BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES




This BUSINESS ASSOCIATE AGREEMENT (this "Agreement") is entered into as of the date first written in the signature block below (the "Effective Date") by and between [insert name of Provider] ("Provider") and the AABB Center for Patient Safety ("Center"), a Component PSO listed under the Patient Safety and Quality Improvement Act of 2005, having its principal place of business at 8101 Glenbrook Road, Bethesda, Maryland, 20814, and whose parent organization is the American Association of Blood Banks, a non-profit organization. Provider and Center may each be referred to herein as a "Party" or collectively as the "Parties." This Agreement supplements and serves as an addendum to the Terms and Conditions for Participation with the AABB Center for Patient Safety ("Participation Agreement") entered into between the Parties.

1. BACKGROUND AND PURPOSE. Provider has engaged Center to provide certain services to Provider through the Participation Agreement. Provider is a covered entity and Center is a business associate as such terms are defined in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the regulations promulgated thereunder at 45 C.F.R. Part 160 and Part 164, subparts A and C (the "Security Rule"), subparts A and D (the "Breach Notification Rule"), and subparts A and E (the "Privacy Rule"), all as applicable and as amended (including, but not limited to, amendments made by Subtitle D of the HITECH Act (Title XIII of the American Recovery and Reinvestment Act of 2009)) and as clarified by guidance issued pursuant thereto (collectively, the "Rules"). Therefore, in connection with the Participation Agreement, the Parties wish to execute this Agreement to ensure their compliance with applicable provisions of the Rules and to ensure that Center protects the privacy and security of Protected Health Information as further provided herein.

2. DEFINITIONS. Unless otherwise defined in this Agreement, all capitalized terms used in this Agreement have the meanings ascribed to them in the Rules; provided, however, that "Protected Health Information" or "PHI" shall mean Protected Health Information limited to the information Center received from, or created, maintained, transmitted, or received on behalf of, Provider.

3. PROVIDER AGREEMENT. By signing below, Provider acknowledges that it has read, understands, and agrees to comply with the terms and conditions of this Agreement and the Participation Agreement.

4. ADDENDUM TO PARTICIPATION AGREEMENT. This Agreement amends the Participation Agreement, inclusive of all other prior amendments or modifications to such Participation Agreement. The terms and provisions of this Agreement shall control to the extent they are contrary, contradictory, or inconsistent with the terms of the Participation Agreement. Otherwise, all other terms and provisions of the Participation Agreement shall remain in full force and effect.

5. OBLIGATIONS OF THE PARTIES WITH RESPECT TO PHI.

5.1 Obligations of Center. With regard to its use and disclosure of PHI, Center agrees to:

a. not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law.

b. use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement. Without limiting the generality of the foregoing, Center will:

implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI (or "EPHI") that it receives from, or creates, receives, maintains, or transmits on behalf of, Provider; ensure that any agent of Center, including a subcontractor, to whom Center provides such EPHI agrees to implement substantially the same safeguards and other measures to protect such EPHI as set forth in this Agreement; and report to Provider any successful Security Incident of which Center becomes aware.

c. report to Provider any use or disclosure of PHI in violation of this Agreement of which Center becomes aware. Center shall mitigate, to the greatest extent possible, any harmful effects from any use or disclosure of PHI that Center reports to Provider as provided herein.

d. ensure that any agent, including any subcontractor, to whom Center provides PHI agrees in writing to the same restrictions and conditions on the use and disclosure of PHI that apply to Center pursuant to this Agreement.

e. make available, in the form, time, and manner reasonably requested by Provider, any and all PHI required for Provider to respond to an Individual's request for access to PHI about them in accordance with 45 C.F.R. 164.524. Center acknowledges that individuals have the right to obtain PHI about them in an electronic format, and Center will provide PHI in such electronic format as may be reasonably requested by Provider to the extent Center maintains PHI in an electronic format.

f. make available, in the form, time, and manner reasonably requested by Provider, PHI for amendment and incorporate any such amendment as directed by Provider to allow Provider to comply with 45 C.F.R. 164.526.

g. document any and all disclosures of PHI by Center or its agents, including subcontractors, as well as any other information related to such disclosures of PHI that would be required for Provider to respond to an Individual's request for an accounting of disclosures in accordance with 45 C.F.R. 164.528.

h. make available, in the form, time, and manner reasonably requested by Provider, any and all information documented in accordance with subsection 5.1.g.

i. subject to subsection 5.1.j. and any applicable privileges, and following consultation with Provider, make available to the Secretary of the U.S. Department of Health and Human Services ("HHS") any and all internal practices, books, and records of Center or its agents, including subcontractors, relating to the use and disclosure of PHI, for purposes of determining Provider's compliance with the Privacy Rule.

j. to the extent permitted by law, notify Provider of any and all requests by the Secretary of HHS for information described in subsection 5.1.i. prior to any release of information thereunder.

k. comply with the Security Rule.

l. use, disclose, and request only the Minimum Necessary PHI in order to accomplish the intended purpose of such use, disclosure, or request, consistent with the terms of the Participation Agreement, unless a use, disclosure or request is exempt from the Minimum Necessary requirement specified in 45 C.F.R. 164.502(b)(2). To the extent practicable and consistent with the terms of the Participation Agreement, as determined by Center, the Minimum Necessary shall be the information contained in a Limited Data Set, as defined in 45 C.F.R. 164.514(e)(2).

m. not, directly or indirectly, receive remuneration in exchange for Provider's PHI unless Center or Provider has obtained an authorization from the subject individual(s) which complies with all applicable requirements, or unless an exception specified in 45 C.F.R. 164.502(a)(5)(ii)(B)(2) applies. Center may not rely on any of the foregoing exceptions as to Provider's PHI without advance notice to Provider that describes the types of circumstances and the applicable exceptions to be relied upon by Center.

5.2 Permitted Uses and Disclosures of PHI by Center. Except as otherwise specified in this Agreement, Center may make any and all uses and disclosures of PHI necessary to perform its obligations under the Participation Agreement. Unless otherwise limited by this Agreement, Center may: (a) use the PHI in its possession for its proper management and administration or to carry out the legal responsibilities of Center; (b) disclose the PHI in its possession to a third party for the purpose of Center's proper management and administration or to carry out the legal responsibilities of Center, provided that the disclosures are Required by Law or that Center has obtained reasonable assurances from the third party to whom PHI is to be disclosed that the PHI will be held confidentially and the third party has agreed to notify Center of any instances of which it becomes aware in which the confidentiality of the information has been breached; and (c) provide Data Aggregation services relating to the Health Care Operations of the Provider as permitted by the Privacy Rule. Center may only use and disclose PHI as described above if such use and disclosure is in compliance with 45 C.F.R. 164.504(e), and, except for uses and disclosures permitted pursuant to (a), (b), and (c) above, Center shall not use and disclose PHI in a manner that would violate the Privacy Rule if done by Provider.

5.3 Obligations of Provider.

a. Provider agrees to notify Center of any restrictions on uses and disclosures of PHI to which Provider agrees that will impact in any manner the use and/or disclosure of that PHI by Center under this Addendum.

b. Provider agrees to notify Center of any changes in, or revocation of, permission by an Individual to use or disclose PHI that will impact in any manner the use and/or disclosure of that PHI by Center under this Agreement.

c. Provider agrees to notify Center of any changes in its Notice of Privacy Practices that will impact in any manner the use and/or disclosure of PHI by Center under this Agreement.

d. Provider agrees to obtain any patient authorizations or consents that may be required under federal or state law in order to transmit PHI to Center and to enable Center to use and disclose PHI as contemplated by this Agreement and the Participation Agreement.

