HIPAA Compliance Program, Compliance Office 210-567-2014, Compliance Line 1-877-507-7317
 

Sample Business Associate Insert Into Services Agreement

 

NOTE: The Office of Legal Affairs recommends this agreement/contract state what "protected health information" (PHI) will be shared among the entities, and include a specific statement of how PHI will be used, how it will be transmitted and to whom. All agreements/contracts must be reviewed by the Office of Legal Affairs. The Office of Legal Affairs may be contacted at (210) 567-2020 to assist you with any questions.

If you enter into an agreement with another entity or individual that will use or receive individually identifiable health information in the course of providing services on behalf of the institution, the following insert into the services agreement should be considered.




ARTICLE XL
Use and Disclosure of PHI

A. Acknowledgment of HIPAA Obligations and Other Regulations Implementing the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. §1320(d)) ("HIPAA"). The parties acknowledge that federal regulations relating to the confidentiality of individually identifiable health information require covered entities to comply with the privacy standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160 and 164, subparts A and E ("the Privacy Rule") and the security standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160, 162 and 164, subpart C ("the Security Rule"). Collectively, the Privacy Rule and the Security Rule are referred to herein as "HIPAA Rules." The HIPAA Rules, as well as any applicable state confidentiality laws, require Covered Entity to ensure that business associates who receive confidential information in the course of providing services on behalf of Covered Entity comply with certain obligations regarding the confidentiality of health information. "Covered Entity" and "Business Associate" are defined in the HIPAA Rules, and for the purposes of this Agreement, shall refer to __________ and _________, respectively.

B. Purposes for which Protected Health Information May Be Used or Disclosed. In connection with the services provided by Business Associate on behalf of Covered Entity pursuant to this Agreement, Covered Entity may use and disclose protected health information ("PHI"), as defined in the HIPAA Rules, to Business Associate for the purposes of (describe purpose of disclosure, which will relate directly to the services provided in the agreement, e.g., claims processing, audit, design of computer system, etc.).

C. Business Associate Obligations. Business Associate agrees to comply with applicable federal and state confidentiality and security laws, including, but not limited to, the Privacy Rule and Security Rule, including without limitation:

    1. Use of PHI. Business Associate shall not use PHI except as necessary to fulfill the purposes of this Agreement. Business Associate is permitted to use and disclose PHI as necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities and its responsibilities under this Agreement. However, Business Associate shall in such case:

    (a) provide training to members of its workforce regarding the confidentiality requirements in the HIPAA Rules and this Agreement;

    (b) obtain reasonable assurances from the person to whom the information is disclosed that it will be held confidential and further used and disclosed only as required by law or for the purpose for which it was disclosed to the person or entity;

    (c) agree to notify the Covered Entity of any instances of which it is aware in which the PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HIPAA Rules; and

    (d) ensure that all disclosures of PHI are subject to the principle of "minimum necessary use and disclosure," i.e., only PHI that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request may be disclosed.

    2. Disclosure to Third Parties. If Business Associate discloses PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, to agents, including a subcontractor, Business Associate shall require the agent to agree to the same restrictions and conditions that apply to Business Associate under this Agreement. Business Associate shall ensure that any agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity. Business Associate shall be fully liable to Covered Entity for any acts, failures or omissions of the Agent in providing the services as if they were Business Associate's own acts, failures or omissions, to the extent permitted by law. Business Associate further expressly warrants that its Agents will be specifically advised of, and will comply in all respects with, the terms of this Agreement.

    3. Data Aggregation. In the event that Business Associate works for more than one Covered Entity, Business Associate is permitted to use and disclose PHI, but only in order to analyze data for permitted health care operations, and only to the extent that such use is permitted under the HIPAA Rules.


    4. De-identified Information. Use and disclosure of de-identified health information is permitted, but only if (i) the precise use is disclosed to Covered Entity and permitted by Covered Entity in its sole discretion and (ii) the de-identification is in compliance with 45 CFR §164.502(d), and any such de-identified health information meets the standard and implementation specifications for de-identification under 45 CFR §164.514(a) and (b).

    5. Notice of Privacy Practices. Business Associate shall abide by the limitations of any Notice of Privacy Practices ("Notice") published by the Covered Entity of which it has knowledge. Covered Entity shall provide to Business Associate such Notice when it is adopted. Any use or disclosure permitted by this Agreement may be amended by such Notice. However, the amended Notice shall not affect permitted uses and disclosures on which Business Associate relied prior to such notice.

    6. Withdrawal of Consent or Authorization. If the use or disclosure of PHI in this Agreement is based upon an individual's specific consent or authorization for the use of his or her PHI, and the individual revokes such consent or authorization in writing, or the effective date of such authorization has expired, or the consent or authorization is found to be defective in any manner that renders it invalid, Business Associate shall, if it has notice of such revocation, expiration or invalidity, cease the use and disclosure of any such individual's PHI except to the extent it has relied on such use or disclosure, or where an exception under the Privacy Rule expressly applies.

    7. Use or Disclosure That Would Violate HIPAA. Business Associate is prohibited from further use or disclosure of PHI in a manner that would violate the requirements of the HIPAA Rules if the PHI were used or disclosed by the Covered Entity.

    8. Safeguards. Business Associate shall maintain appropriate safeguards to ensure that PHI is not used or disclosed other than as provided by this Agreement or as Required by Law. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity.

    9. Records Management. Upon termination of this Agreement, Business Associate agrees to return or destroy all PHI received from Covered Entity that Business Associate maintains in any form and shall comply with federal and state laws as they may be amended from time to time governing the maintenance or retention of PHI. If the return or destruction of PHI is not feasible, Business Associate agrees to extend the protections of this Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

    10. Individual Rights Regarding Designated Record Sets. If Business Associate maintains a designated record set (as defined in the HIPAA Rules) on behalf of Covered Entity, Business Associate agrees as follows:

    (a) Correction of PHI. Business Associate agrees that it will amend PHI maintained by Business Associate as requested by Covered Entity.

