BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo, Iowa, 50704, (the Associate referring to Business Associate as defined below) and, with principal place of business at (the Covered Entity ). DEFINITIONS: A. Catch-all definition. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. B. Business Associate. Business Associate shall generally have the same meaning as the term business associate at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Professional Office Service, Inc. C. Covered Entity. Covered Entity shall generally have the same meaning as covered entity at 45 C.F.R. 160.103, and in reference to the party to this agreement, shall mean (insert name of covered entity). D. HIPAA RULES. HIPAA rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164. RECITALS: A. Covered Entity is governed by the provisions of the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ), and the final rules and regulations issued pursuant thereto by the U. S. Department of Health and Human Services ( DHHS ) as same relate to all covered entities (the HIPAA Privacy and Security Rules ), and by the provisions of Title XIII of the American Recovery and Reinvestment Act of 2009 (the HITECH Act ) and any and all final administration rules for HIPAA; and B. Covered Entity maintains identifiable health information defined in the HIPAA Privacy Rule as Protected Health Information ( PHI ); and C. Associate and its employees, affiliates, agents or representatives may access records containing PHI in the course of performing its obligations to the Covered Entity pursuant to certain agreements for
services identified on Exhibit A (Product Set-Up Sheet) and by this reference made a part hereof(the Service Agreement ); and D. Whereas, the HIPAA Privacy and Security Rules and the HITECH Act require that the Covered Entity enter into an agreement such as this document with the Associate in order to protect the privacy and confidentiality of PHI within Associate s knowledge and control as a result of its relationship with Covered Entity pursuant to the Service Agreements; and E. Covered Entity and Associate desire to enter into this Agreement and, where necessary, amend the Service Agreements to protect the confidentiality of the PHI. NOW, THEREFORE, the parties agree as follows: 1. Associate s General Obligations. Associate agrees that it will not use nor further disclose PHI other than as required or permitted for the performance of its obligations under the Service Agreements or as required by law. This Agreement expressly prohibits all other uses of PHI not authorized by this Agreement. 2. Permitted Uses and Disclosures by Business Associate. In performance of Associate s general obligations as above, the Associate shall also be obligated and authorized as follows: (a) (b) (c) Disclosure of PHI to another party for the reasons described in Paragraph 1 must either be required by law or be coupled with reasonable assurances in writing to Associate from the person to whom the PHI is disclosed that such person will safeguard the PHI and further use and disclose it only as required by law or for the purpose for which Associate disclosed it to such person, and an agreement from such person in writing to notify Associate of any instances of which it is aware in which confidentiality of the PHI has been breached. Associate may disclose PHI to manage and administer Associate s business, to perform data aggregation services for Covered Entity and for other clients; and to create de-identified information, subject to the requirements of HIPAA regarding the de-identification of information, subject to any restrictions on the use of PHI requested by one of Covered Entity s patients and agreed to by Covered Entity and communicated to Associate by Covered Entity. However, in the event that Associate is unable or unwilling to comply with such restrictions, Associate will be relieved of any and all further obligation to perform services under the Service Agreements following written notification of that inability or unwillingness to Covered Entity. Associate will use appropriate safeguards to prevent use or disclosure of PHI other than as provided for in this Agreement.
(d) (e) (f) (g) (h) (i) (j) Associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity. Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of the Covered Entity as required pursuant to 45 CFR 164.314. Associate shall be directly subject to the application of the HIPAA Security Rule found at Subpart C of 45 C.F.R. Part 164. Associate will report to the Covered Entity any unauthorized use or disclosure of PHI by Associate or by its agents, contractors or subcontractors, or of any other security incident of which it becomes aware, within twenty-four (24) hours of discovery by Associate and the remedial action taken or proposed to be taken with respect to that improper use or disclosure. Notice of any such breach shall include the identification of any individual whose unsecured PHI has been, or is reasonably believed by Associate to have been, accessed, acquired, or disclosed during such breach. Associate shall cooperate with the Covered Entity in mitigating any harmful effects of such use or disclosure. Associate will ensure all contractors, subcontractors, and agents to whom it provides PHI agree in writing to adhere to the same restrictions and conditions on the use or disclosure of same that apply to Associate hereunder. Associate agrees to make available to its workforce and disclose to its contractors, subcontractors, and agents, only the minimum PHI necessary for them to perform the functions required by Associate under the Service Agreement or to fulfill any other purpose for which use or disclosure of PHI is permitted in this Agreement. In addition, Associate agrees to make uses and disclosures and requests for protected health information consistent with Covered Entity s minimum necessary policies and procedures. Associate agrees to provide individuals with access to and copies of their PHI maintained by Associate, and limit fees therefore, pursuant to Section 164.524 and Section 164.525 of the Regulations. Associate agrees to make available protected health information in a designated record set to the covered entity as necessary to satisfy covered entity s obligations under 45 C.F.R. 164.524. Associate further agrees to make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 C.F.R. 164.526, or take other measures as necessary to satisfy covered entity s obligations under 45 C.F.R. 164.526.
