Business Associates & Your Practice. - HIPAA Compliance Kit 2 Business... · 2018-05-17


Business Associates & Your Practice.

PRIVACY & SECURITY REQUIREMENTS FOR BUSINESS ASSOCIATES

The HITECH Act applies the HIPAA Security Rules to business associates.

• Administrative safeguards (45 C.F.R. § 164.308)
• Physical safeguards (45 C.F.R. § 164.310)
• Technical safeguards (45 C.F.R. § 164.312)
• Policies and documentation (45 C.F.R. § 164.316), and
• The new security breach reporting requirement.

• Expanded individual rights: The revised contracts must incorporate expanded rights granted to individuals, such as: to the extent PHI is maintained in an electronic health record (EHR), the right to obtain an electronic copy of one’s health record and have it sent to a third party; the right to an accounting of disclosures of PHI for purposes of treatment, payment and healthcare operations through an EHR; and the right to request certain restrictions on disclosure of PHI to a health plan, if paid in full.

• Further restrictions on uses and disclosures of PHI: The agreements must also comply with the further restrictions on uses and disclosures of PHI imposed by HITECH, such as: additional restrictions with respect to marketing; the prohibition on the exchange of PHI for remuneration; updated best practices for de-identification of PHI; and compliance with the Privacy Rule’s clarified “minimum necessary” rule, addressing the determination of the minimum amount of PHI that must be disclosed for a particular purpose.

• Reciprocal Obligation to Cure: Under HITECH, a business associate is deemed to have violated HIPAA if the BA knows of a “pattern of activity or practice” by a covered entity that breaches their business associate agreement (“BAA”), but fails to cure the breach, terminate the BAA or report the non-compliance to HHS.

• BA Compliance with the Security Rule: HITECH requires business associates to comply not only with its enhanced privacy requirements, but directly with portions of the HIPAA Security Rule, including implementation of administrative, physical and technical safeguards for electronic PHI. BAs must also develop and enforce related policies, procedures and documentation standards (including designation of a security official). As such, to the extent that you engage in the handling of electronic PHI, your BAAs will require updating.

• Breach Notification Requirements: Pursuant to HITECH, HHS released a regulation implementing a new federal breach notification requirement. The HHS Breach Notification Rule applies to covered entities and their business associates, and explains that a “breach,” subject to certain exceptions, is the “acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule, that compromises the security or privacy of the PHI.” This rule also contains what is known as a “risk of harm” standard, meaning that notification of affected individuals is only necessary if the unauthorized access, use or disclosure poses a “significant risk of financial, reputational or other harm to the individual.” In the event of a breach, individuals whose PHI was affected, the Secretary of HHS, and in limited circumstances the media (if a breach involves 500 or more individuals of a particular state or jurisdiction) must be notified.

Current Business Associate Agreements must be updated and amended in order to incorporate the expanded requirements of the HITECH Act. Most Business Associates are unaware of the new requirements that went into effect on February 20, 2010. You as the “data owner” are responsible and are required to perform due diligence to ensure your Business Associates comply with HITECH/HIPAA laws and that their staff is properly trained on security and privacy of PHI. The penalties are severe: $10,000, $50,000: up to 1.5 million dollars. Make sure your business associates are up-to-date on:

What is a Business Associate?

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Business associate functions and activities include: IT services; billing companies; EMR vendors; Practice Management vendors; administration service companies; data analysis; utilization review; quality assurance; and benefit management. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.

My practice does not currently have EMR. Is our office covered under the HITECH Act?

YES! All Covered Entities (physician practices) are subject to the HITECH Act. Offices with paper records are subject to the same HIPAA Privacy Provisions, Breach Notification Requirements and Contingency Planning. In fact, paper records may make your compliance more difficult to achieve.

My IT professional said our system is secure. Are we HITECH compliant?

Our experience is that most IT professionals are not knowledgeable on the requirements of HIPAA and the HITECH Act. To review your compliance status at no charge call 813-892-4411 and request our exclusive Compliance Checklist.

Common Business Associates.

Answering Service, Billing Service, Collection Agency, Transcription Service, Off-Site Record Storage and Retrieval, Record Disposal Service, Accountant, Practice Management Software Vendor, Electronic Medical Record Software Vendor, Biomedical Equipment Maintenance and Repair Service, Computer Hardware Maintenance and Repair Service, Courier Service.

Frequently Asked Questions

Your Compliance. Our Priority.

HITECH Updates: Your Requirements as a Physician’s Practice.

Have You Updated Your Business Associates Agreement and Performed Due Diligence Required to Protect Your Medical Records?


