provision of this agreement, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.