The Health Insurance Portability and Accountability Act (HIPAA) shall be incorporated into all services we provide to our business associates, as well as the Service Agreement for clients that provide Protected Health Information (PHI). These terms are entered into in compliance with federal privacy standards for Individually Identifiable Health Information as established in 45 C.F.R. parts 160 and 164 (Security and Privacy), as well as the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (HITECH Act).
- Business Associate. Business Associates are such entities as defined by HIPAA — health plans, healthcare clearinghouses, and health care providers. A health information organization, e-prescribing gateway, or other entity or person who provides data transmission services regarding protected health information and that requires access on a routine basis to such protected health information. It also includes a person who offers a personal health record to one or more individuals on behalf of a covered entity and subcontractors who create, receive, maintain, or transmit protected health information on behalf of the business associate.
- C.F.R. This acronym refers to the Code of Federal Regulations.
- Secretary. The term Secretary refers to the Secretary of Health and Human Services and any officer or employee of the Department of Health and Human Services to whom authority has been delegated.
- HIPAA Rules. This shall mean the Privacy, Security, Breach Notification, and Enforcement Rules established by 45 C.F.R. Parts 160 and 164.
- Individually Identifiable Health Information (IIHI). Any information created by a covered entity as defined by HIPAA that includes past, present, and future information regarding the mental and/or physical health of an individual — as well as demographic information and information relating to the payment of healthcare.
- Protected Health Information (PHI). Information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.
- Privacy Rule. HIPAA establishes national standards to protect patients’ medical records and personal health information. Collectively, they are known as the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule, for short). It is located on the CFR 45, Part 160.
- Electronic Media. Electronic storage material on which data is or may be stored electronically — including hard drives and any removable digital memory medium.
- Agreement. This term refers to the present Business Associate Agreement.
Obligations and Responsibilities of Business Associates
Contractual Obligations. Business Associates shall comply with the terms and conditions of the Service Agreement as well as with the provisions required by HIPAA.
Disclosure of Information. Business Associates may use PHI exclusively to perform the services and obligations as set forth in the Terms of Service Agreement and as required by law. Business Associates may only disclose PHI within its organization — and only to those employees who need to know such information in order to perform their work obligations under the Terms of Service Agreement. Even in such instances, the information shared with such employees should be the minimum amount of PHI as is necessary for such performance.
HIPAA Compliance. Business Associates must comply with the Privacy Rule and with the requirements established by HIPAA in the performance of their duties.
Transmission of Information. Business Associates will protect PHI — whether written or oral — from disclosure. The transmission of such information is only permitted by the Terms of Service Agreement and HIPAA.
Subcontractors. It is the responsibility of Business Associate to ensure that subcontractors that receive, maintain, or transmit PHI on their behalf agree to the same privacy restrictions as required by HIPAA and the Service Agreement.
Monitoring. Business Associate shall track all security incidents and report any breaches as established in paragraph G of this Business Associate Agreement.
Notification of Disclosures. In the event the Business Associate becomes aware of impermissible use or disclosure of PHI, the Business Associate must disclose such disclosure, in writing, within ten (10) days from the disclosure.
Duty to Mitigate. Business Associate has an ongoing duty to mitigate any harmful effect that may be the result of a violation of the Service Agreement, even after notification of impermissible disclosure.
Obligations and Responsibilities of The Symphony Agency
Protect Health Information. The Symphony Agency acknowledges and agrees that any individual’s PHI that comes within its custody, exposure, possession, or knowledge — or is created, maintained, retained, transmitted, derived, developed, compiled, prepared, or used by The Symphony Agency in the course of or in connection with the performance of services under this Agreement is confidential and shall remain the exclusive property of the Business Associate.
Use of protected health information. The Symphony Agency shall not use or disclose protected health information other than as permitted by this Agreement and as required by law.
Forwarding Requests for Disclosure from Government. The Symphony Agency shall forward all requests for disclosure of PHI from a law enforcement agency or government official pursuant to a subpoena or other legal request by a court or administrative order as soon as possible, but no later than five (5) business days following its receipt of such request or order.
Assisting to Requests for Disclosure from Government. The Symphony Agency shall provide all PHI necessary to respond to a request for the disclosure of PHI by a law enforcement agency or government official, or pursuant to a subpoena or other legal request, or by a court or administrative order as soon as possible, but no later than two (2) business days following the receipt of such written request.
Restriction on Use and/or Disclosure of PHI. The Symphony Agency shall comply with all restrictions on the use and/or disclosure of PHI pursuant to 45 C.F.R. § 164.522(a). The Symphony Agency shall forward to Business Associate any requests for confidential communication of PHI within ten (10) business days of receipt.
Appropriate Safeguards. The Symphony Agency shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI that it creates, receives, maintains, or transmits on behalf of the Business Associate, as required by law.
Notification of Breach. If any PHI in the possession, custody, or control of The Symphony Agency becomes unsecured, The Symphony Agency shall provide notification to individuals, the media, and the Secretary, as set forth in 45 C.F.R. §§ 164.404 through 164.408.
Timelines of Notifications. Unless a law enforcement official states to Business Associate or The Symphony Agency that a notification would impede a criminal investigation or cause damage to national security, all notifications shall be made without unreasonable delay, and in no case later than sixty (60) calendar days from discovery of the breach.
Indemnification. The Symphony Agency shall defend, indemnify, and hold harmless the Business Associate from and against any or all costs, loss, interest, damage, liability, claim, legal action, or demand by third parties — including costs, expenses, and reasonable attorney’s fees on account thereof — arising out of the Symphony Agency’s activities under this Agreement relating to any breach of unsecured PHI or failure to provide breach notifications as required by 45 C.F.R. §§ 164.404 through 164.408, except to the extent that such losses, interests, damage, liability, claim, legal action, or demand was incurred as a result of the negligence or willful misconduct of Business Associate. As a condition precedent to The Symphony Agency’s obligation to indemnify Business Associate under the Agreement, Business Associate must notify The Symphony Agency within a reasonable amount of time upon learning of any claim or liability, in order to provide The Symphony Agency an opportunity to present any appropriate defense on behalf of Business Associate. The Symphony Agency shall have the right — but not the obligation — to participate in any defense at its own cost and with its own counsel. The provisions of this paragraph will survive the termination of this Agreement.
Sale of Protected Health Information. The Symphony Agency shall — except pursuant to and in compliance with 45 C.F.R. S 164.508(a)(4) — not engage in the sale of Protected Health Information.
Compliance and Enforcement. The Symphony Agency is subject to the compliance, enforcement and civil monetary penalties provisions at 45 C.F.R., Part 160, Subparts C and D.
Individual’s Access to PHI. The Symphony Agency shall cooperate with Business Associate on a timely basis, consistent with 45 C.F.R. S 164.524(b)(2), to fulfill all requests by individuals for access to the individual’s Protected Health Information that is approved by Business Associate. The Symphony Agency shall make available PHI in a designated record set to Business Associate as necessary to satisfy Business Associate’s obligations under 45 C.F.R.S 164.524(c). The Symphony Agency further agrees that to the extent The Symphony Agency maintains PHI of Business Associate in an electronic health record (“EHR”), Business Associate must comply with patients’ requests for access to their PHI by giving them, or any entity that they designate clearly, conspicuously and specifically, the information in an electronic format, and must not charge the requestor more than the labor costs in responding to the request for the copy (or summary or explanation).
Implement Information Security Program. The Symphony Agency shall implement a documented information security program that includes administrative, technical, and physical safeguards designed to prevent the accidental or otherwise unauthorized use or disclosure of Protected Health Information and the integrity and availability of electronic Protected Health Information it creates, receives, maintains or transmits on behalf of Business Associate. The security program shall include reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the HIPAA Privacy Rule. In addition, The Symphony Agency agrees to (1) maintain written documentation of its policies and procedures, and any action, activity or assessment which the HIPAA Privacy Rule requires to be documented, (2) retain this documentation for six years from the date of its creation or the date when it last was in effect, whichever is later, (3) make this documentation available to those persons responsible for implementing the procedures to which the documentation pertains, and (4) review this documentation periodically, and update it as needed in response to environmental or operational changes affecting the security of the electronic Protected Health Information. The Symphony Agency agrees to encrypt all electronic Protected Health Information and destroy all paper Protected Health Information such that it is unusable, unreadable, or indecipherable to unauthorized users. Upon request, The Symphony Agency shall make available The Symphony Agency’s security program, including the most recent electronic Protected Health Information risk analysis, policies, procedures, security incidents, and responses and evidence of training.
Amendments to Protected Health Information. The Symphony Agency shall make any amendment(s) to Protected Health Information in a designated record set as directed or agreed to by Business Associate pursuant to 45 C.F.R.S 164.526, or take other measures as necessary to satisfy Business Associate’s obligations under 45 C.F.R.S 164.526. The Symphony Agency must act on an individual’s request for an amendment in a manner and within the time period set forth in 45 C.F.R. S 164.526(b)(2).
Marketing. The Symphony Agency shall not use or disclose Protected Health Information for marketing purposes without the individual’s authorization, except as provided in 45 C.F.R. SS 164.508(a)(3)(A) and (B).
Permitted Uses and Disclosures by Business Associate
The Business Associate shall notify The Symphony Agency of any limitation(s) in its privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitations may affect The Symphony Agency’s use or disclosure of PHI. The Business Associate shall notify The Symphony Agency of any changes in — or revocation of — permission by individuals to use or disclose PHI, to the extent that such changes may affect The Symphony Agency’s use or disclosure of PHI.
Permitted Uses and Disclosures by The Symphony Agency
Except as otherwise limited in this Agreement, The Symphony Agency may use or disclose Protected Health Information only to perform its obligations and services to Business Associate or as required by law, provided that such use or disclosure would not violate the Privacy or Privacy Rule if done by Business Associate.
Except as otherwise limited in this Agreement, The Symphony Agency may use Protected Health Information for the proper management and administration of The Symphony Agency, or to carry out its legal responsibilities.
The Symphony Agency may use PHI to provide data aggregation services to Business Associate, as permitted by 42 C.F.R.S 164.504(e)(2)O(B).
The Symphony Agency may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. S 164.51(f).
A reference to a section in HIPAA means the section as in effect or as amended.