HITECH OMNIBUS DEFINITION OF BUSINESS ASSOCIATE

Final 45 C.F.R. Section 160.103 and 78 Fed. Reg. 5,572 (Jan. 25, 2013):

“To help clarify this point, we have modified the definition of ‘business associate’ to generally provide that a business associate includes a person who ‘creates, receives, maintains, or transmits’ (emphasis added) protected health information on behalf of a covered entity.”

As Summarized by Pillsbury Law

Expanded Definition of ‘Business Associate’: Parties That “Create, Receive, Maintain or Transmit” Protected Health Information (“PHI”).

The Final Rule clarifies and expands the HIPAA Rules’ definition of “business associate” to include one who, other than in the capacity of a member of a covered entity’s workforce, “creates, receives, maintains, or transmits” PHI on behalf of a covered entity for a function or activity that is regulated under HIPAA. As a result, as indicated under the HITECH Act, parties that provide data transmission services for covered entities (or for their business associates, as explained below), and who require routine access to PHI, are to be treated as business associates. In addition, those that provide data storage and other maintenance services and that have ongoing access to that PHI also now clearly fall within the HIPAA Rules’ requirements for business associates. In contrast, those that act as mere “conduits” for the transmission of PHI, such as telecommunications carriers, remain outside HIPAA’s regulation.

As Summarized by McDermott Will & Emery Law Firm

Who Is a Business Associate?

The final rule affirms that individuals and entities that are not part of a covered entity’s workforce and that engage in activities such as claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing continue to be business associates.

The final rule amends the definition of a “business associate” to mean a person or entity that creates, receives, maintains or transmits protected health information to perform certain functions or activities on behalf of a covered entity. The final rule also adds a new category of services, patient safety activities, to the list of functions and activities a person or entity may undertake on behalf of a covered entity that give rise to a business associate relationship. Three categories of service providers are specifically identified as business associates under the final rule:

• Health information organizations, e-prescribing gateways, and other people or entities that provide data transmission services to a covered entity with respect to protected health information and that require access on a routine basis to such protected health information
• People or entities that offer personal health records to one or more individuals on behalf of a covered entity
• Subcontractors that create, receive, maintain or transmit protected health information on behalf of business associates

The addition of subcontractors means that all requirements and obligations that apply to direct contract business associates of a covered entity also apply to all downstream service providers.

The preamble to the final rule provides additional guidance on which entities are considered to be business associates. A data storage company that has access to protected health information (whether digital or hard copy) is a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.

A researcher may be a business associate if the researcher performs a function, activity or service for a covered entity that falls within the definition of business associate, for example, creating a de-identified or limited data set for the covered entity. Both data transmission services and personal health record vendors may be business associates based on the facts and circumstances surrounding their duties and responsibilities. If the vendor has access to protected health information in order to perform its duties and responsibilities, regardless of whether the vendor actually exercises this access, the vendor is a business associate.


Date:

Dear Business Associate,

RE: Request for Business Associate Agreement as Required by the Omnibus Rule

The Omnibus Rule mandates that our organizations enter into and maintain a Business Associate Agreement. This document outlines your role and responsibilities as to the HIPAA Privacy & Security Rules. HIPAA Omnibus regulations require not only that a Business Associate Agreement is in place, but that each organization conduct a risk assessment as required by the Security Rule, have in place a set of Privacy and Security Policies and Procedures and that staff is trained yearly on HIPAA policies and procedures. Omnibus requires our organization to perform due diligence as to your HIPAA compliance. Please fill out and return Attachment “A” of the Business Associate Agreement to verify your adherence to the Omnibus regulations. Failure to sign and return both the Agreement and Compliance Status Questionnaire will be grounds for termination of our contract and is required by the Omnibus Rule.

Definition of a Business Associate as Updated by the Omnibus Rule

The Omnibus Rule amends the definition of a “business associate” to mean a person or entity that creates, receives, maintains or transmits protected health information to perform certain functions or activities on behalf of a covered entity. The preamble to the final rule provides additional guidance on which entities are considered to be business associates. A company that has access to protected health information or the network it resides on (whether digital or hard copy) is a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Document storage and document destruction (shredding) companies maintaining or destroying protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.

Business associates cannot avoid regulatory liability or limit that liability by refusing to sign a Business Associate Agreement. In addition, business associates must ensure that any subcontractors who handle PHI also have a business associate agreement in place. A business associate agreement of a subcontractor is not required to be in place with the covered entity, only the business associate.

