FirstCarolinaCare Insurance Company Business Associate Agreement




THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance Company, a North Carolina corporation ("FCC"), and ("Business Associate") (each a "Party" and collectively the "Parties").

WITNESSETH:

WHEREAS, Business Associate provides medical bill auditing, review, and other related services to FCC ("Services"), which involves Business Associate's receipt, creation, use and/or disclosure of certain Protected Health Information (as such term is defined below) for or on behalf of FCC; and

WHEREAS, the Parties desire to comply with the requirements of the Health Information Portability and Accountability Act of 1996, as codified at 42 U.S.C. 1320d, et seq. ("HIPAA"), the Health Information Technology Act of 2009, as codified at 42 U.S.C. 17901, et seq. ("HITECH"), and any current and future regulations promulgated under either HIPAA or HITECH, including the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 (collectively referred to herein as the "HIPAA Rules").

NOW, THEREFORE, in consideration of the mutual covenants contained herein and other good and valuable consideration, the Parties agree as follows:

I. DEFINITIONS

A. Breach. "Breach" shall mean, subject to the exclusions set forth in 45 CFR 164.402, the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under 45 CFR Part 164, Subpart E, that compromises the security or privacy of such PHI.

B. Business Associate. "Business Associate" shall generally have the same meaning as the term "business associate" at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean Business Associate.

C. Covered Entity. "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean FCC.

D. Individual. "Individual" shall have the same meaning as the term "Individual" in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

E. Protected Health Information or PHI. "Protected Health Information" or "PHI" shall have the same meaning as the term "Protected Health Information" in 45 CFR 160.103, limited to the information created or received by Business Associate on behalf of or from Covered Entity.

F. Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his/her designee.

G. Security Incident. "Security Incident" shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

H. Unsecured Protected Health Information. "Unsecured Protected Health Information" shall mean Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary.

Terms used but not otherwise defined in this Agreement shall have the same meaning as given to those terms in the HIPAA Rules. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Rules, the HIPAA Rules shall control. Where provisions of this Agreement are different than those mandated in the HIPAA Rules, but are nonetheless permitted by the same, the provisions of this Agreement shall control.

II. BUSINESS ASSOCIATE'S OBLIGATIONS

A. Permitted Use and Disclosure of PHI. Business Associate shall use and disclose PHI only as permitted by this Agreement, or as Required By Law. Except as otherwise limited in this Agreement, Business Associate may:

1. Use or disclose PHI to perform its obligations and functions in order to provide Services to Covered Entity;

2. Use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities;

3. Disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, if such disclosure is Required By Law, or if Business Associate obtains the written agreement of the recipient providing (i) reasonable assurances that the recipient will keep the PHI confidential, use or further disclose the PHI only as Required By Law or for the purpose for which it was disclosed to the recipient, and (ii) that the recipient shall immediately notify Business Associate of any instance of which the recipient is aware in which the confidentiality of the PHI has been breached;

4. Use PHI to provide Data Aggregation services to the extent specified in a service agreement;

5. Use or disclose PHI to report violations of the law to law enforcement; and

6. Use PHI to create de-identified information consistent with the standards of 45 CFR 164.514.

B. Safeguards. Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity, as required by the HIPAA Rules, specifically Subpart C of 45 CFR Part 164.

C. Minimum Necessary. Business Associate, and its agents, shall request, use and disclose only the minimum amount of Protected Health Information necessary to accomplish the purpose of the request, use or disclosure. Business Associate understands and agrees that the regulatory definition of "minimum necessary" is subject to development and change. Business Associate, accordingly, shall keep itself informed of all regulatory guidance issued with respect to what constitutes "minimum necessary."

D. Prohibited Uses and Disclosures. Business Associate shall not use or disclose PHI for any purpose other than as specifically permitted by this Agreement. Specifically, but without limitation, Business Associate (a) shall not use or disclose PHI for fundraising or marketing purposes, (b) shall not disclose PHI to a health plan for payment or health care operations purposes if Business Associate is made aware that the patient has requested a special restriction on disclosure and has paid out of pocket in full for the health care item or services to which the PHI solely relates, and (c) shall not directly or indirectly receive remuneration in exchange for PHI (which does not affect payment from Covered Entity for Business Associate's Services). Further, to the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate must comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).

E. Agents & Subcontractors. Business Associate shall ensure, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees in writing to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

F. Required Reports Regarding Breaches and Security Incidents.

1. Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for in this Agreement of which it becomes aware, including without limitation any Breach of Unsecured Protected Health Information, and any Security Incident involving Electronic PHI, within ten (10) business days after discovery thereof. An act or event shall be considered "discovered" as of the first day on which the occurrence of the event is known, or reasonably should have been known, to any employee, officer or agent of Business Associate, other than the individual committing the act or event.

2. Business Associate shall report the information described below to Covered Entity within ten (10) business days following discovery of a Breach of Unsecured Protected Health Information, except when despite all reasonable efforts by Business Associate to obtain the information required, circumstances beyond the control of Business Associate necessitate additional time. Under such circumstances, Business Associate shall notify Covered Entity as soon as possible and without unreasonable delay, but in no event later than thirty (30) calendar days from the date of discovery of a Breach. The notice shall include, to the extent possible:

i. the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during the Breach;

ii. the date of the Breach;

iii. the date of the discovery of the Breach; and

iv. a description of the types of Unsecured PHI that were involved;

v. such other information available to Business Associate that Covered Entity may by law be required to include in any notification to the Individual, as well as any other details necessary to complete the risk assessment specified in 45 CFR 164.402(2).

3. Covered Entity shall be responsible for providing notification to Individuals whose Unsecured PHI has been disclosed, as well as the Secretary and the media, as required by Sec. 13402 of the HITECH Act, 42 U.S.C. 17932. In the event that Business Associate is required to provide notification to patients, other individuals or the relevant regulatory agencies regarding a Breach, any such notices must be approved, in advance, by Covered Entity. Covered Entity's approval shall also be required for the manner of delivering notice of a Breach to a patient or other individual.

G. Access to PHI. To the extent that Business Associate possesses an applicable Designated Record Set, and within a reasonable amount of time of receipt of a request from Covered Entity to access such PHI, Business Associate shall transmit such information to Covered Entity, to the extent required for Covered Entity's compliance with its obligations under 45 CFR 164.524. If an Individual requests access to PHI directly from Business Associate, Business Associate will forward such a request to Covered Entity within a reasonable amount of time. Covered Entity will be responsible for making all determinations regarding the granting or denial of an Individual's request, and Business Associate shall make no such determinations. If Business Associate maintains PHI in a Designated Record Set electronically and the Individual requests an electronic copy of such information, Business Associate shall provide such information in electronic format to Covered Entity, in accordance with 45 CFR 164.524(c)(2)(ii). If any patient requests an amendment of PHI directly from Business Associate or its agent, Business Associate shall notify Covered Entity in writing within five (5) days of the request. Any approval or denial of amendment to PHI maintained by Business Associate or its agent shall be the responsibility of Covered Entity.

H. Amendment of PHI. To the extent that Business Associate possesses an applicable Designated Record Set, and within a reasonable amount of time of receipt of a request from Covered Entity to amend PHI contained in the Designated Record Set, Business Associate shall:

1. Provide such information to Covered Entity for amendment; or

2. If Covered Entity's request includes specific information to be included in the amendment, incorporate such amendment in the PHI maintained by Business Associate as required by 45 CFR 164.526.

Within a reasonable amount of time of receipt of a request by an Individual to Business Associate to amend PHI, Business Associate shall forward to Covered Entity any such requests. Covered Entity shall be responsible for making all determinations regarding amendments to PHI, and Business Associate shall make no such determinations.

I. Accounting. Business Associate shall document such disclosures of PHI as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.

1. Within a reasonable amount of time of receipt of a notice from Covered Entity requesting an accounting of PHI disclosures, Business Associate shall provide Covered Entity with records of such disclosures containing information as outlined in 45 CFR 164.528(b).

2. Within a reasonable amount of time of receipt of a request by an Individual to Business Associate for an accounting of disclosures of PHI, Business Associate shall forward to Covered Entity any such requests within five (5) days of receipt. Covered Entity shall be responsible for providing an accounting of PHI disclosures to the Individual. Business Associate will not provide an accounting of its disclosures directly to the Individual.

J. Government Access. Upon reasonable notice and prior written request, Business Associate shall, upon request, make its internal practices, books and records on the use and disclosure of PHI available to Covered Entity and to the Secretary to the extent required for determining Covered Entity's compliance with the HIPAA Rules. Notwithstanding this term, no attorney-client or other applicable legal privilege will be deemed waived by Business Associate as a result of complying with such a request. Business Associate shall concurrently provide Covered Entity with a copy of any PHI that Business Associate provides pursuant to any governmental inquiry.

K. Mitigation. Business Associate shall mitigate, to the extent practicable and at its cost, any harmful effects from any use or disclosure of PHI by Business Associate not permitted by this Agreement, regardless of Business Associate's fault or negligence. All such efforts shall be subject to Covered Entity's prior written approval.

III. COVERED ENTITY'S OBLIGATIONS

A. Notice of Change in Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity's notice of privacy practices in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

B. Notice of Change in Permissions. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.

C. Notice of Change in Use. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

D. Appropriate Requests. Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.

IV. TERM AND TERMINATION

A. Term. This Agreement shall become effective on the Effective Date and shall terminate at the time of the termination or expiration of any service agreement entered into by the Parties.

B. Termination for Cause. If Covered Entity reasonably determines that Business Associate has materially breached this Agreement, Covered Entity shall:

1. Provide Business Associate with thirty (30) days written notice of the alleged material breach and an opportunity to cure the breach, immediately after which time this Agreement and any affected service agreement shall be automatically terminated if the breach is not cured; or

2. Immediately terminate this Agreement and any affected service agreement if cure is not possible.

C. Effect of Termination. Upon termination or expiration of this Agreement, Business Associate shall, at Covered Entity's option, return to Covered Entity or destroy all PHI in Business Associate's possession, and/or in the possession of any subcontractor or agent of Business Associate. Business Associate shall not retain any copies of the PHI. In the event that return or destruction of the PHI is not possible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction of the PHI not feasible. Business Associate shall extend the protections of this Agreement to such PHI that is not returned or destroyed, and limit further uses and disclosures of such PHI to those purposes that make the return or destruction not feasible, for as long as Business Associate maintains such PHI. If Covered Entity elects destruction of the PHI, Business Associate shall certify in writing to Covered Entity that such PHI has been destroyed. The provisions of this Section shall survive termination of this Agreement.

V. MISCELLANEOUS

A. Amendments. The Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The Parties shall amend this Agreement from time to time as is necessary to achieve and maintain compliance with the HIPAA Rules.

B. Interpretation. Any ambiguity in this Agreement shall be resolved to permit the Parties to comply with the HIPAA Rules.

C. Choice of Law. This Agreement shall be governed by the laws of the State of North Carolina without regard to conflict of laws principles thereof.

D. Audits, Inspection and Enforcement. Upon request and with reasonable prior notice by Covered Entity, Business Associate and its agents shall allow Covered Entity to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies and procedures relating to the use or disclosure of PHI pursuant to this Agreement or for the purpose of determining whether Business Associate is in compliance with its obligations under this Agreement.

E. Relationship to Agreements with Covered Entity. In the event that a provision of this Agreement is contrary to a provision of any agreement with Covered Entity pertaining to Business Associate's Services, the provisions of this Agreement shall control.

F. Relationship of the Parties. FCC and Business Associate are acting solely as independent contractors under this Agreement. It is expressly understood and agreed by the Parties hereto that nothing in this Agreement, its provisions or the relationships contemplated hereby, shall constitute either Party as the general agent, employee, partner, or legal representative of the other Party for any purpose whatsoever, nor shall either Party hold itself out as such. Neither Party to this Agreement shall have the authority to bind or commit the other party hereto in any manner or for any purpose whatsoever, except as may be expressly provided for herein, but rather each Party shall at all times act and conduct itself in all respects and events as an independent contractor. This Agreement creates no relationship of joint venture, partners, associates, or principal and general agent between the Parties hereto.

G. Compliance with State and Federal Regulation. Business Associate shall comply with applicable state and federal statutes and regulations governing the privacy, confidentiality and security of patient health information, including but not limited to the requirements established by FCC and the Medicare Advantage program; and shall maintain appropriate policies and procedures to address such requirements and obligations.

[Signature Page Follows]

IN WITNESS WHEREOF, the Parties hereto have executed and delivered this Business Associate Agreement as of the Effective Date.

FirstCarolinaCare Insurance Company
By:
Name:
Title:
Date:

Business Associate
By:
Name:
Title:
Date: