Customer Business Associate Agreement
THE TERMS AND CONDITIONS IN THIS ADDENDUM (“Addendum”) shall apply to Unique Integrated Communications, Inc. d/b/a UIC Dental in its capacity solely as a provider of the Services (“Business Associate”) to the extent involving the use and/or disclosure of protected health information that Business Associate accesses, creates, receives, maintains or transmits on behalf of Customer (“Customer” or “Covered Entity”).
For purposes of compliance with the Health Insurance Portability and Accountability Act of 1996, and regulations promulgated thereunder by the U.S. Department of Health and Human Services (“HHS”), as amended from time to time including by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Final Omnibus Rule (collectively “HIPAA”), the parties agree to the terms and conditions set forth in this Addendum.
- Definitions. Terms used, but not otherwise defined, in this Addendum or the Agreement shall have the same meaning as those terms are defined under HIPAA.
- Compliance with Applicable Law. The parties acknowledge and agree that, beginning with the applicable compliance dates, each party shall comply with its obligations under this Addendum and with all related obligations under HIPAA and other applicable laws and regulations, as they exist at the time this Addendum is executed and as they are amended or superseded, for so long as this Addendum is in place.
- Uses and Disclosures of PHI. Except as otherwise limited in the Agreement or this Addendum, Business Associate shall not, and shall ensure that its directors, officers, employees, contractors, and agents do not, use or disclose PHI other than as follows:
  - Business Associate may use Covered Entity’s PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
  - Business Associate may disclose Covered Entity’s PHI for the proper management and administration, or to carry out the legal responsibilities, of the Business Associate, provided that disclosures are required by HIPAA, or Business Associate obtains reasonable written assurances from the person or entity to whom the PHI is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person or entity, and the person or entity notifies the Business Associate of any instances of which it is aware or suspects in which the confidentiality of the PHI has been breached. In such case, Business Associate shall report such known or suspected breaches to Covered Entity as soon as possible and in accordance with timeframes set forth in this Agreement.
  - Business Associate, upon written request by Covered Entity, may use Covered Entity’s PHI to provide Data Aggregation services to Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B). For purposes of this Section, Data Aggregation means, with respect to Covered Entity’s PHI, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a Business Associate of another Covered Entity to permit data analyses that relate to the health care operations of the respective Covered Entities.
  - Business Associate may de-identify any and all PHI created or received by Business Associate under this Agreement; provided, however, that the de-identification conforms to the requirements of HIPAA and in accordance with any guidance issued by the Secretary. Such resulting de-identified information would not be subject to the terms of this Agreement.
  - Business Associate may create a Limited Data Set, as defined in HIPAA, and use such Limited Data Set pursuant to a Data Use Agreement that meets the requirements of HIPAA.
- Required Safeguards To Protect PHI. Business Associate will implement appropriate safeguards to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of the Agreement. To the extent that Business Associate accesses, creates, receives, maintains or transmits Electronic PHI (“ePHI”) in performance of its duties on behalf of Covered Entity, Business Associate shall comply with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), and accordingly shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the ePHI.
- Reporting to Covered Entity. Business Associate shall promptly report to Covered Entity any information that may indicate that a use or disclosure of PHI not permitted by this Addendum has occurred, including breaches of unsecured PHI in accordance with the Breach Notification Rule (45 C.F.R. Part 164, Subpart D) and any Security Incident. Business Associate shall reasonably cooperate with Covered Entity’s investigation, analysis, notification and mitigation activities.
- Mitigation of Harmful Effects. Business Associate agrees to mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Business Associate in violation of the requirements of this Addendum, including, but not limited to, compliance with any applicable state law or contractual data breach requirements.
- Agreements by Third Parties. Business Associate shall enter into an agreement with any agent or subcontractor of Business Associate that will access, create, receive, maintain or transmit PHI in connection with the services Business Associate provides to or on behalf of Covered Entity. Pursuant to such agreement, the agent or subcontractor shall agree to be bound by the same restrictions, terms, and conditions that apply to Business Associate under this Addendum with respect to such PHI.
- Access to Information. Within fifteen (15) days of a request by Covered Entity for access to PHI about an individual maintained by Business Associate in a Designated Record Set, Business Associate shall make available to Covered Entity such PHI (for so long as Business Associate maintains such PHI in a Designated Record Set), as required by 45 C.F.R. § 164.524. In the event any individual requests access to PHI directly from Business Associate, Business Associate shall, within ten (10) days, forward such request to Covered Entity.
- Availability of PHI for Amendment. Within fifteen (15) days of receipt of a request from Covered Entity for amendment of an individual’s PHI or a record regarding an individual maintained by Business Associate in a Designated Record Set (for so long as Business Associate maintains such PHI in a Designated Record Set), Business Associate shall provide such information to Covered Entity for amendment and incorporate any such amendments in the PHI as required by 45 C.F.R. § 164.526. In the event an individual makes a request for an amendment to PHI directly to Business Associate, such request shall be forwarded to Covered Entity within ten (10) days.