Potential Liability for Business Associates and Subcontractors

Omnibus regulations state that business associates are directly liable under the HIPAA privacy and security rules for impermissible uses and disclosures of protected health information (PHI), failure to provide breach notification to the covered entity, failure to disclose PHI as necessary to satisfy a covered entity’s obligations with respect to an individual’s request for an electronic copy of PHI, failure to disclose PHI to the Secretary of HHS to investigate or determine the business associate’s compliance with the rules, failure to comply with minimum necessary standards, failure to enter into business associate agreements with subcontractors that create or receive a covered entity’s PHI on its behalf, failure to provide an accounting of disclosures and failure to comply with the electronic security requirements. Omnibus carries minimum, mandatory fines for “willful neglect” that start at $10,000, thus it is imperative your organization is compliant.

The Compliance Date for the Omnibus Rule was September 23, 2013. Therefore it is vitally important that you sign and return this agreement as soon as possible.

Should you have any questions please call our office or HITECH Compliance Associates (813-892-4411) for further information or clarification of the provisions in the Agreement and Compliance Status Questionnaire. Additional information can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html

Thank you for your prompt response to this request.

Signed: __________________________________

Printed Name:

Organization Name, Address, Phone.


1 © 2013 HITECH Compliance Associates All Rights Reserved | Business Associate Agreement for HITECH Omnibus

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement is made a part of the contract (“Contract”) by and between __________________________________________________ the Covered Entity (“CE”) and __________________________________________________ the Business Associate (“BA”), dated _________________________. This Agreement is effective as of _______________________ (the “Agreement Effective Date”).

RECITALS

A. CE wishes to disclose certain information to BA pursuant to the terms of the Contract, some of which may constitute protected Health Information (“PHI”) (defined below).

B. CE and BA intend to protect the privacy and provide for the security of PHI disclosed to BA pursuant to the Contract in compliance with the Health Information Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (the HITECH Omnibus Final Rule, the “Final Rule”), and regulations promulgated thereunder by the U.S. Department of Health and Human Services (the “HIPAA Regulations”) and other applicable laws.

C. As part of the HIPAA Regulations, the Privacy Rule and the Security Rule (defined below) require CE to enter into a contract containing specific requirements with BA prior to the disclosure of PHI, as set forth in, but not limited to, 45 C.F.R. § 164.504(e), Title 45, Sections 164.314(a), 164.502(e) and 164.504(e) of the Code of Federal Regulations (“C.F.R.”), Final 45 C.F.R. Section 160.103 and contained in this Agreement.

In consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the parties agree as follows:

1. Definitions

a. Breach shall have the meaning given to such term under the HITECH Omnibus Rule [Final 78 Fed. Reg. at 5,695].

b. Business Associate shall have the meaning given to such term under the Privacy Rule, the Security Rule and the HITECH Omnibus Rule, including, but not limited to, 42 U.S.C. Section 17938 and Final 45 C.F.R. Section 160.103 and 78 Fed. Reg. 5,572 (Jan. 25, 2013).

c. Covered Entity shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, Final 45 C.F.R. Section 160.103.

d. Data Aggregation shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. Section 164.501.

e. Designated Record Set shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.501.

f. Electronic Protected Health Information means Protected Health Information that is maintained in or transmitted by electronic media.


g. Electronic Health Record shall have the meaning given to such term in the HITECH Omnibus Rule, including, but not limited to, 42 U.S.C. Section 17921.

h. Health Care Operations shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.501.

i. HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification and Enforcement Rules at Final 45 CFR Part 160 and Part 164.

j. Minimum Necessary shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.501 and Final 45 C.F.R. § 160.103.

k. Privacy Rule shall mean the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and E.

l. Protected Health Information or PHI means any information, whether oral or recorded in any form or medium; (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.501. Protected Health Information includes Electronic Protected Health Information [Final 45 C.F.R. Sections 160.103, 164.501].

m. Protected Information shall mean PHI provided by CE or BA or created or received by BA on CE’s behalf.

n. Security Rule shall mean the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and C.

o. Unsecured PHI shall have the meaning given to such term under the HITECH Omnibus Rule and any guidance issued pursuant to such Act including, but not limited to, 42 U.S.C. Section 17932(h).

2. Obligations and Activities of Business Associate

a. Permitted Uses. BA shall not use Protected Information except for the purpose of performing BA’s obligations under the Contract and as permitted under the Contract and Attachments. Further, BA shall not use Protected Information in any manner that would constitute a violation of the Privacy Rule or the HITECH Omnibus Rule if so used by CE. However, BA may use Protected Information (i) for the proper management and administration of BA, (ii) to carry out the legal responsibilities of BA, or (iii) for Data Aggregation purposes for the Health Care Operations of CE [45 C.F.R. Sections 164.504(e)(2)(i), 164.504(e)(2)(ii)(A) and 164.504(e)(4)(i)].

b. Permitted Disclosures. BA shall not disclose Protected Information except for the purpose of performing BA’s obligations under the Contract and as permitted under the Contract and Agreement. BA shall not disclose Protected Information in any manner that would constitute a violation of the Privacy Rule or the HITECH Omnibus Rule if so disclosed by CE. However BA may disclose Protected Information (i) for the proper management and administration of BA; (ii) to carry out the legal responsibilities of BA; (iii) as required by law; or (iv) for Data Aggregation purposes for the Health Care Operations of CE. If BA discloses Protected Information to a third party, BA must obtain, prior to making any such disclosure,
(i) reasonable written assurances from such third party that such Protected Information will be held confidential as provided pursuant to this Addendum and only disclosed as required by law or for the purposes for which it was disclosed to such third party, and (ii) a written agreement from such third party to immediately notify BA of any breaches of confidentiality of the Protected Information, to the extent it has obtained knowledge of such breach [Final 45 C.F.R. § 164.504(e)].

c. Prohibited Uses and Disclosures. BA shall not use or disclose Protected Information for fund-raising or marketing purposes. BA is not allowed to sell CE’s Protected Information for any purpose. BA shall not disclose Protected Information to a health plan for payment or health care operations purposes if the patient has requested this special restriction, and has paid out of pocket in full for the health care item or service to which the PHI solely relates [42 U.S.C. Section 17935(a)]. BA shall not directly or indirectly receive remuneration in exchange for Protected Information, except with the prior written consent of CE and as permitted by the HITECH Omnibus Rule, 42 U.S.C. Section 17935(d)(2); however, this prohibition shall not affect payment by CE to BA for services provided pursuant to the Contract.

d. Appropriate Safeguards. BA shall implement appropriate safeguards as necessary to prevent the use or disclosure of Protected Information otherwise than as permitted by the Contract or Attachments, including, but not limited to, administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Protected Information, in accordance with 45 C.F.R. Sections 164.308, 164.310, and 164.312 [45 C.F.R. Section 164.504(e)(2)(ii)(b); 45 C.F.R. Section 164.308(b)] and [45 C.F.R. § 164.504(e)]. BA shall comply with the policies and procedures and documentation requirements of the HIPAA Security Rule, including, but not limited to, 45 C.F.R. Section 164.316 [42 U.S.C. Section 17931] and [Final 45 C.F.R. § 164.504(e)].

e. Reporting Improper Access, Use or Disclosure. BA shall report to CE in writing any access, use or disclosure of Protected Information not permitted by the Contract and Attachments, and any Breach of Unsecured PHI of which it becomes aware, without unreasonable delay and in no case later than seven (7) calendar days after discovery [42 U.S.C. Section 17921; 45 C.F.R. Section 164.504(e)(2)(ii)(c); 45 C.F.R. Section 164.308(b)] and [45 C.F.R. § 164.504(e)] and [Final 45 C.F.R. § 164.504(e)].

f. Business Associate’s Subcontractors and Agents. BA shall ensure that any agents, including subcontractors, to whom it provides Protected Information, agree in writing to the same restrictions and conditions that apply to BA with respect to such PHI and implement the safeguards required by paragraph c above with respect to Electronic PHI [45 C.F.R. Section 164.504(e)(2)(ii); 45 C.F.R. Section 164.308(b)] and [45 C.F.R. § 164.504(e)]. BA shall ensure compliance with and maintain documentation of compliance with the “HIPAA Rules” and shall make available Attachment “A” of this Agreement for all subcontractors. BA shall implement and maintain sanctions against agents and subcontractors that violate such restrictions and conditions and shall mitigate the effects of any such violation (see 45 C.F.R. Sections 164.530(f), 164.530(e)(1)) and [45 C.F.R. § 164.504(e)].

g. Access to Protected Health Information. BA shall make Protected Health Information maintained by BA or its agents or subcontractors in Designated Record Sets available to CE for inspection and copying within ten (10) days of a request by CE to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.524 [45 C.F.R. Section 164.504(e)(2)(ii)(E)]. If BA maintains an Electronic Health Record, BA shall provide such information in electronic format to enable CE to fulfill its obligations under the HITECH Omnibus Rule, including, but not limited to, 42 U.S.C. Section 17935(e) and [Final 45 C.F.R. § 164.504(e)]. BA shall notify CE within seven (7) days should the individual request Protected Health Information from the BA and forward any Protected Health
Information requested to the CE within ten (10) days. Unless agreed to and documented, BA will not directly disclose Protected Health Information.

h. Amendment of PHI. Within 10 (ten) days of receipt of a request from CE for an amendment of Protected Information or a record about an individual contained in a Designated Record Set, BA or its agents or subcontractors shall make such Protected Information available to CE for amendment and incorporate any such amendment to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.526. If any individual requests an amendment of Protected Information directly from BA or its agents or subcontractors, BA must notify CE in writing within five (5) days of the request. Any approval or denial of amendment of Protected Information maintained by BA or its agents or subcontractors shall be the responsibility of CE [Final 45 C.F.R. Section 164.504(e)(2)(ii)(F)].

i. Accounting of Disclosures Rights. [Within ten (10) days of notice by CE of a request for an accounting of disclosures of Protected Information] {Promptly upon any disclosure of Protected Information for which CE is required to account to an individual,} BA and its agents or subcontractors shall make available to CE the information required to provide an accounting of disclosures to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.528, and the HITECH Omnibus Rule, including but not limited to 42 U.S.C. Section 17935(c), as determined by CE. Accounting of disclosures from paper records, outside of payment, treatment or health care operations purposes, are required to be collected and maintained by BA and its agents or subcontractors for at least six (6) years prior to the request. However, accounting of disclosures from an Electronic Health Record for treatment, outside of payment, treatment or health care operations purposes, are required to be collected and maintained for only three (3) years prior to the request, and only to the extent that BA maintains an electronic health record and is subject to this requirement. At a minimum, the information collected and maintained shall include: (i) the date of disclosure; (ii) the name of the entity or person who received Protected Information and, if known, the address of the entity or person; (iii) a brief description of Protected Information disclosed; and (iv) a brief statement of purpose of the disclosure that reasonably informs the individual of the basis for the disclosure. In the event that the request for an accounting is delivered directly to BA or its agents or subcontractors, BA shall within five (5) days of the request forward it to CE in writing. It shall be CE’s responsibility to prepare and deliver any such accounting requested. BA shall not disclose any Protected Information except as set forth in Section 2.b of this Agreement [45 C.F.R. Sections 164.504(e)(2)(ii)(G) and 165.528]. The provisions of this subparagraph h shall survive the termination of this Agreement.

j. Governmental Access to Records. BA shall make its internal practices, books and records relating to the use and disclosure of Protected Information available to CE and to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for purposes of determining BA’s compliance with the Privacy Rule [45 C.F.R. Section 164.504(e)(2)(ii)(H)]. BA shall provide to CE a copy of any Protected Information that BA provides to the Secretary concurrently with providing such Protected Information to the Secretary.

k. Minimum Necessary. BA (and its agents or subcontractors) shall request, use and disclose only the minimum amount of Protected Information necessary to accomplish the purpose of the request, use or disclosure [42 U.S.C. Section 17935(b); 45 C.F.R. Section 164.514(d)(3)]. BA understands and agrees that the definition of “minimum necessary” is as stated in 78 Fed. Reg. 5,559 and that the standard will “vary based on the circumstances” and that the BA will stay apprised of future guidance by Health and Human Services as to specific application of the minimum necessary standard to business associates as outlined at Final 78 Fed. Reg. 5,559.
l. Data Ownership. BA acknowledges that BA has no ownership rights with respect to the Protected Information.

m. Notification of Breach. During the term of the Contract, BA shall notify CE within seven (7) days of any suspected or actual breach of security, intrusion or unauthorized use or disclosure of PHI of which BA becomes aware and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. BA shall take (i) prompt corrective action to cure any such deficiencies and (ii) any action pertaining to such unauthorized disclosure required by applicable federal and state laws and regulations including [Final 45 C.F.R. § 164.504(e)].

n. Breach Pattern or Practice by Covered Entity. Pursuant to 42 U.S.C. Section 17934(b), if the BA knows of a pattern of activity or practice of the CE that constitutes a material breach or violation of the CE’s obligations under the Contract or Attachments or other arrangement, the BA must take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, the BA must terminate the Contract or other arrangement if feasible. BA shall provide written notice to CE of any pattern of activity or practice of the CE that BA believes constitutes a material breach or violation of the CE’s obligations under the Contract or Attachments or other arrangement within five (5) days of discovery and shall meet with CE to discuss and attempt to resolve the problem as one of the reasonable steps to cure the breach or end the violation.

o. Audits, Inspection and Enforcement. Within ten (10) days of a written request by CE, BA and its agents or subcontractors shall allow CE to conduct a reasonable inspection of the facilities, systems, books, records, agreement, policies and procedures relating to the use or disclosure of Protected Information pursuant to this Addendum for the purpose of determining whether BA has complied with this Agreement; provided, however, that (i) BA and CE shall mutually agree in advance upon the scope, timing and location of such an inspection, (ii) CE shall protect the confidentiality of all confidential and proprietary information of BA to which CE has access during the course of such inspection, and (iii) CE shall execute a nondisclosure agreement, upon terms mutually agreed upon by the parties, if requested by BA. The fact that CE inspects, or fails to inspect, or has the right to inspect, BA’s facilities, systems, books, records, agreement, policies and procedures does not relieve BA of its responsibility to comply with this Agreement, nor does CE’s (i) failure to detect or (ii) detection, but failure to notify BA or require BA’s remediation of any unsatisfactory practices, constitute acceptance of such practice or a waiver of CE’s enforcement rights under the Contract or Agreement. BA shall notify CE within ten (10) days of learning that BA has become the subject of an audit, compliance review, or complaint investigation by the Office of Civil Rights. BA understands that CE’s audit logs are reviewed each month to check for intrusion attempts, unauthorized access and other unusual or suspicious behavior.

p. Remedies in Event of Breach. Business Associate hereby recognizes that irreparable harm will result to Covered Entity, and to the business of Covered Entity, in the event of breach by Business Associate or subcontractor of the Business Associate of any of the covenants and assurances contained in Paragraphs a thru o of this agreement. As such, in the event of breach of any of the covenants and assurances contained in Paragraph 2. a thru o above, Covered Entity shall be entitled to enjoin and restrain Business Associate from any continued violation of Paragraph 2. a thru o. Further, in the event of breach of Paragraph 2. a thru o by Business Associate or subcontractor of the Business Associate, Covered Entity shall be entitled to reimbursement and indemnification from Business Associate for the Covered Entity’s reasonable attorneys’ fees and expenses and costs that were reasonably incurred as a proximate result of the Business Associate’s breach. The remedies contained in this Paragraph p shall be in addition to (and not supersede) any action for damages and/or other remedy Principal may have for breach of any part of this agreement.


3. Termination

a. Material Breach. A breach by BA of any provision of this Addendum, as determined by CE, shall constitute a material breach of the Contract and shall provide grounds for immediate termination of the Contract, any provision in the Contract to the contrary notwithstanding. [45 C.F.R. Section 164.504(e)(2)(iii)] and [Final 45 C.F.R. § 164.504(e)].

b. Judicial or Administrative Proceedings. CE may terminate the Contract, effective immediately, if (i) BA is named as a defendant in a criminal proceeding for a violation of HIPAA, the HITECH Omnibus Rule, the HIPAA Regulations or other security or privacy laws or (ii) a finding or stipulation that the BA has violated any standard or requirement of HIPAA, the HITECH Omnibus Rule, the HIPAA Regulations or other security or privacy laws is made in any administrative, civil or criminal proceeding in which the party has been joined.

c. Effect of Termination. Upon termination of the Contract for any reason, BA shall, at the option of CE, return or destroy all Protected Information that BA or its agents or subcontractors still maintain in any form, and shall retain no copies of such Protected Information. If return or destruction is not feasible, as determined by CE, BA shall continue to extend the protections of Section 3 of this Agreement to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible [45 C.F.R. Section 164.504(e)(ii)(2)(1)]. If CE elects destruction of the PHI, BA shall certify in writing to CE that such PHI has been destroyed in compliance with standards set by “HIPAA Rule” Regulations.

d. Survival. The obligations to protect Protected Health Information of business associate shall survive the termination of this agreement.

4. Disclaimer

CE makes no warranty or representation that compliance by BA with this Addendum, HIPAA, the HITECH Omnibus Rule, or the HIPAA Regulations will be adequate or satisfactory for BA’s own purposes. BA is solely responsible for all decisions made by BA regarding the safeguarding of PHI.

5. Certification

To the extent that CE determines that such examination is necessary to comply with CE’s legal obligation pursuant to HIPAA relating to certification of its security practices, CE or its authorized agents or subcontractors may, at CE’s expense, examine BA’s facilities, security risk assessment, policies & procedures, employee training requirements, employee files and other systems, procedures and records as may be necessary for such agents or contractors to certify to CE the extent to which BA’s security safeguards comply with HIPAA, the HITECH Omnibus Rule, the HIPAA Regulations or this Agreement. BA is required to complete Attachment “A” – “Business Associates Compliance Status Questionnaire” as part of this Agreement.