5.4 Breach of Unsecured Protected Health Information. As required by the Breach Notification Rule, as it may be amended from time to time, Center shall maintain systems to monitor and detect a Breach of Unsecured PHI, whether the Unsecured PHI is in paper or electronic form. Center shall provide to Provider notice of a Breach of Unsecured PHI within thirty (30) days of the first day the Breach is known. Center shall cooperate with Provider to determine whether the Breach requires notice to individuals and others under the Breach Notification Rule, and will cooperate with Provider as may be necessary to allow Provider to provide notification of the Breach to individuals as required by the Breach Notification Rule. Provider is responsible for the provision of notice to individuals in a timely manner, provided that Provider shall consult with Center as needed regarding the details of the notice.

5.5 Marketing. The Parties agree to comply with the restrictions on marketing and fundraising communications contained in the Privacy Rule.

5.6 Effect of Changes to the Rules. To the extent that any relevant provision of the Rules is amended in a manner that materially changes the obligations of Center or Provider that are embodied in the terms of this Agreement, the Parties agree to amend this Agreement in order to give effect to such revised obligations. If the Parties cannot agree on an amendment to this Agreement, this Agreement and the Participation Agreement may be terminated by either Party upon thirty (30) days written notice, or upon such lesser notice as may be required by applicable law, to the other Party.

6. TERMINATION.

6.1 The term of this Agreement shall commence on the Effective Date and shall terminate when all PHI provided by Provider to Center, or created or received by Center on behalf of Provider, is destroyed or returned to Provider. Upon either Party's knowledge of a material breach of the terms of this Agreement by the other Party, the non-breaching Party shall provide the breaching Party written notice of that breach in sufficient detail to enable the breaching Party to understand the specific nature of that breach and afford the breaching Party an opportunity to cure the breach. If the breaching Party fails to cure the breach within a reasonable time as specified by the non-breaching Party, the non-breaching Party may terminate this Agreement and the Participation Agreement.

6.2 Upon termination of the Participation Agreement, Center shall return to Provider or destroy any and all PHI in the possession or control of Center and its agents, including subcontractors, and retain no copies, if it is feasible to do so. If return or destruction of PHI is infeasible, Center agrees to: (a) provide written notification to Provider of the conditions that make such return or destruction infeasible; and (b) for so long as Center or its agents, including subcontractors, maintain such PHI, (i) extend all protections contained in this Agreement to the use and/or disclosure of any retained PHI by Center or its agents, including subcontractors, and (ii) limit any further uses and/or disclosures of such PHI by Center or its agents, including subcontractors, to the purposes that make the PHI's return or destruction infeasible.

7. MISCELLANEOUS.

7.1 Interpretation. The terms of this Agreement shall prevail in the case of any conflict with the terms of the Participation Agreement to the extent necessary to allow Provider and Center to comply with applicable provisions of HIPAA, the Privacy Rule, the Security Rule, or the Breach Notification Rule.

7.2 Survival. The obligations imposed on Center pursuant to this Agreement with respect to PHI shall survive termination of this Agreement and continue indefinitely solely with respect to PHI that Center or its agents, including subcontractors, retain in accordance with Section 6.2.

7.3 No Third Party Beneficiaries. Except as may be specifically set forth in this Agreement, nothing in this Agreement shall confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

7.4 Privileges and Protections Not Waived. Nothing herein shall be construed as waiver of applicable legal or other privileges or protections held or enjoyed by Provider.

7.5 Amendment. This Agreement shall not be amended except by the mutual written agreement of the Parties.

7.6 Assignment. Neither Party may assign any of its rights or obligations under this Agreement without the prior written consent of the other Party.

7.7 Notice. Any notices required hereunder shall be given as set forth in the Participation Agreement.

7.8 Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.

7.9 Relationship of the Parties. In performing the services herein specified, Center will be acting as an independent contractor engaged by Provider. Nothing contained in the Participation Agreement or this Agreement shall be construed to create a partnership or a joint venture or to authorize Center to act as a general or special agent of Provider, except as specifically set forth in this Agreement or the Participation Agreement.

[Signatures on following page]

IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be executed in its name and on its behalf by its duly authorized representative.

Provider:
By:
Print Name:
Print Title:
Date:

AABB Center for Patient Safety, A Component PSO of the American Association of Blood Banks
By:
Print Name:
Print Title:
Date: