CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS




Dear Physician Member:

Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf, it may be necessary for CMA staff to receive and review claims data and other documentation that may include Protected Health Information ("PHI"). As a "business associate" under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, CMA requests that physician members sign and return the attached CMA Business Associate Agreement ("Agreement"). This will ensure that CMA complies fully with federal and state privacy protection laws. This Agreement provides satisfactory assurances that CMA will appropriately safeguard all PHI it discloses, or receives from or on behalf of physician members.

Although CMA has had a standing Business Associate Agreement with its members, changes in the law pursuant to the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) have increased the obligations of business associates, necessitating CMA to update the standing Agreement.

To receive assistance from CMA, please:

1. Fill in physician name and name of practice in the space provided at the top of page 1 of the Agreement;
2. After reviewing, sign and date the Agreement on page 5;
3. Keep original copy for your records;
4. Promptly return a copy of the executed Agreement to CMA by fax to (916) 551-2027 or by email to economicservices@cmanet.org.

Once we receive the signed CMA Business Associate Agreement, CMA will be pleased to assist you.

California Medical Association
Last Updated: September 1, 2010

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

This HIPAA Business Associate Agreement is made by and between, ("Physician Practice") and California Medical Association, a California nonprofit trade association ("CMA") and is effective as of the earlier of the date on which CMA first performed Services (as defined below) for Physician Practice or the date on which CMA first received Protected Health Information from Physician Practice (as defined below) ("Effective Date"). This HIPAA Business Associate Agreement amends and incorporates by reference all existing agreements between Physician Practice and CMA.

Recitals

A. CMA is dedicated to maintaining quality medical care and improving physician-patient relationships. Toward these goals, it assists its members with certain payment and health care operations activities, and, as such, may, from time to time, receive, have access to, or create, Protected Health Information.

B. Physician Practice is a Covered Entity (as defined below) under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH") at Title XIII of Public Law 111-5 (collectively, "HIPAA").

C. CMA and Physician Practice are committed to complying with the Privacy Laws, as defined below.

D. The parties desire to set forth the terms and conditions of disclosure of Protected Health Information by Physician Practice to CMA and of use and disclosure of Protected Health Information by CMA.

Article I. Definitions of Terms

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms have in the Privacy Rule, 45 C.F.R. 160.103 and 164.501. For purposes of this Agreement:

1.01 Agreement means the existing agreement(s) in effect between Physician Practice and CMA, as amended by this Business Associate Agreement.

1.02 Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule. Breach does not include:

(a) disclosure of PHI where CMA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information; OR

(b) any unintentional acquisition, access, or use of PHI by a Workforce member or person acting under the authority of CMA if: (i) such acquisition, access, or use was made in good faith and within the scope of authority; AND (ii) such acquisition, access, or use does not result in further use or disclosure in a manner not permitted under the Privacy Rule; OR

(c) any inadvertent disclosure by a person who is authorized to access PHI at the CMA to another person authorized to access PHI at the Physician Practice or CMA; AND the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.

1.03 Business Associate shall have the meaning given to such term in 45 C.F.R. 160.103.

1.04 C.F.R. shall mean the Code of Federal Regulations.

1.05 Covered Entity shall have the meaning given to such term in 45 C.F.R. 160.103.

1.06 Data Aggregation shall have the meaning given to such term in 45 C.F.R. 164.501.

1.07 Designated Record Set shall have the meaning given to such term in 45 C.F.R. 164.501.

1.08 Individual shall have the meaning given to such term in 45 C.F.R. 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).

1.09 Privacy Laws shall mean HIPAA, the HIPAA regulations and any other applicable state or federal laws or regulations affecting or regulating the privacy or security of health information, including the California Confidentiality of Medical Information Act.

1.10 Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E.

1.11 Required By Law shall have the same meaning as such term in 45 C.F.R. 164.103.

1.12 Protected Health Information ("PHI") shall have the meaning given to such term in 45 C.F.R. 160.103.

1.13 Secretary means the Secretary of the Department of Health and Human Services ("HHS") or his designee.

1.14 Services shall have the meaning set forth in Section 2.01.

1.15 Treatment shall have the same meaning as such term in 45 C.F.R. 164.501.

1.16 Unsecured PHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology (e.g., encryption or destruction) specified by the Secretary on the HHS Web site.

1.17 Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for CMA, is under the direct control of CMA, whether or not they are paid by CMA.

1.18 All references to the C.F.R. are to their then current version.

Article II. Obligations of CMA

2.01. Permitted Uses and Disclosures. CMA shall not use or disclose PHI received or created pursuant to this Agreement except as permitted or required by this Agreement or as Required by Law. CMA shall comply with the privacy requirements of HIPAA that are applicable to Covered Entities as required by 42 U.S.C. 17934.
CMA may use PHI to: (a) assist Physician Practice obtain coverage and payment for services rendered; (b) to advocate on Physician Practice's behalf with respect to other health care operations issues, including, but not limited to, issues involving audits, health plan and IPA bankruptcies, coding and documentation, managed care and other contracts, practice management, credentialing, peer review and licensure; (c) to perform Data Aggregation as permitted under the Privacy Rule (collectively, the "Services").