6. Amendment

a. Amendment to Comply with Law. The parties acknowledge the state and federal laws relating to data security and privacy are rapidly evolving and that amendment of the Contract or Agreement may be required to provide for procedures to ensure compliance with such development. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HITECH Omnibus Rule, the Privacy Rule, the Security Rule and other applicable laws relating to the security or confidentiality of PHI. The parties understand and agree that CE must receive satisfactory written assurance from BA that BA will adequately safeguard all Protected Information. Upon the request of either party, the other party agrees to promptly enter into negotiations concerning the terms of an amendment to this Agreement embodying written assurances consistent with the standards and requirements of HIPAA, the HITECH Omnibus Rule, the Privacy Rule or other applicable laws. CE may terminate the Contract upon thirty (30) days written notice in the event (i) BA does not promptly enter into negotiations to amend the Contract or Addendum when requested by CE pursuant to this Section or (ii) BA does not enter into an amendment to the Contract or Agreement providing assurances regarding the safeguarding of PHI that CE, in its sole discretion, deems sufficient to satisfy the standards and requirements of applicable laws.

7. Assistance in Litigation or Administrative Proceedings

BA shall make itself, and any subcontractors, employees or agents assisting BA in the performance of its obligations under the Contract or Agreement, available to CE, at no cost to CE, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against CE, its directors, officers or employees based upon a claimed violation of HIPAA, the HITECH Omnibus Rule, the Privacy Rule, the Security Rule, or other laws relating to security and privacy, except where BA or its subcontractors, employee or agent is a named adverse party.

8. No Third-Party Beneficiaries

Nothing express or implied in the Contract or Agreement is intended to confer, nor shall anything herein confer, upon any person other than CE, BA and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

9. Effect on Contract

Except as specifically required to implement the purposes of this Agreement, or to the extent inconsistent with this Agreement, all other terms of the Contract shall remain in force and effect.

10. Interpretation

The provisions of the Agreement shall prevail over any provisions in the Contract that may conflict or appear inconsistent with any provision in the Agreement. This Agreement and the Contract shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HITECH Omnibus Rule, the Privacy Rule and the Security Rule. The parties agree that any ambiguity in this Addendum shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the HITECH Omnibus Rule, the Privacy Rule and the Security Rule.

IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement as of the Agreement Effective Date.

COVERED ENTITY

______________________________________

By: ___________________________________

Print Name: ____________________________

Title: __________________________________

Date: _________________________________

BUSINESS ASSOCIATE _____________________________________

By: __________________________________

Print Name: ___________________________

Title: _________________________________

Date: _________________________________


ATTACHMENT “A”

Compliance Status Questionnaire

Covered Entity: ____________________________________ Date: _______________

HIPAA Compliance Officer: ______________________________________________

Business Associate Contracts and Other Arrangements §164.308(b)(1) – Administrative Safeguards

A covered entity, in accordance with § 164.306 [the Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) [the Organizational Requirements], that the business associate will appropriately safeguard the information. All covered entities must enter into a contract or other arrangement with persons that meet the definition of business associate in Final 45 C.F.R. § 160.103. This standard is comparable to the Business Associate Contract standard in the Privacy Rule, but is specific to business associates that create, receive, maintain or transmit EPHI. To comply with this standard, covered entities must obtain satisfactory assurances from the business associate that it will appropriately safeguard EPHI.

Business Associate: _____________________________________________________________

HIPAA Security Officer: __________________________________________________________

Service(s) you provide the covered entity: __________________________________________

Due Diligence Review Required By HIPAA and The HITECH Omnibus Law

1. Do you currently have a Business Associate Agreement, updated for The HITECH Omnibus Rule (2013), signed with the above Covered Entity? ☐ Yes ☐ No

2. Date of your most recent HIPAA training: ________________________________________
Training was administered by: ___________________________________________________

3. Date of your most recent Risk Assessment: _________________________________________
Performed By: __________________________________________________________________
Contact Information of above: _____________________________________________________

4. Do you have a full set of HIPAA Security Policies and Procedures that addresses each of the Security Standards Matrix (Appendix A of the Security Rule)? ☐ Yes ☐ No

6. Do you carry HIPAA breach insurance? ☐ Yes ☐ No

Please Provide a List Of Your Subcontractors That Could Access PHI

Company/Individual: ____________________________________________________________
Contact: _______________________________ Phone: ________________________________
Email: __________________________________
Have you verified that this company/person is HIPAA Compliant? ☐ Yes ☐ No
Please provide documents showing their compliance. Electronic copy preferred. For additional Subcontractors attach a separate sheet if necessary.

