Brevium HIPAA Business Associate Terms And Conditions
EXHIBIT B
Business Associate Agreement
The following Business Associate Agreement (referred to hereafter as the “HIPAA Agreement”) is part of the Brevium Software License and Consulting Agreement (the “Agreement”) to which this Exhibit B is attached, and capitalized terms not otherwise defined herein have the meanings set forth in the Agreement. By signing the Agreement, the Customer and Brevium also agree to the terms set forth herein.
Pursuant to the Agreement, Brevium, its employees, subcontractors, agents and affiliates, if any (individually and collectively, the “Business Associate”) performs functions or activities on behalf of Customer involving the use and/or disclosure of PHI. Customer is a covered entity under HIPAA and its implementing regulations.
- Definitions. For purposes of this HIPAA Agreement, the following terms shall have the designated meanings. All other terms shall have the same meanings as in HIPAA or HITECH.
- “Administrative Safeguards” shall mean administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect Electronic PHI and to manage the conduct of the Business Associate’s workforce in relation to the protection of that information.
- “Breach” shall have the same meaning as provided in 45 C.F.R. § 164.402.
- “Designated Record Set” shall have the same meaning provided in 45 C.F.R. § 164.501.
- “Electronic PHI” shall have the same meaning provided in 45 C.F.R. § 160.103.
- “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, and any amendments thereto.
- “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
- “HITECH” shall mean the Health Information Technology for Economic and Clinical Health Act, which is Title XIII of the American Recovery and Reinvestment Act, and any amendments, regulations, rules and guidance issued thereto and the relevant dates for compliance.
- “Individually Identifiable Health Information” shall mean information that is a subset of health information, including genetic and demographic information collected from an individual, and is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and (i) identifies the individual, or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
- “Part 2 Patient” means any individual who has applied for or been given diagnosis, treatment, or referral for treatment for a substance use disorder at a Part 2 Program, including any individual who, after arrest on a criminal charge, is identified as an individual with a substance use disorder in order to determine that individual’s eligibility to participate in a Part 2 Program.
- “Part 2 Program” shall have the meaning given in applicable Public Health Act regulations at Title 42, Chapter I, Subchapter A, Part 2, Code of Federal Regulations, which includes (i) an individual or entity (other than a general medical facility) who holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment; or (ii) an identified unit within a general medical facility that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment, in either case if being carried out under a license, certification, registration, or other authorization granted by any department or agency of the United States including (A) a participating provider in the Medicare program; (B) authorization to conduct maintenance treatment or withdrawal management; or (C) registration to dispense a substance under the Controlled Substances Act to the extent the controlled substance is used in the treatment of substance use disorders.
- “Part 2 Program Records” means any information, whether recorded or not, created by, received, or acquired by a Part 2 Program relating to a Part 2 Patient (e.g., diagnosis, treatment and referral for treatment information, billing information, emails, voice mails, and texts) which (i) would identify a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person; (ii) contains drug abuse information or alcohol abuse information or information obtained for the purpose of treating a substance use disorder, making a diagnosis for that treatment, or making a referral for that treatment; or (iii) contains patient identifying information (the name, address, social security number, fingerprints, photograph, or similar information by which the identity of a patient, as defined in this section, can be determined with reasonable accuracy either directly or by reference to other information).
- “Physical Safeguards” shall mean physical measures, policies and procedures to protect Business Associate’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
- “Privacy Standards” shall mean the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164.
- “Protected Health Information” or “PHI” shall have the meaning provided in 45 C.F.R. § 160.103, limited to the information created or received by the Business Associate from or on behalf of the Customer.
- “Secretary” shall mean the Secretary of the United States Department of Health and Human Services.
- “Security Incident” shall have the same meaning provided in 45 C.F.R. § 164.304.
- “Security Standards” shall mean the regulations with regard to security standards for health information, 45 C.F.R. Parts 160 and 164.
- “Technical Safeguards” shall mean the technology, and the policy and procedures for its use, which protects Electronic PHI and controls access to it.
- “Transaction Standards” shall mean the Standards for Electronic Transactions, 45 C.F.R. Parts 160 and 162.
- “Unsecured PHI” shall mean protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary under section 13402(h)(2) of Public Law 111-5.
- Compliance with Applicable Law. The parties acknowledge and agree that as of the Effective Date, Business Associate shall comply with its obligations under this HIPAA Agreement and with all obligations of a business associate under HIPAA, HITECH and other related laws and any implementing regulations, as they exist at the time this HIPAA Agreement is executed and as they are amended. In addition, if Customer (or any component of Customer) is a Part 2 Program, Business Associate shall comply with its obligations under the Public Health Act and implementing regulations at Title 42, Chapter I, Subchapter A, Part 2, Code of Federal Regulations.
- Uses and Disclosures of PHI. Business Associate shall not, and shall ensure that its directors, officers, employees, and agents do not, use or disclose PHI received from Customer in any manner that is not permitted or required by the Agreement or required/permitted by law. All uses and disclosures of and requests by Business Associate for PHI are subject to the minimum necessary rule of the Privacy Standards and shall be limited to the information contained in a limited data set, to the extent practical, unless additional information is needed to accomplish the intended purpose, or as otherwise permitted in accordance with Section 13405(b) of HITECH and any implementing regulations. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided: (a) the disclosures are required or permitted by law; or (b) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required/permitted by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances in which it is aware in which the confidentiality of the information has been breached.
- Required Safeguards to Protect PHI. Business Associate agrees that it will implement any and all necessary Administrative Safeguards, Physical Safeguards, Technical Safeguards or other safeguards, policies and procedures in accordance with the Privacy Standards, Security Standards and Transaction Standards, including, but not limited to, Subpart C of 45 C.F.R. Part 164, to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of the Agreement or as required/permitted by law.
- Notification in Case of Breach. In the event of an impermissible acquisition, access, use or disclosure of Unsecured PHI created or maintained by Business Associate, Business Associate shall determine if a Breach has occurred. If Business Associate determines that a Breach of Unsecured PHI created or maintained by Business Associate has occurred, Business Associate shall notify Customer of such Breach, in accordance with Section 13402 of HITECH and 45 C.F.R. §164.410, without unreasonable delay and, in no case later than twenty (20) calendar days after discovery of the Breach. Discovery of a Breach by Business Associate shall be deemed to have occurred as of the first day on which such a Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known, or, by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is a workforce member or agent of Business Associate.
- Part 2 Programs (Substance Use Disorder Clinics). Only if, and then solely to the extent that, Customer is a Part 2 Program, the following provision shall apply to Brevium: Notwithstanding anything to the contrary in this HIPAA Agreement or the Agreement, Brevium acknowledges that it is a “qualified service organization” under the Public Health Act by virtue of its Agreement with Customer and expressly acknowledges that in receiving, storing, processing or otherwise dealing with any Part 2 Program Records from Customer or its programs, it is fully bound by and agrees to comply with applicable Public Health Act regulations at Title 42, Chapter I, Subchapter A, Part 2, Code of Federal Regulations. Brevium, if necessary, will resist in judicial proceedings any efforts to obtain access to Part 2 Program Records except as permitted by such regulations.
- Agreements by Third Parties. In accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall enter into an agreement with any agent or subcontractor of Business Associate that will have access to PHI that is received from, or is created or received by, Business Associate on behalf of Customer. Pursuant to such agreement, the agent or subcontractor shall agree to be bound by the same restrictions, terms, and conditions that apply to Business Associate under this HIPAA Agreement with respect to such PHI.
- Access to Information. Within twenty (20) calendar days of a request by Customer for access to PHI about an individual contained in a Designated Record Set, Business Associate shall make available to Customer such PHI for so long as such information is maintained by Business Associate in the Designated Record Set, as required by 45 C.F.R. § 164.524. In the event any individual delivers directly to Business Associate a request for access to PHI, Business Associate shall within ten (10) calendar days forward such request to Customer.
- Availability of PHI for Amendment. Within twenty (20) calendar days of receipt of a request from Customer for the amendment of an individual’s PHI or a record regarding an individual contained in a Designated Record Set (for so long as the PHI is maintained in the Designated Record Set), Business Associate shall provide such information to Customer for amendment and incorporate any such amendments in the PHI as required by 45 C.F.R. § 164.526.
- Documentation of Disclosures. Business Associate agrees to document all disclosures of PHI and information related to such disclosures as would be required for Customer to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. At a minimum, Business Associate shall provide Customer with the following information: (i) the date of the disclosure; (ii) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure.
- Accounting of Disclosures. Within twenty (20) calendar days of notice by Customer to Business Associate that it has received a request for an accounting of disclosures of PHI regarding an individual during the six (6) years prior to the date on which the accounting was requested, Business Associate shall make available to Customer information collected in accordance with this HIPAA Agreement, to permit Customer to respond to the request for an accounting of disclosures of PHI, as required by 45 C.F.R. § 164.528. In the case of an electronic health record maintained or hosted by Business Associate on behalf of Customer, the accounting period shall be three (3) years and the accounting shall include disclosures for treatment, payment and healthcare operations, in accordance with the applicable effective date of Section 13405(c) of HITECH. In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall within ten (10) calendar days forward such request to Customer. Business Associate hereby agrees to implement an appropriate record keeping process to enable it to comply with the requirements of this Section.
- Availability of Books and Records. Business Associate hereby agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Customer available to the Secretary for purposes of determining Customer’s compliance with the HIPAA Rules.
- Electronic PHI. To the extent that Business Associate creates, receives, maintains or transmits Electronic PHI on behalf of Customer, Business Associate shall comply with the Security Standards as of the relevant effective date and further, shall:
- Implement Administrative, Physical and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI, in accordance with Section 13401(a) of HITECH;
- Ensure that any agent, including a subcontractor, to whom it provides Electronic PHI agrees to implement reasonable and appropriate safeguards to protect it; and
- Report to Customer any Security Incident of which Business Associate becomes aware.
- Termination for Cause. In addition to any other rights Customer may have in the Agreement, Business Associate authorizes the termination of the Agreement by Customer, if Customer determines Business Associate has violated a material term of this HIPAA Agreement and Business Associate has not cured such breach or ended the violation within thirty (30) calendar days of written notice from the Customer to the Business Associate.
- Effect of Termination. Upon termination of the Agreement for any reason, Business Associate, with respect to PHI received from Customer, or created, maintained, or received by Business Associate on behalf of Customer, shall:
- Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
- Return to Customer or destroy the remaining PHI that the Business Associate still maintains in any form;
- Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;
- Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out in Section 3 (Uses and Disclosures of PHI) of this HIPAA Agreement which applied prior to termination; and
- Return to Customer or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
The obligations of Business Associate under this Section shall survive termination of the Agreement.
- Obligations of Customer. Customer will provide Business Associate with the notice of privacy practices that Customer produces in accordance with 45 C.F.R. 164.520, as well as any changes to such notice. Customer will be responsible for the notification of patients and obtaining any consent or authorization that may be required by HIPAA, or applicable state law related to PHI. Customer shall also provide Business Associate with any changes in, or revocation of permission by an individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures under this HIPAA Agreement. In addition, Customer will notify Business Associate of any additional restriction agreed upon with an individual relating to the use or disclosure of PHI, in accordance with 45 C.F.R. 164.522. Customer further agrees that it shall not require Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Customer.
- This HIPAA Agreement may be executed in any number of counterparts, all of which together shall constitute one and the same instrument.
- The parties hereto will make good faith efforts to resolve informally any disputes under this HIPAA Agreement. Neither party will be liable to the other party for any incidental, consequential, special or punitive damages with respect to the matters addressed in this HIPAA Agreement.
*** END OF BUSINESS ASSOCIATE AGREEMENT ***