- Documentation/Accounting of Disclosures. Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to an individual’s request for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. At a minimum, Business Associate shall provide Covered Entity with the following information within fifteen (15) days of request by Covered Entity: (i) the date of the disclosure; (ii) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure. Covered Entity shall be responsible for providing the accounting to individuals as required by 45 C.F.R. § 164.528. In the event the request for an accounting is delivered directly to Business Associate, such request shall be forwarded to the Covered Entity within ten (10) days.
- Other Obligations. Business Associate shall not use or disclose PHI in a manner that would violate HIPAA if done by Covered Entity. To the extent that Business Associate is responsible for performing Covered Entity’s obligations under the Privacy Rule (45 C.F.R. Part 164, Subpart E), under the Agreement or otherwise, Business Associate shall comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligations.
- Minimum Necessary. All uses and disclosures of, and requests by Business Associate for, PHI are subject to the minimum necessary rule of HIPAA, as specified in 45 C.F.R. § 164.514(d), as applicable.
- Availability of Books and Records. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA.
- Obligations and Activities of Covered Entity. With regard to the use and disclosure of PHI, Covered Entity hereby agrees as follows:
  (a) Covered Entity represents and warrants to Business Associate that it has obtained, and will obtain, from Individuals, any required consents, authorizations and other permissions necessary under applicable laws to enable Covered Entity and Business Associate to fulfill their obligations under this Addendum and the Agreement.
  (b) Covered Entity shall promptly notify Business Associate in writing of any restrictions on the use and disclosure of PHI or changes in, revocation of, or permission by an Individual to use or disclose PHI about Individuals that Covered Entity has agreed to, that could reasonably be expected to affect Business Associate’s ability to perform its obligations under this Addendum or the Agreement.
  (c) Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
  (d) Covered Entity shall disclose to Business Associate only the minimum necessary amount of PHI to accomplish the purpose of the disclosures, in accordance with 45 C.F.R. § 164.514(d).
- Breach of Contract; Termination. In addition to any other rights either party may have under the Agreement, this Addendum or by operation of law or in equity, and notwithstanding any provisions in the Agreement, either party may: (i) immediately terminate the Agreement and this Addendum if the party is aware of a pattern of activity or practice of the other party in violation of HIPAA or this Addendum or if the party determines that the other party has violated a material term of this Addendum; or (ii) permit the other party to cure or end any such violation within the time specified by the non-violating party. A party’s option to permit the other party to cure a breach of this Addendum shall not be construed as a waiver of any other rights either party has in the Agreement, this Addendum or by operation of law or in equity.
- Effect of Termination of Agreement. Upon the termination of the Agreement or this Addendum for any reason, Business Associate shall, if feasible, return to Covered Entity, or destroy, all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate maintains in any form, recorded on any medium, or stored in any storage system. In the event that Business Associate reasonably determines that returning or destroying the PHI is not feasible, Business Associate shall notify Covered Entity of the conditions that make return or destruction infeasible, and shall extend the protections required by HIPAA and this Addendum and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
- Indemnification. Each party shall be legally and financially responsible for the acts and omissions of itself and its employees, directors, officers, representatives and agents and will pay all losses and damages attributable to such acts or omissions for which it is legally liable. This Addendum shall not be construed to create a contractual obligation for one party to indemnify the other party for loss or damage resulting from any act or omission of such other party or its employees, directors, officers, representatives or agents, nor to constitute a waiver by either party of any rights to indemnification, contribution or subrogation that the party may have by operation of law.
- No Agency. This Addendum is not intended to create an agency or joint venture arrangement between the parties.
- Judicial and Administrative Proceedings. In the event Business Associate receives a subpoena, court or administrative order or other discovery request or mandate for release of PHI, Business Associate shall notify Covered Entity of the request or mandate as soon as reasonably practicable, but in any event within five (5) days of receipt of such request or mandate and prior to responding to any such request or mandate.
- Third Party Rights. The terms of this Addendum are not intended, nor should they be construed, to grant any rights to any parties other than Business Associate and Covered Entity.
- Changes in the Law. In the event of new or revised legislation, rules and regulations to which Covered Entity or Business Associate is subject now or in the future including, without limitation, HIPAA, the Parties agree to negotiate in good faith to amend the Agreement, and/or this Addendum, as necessary to conform to such new or revised requirements. In the event that the Parties are not able to agree to appropriate amendments within thirty (30) days of written notice by a Party of a necessary change, either party may terminate the Agreement and this Addendum.
- Conflicts. If there is any direct conflict between the Agreement and this Addendum, the terms and conditions of this Addendum shall control.