
Brevium HIPAA Business Associate Terms And Conditions

EXHIBIT B
Business Associate Agreement

The following Business Associate Agreement (referred to hereafter as the “HIPAA Agreement”) is part of the Brevium Software License and Consulting Agreement (the “Agreement”) to which this Exhibit B is attached, and capitalized terms not otherwise defined herein have the meanings set forth in the Agreement.  By signing the Agreement, the Customer and Brevium also agree to the terms set forth herein.

Pursuant to the Agreement, Brevium, its employees, subcontractors, agents and affiliates, if any (individually and collectively, the “Business Associate”) performs functions or activities on behalf of Customer involving the use and/or disclosure of PHI.  Customer is a covered entity under HIPAA and its implementing regulations.

  1. Definitions. For purposes of this HIPAA Agreement, the following terms shall have the designated meanings.  All other terms shall have the same meanings as in HIPAA or HITECH.
    1. “Administrative Safeguards” shall mean administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect Electronic PHI and to manage the conduct of the Business Associate’s workforce in relation to the protection of that information.
    2. “Breach” shall have the same meaning as provided in 45 C.F.R. 164.
    3. “Designated Record Set” shall have the same meaning provided in 45 C.F.R. §164.501(a).
    4. “Electronic PHI” shall have the same meaning provided in 45 C.F.R. § 160.103.
    5. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, and any amendments thereto.
    6. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
    7. “HITECH” shall mean the Health Information Technology for Economic and Clinical Health Act, which is Title XIII of the American Recovery and Reinvestment Act, and any amendments, regulations, rules and guidance issued thereto and the relevant dates for compliance.
    8. “Individually Identifiable Health Information” shall mean information that is a subset of health information, including genetic and demographic information collected from an individual, and is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and (i) identifies the individual, or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
    9. “Part 2 Patient” means any individual who has applied for or been given diagnosis, treatment, or referral for treatment for a substance use disorder at a Part 2 Program, including any individual who, after arrest on a criminal charge, is identified as an individual with a substance use disorder in order to determine that individual’s eligibility to participate in a Part 2 Program.
    10. “Part 2 Program” shall have the meaning given in applicable Public Health Act regulations at Title 42, Chapter I, Subchapter A, Part 2, Code of Federal Regulations, which includes (i) an individual or entity (other than a general medical facility) who holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or (ii) an identified unit within a general medical facility that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment, in either case if being carried out under a license, certification, registration, or other authorization granted by any department or agency of the United States including (A) a participating provider in the Medicare program; (B) authorization to conduct maintenance treatment or withdrawal management; or (C) registration to dispense a substance under the Controlled Substances Act to the extent the controlled substance is used in the treatment of substance use disorders.
    11. “Part 2 Program Records” means any information, whether recorded or not, created by, received, or acquired by a Part 2 Program relating to a Part 2 Patient (e.g., diagnosis, treatment and referral for treatment information, billing information, emails, voice mails, and texts) which (i) would identify a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person; (ii) contains drug abuse information or alcohol abuse information or information obtained for the purpose of treating a substance use disorder, making a diagnosis for that treatment, or making a referral for that treatment; or (iii) contains patient identifying information (the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient, as defined in this section, can be determined with reasonable accuracy either directly or by reference to other information).
    12. “Physical Safeguards” shall mean physical measures, policies and procedures to protect Business Associate’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
    13. “Privacy Standards” shall mean the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164.
    14. “Protected Health Information” or “PHI” shall have the meaning provided in 45 C.F.R. § 160.103, limited to the information created or received by the Business Associate from or on behalf of the Customer.
    15. “Secretary” shall mean the Secretary of the United States Department of Health and Human Services.
    16. “Security Incident” shall have the same meaning provided in 45 C.F.R. § 164.304.
    17. “Security Standards” shall mean the regulations with regard to security standards for health information, 45 C.F.R. Parts 160 and 164.
    18. “Technical Safeguards” shall mean the technology, and the policy and procedures for its use, which protects Electronic PHI and controls access to it.
    19. “Transaction Standards” shall mean the Standards for Electronic Transactions, 45 C.F.R. Parts 160 and 162.
    20. “Unsecured PHI” shall mean protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary under section 13402(h)(2) of Public Law 111-5.
  2. Compliance with Applicable Law. The parties acknowledge and agree that as of the Effective Date, Business Associate shall comply with its obligations under this HIPAA Agreement and with all obligations of a business associate under HIPAA, HITECH and other related laws and any implementing regulations, as they exist at the time this HIPAA Agreement is executed and as they are amended.  In addition, if Customer (or any component of Customer) is a Part 2 Program, Business Associate shall comply with its obligations under the Public Health Act and implementing regulations at Title 42, Chapter I, Subchapter A, Part 2, Code of Federal Regulations.
  3. Uses and Disclosures of PHI. Business Associate shall not, and shall ensure that its directors, officers, employees, and agents do not, use or disclose PHI received from Customer in any manner that is not permitted or required by the Agreement or required/permitted by law.  All uses and disclosures of and requests by Business Associate for PHI are subject to the minimum necessary rule of the Privacy Standards and shall be limited to the information contained in a limited data set, to the extent practical, unless additional information is needed to accomplish the intended purpose, or as otherwise permitted in accordance with Section 13405(b) of HITECH and any implementing regulations.  Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided: (a) the disclosures are required or permitted by law; or (b) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required/permitted by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances in which it is aware in which the confidentiality of the information has been breached.
  4. Required Safeguards to Protect PHI. Business Associate agrees that it will implement any and all necessary Administrative Safeguards, Physical Safeguards, Technical Safeguards or other safeguards, policies and procedures in accordance with the Privacy Standards, Security Standards and Transaction Standards, including, but not limited to, Subpart C of 45 C.F.R. Part 164, to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of the Agreement or as required/permitted by law.
  5. Notification in Case of Breach. In the event of an impermissible acquisition, access, use or disclosure of Unsecured PHI created or maintained by Business Associate, Business Associate shall determine if a Breach has occurred.  If Business Associate determines that a Breach of Unsecured PHI created or maintained by Business Associate has occurred, Business Associate shall notify Customer of such Breach, in accordance with Section 13402 of HITECH and 45 C.F.R. §164.410, without unreasonable delay and, in no case later than twenty (20) calendar days after discovery of the Breach.  Discovery of a Breach by Business Associate shall be deemed to have occurred as of the f