Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health, each individually a Party and collectively the Parties. The purpose of this Agreement is to comply with the privacy requirements ( Privacy Rule ) of the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) (45 CFR parts 142 and 160-164, as may be amended). Unless otherwise defined in this Agreement, capitalized terms have the meaning given by the Privacy Rule. Business Associate receives and uses or has access to Protected Health Information ( PHI ) in the course of providing certain services ( Services ) to the Covered Entity. The Privacy Rule requires the Covered Entity to obtain written assurances from Business Associate that Business Associate will appropriately safeguard the PHI. Accordingly, the Parties agree as follows: 1. DEFINITIONS 1.1 Business Associate. Business Associate shall mean [Insert name of business associate]. 1.2 Covered Entity. Covered Entity shall mean The Connecticut Center for Health. 1.3 Individual. Individual shall have the same meaning as the term individual in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g). 1.4 Privacy Rule. Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E. 1.5 Protected Health Information. Protected Health Information or PHI shall have the same meaning as the term protected health information in 45 CFR 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity. 1.6 Required by Law. Required by Law shall have the same meaning as the term required by law in 45 CFR 164.501. 1.7 Secretary. Secretary shall mean the Secretary of the Department of Health and Human Services or his/her designee.
2. PERMITTED USES AND DISCLOSURES 2.1 Business Associate may use and/or disclose PHI only as permitted or required by this Agreement or as otherwise Required by Law. 2.2 Business Associate may disclose PHI to, and permit the use of PHI by, its employees, contractors, agents or other representatives to the extent such disclosures are related to and necessary for the performance of Services. Business associate will require any subcontractor, agent, or other representative, to whom it provides PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, to agree to the same restrictions and conditions that apply though this Agreement to Business Associate with respect to the use and disclosure of PHI. 2.3 Business Associate may use or disclose PHI on behalf of, or to provide Services to, Covered Entity for the following purposes, if such use or disclosure of PHI would not violate the Covered Entity s obligations under the Privacy Rule or the minimum necessary policies of the Covered Entity. [List Purposes]. OR Business Associate may use or disclose PHI to perform functions, activities, or Services for, or on behalf of, Covered Entity as specified in [Insert name of Services Agreement], provided that such use or disclosure would not violate the Privacy rule if done by the Covered Entity or the minimum necessary policies and procedures of the Covered Entity. 2.4 Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. 2.5 Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. 2.6 Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B). 2.7 Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 164.502(j)(1). 3. SAFEGUARDS AND REPORTING 3.1 Business Associate will implement appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement.
3.2 Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate that is in violation of the requirements of this Agreement. 3.3 Business Associate will report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware. 4. INDIVIDUAL RIGHTS 4.1 Business Associate will provide access, at the request of Covered Entity, to PHI contained in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual, in order to meet the requirements of 45 CFR 164.524 ( Access of Individuals to Protected Health Information ). Business Associate will provide such access within a reasonable time, as required by Covered Entity. 4.2 At the request of either Covered Entity or an Individual, Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 ( Amendment of Protected Health Information ). Business Associate will make such amendment within a reasonable time, as required by Covered Entity. 4.3 Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528 ( Accounting of Disclosures of Protected Health Information ). 4.4 Business Associate agrees to provide to Covered Entity or an Individual, information collected in accordance with Section 4.3 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528. Business Associate will provide such information within a reasonable time, as required by Covered Entity. 5. AVAILABILITY OF BOOKS AND RECORDS 5.1 Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in a time and manner as reasonably required by Covered Entity, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule. 6. OBLIGATIONS OF COVERED ENTITY 6.1 Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity s Notice of Privacy Practices ( Notice ), to the extent that such limitation may affect Business Associate's use or disclosure of PHI.
6.2 Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI. 6.3 Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI. 6.4 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule and this Agreement if done by Covered Entity. 7. TERM AND TERMINATION 7.1 The Term of this Agreement shall be effective as of the effective date of the Privacy Rule, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section 7. 7.2 Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall either: a. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity; b. Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or c. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary. 7.3 Effect of Termination a. Except as provided in paragraph (b) of this Section 7.3, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI. b. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon Covered
Entity s agreement, which shall not be unreasonably withheld, that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. 8. MISCELLANEOUS 8.1 Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended. 8.2 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act. 8.3 Survival. The respective rights and obligations of Business Associate under Section 7.3 of this Agreement shall survive the termination of this Agreement. 8.4 Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule. 8.5 No Third Party Beneficiaries. This Agreement is not intended to, and does not, create any obligations, rights, remedies or liabilities to any third parties. 8.6 Governing Law. This Agreement is governed by federal law and the laws of the State of Connecticut. The Parties agree to submit to jurisdiction in courts within the State of Connecticut. 8.7 Assignability. This Agreement may be assigned by mutual, written agreement of the Parties. 8.8 Waiver. Failure of Covered Entity to enforce any portion of this Agreement shall not serve as a waiver of any rights to later enforce any part of this Agreement.