ADDENDUM 5 - BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the BAA ) is effective as of (the Effective Date ) and is entered into by and between, with an address of (the Covered Entity ) and New Hampshire Health Information Organization Corporation, with an address of 125 Airport Road, Concord, NH 03301 (the Business Associate ). 1. Definitions The following definitions apply to this BAA: 1.1 Catch-all definition: The following terms used in this BAA shall have the same meaning ascribed to those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure (or Disclose or Disclosing, as the context requires), Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Person, Protected Health Information (or PHI), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use (or Using, as the context requires), and any capitalized terms not defined herein shall have the same meaning as those terms have under HIPAA or HITECH, as the case may be. 1.2 Specific definitions: 1.2.1 The term Business Associate means the Person identified as the Business Associate in the preamble to this BAA. 1.2.2 The term business associate has the meaning ascribed to that term at 45 CFR 160.103. 1.2.3 The term Covered Entity means the Person identified as the Covered Entity in the preamble to this BAA. 1.2.4 The term covered entity has the meaning ascribed to that term at 45 CFR 160.103. 1.2.5 The term HIPAA means the Health Insurance Portability and Accountability Act of 1996, as amended, and all regulations and rules related thereto. 1.2.4 The term HITECH means the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A of the American Recovery and Reinvestment Act of 2009 and all regulations and rules related thereto. 1.2.5 The term HIPAA Rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164. Page 1 of 7
1.2.6 The term Services Agreement means the Participation Agreement between the Covered Entity and the Business Associate dated effective pertaining to services to be provided by the Business Associate to or on behalf of the Covered Entity and all addenda, schedules, attachments and exhibits thereto, as may be amended from time to time. 1.2.7 The term subcontractor has the meaning ascribed to that term at 45 CFR 160.103. 2. Obligations and Activities of the Business Associate The Business Associate agrees to: 2.1. not Use or Disclose Protected Health Information other than as permitted or required by this BAA or as Required By Law; 2.2 use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of Protected Health Information other than as provided for by this BAA; 2.3 promptly report to Covered Entity any Use or Disclosure of Protected Health Information not provided for by this BAA of which it becomes aware, including Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware; 2.4 in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to appropriate written restrictions, conditions, and requirements with respect to such Protected Health Information, including obtaining satisfactory assurances that the subcontractor will appropriately safeguard the Protected Health Information; 2.5 make available Protected Health Information in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity s obligations under 45 CFR 164.524, and the Business Associate will forward to Covered Entity to fulfill, within five business days of receipt by Business Associate, the Individual s request; 2.6 make any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity s obligations under 45 CFR 164.526, and the Business Associate will forward to Covered Entity to fulfill, within five business days of receipt by Business Associate, the Individual s request; 2.7 maintain and make available to the Covered Entity the information required to provide an accounting of Disclosures as necessary to satisfy Covered Entity s obligations under 45 CFR 164.528, and the Business Associate will forward to Covered Entity to fulfill, within five business days of receipt by Business Associate, the Individual s request; Page 2 of 7
2.8 to the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164 (Privacy of Individually Identifiable Health Information), comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and 2.9 make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules. 3. Permitted Uses and Disclosures by Business Associate Business Associate is permitted to make the following Uses and Disclosures of Protected Health Information: 3.1 Business Associate may Use or Disclose Protected Health Information as necessary to perform the services set forth in Services Agreement. 3.2 Business Associate may Use or Disclose Protected Health Information as Required By Law. 3.3 Where applicable, when Using or Disclosing Protected Health Information or when requesting Protected Health Information from Covered Entity or another covered entity or business associate, the Business Associate agrees to make reasonable efforts to limit Protected Health Information to the Minimum Necessary to accomplish the intended purpose of the Use, Disclosure, or request. 3.4 Business Associate may not Use or Disclose Protected Health Information in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except for the specific Uses and Disclosures set forth below. 3.5 Business Associate may Use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. 3.6 Business Associate may Disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the Disclosures are Required By Law, or the Business Associate enters into a business associate agreement (which complies with 45 CFR 164.502(e) and 164.504(e)) with the Person to whom the information is Disclosed that the information will remain confidential and Used or further Disclosed only as Required By Law or for the purposes for which it was Disclosed to the Person, and the Person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been Breached. 3.7 Business Associate may provide Data Aggregation services relating to the Health Care Operations of the Covered Entity. Page 3 of 7
3.8 Business Associate is authorized to Use Protected Health Information to de-identify the information in accordance with 45 CFR 164.514(a)-(c). Business Associate may Use and Disclose the de-identified information for any purposes allowed by applicable law. 3.9 Business Associate may Disclose Protected Health Information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit Protected Health Information on its behalf, if the Business Associate enters into a business associate agreement (which complies with 45 CFR 164.502(e) and 164.504(e)) with the subcontractor. 4. Obligations of Covered Entity. 4.1 Covered Entity shall provide Business Associate the following notifications: 4.1.1 Notice of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate s Use or Disclosure of Protected Health Information. 4.1.2 Notice of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate s Use or Disclosure of Protected Health Information. 4.1.3 Notice of any restriction on the Use or Disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate s Use or Disclosure of Protected Health Information. 4.2 Covered entity shall not request Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity, except that Business Associate may Use or Disclose Protected Health Information for Data Aggregation relating to the Health Care Operations of the Covered Entity and for management and administration and legal responsibilities of the Business Associate. 4.3 Covered entity will indemnify, defend and hold harmless Business Associate, its contractors and licensors, and their respective members, managers, shareholders, directors, officers, employees, agents and representatives, and all of their respective heirs, estates, successors and assigns (collectively the Business Associate Parties ) from and against any and all demands, claims, actions, losses, damages, fines, penalties, judgments and liabilities, including all related attorneys fees, costs, expenses and interest (collectively Losses ) of any kind asserted or instituted by a third party arising out of or related to Covered Entity s (a) failure to timely and appropriately address any Individual requests that are forwarded to Covered Entity pursuant to Sections 2.5 2.7 or (b) violation of any provisions of Sections 4.1 and/or 4.2 of this BAA. Page 4 of 7
5. Term and Termination 5.1 Term. The Term of this BAA is effective as of the Effective Date and shall remain in force until termination or expiration of the (a) Services Agreement, or (b) this BAA, whichever occurs first. 5.2 Termination for Cause. Business Associate agrees that Covered Entity may terminate this BAA immediately if Covered Entity determines that Business Associate has violated a material term of the BAA or any provision of HIPAA or HITECH. 5.3 Obligations of Business Associate Upon Termination. Upon termination of this BAA for any reason, Business Associate, with respect to Protected Health Information received from the Covered Entity or created, maintained, or received by Business Associate on behalf of the Covered Entity, must: 5.3.1 Retain only that Protected Health Information which is necessary for Business Associate to continue its proper management and administration and/or to carry out its legal responsibilities; 5.3.2 Return to Covered Entity or, if agreed to by Covered Entity destroy, the remaining Protected Health Information that the Business Associate still maintains in any form; 5.3.3 Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic Protected Health Information to prevent Use or Disclosure of the Protected Health Information, other than as provided for in this Section 5.3, for as long as Business Associate retains the electronic Protected Health Information; 5.3.4 Not Use or Disclose the Protected Health Information retained by Business Associate other than for the purposes for which such Protected Health Information was retained and subject to the same conditions set out in Sections 3.5 and 3.6 and which applied prior to termination; and 5.3.5 Return to Covered Entity or, if agreed to by Covered Entity destroy, the Protected Health Information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities. 5.4 Survival. The obligations of Business Associate under this Section 5 shall survive the termination of this BAA. 6. Miscellaneous 6.1 Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended. Page 5 of 7
6.2 Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law. 6.3 Notices. Any notices to be given hereunder shall be made via U.S. certified mail, return receipt requested, or express courier, or hand delivery to the other party s address given below as follows, and delivery will be deemed to occur upon delivery or if delivery is refused in the case of mailing upon three business days from mailing: If to Covered Entity: Privacy Officer If to Business Associate: Jeff Loughlin, Executive Director NHHIO 125 Airport Rd., Concord NH, 03301 6.4 Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules. 6.5 Severability. Any provision of this BAA which is determined to be invalid or unenforceable will be ineffective to the extent of such determination without invalidating the remaining provisions of this BAA or affecting the validity or enforceability of such remaining provisions. 6.6 Governing Law and Forum. This Agreement shall be governed by and interpreted in accordance with the laws of the State of New Hampshire without regard to its conflict of law provisions, and the State of New Hampshire shall be the sole forum for resolution of disputes regarding this BAA or the subject matter thereof. The parties hereto agree to the exclusive personal jurisdiction of the courts located in the State of New Hampshire over them with regard to the same. 6.7 Complete Agreement. This BAA constitutes the complete understanding and agreement of the parties with respect to the subject matter thereof. All other representations, promises, understandings and agreements are superseded by this BAA. Except as otherwise provided in this BAA, nothing in this BAA shall be construed as giving any third party any right, remedy or claim. In the event of a conflict between the Services Agreement and the BAA, the terms of the BAA shall take precedence and control. This BAA may only be amended by a writing signed by duly authorized representatives of the parties. Page 6 of 7
The Business Associate and the Covered Entity hereby execute this BAA by signing in the places allocated below according to the convention /s/ Name, and agrees said electronic signature shall be valid and binding under NH RSA 294-E (Uniform Electronic Transactions Act) and the E-Signatures in Global and National Commerce Act (where applicable) and other applicable law. EXECUTED as of the Effective Date by: Business Associate: By: Name: Jeff Loughlin Title: Executive Director Date: Covered Entity: By: Name: Title: Date: Page 7 of 7