Business Associate Privacy Contract

This Agreement is entered into, by and between Opportunities Unlimited, an Iowa company ("Covered Entity"), and (Business Associate Name) a "Business Associate".

1. Definitions

Business Associate. "Business Associate" shall mean (Business Associate Name).

Covered Entity. "Covered Entity" shall mean Opportunities Unlimited.

HIPAA Rules. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.

Protected Health Information. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR § 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

Required By Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.501.

Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee.

Electronic protected health information. Shall mean individually identifiable health information that is transmitted by or maintained in electronic media. It includes devices in computers and any removable/transportable digital memory medium.

Other terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule and the Security Rule.

2. Obligations and Activities of Business Associate

(a) Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.

(b) Business Associate agrees to use appropriate safeguards, and to comply with the HIPAA regulations at Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

(c) Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that it creates, receives, maintains or transmits on behalf of Covered Entity.

(d) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.

(e) Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement, of which it becomes aware, including breaches of unsecured protected health information as required by the HIPAA Breach Notification Rule. Such notification shall be made within (5) days of discovery by Business Associate. Business Associate shall undertake a risk assessment considering the following factors and report the results of such assessment to Covered Entity:

  1. The nature, extent, type and sensitivity of the PHI involved;
  2. The unauthorized person/entity that used or acquired the PHI, including whether they are subject to confidentiality obligations;
  3. Whether the PHI was actually viewed or merely subject to the opportunity to such access, and,
  4. The extent to which the risk to the PHI was mitigated.

(f) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees, in writing, to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. Business Associate shall ensure that any agent, including a subcontractor, to whom it provides electronic protected health information, agrees to implement reasonable and appropriate safeguards to protect the electronic protected health information.

(g) Business Associate agrees to provide access, at the request of Covered Entity, and in a reasonable time and manner, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524.

(h) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in a reasonable time and manner.

(i) Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or to the Secretary, in a reasonable time and manner or designated by the Secretary, in order to allow Secretary to determine Covered Entity's compliance with the Privacy Rule.

(j) Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

(k) Business Associate agrees to provide to Covered Entity or an Individual, in a reasonable time and manner, information collected in accordance with Section (2)(i) of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

(l) Business Associate agrees to return to Covered Entity or destroy (and not retain a copy) all PHI in its possession, upon the termination of the Services Agreement or as soon as such PHI is no longer needed by Business Associate to perform its responsibilities hereunder, whichever comes first, and require its agents and subcontractors to do likewise. To the extent that return or destruction is not feasible, the protections of this Agreement shall remain in effect for so long as Business Associate or its agents or subcontractors have possession of or access to such PHI, and Business Associate agrees to limit further uses and disclosures of the PHI to those purposes which make return or destruction infeasible.

3. Permitted Uses and Disclosures by Business Associate

(a) Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(b) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 42 CFR § 164.504(e)(2)(i)(B).

(c) Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).

(d) Business Associate may de-identify any and all Protected Health Information created or received by Business Associate under this Agreement; provided, however, that the de-identification conforms to the requirements of the Privacy Rule. Such resulting de-identified information would not be subject to the terms of this Agreement.

(e) Business Associate may create a Limited Data Set and use such Limited Data Set pursuant to a Data Use Agreement that meets the requirements of the Privacy Rule.

4. Obligations of Covered Entity

(a) Covered Entity shall notify Business Associate of any limitation(s) in its Notice of Privacy Practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.

(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.

(c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.

(d) Covered Entity shall obtain any consent, authorization or permission that may be required by the Privacy Rule or applicable state laws and/or regulations prior to furnishing Business Associate the Protected Health Information pertaining to an Individual.

(e) Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

5. Breach Notification

(a) In the event of its discovery of a breach of unsecured protected health information disclosed or made available to it by Covered Entity, Business Associate shall provide notification of such breach to Covered Entity as required by the HIPAA Breach Notification Rule. Such notice shall be given to Covered Entity as soon as possible after Business Associate's discovery of the breach, but in no case more than 5 days after its discovery of the breach.

(b) Whether or not notification of the breach shall be given to affected individuals and, if so, the method by which the notification shall be given shall be determined by Covered Entity, in its sole discretion. If required by Covered Entity, Business Associate shall give any such notices at such times and in such manner as determined by Covered Entity. In all cases, Business Associate shall pay to Covered Entity the cost incurred by Covered Entity due to the breach.

(c) In the event of a breach of secured protected health information, Business Associate shall notify Covered Entity of the breach as stated above, and, within 5 days of giving such notice to Covered Entity, provide proof satisfactory to Covered Entity that such protected health information was not unsecured protected health information and was encrypted.

6. Term and Termination

(a) Term. The Term of this Agreement shall be effective as of September 12, 2013, and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.

(b) Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall either:

1. Provide an opportunity for Business Associate to cure the breach or end the violation, and terminate this Agreement and any related agreements between Covered Entity and Business Associate if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity; or

2. Immediately terminate this Agreement and any related agreements between Covered Entity and Business Associate if Business Associate has breached a material term of this Agreement and cure is not possible; or

3. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.

(c) Effect of Termination.

  1. Except as provided in paragraph (2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
  2. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. If return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

7. Miscellaneous

(a) Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended.

(b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for either Party or both Parties to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.

(c) Survival. The respective rights and obligations of Business Associate under Section 5(c) of this Agreement shall survive the termination of this Agreement.

(d) Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule.

(e) Construction of Terms. The terms of this Agreement shall be construed in light of any applicable interpretation or guidance on HIPAA and/or the Privacy Regulation issued by HHS or the Office of Civil Rights from time to time.

(f) No Third Party Beneficiaries. Nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

(g) Debarment. Business Associate further represents none of its employees, principals, owners, officers, directors or managing employees have been excluded or subject to debarment and are not therefore excluded from participation in federal or state health care programs.

(h) Indemnification. Business Associate shall indemnify and hold Covered Entity harmless from and against any and all loss, cost, damage, or expense, including reasonable attorney's fees that arise out of: any breach by Business Associate of this contract; the HIPAA privacy regulations; the HIPAA security regulations, or the HIPAA Breach Notification Rule, or the need for Covered Entity to enforce any provision of this contract.