    (b) Individual Right to Copy or Inspection. Business Associate agrees that, if it maintains PHI in a designated record set for the Covered Entity, it will permit an individual to inspect or copy PHI about the individual in that set under conditions and limitations required under 45 CFR §164.524. The Covered Entity is required to take action on such requests as soon as possible but not later than 30 days following receipt of the request. Business Associate agrees to make reasonable efforts to assist Covered Entity in meeting this deadline, to the extent the requested information is maintained by Business Associate and not the Covered Entity. The information shall be provided in the form or format requested, if it is readily producible in such form or format; or in summary, if the individual has agreed in advance to accept the information in summary form. A reasonable, cost-based fee for copying health information may be charged.

    (c) Individual Right to Amendment. Business Associate agrees, if it maintains PHI in a designated record set, to make amendments to PHI at the request and direction of Covered Entity pursuant to 45 CFR §164.526. If Business Associate maintains a record in a designated record set that is not also maintained by Covered Entity, Business Associate agrees that it will accommodate an individual's right to have access to and amend PHI about the individual in a designated record set in accordance with the Privacy Rule set forth at 45 CFR §164.526, unless the regulation provides for a denial or exception that applies.

    11. Accounting of Disclosures. Business Associate agrees to make available to the individual and/or the Covered Entity from whom the PHI originated, information required for an accounting of disclosures of PHI with respect to the individual, in accordance with 45 CFR §164.528, and incorporating exceptions to such accounting designated under the regulation. Such accounting is limited to disclosures that were made in the six (6) years prior to the request (not including any disclosures prior to the compliance date of the Privacy Rule).

    (a) Covered Entity is required to take action on such requests as soon as possible but not later than 60 days following receipt of the request. Business Associate agrees to use its best efforts to assist Covered Entity in meeting this deadline.

    (b) Such accounting must be provided without cost to the individual or Covered Entity if it is the first accounting requested by an individual within any 12-month period; however, a reasonable, cost-based fee may be charged for subsequent accountings if Business Associate informs the individual in advance of the fee and the individual is afforded an opportunity to withdraw or modify the request.

    (c) Such accounting shall be provided as long as Business Associate maintains the PHI.

D. Internal Practices, Books, and Records. Business Associate shall make available its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, the Covered Entity to the U.S. Department of Health and Human Services or its agents for the purpose of determining the Covered Entity's compliance with the HIPAA Rules, or to any other health oversight agency, or to the Covered Entity.

E. Indemnification. To the extent permitted by law, Business Associate agrees to indemnify and hold harmless Covered Entity from and against all claims, demands, liabilities, judgments or causes of action of any nature for any relief, elements of recovery or damages recognized by law (including, without limitation, attorney's fees, defense costs, and equitable relief), for any damage or loss incurred by Covered Entity arising out of, resulting from, or attributable to any acts or omissions or other conduct of Business Associate or its agents in connection with the performance of Business Associate's or its agents' duties under this Agreement. This indemnity shall apply even if Covered Entity is alleged to be solely or jointly negligent or otherwise solely or jointly at fault; provided, however, that a trier of fact finds Covered Entity not to be solely or jointly negligent or otherwise solely or jointly at fault. This indemnity shall not be construed to limit Covered Entity's rights, if any, to common law indemnity.

Covered Entity shall have the option, at its sole discretion, to employ attorneys selected by it to defend any such action, the costs and expenses of which shall be the responsibility of Business Associate. Covered Entity shall provide Business Associate with timely notice of the existence of such proceedings and such information, documents and other cooperation as reasonably necessary to assist Business Associate in establishing a defense to such action.

These indemnities shall survive termination of this Agreement, and Covered Entity reserves the right, at its option and expense, to participate in the defense of any suit or proceeding through counsel of its own choosing.

F. Mitigation. If Business Associate violates this Agreement or the HIPAA Rules, Business Associate agrees to mitigate any damage caused by such breach.

G. Rights of Proprietary Information. The Covered Entity retains any and all rights to the proprietary information, confidential information, and PHI it releases to Business Associate.

H. Termination for Breach. Without limiting the termination provisions herein, if Business Associate breaches any provision in this Section entitled "Use and Disclosure of PHI", Covered Entity may, at its option, access and audit the records of Business Associate related to its use and disclosure of PHI, require Business Associate to submit to monitoring and reporting, and impose such other conditions as Covered Entity may determine are necessary to ensure compliance with this Article; or Covered Entity may terminate this Agreement on a date specified by Covered Entity.

I. Reference. Any reference in this Section entitled "Use and Disclosure of PHI" means the section of the Privacy Rule or the Security Rule, as applicable, as in effect or as amended.

J. Amendment. Business Associate and Covered Entity agree to take such action as is necessary to amend this Section entitled "Use and Disclosure of PHI" from time to time in order to allow Covered Entity to comply with the HIPAA Rules and any applicable state confidentiality laws.

K. Precedent and Ambiguity. If any term of this Section entitled "Use and Disclosure of PHI" conflicts with another term of this Agreement, the term contained in this Section shall be controlling. Any ambiguity in this Section entitled "Use and Disclosure of PHI" shall be resolved to permit Covered Entity to comply with the HIPAA Rules.

L. Survival of Key Provisions. The provisions of this Section entitled "Use and Disclosure of PHI" shall survive the termination of this Agreement.

Copyright © Vinson & Elkins L.L.P. 2004