2.02. CMA's Operations Permitted Uses of PHI. CMA may use the PHI it obtains or creates in its capacity as a Business Associate for the proper management and administration of CMA or to carry out CMA's legal responsibilities.

2.03. CMA's Operations Permitted Disclosures of PHI. CMA may disclose the PHI it obtains or creates in its capacity as a Business Associate if such disclosure is necessary for the CMA's proper management and administration or to carry out the CMA's legal responsibilities, and:

(a) the disclosure is required by law; or

(b) CMA obtains reasonable assurances from the recipient of the PHI that the PHI will be held confidentially and used or further disclosed only as required by law or with such further authorizations required by law, and any such disclosure shall be only for the purpose for which it was initially disclosed to the recipient; and the recipient notifies the CMA (and CMA in turn notifies Physician Practice) of any instances of which it is aware in which the confidentiality of the PHI has been breached.

Except for disclosures for Treatment purposes, CMA and its agents shall use, disclose, or request only the limited data set (as defined in 45 C.F.R. 164.514(e)(2)), or if that is inadequate, the minimum PHI necessary to accomplish the intended purpose of that use, disclosure or request. The party disclosing the PHI shall determine what constitutes the minimum necessary to accomplish the intended purpose of the disclosure. CMA understands that the HHS Secretary is mandated to issue guidance on what constitutes "minimum necessary," and agrees that CMA and its agents will be bound by that guidance when it is issued and becomes effective.

2.04. Access to PHI by Individuals. CMA shall cooperate with Physician Practice to fulfill all requests by Individuals for access to the Individual's PHI that are approved by Physician Practice as required by 45 C.F.R. 164.524 and California law. CMA shall forward copies of PHI in CMA's possession if requested by Physician Practice to provide copies to patients of the Physician Practice within five (5) business days of such request. If CMA receives a request from an Individual for access to PHI, CMA immediately shall forward such request to Physician Practice. Physician Practice shall be solely responsible for determining the scope of PHI and Designated Record Set with respect to each request by an Individual for access to PHI.

2.05. Access to CMA's Books and Records. To the extent required by the Privacy Rule, CMA shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by CMA on behalf of Physician Practice available to the Secretary, in a time and manner designated by the Physician Practice or the Secretary, as needed to permit the Secretary to determine Physician Practice's compliance with the Privacy Rule.

2.06. Amendment of PHI. To the extent it possesses a Designated Record Set, CMA shall incorporate all amendments or addenda to PHI received from Physician Practice.

2.07. Disclosure Accounting. In the event that CMA makes any disclosures of PHI that are subject to the accounting requirements of 45 C.F.R. 164.528, CMA promptly shall report to Physician Practice and maintain a record of each such disclosure, including the name of the Individual, the date of the disclosure, the name and, if available, the address of the recipient of the PHI, a brief description of the PHI disclosed and a brief description of the purpose of the disclosure. CMA shall maintain this record for a period of six (6) years and make available to Physician Practice upon request in an electronic format so that Physician Practice may meet its disclosure accounting obligations under 45 C.F.R. 164.528. CMA understands that the Secretary is mandated to adopt rules expanding the disclosure accounting obligations applicable to physician practices that maintain EHRs, and agrees that CMA will be bound by those rules when they are issued and become effective.

2.08. Security Safeguards. CMA shall comply with the security requirements of HIPAA that are applicable to Covered Entities as required by 42 U.S.C. 17931, including, without limitation:

(a) Implementing, maintaining and using appropriate and effective administrative, technical and physical safeguards to reasonably preserve the confidentiality, integrity and availability of any electronic PHI as required by the security standards set forth in 45 C.F.R. 164.308, 164.310, and 164.312;

(b) Complying with the policies and procedures and documentation requirements of the HIPAA Security Rule, including 45 C.F.R. 164.316, as and when required by HIPAA;

(c) Reporting to Physician Practice any security incident immediately upon becoming aware of such incident.

In addition, CMA agrees to (a) maintain written documentation of its policies and procedures, and of any action, activity, or assessment which the HIPAA Security Rule requires to be documented, (b) retain this documentation for six (6) years from the date of its creation or the date when it last was effective, whichever is later, (c) make this documentation available to those persons responsible for implementing the procedures to which the documentation pertains, and (d) review this documentation periodically, and update it as needed in response to environmental or operational changes affecting the security of the electronic protected health information.

2.09. Mitigation. CMA shall mitigate, to the extent practicable, any harmful effect that is known to CMA of a use or disclosure of PHI by CMA in violation of the requirements of this Agreement.

2.010. Reports of Non-Permitted Use or Disclosure. CMA shall report to Physician Practice any use or disclosure of PHI not provided for by this Agreement. In addition, CMA shall, following discovery of a Breach of Unsecured PHI, promptly notify Physician Practice of such Breach as and when required by 42 U.S.C. 17932.

2.011. Sale of PHI. CMA will comply with any rule adopted by the HHS Secretary regarding the sale of PHI as soon as it becomes effective. CMA shall comply with the prohibition on the sale of electronic health records and PHI set forth in 42 U.S.C. 17935(d).

2.012. Agents. CMA shall require that any subcontractors or other agents to whom it provides PHI received from, or created or received by CMA on behalf of Physician Practice agree in writing to the same use, request and disclosure restrictions imposed on CMA by this Agreement.

2.013. Ownership of Information. All PHI shall be deemed owned by the Physician Practice unless otherwise agreed in writing. During the term of this Agreement, CMA and any authorized subcontractors or other agents shall have the right to use the PHI solely as specified by this Agreement. CMA and its agents shall have the right to de-identify the PHI at CMA's option, in accordance with 45 C.F.R. 164.514(b).

2.014. Additional Obligations. CMA will be held to the same standards as Physician Practice to rectify a pattern of activity or practice that constitutes a material breach or violation of CMA's obligation under this Agreement.
CMA will be subject to the same penalties as a covered entity for any violation of the HIPAA Privacy or Security requirements, and CMA will also be subject to periodic audits by the HHS Secretary.

Article III. Obligations of Physician Practice

3.01. Notice of Privacy Practices. Physician Practice shall provide CMA with a copy of Physician Practice's Notice of Privacy Practices upon request and inform CMA of any changes to such Notice of Privacy Practices that affect CMA.

3.02. Notice of Changes. Physician Practice shall provide CMA with any changes in, or revocation of, permission by Individual to use or disclose PHI, if such changes affect CMA's permitted or required uses and disclosures.

3.03. Notice of Restrictions. Physician Practice shall notify CMA of any restriction to the use or disclosure of PHI that Physician Practice has agreed to in accordance with 45 C.F.R. 164.522.

3.04. Impermissible Requests. Physician Practice shall not ask or require CMA to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by a Covered Entity.

Article IV. Term and Termination

4.01. Term. The Term of this Agreement shall be effective as of the Effective Date, and shall remain in effect, except as otherwise provided herein, for so long as the Physician Practice is a member of the CMA.

4.02. Termination for Breach of Privacy or Security. Upon Physician Practice's determination of a material breach of this Agreement by CMA, Physician Practice shall either: (a) provide an opportunity for CMA to cure the breach or end the violation and terminate this Agreement if CMA does not cure the breach or end the violation within the time specified by Physician Practice; or (b) immediately terminate this Agreement if CMA has breached a material term of this Agreement and cure is not possible. Physician Practice shall give notice to CMA of the existence of an alleged breach and shall provide CMA with a reasonable opportunity to dispute the existence of such breach.

4.03. Effects of Termination; Disposal of PHI. Upon termination of this Agreement, to the extent it is feasible to do so, CMA shall recover and destroy all PHI that is in its possession or the possession of its subcontractors or agents that CMA obtained or maintained pursuant to this Agreement on behalf of the Physician Practice. However, the parties agree that, because of the nature of CMA's advocacy activities, it may not be feasible for CMA to accomplish this. Therefore, CMA shall extend, and require that its subcontractors and agents agree to the extension of all protections, limitations and restrictions required by this Agreement until the PHI is destroyed. This section shall survive the termination of this Agreement.

Article V. Miscellaneous

5.01. Notices. Any notice required to be given pursuant to the terms and provisions of this Agreement shall be in writing and may be either personally delivered or sent by registered or certified mail in the United States Postal Service, Return Receipt Requested, postage prepaid, addressed to each party at the addresses maintained by the CMA. Any such notice shall be deemed to have been given, if mailed as provided herein, as of the date mailed.

5.02. Change in Law. CMA and Physician Practice shall cooperate with each other in good faith to amend this Agreement as necessary to comply with any subsequent changes or clarifications of the Privacy Laws.

5.03. Intent to Comply with Laws. This Agreement shall be construed consistently with all Privacy Laws and in favor of the protection of PHI. All other aspects of this Agreement shall be governed under the laws of the State of California and venue for any actions relating to this agreement shall be proper in Sacramento County, California.

5.04. Execution. By signature below the undersigned warrant that they have the authority to enter into this Agreement individually and/or in any applicable representative capacity. Signatures may be exchanged by facsimile or by electronic mail.

CMA
/ S / Dustin Corcoran
Executive Vice-President & CEO

PHYSICIAN PRACTICE
Signature:
Printed Name:
Practice Name:
Date: