BUSINESS ASSOCIATE AGREEMENT




THIS BUSINESS ASSOCIATE AGREEMENT (this "Agreement") is made effective as of the ____ day of ____________ 2014 (the "Effective Date"), by and between Sarasota County Public Hospital District, a Florida independent special district, d/b/a Sarasota Memorial Hospital and Sarasota Memorial Health Care System ("Covered Entity") and ____________ ("Business Associate").

ARTICLE 1: RECITALS

1.1 The Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated pursuant thereto, as amended and supplemented ("HIPAA"), prohibits Covered Entity from disclosing certain individually identifiable health information ("Protected Health Information") without satisfactory assurance that the recipient will appropriately safeguard such information, unless the disclosure is to another health care provider for treatment as defined by HIPAA.

1.2 The Health Information Technology for Economic and Clinical Health provisions of the American Recovery and Reinvestment Act of 2009 and the regulations promulgated pursuant thereto, as amended and supplemented ("HITECH"), prescribe mandatory procedures to be followed in the event a Security Incident or Breach involving Protected Health Information occurs.

1.3 Covered Entity desires to disclose Protected Health Information to Business Associate or have Business Associate create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity, and Business Associate desires to accept such information on the terms and conditions contained in this Agreement.

1.4 Capitalized terms used but not defined in this Agreement have the same meaning as those terms defined within HIPAA or HITECH, unless another meaning is clearly indicated.

NOW, THEREFORE, in consideration of the mutual covenants contained herein, it is agreed as follows:

ARTICLE 2: INCORPORATION OF RECITALS, EXHIBITS, ETC.

The parties agree that the recitals are true and correct, and are hereby incorporated.
The parties also agree that any referenced exhibits, schedules, documents, or instruments are hereby incorporated.

ARTICLE 3: COVENANTS AND OBLIGATIONS OF BUSINESS ASSOCIATE

3.1 Ownership of Protected Health Information. Business Associate acknowledges and agrees that (a) all Protected Health Information is and will remain the property of Covered Entity and (b) Business Associate will acquire no ownership right in or title to any of the Protected Health Information.

3.2 Use and Disclosure. Business Associate shall not use or disclose Protected Health Information in violation of this Agreement or in violation of HIPAA. Business Associate agrees it will use and disclose Protected Health Information only as specifically permitted by this Agreement or as required by law.

3.3 Prohibited Payment for Protected Health Information. Business Associate will not, directly or indirectly, receive payment in exchange for any Protected Health Information unless Covered Entity obtained from the individual who is the subject of the Protected Health Information a signed written authorization specifically stating that the Protected Health Information may be exchanged for payment, or as otherwise permitted by the limited exceptions provided under HITECH.

3.4 Safeguards; Risk Assessment. Business Associate shall use and implement appropriate safeguards to prevent the use or disclosure of Protected Health Information except as specifically provided in this Agreement. Such safeguards must include, without limitation, administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity as required by HIPAA and HITECH. Business Associate shall ensure, and will be fully responsible for ensuring, that any and all subcontractors or agents to whom Business Associate provides Protected Health Information will also implement and use all such safeguards. Business Associate agrees to conduct a risk assessment and to implement and use reasonable administrative, physical, and technical safeguards designed to protect both Covered Entity's Protected Health Information and other business and proprietary information from unauthorized use or disclosure. Business Associate agrees to update such risk assessment and safeguards at least annually. Upon request by Covered Entity, Business Associate agrees to provide all documentation sufficient to demonstrate Business Associate's compliance with this Section 3.4.

3.5 Reporting. Business Associate shall immediately, and in no case later than 5 calendar days after the use or disclosure, report to Covered Entity any use or disclosure of Protected Health Information not specifically authorized by this Agreement, including, without limitation, any Security Incident of which Business Associate becomes aware (or after a reasonable investigation should be aware) and any Breach of Unsecured Protected Health Information in accordance with 45 C.F.R. 164.410.

3.6 Mitigation.
Business Associate agrees to mitigate, to the extent reasonably possible, any harmful effect that is known (or after a reasonable investigation should be known) to Business Associate from any use or disclosure of Protected Health Information by Business Associate that is not specifically authorized by this Agreement. Business Associate further agrees to mitigate, to the extent reasonably possible, any harmful effect that is known (or after a reasonable investigation should be known) to Business Associate from any Security Incident.

3.7 Subcontractors and Agents. Business Associate may disclose Protected Health Information to a business associate that is a subcontractor only if Business Associate obtains satisfactory assurances in accordance with 45 C.F.R. 164.504 that such subcontractor will (a) appropriately safeguard the Protected Health Information by imposing, at a minimum, the same restrictions, requirements, and conditions applicable to Business Associate under this Agreement with respect to such Protected Health Information and (b) enter into a HIPAA-compliant and HITECH-compliant business associate agreement with the subcontractor. Business Associate shall ensure, and will be fully responsible for ensuring, that any and all subcontractors or agents to whom Business Associate provides Protected Health Information received from Covered Entity, or created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, comply with the same restrictions, requirements, and conditions applicable to Business Associate under this Agreement with respect to such Protected Health Information.

3.8 Availability of Protected Health Information. Business Associate shall make available Protected Health Information in a Designated Record Set, to Covered Entity, or, as directed by Covered Entity, to an individual who is the subject of the Protected Health Information (the "Individual"), in accordance with the requirements under 45 C.F.R. 164.524.

3.9 Amendment/Corrections to Protected Health Information. Upon the request of and in the time and manner designated by Covered Entity, Business Associate shall make any amendment or correction to Protected Health Information in a Designated Record Set, in accordance with the requirements under 45 C.F.R. 164.526.

3.10 Accounting of Disclosures.

(a) Business Associate shall document disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528.

(b) Business Associate shall provide to Covered Entity or the Individual, in the time and manner designated by Covered Entity, all information maintained or collected in accordance with this Agreement to permit Covered Entity to respond to a request by the Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528.

3.11 Availability of Records.

(a) Business Associate shall make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created, received, maintained, or transmitted by Business Associate on behalf of, Covered Entity available to Covered Entity or the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA.

(b) Business Associate shall make its policies, procedures, and documentation required by HIPAA (including, without limitation, the policies, procedures, and documentation relating to safeguards to prevent the use or disclosure of Protected Health Information) available to Covered Entity or the Secretary of Health and Human Services for purposes of determining Covered Entity's compliance with HIPAA.

3.12 Permitted Uses and Disclosures by Business Associate.

(a) Except as limited by this Agreement, Business Associate may use or disclose Protected Health Information in the fulfillment of its obligations to Covered Entity in the scope of its services for, or on behalf of, Covered Entity, provided that such use or disclosure would not violate HIPAA if done by Covered Entity.

(b) Except as limited by this Agreement, Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out its legal responsibilities.

(c) Except as limited by this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate, provided that the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that (i) the information will remain confidential; (ii) the information will be used or disclosed only as required by law or for the purpose for which it was disclosed to that person; and (iii) the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3.13 Notification in Case of Security Breach. If Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured Protected Health Information (as defined in HITECH), Business Associate shall, following the discovery of a Breach of such information, immediately, and in no case later than 5 calendar days after the discovery of the Breach, notify Covered Entity of such Breach.
Such notification must (a) identify the date of the Breach, the date of the discovery of the Breach, and the nature of the Breach; (b) identify each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach; (c) identify the specific elements of Protected Health Information that were the subject of the Breach; (d) provide a brief description of what happened and what caused the Breach to occur; (e) provide a description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether or not a full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); and (f) provide all other information required to satisfy the notification requirements of HITECH. Business Associate shall further comply with any and all such other requirements as contained within HITECH.

3.14 Compliance. Business Associate agrees to comply, and shall ensure that any and all subcontractors or agents to whom Business Associate provides Protected Health Information comply, with all of the requirements and obligations of HIPAA and HITECH that apply to Covered Entity. Business Associate shall comply, and shall ensure that any and all subcontractors or agents to whom Business Associate provides Protected Health Information comply, with all requirements and obligations as are necessary for Covered Entity to fully comply with and satisfy the provisions of HIPAA and HITECH.

3.15 Privacy and Data Security Insurance. Business Associate shall at all times during the term of this Agreement maintain privacy and data security insurance. The privacy and data security insurance policy must provide for insurance coverage of at least $1,000,000. Such insurance policy must identify Covered Entity as an additional named insured.

3.16 Additional Covenants and Obligations of Business Associate.

(a) Business Associate represents and warrants that each employee, agent, contractor, and subcontractor of Business Associate who will access Protected Health Information has (i) satisfactorily completed and passed a customary background screening check, (ii) satisfactorily completed and passed an illegal substance examination in accordance with Business Associate's policies and procedures, and (iii) reviewed s Confidentiality Agreement, which is attached hereto as Exhibit A.

(b) During the term of this Agreement, Business Associate shall immediately notify Covered Entity's Privacy Officer in writing if any employee, agent, or contractor of Business Associate who is or was an authorized user of any software application or database containing Protected Health Information (i) has terminated or discontinued his or her employment or contractual relationship with Business Associate or (ii) for any reason will no longer be in a position requiring such employee, agent, or contractor to access such software application or database containing Protected Health Information.

ARTICLE 4: COVENANTS AND OBLIGATIONS OF COVERED ENTITY

4.1 Notice of Privacy Practices.
Upon request, Covered Entity shall provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with 45 C.F.R. 164.520, as well as any changes to such notice.

4.2 Changes and Restrictions.

(a) Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, if such changes affect Business Associate's permitted or required uses or disclosures.

(b) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that the Covered Entity has agreed to in accordance with 45 C.F.R. 164.522.

ARTICLE 5: INDEPENDENT CONTRACTOR

Each party shall be regarded as an independent contractor for all purposes including, without limitation, income tax and employment tax purposes, and each party shall represent such status to third parties. Neither party shall withhold any portion of the other party's compensation for income tax, employment tax, or any other purpose. This Agreement shall not make either party an agent, employee, partner, or joint venturer of or with the other party, and neither party shall have the authority to bind or transact business in the other party's name, or make representations or commitments on the other party's behalf without prior written approval. The parties acknowledge and agree Business Associate is not an agent of Covered Entity and Covered Entity does not have the right or the authority to control the conduct of Business Associate in the course of Business Associate's performance of Business Associate's services on behalf of Covered Entity.

ARTICLE 6: TERM AND TERMINATION

6.1 Term. This Agreement will begin on the Effective Date and will terminate when (a) all of the Protected Health Information is destroyed or returned to Covered Entity or (b) if it is infeasible to return or destroy the Protected Health Information, protections are extended to the Protected Health Information in accordance with Section 6.3 of this Agreement.

6.2 Termination by Covered Entity for Cause. Upon Covered Entity's knowledge of a material breach of this Agreement by Business Associate, Covered Entity may:

(a) Provide an opportunity for Business Associate to cure the breach or end the violation. Covered Entity may subsequently terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;

(b) Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or

(c) If termination and cure are not feasible, report the violation to the Secretary of Health and Human Services.

6.3 Effect of Termination.

(a) Except as provided in Section 6.3(b) of this Agreement, upon termination of this Agreement for any reason, Business Associate shall return or destroy all Protected Health Information to Covered Entity. This provision will also apply to Protected Health Information that is in the possession of any subcontractors or agents of Business Associate. Business Associate, and any subcontractors or agents of Business Associate, will retain no copies of such Protected Health Information.

(b) If Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible.
Upon mutual agreement of the parties that return or destruction of the Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

ARTICLE 7: STANDARD PROVISIONS

7.1 Legal References. A reference in this Agreement to a section of HIPAA, HITECH, or other statute or regulation means the section in such statute or regulations in effect, or as amended, and for which compliance is required.

7.2 Entire Agreement. This Agreement, along with the exhibits, schedules, documents, certificates, and instruments referred to herein, embodies the entire agreement and understanding of the parties with respect to the subject matter of this Agreement. There are no restrictions, promises, representations, warranties, covenants, or undertakings except as expressly set forth or referred to herein. This Agreement supersedes all prior agreements and understandings between the parties with respect to the subject matter of this Agreement.

7.3 Amendment. No amendment to this Agreement will be effective unless it is in writing and executed by a duly authorized representative of each party.

7.4 Indemnification. Business Associate shall indemnify, defend, and hold harmless Covered Entity and its affiliates, officers, directors, agents, employees, and similar persons or entities (collectively the "Indemnitee") from and against any and all claims, liabilities, damages, losses, judgments, and expenses (including reasonable attorney's fees and legal costs) arising from or relating to (a) any wrongful or negligent act or omission of Business Associate or any of Business Associate's affiliates, officers, directors, agents, or employees, (b) any wrongful or negligent act or omission of any subcontractor or agent of Business Associate to whom Business Associate provides Protected Health Information, or (c) any breach by Business Associate of this Agreement. This Section 7.4 will survive the termination of this Agreement.

7.5 Assignment. This Agreement and all of the provisions hereof shall be binding upon and inure to the benefit of the parties and their respective successors and permitted assigns. However, neither this Agreement nor any of the rights, interests, or obligations hereunder shall be assigned by any party hereto (including to subcontractors or agents) without the prior written consent of the other party; provided, however, that such consent shall not be unreasonably withheld. Notwithstanding the foregoing, this Agreement may be assigned by either party to an entity controlling, controlled by, or under common control with the party without the other party's consent.

7.6 No Third Party Rights. This Agreement is intended solely for the benefit of the parties hereto and shall not be deemed to create any rights in any other person or entity.

7.7 Severability. If any provision or portion of this Agreement shall become invalid or unenforceable for any reason, there shall be deemed to be made such minor changes in such provision or portion as are necessary to make it valid or enforceable. The invalidity or unenforceability of any provision or portion hereof shall not affect the validity or enforceability of the other provisions or portions hereof.

7.8 Interpretation. Whenever the context of any provision shall require it, the singular number shall include the plural number, and vice-versa, and the use of any gender shall include any other or all genders as used in this Agreement. This Agreement has been negotiated at arm's length.
Any rule of law or legal decision that requires interpretation of ambiguities against the drafting party is not applicable and is hereby waived. The provisions of this Agreement will be interpreted in a reasonable manner to effect the purpose of the parties to this Agreement.

7.9 Prevailing Party Entitled to Attorneys' Fees and Costs. With regard to any legal disputes arising out of or related to this Agreement, the prevailing party is entitled to receive from the non-prevailing party(ies) all reasonable legal fees, costs, charges, and expenses incurred, including reasonable attorneys' fees, whether from the initial request for redress or through trial, appeal, and collection.

7.10 Waiver of Compliance. Except as otherwise provided in this Agreement, any breach by a party may be waived by the other party only by a written instrument signed by the waiving party. Such waiver shall not operate as a waiver of, or estoppel with respect to, any subsequent or other breach.

7.11 Applicable Law and Courts. This Agreement will be governed by the internal laws of the State of Florida (without regard to conflict of laws or similar concepts). Jurisdiction and venue will lie, and all legal proceedings will be brought, in the Twelfth Judicial Circuit in and for Sarasota County, Florida, or in the United States District Court for the Middle District of Florida.

7.12 Avoidance of Violations; Modification. Notwithstanding any provision of this Agreement, the parties shall not violate any applicable laws, rules, or regulations. The parties shall modify this Agreement to the extent necessary to comply with such laws, rules, and regulations.

7.13 Captions. The captions of this Agreement are for convenience only and are not a part of this Agreement and do not in any way limit or amplify the provisions of this Agreement.

7.14 Counterparts.
This Agreement may be executed in any number of counterparts, each of which shall be deemed an original, but all of which shall constitute one instrument. A signed copy of this Agreement delivered by facsimile, email, or other means of electronic transmission shall be deemed to have the same legal effect as delivery of an original signed copy of this Agreement, and such signed copy shall be considered an original signed copy for all purposes.

7.15 Notices. All notices and other communications required or permitted to be given under this Agreement must be in writing and will be deemed to have been duly provided only when (i) delivered personally by messenger or by recognized courier service, (ii) sent by electronic facsimile with proof of confirmation, or (iii) 4 days following the day when deposited in the U.S. Mail by registered or certified mail, postage prepaid, return receipt requested, addressed as set forth below:

If to Business Associate, to:
Facsimile:
Attention:

If to Covered Entity, to:
1700 South Tamiami Trail
Sarasota, Florida 34239
Attention: Privacy Officer

7.16 Cooperation. The parties agree to cooperate and execute all documents to implement and carry out the provisions of this Agreement.

IN WITNESS WHEREOF, the parties have caused this Agreement to be duly executed on the day and year first above written.

COVERED ENTITY
By:
Name: David Verinder
As Its: Interim President and CEO

BUSINESS ASSOCIATE
By:
Name:
As Its:

Exhibit A

SARASOTA MEMORIAL HEALTH CARE SYSTEM CONFIDENTIALITY AGREEMENT

SMHCS takes the security of our patients' and employees' personal and medical information very seriously. Everyone who works at SMHCS either as an employee, physician, physician representative, contracted service provider or volunteer has a legal and ethical responsibility to help safeguard the privacy of our patients and maintain the confidentiality of their Protected Health Information (PHI). Anyone who violates hospital policy and/or state and federal regulations related to HIPAA, PHI and patient privacy may be subject to immediate termination and/or criminal prosecution.

The following are some of the important practices that everyone who works at SMHCS is required to follow to help safeguard confidential information:

Never access, disclose or discuss confidential information, including a patient's financial or personal health records, tests and results, unless it is necessary to do your job. That includes current or previous patient cases, as well as your own family members' PHI.

Federal law prohibits (with limited exceptions) access to PHI of family members without written authorization from the patient. In addition, SMHCS policy prohibits (without exception) any electronic access to a family member's PHI without written authorization from the patient.

Other than through established portals, SMHCS policy also prohibits employees from accessing their own PHI without first providing written authorization to the Health Information Management Department or the Practice Administrator (for employees of First Physicians Group). Once written authorization is obtained, employees may view their own PHI through electronic health records only (SCM CareVISION and Intergy EHR). No other access via any other SMHCS software application is allowed including AM/PFM, Syngo, Intergy Practice Management, etc.

Note: It is not a violation of policy for an employee to inadvertently access his or her own PHI during the normal course of his or her job (e.g. a visit number is accessed that belongs to the employee).

As someone who works at SMHCS, I clearly understand and fully agree that unless specifically authorized, I will not access, discuss, disclose, reveal, or in any way use, either directly or indirectly, SMHCS patient/employee information. I am aware the owner of such information may seek any legal remedies available against me for violation of the privacy laws. I agree to indemnify and defend SMHCS against any and all liability in the event I violate this Confidentiality Agreement or applicable policies and procedures of SMHCS. I also understand and agree that any violation of any portion of the Confidentiality Agreement, applicable policies and procedures of SMHCS, or of state and federal laws and regulations governing confidentiality of Protected Health Information or a patient's right to privacy, may be cause for corrective action including immediate termination and possible criminal prosecution.

I further understand that:

I am not permitted to share my SMHCS passwords.

It is my responsibility to promptly and consistently secure work stations to prevent others from accessing patient information. This includes but is not limited to computer screens and work files.

I am to properly discard printed PHI and other confidential material in accordance with current policies and procedures (e.g. placing paper in locked recycle bins or designated areas and not in trash receptacles).

I am not to use SMHCS electronic systems to access personal PHI unless I have provided written authorization to the Health Information Management Department or a Practice Administrator (for employees of First Physicians Group). This includes any and all SMHCS software applications.

My signature on this form confirms that I have read, understand, and agree with the content of this Confidentiality Agreement.

Signature of Employee/Physician/Other
Date
Printed Name of Employee/Physician/Other