Certified By: ______________________ Title: _________________ Date: _______________________


HIPAA CONFIDENTIALITY AGREEMENT (NON-EMPLOYEES)

Practice: ______________________________________

I understand that Practice and their clients have a legal responsibility to protect patient privacy. To do that, it must keep patient information confidential and safeguard the privacy of patient information. In addition, I understand that even though I am not employed by the Practice, my job requires access to the Practice facility and that I may see or hear other confidential information including patient information, operational and/or financial information, pertaining to the Practice and must maintain the confidentiality of that information. Regardless of the capacity in which I work, I understand that I must sign and comply with this Agreement in order to continue access to all Practice locations. Any employees that work in or with patient or other confidential information for Practice will be advised of this agreement and be required to comply with all privacy restrictions.

By signing this agreement, I understand and agree that: I will keep patient information confidential, and that I will not disclose patient information as required by the Practice’s HIPAA Privacy Manual. Regarding other types of important information to the Practice, I will keep such information confidential and will only disclose such information if it is required for the performance of my job and after receiving the permission of the Practice.

I will not discuss any information either patient-related or operations-related in public areas (even if specifics such as a patient’s name are not used), unless that public area is an essential place for the performance of my job. I will keep all security codes and passwords used to access the facility, equipment or computer systems confidential at all times. I understand I am not allowed to access or view patient information for any reason as it would violate HIPAA Privacy Laws. I will not disclose, copy, transmit, inquire, modify, or destroy patient information or other Practice confidential information. This especially includes transmissions from the Practice to my home.

Once my responsibilities with the Practice are terminated, I will immediately return all property (e.g., keys, documents, ID badges, etc.) to the Practice. Even after my responsibilities are terminated, I agree to meet my obligations under this agreement.

I understand that violation of this agreement may result in disciplinary action, up to and including termination of my employment or relationship with the Practice, and this may include civil and criminal legal penalties as a result of the HIPAA Law, the Omnibus Rule and other federal and state laws.

I have read the above agreement and agree to comply with it so that I may have continued access to the Practice facilities or continue to work with the Practice.

Signature: ______________________________________ Date: ______________________________

Print Your Name: ______________________________


Confidentiality Agreement Page 1

HIPAA Confidentiality Agreement Between: “Practice”

_______________________________________________________

_______________________________________________________

_______________________________________________________

AND: “Employee/Worker”

_______________________________________________________

_______________________________________________________

_______________________________________________________

I understand that Practice and their clients have a legal responsibility to protect patient privacy. To do that, it must keep patient information confidential and safeguard the privacy of patient information. In addition, I understand that during the course of my employment or other work with Practice, I may see or hear other confidential information including operational and financial information, pertaining to the practice, and must maintain it as confidential by law. Regardless of the capacity in which I work, I understand that I must sign and comply with this Agreement in order to be hired or continue to work for Practice.

By signing this agreement, I understand and agree that: I will keep patient information confidential, and that I will disclose patient information only under the conditions described in the Practice’s HIPAA Privacy Manual. Regarding other types of important information to the Practice, I will keep such information confidential and will only disclose such information if it is required for the performance of my job and after receiving the permission of my supervisor.

I will not discuss any information either patient-related or operations-related in public areas (even if specifics such as a patient’s name are not used), unless that public area is an essential place for the performance of my job. I will keep all security codes and passwords used to access the facility, equipment or computer systems confidential at all times. I will only access or view patient information for that which is required to do my job. If I have any questions about whether access to certain information is required for me to do my job, I will immediately ask my supervisor or the practice’s Privacy Officer for assistance.


Confidentiality Agreement Page 2

I will not disclose, copy, transmit, inquire, modify, or destroy patient information or other Practice confidential information without permission from my supervisor. This especially includes transmissions from the practice to my home.

Once my job with the practice is terminated, I will immediately return all property (e.g., keys, documents, ID badges, etc.) to the practice. Even after my job is terminated, I agree to meet my obligations under this agreement.

I understand that violation of this agreement may result in disciplinary action, up to and including termination of my employment or relationship with the practice, and this may include civil and criminal legal penalties as a result of the HIPAA Law, the HITECH Act and other federal and state laws.

I have read the above agreement and agree to comply with it so that I may obtain employment with the practice or continue to work with the practice.

Signature: ______________________________________

Title: __________________________________________

Print Your Name: ________________________________

Date: __________________________________________