(k) (l) Associate will notify Covered Entity immediately of any requests by an individual to amend the individual s PHI maintained by Associate and will direct the requesting individual to Covered Entity for the handling of such request. The Associate will cooperate with Covered Entity in the handling of such request and will incorporate any amendment accepted by Covered Entity in accordance with Section 164.526 of the Regulations. Associate is not authorized to independently agree to any amendment of PHI. Associate will notify Covered Entity immediately of any requests by an individual for an accounting of disclosures of PHI and direct the requesting individual to Covered Entity for the handling of that request. The Associate shall provide to Covered Entity within twenty (20) days thereafter with all information in its possession or in possession of its contractors, subcontractors and agents which is needed to permit Covered Entity to respond to the request in accordance with Section 164.528 of the Regulations. Associate agrees to maintain and make available information required to provide an accounting of the disclosures to the covered entity as necessary to satisfy covered entity s obligations under 45 C.F.R. 164.528. (m) Associate agrees to make all of its records, books, agreements, policies and procedures relating to the use and/or disclosure of PHI available to the Secretary of DHHS or his or her designees for purposes of determining Covered Entity s compliance with the Regulations, subject to attorneyclient and other applicable legal privileges, and impose the same requirement on all contractors, subcontractors and agents. (n) Upon the termination of the Service Agreements, Associate shall return to Covered Entity or destroy all PHI in its possession and require the return or destruction of all PHI in the possession of any contractor, subcontractor, or agent of Associate and shall not retain nor permit any contractor, subcontractor or agent to retain copies thereof in any form. In the event that such return or destruction is not feasible, the protections of this Agreement shall remain in effect for so long as Associate or its contractor, subcontractor or agent has possession of or access to such PHI, and the Associate agrees to limit further uses and disclosures of the PHI to those purposes which make return or destruction not feasible. 3. Covered Entity s Obligations. Covered Entity agrees to the following: (a) Covered Entity will provide each of its patients with an appropriate privacy notice as required by law which will identify the potential uses and disclosures of the patient s PHI that Covered Entity may make, including without limitation, the use of such PHI for billing and collection activities and the disclosure of such PHI to a healthcare clearinghouse in connection with such billing and collection activities. Covered Entity will use its good faith efforts to have each patient acknowledge, in writing, his or her receipt and review of said privacy notice.
(b) (c) (d) (e) Covered Entity will notify Associate immediately of any restrictions on the use of any of Covered Entity s PHI requested by one of Covered Entity s patients and agreed to by Covered Entity. Covered Entity will provide Associate with sufficient information regarding any such restriction to enable Associate to determine whether Associate is able or willing to comply with such restriction. Covered Entity will notify Associate immediately in the event Covered Entity desires Associate to disclose any PHI received by Associate from Covered Entity regarding one of Covered Entity s patients to the patient or to the patient s legal representative. Covered Entity will notify Associate immediately in the event Covered Entity desires Associate to amend or otherwise modify any PHI received by Associate from Covered Entity regarding one of Covered Entity s patients. Covered Entity shall defend, indemnify and hold harmless Associate and each of its officers, directors, employees and agents from and against any and all penalties, claims, losses, liabilities, damages, costs and expenses, including reasonable attorney s fees and expenses incurred by Associate arising out of or in connection with Covered Entity s negligent failure to comply with the provisions of HIPAA and related regulations or in any other such manner that Covered Entity s conduct results in a breach of this Agreement or in liability to Associate which arises out of negligent or other unlawful conduct by Covered Entity. 4. Term. This Agreement shall become effective on the date listed on the signature page of this Agreement, and shall continue in effect until all obligations of the parties have been met, unless otherwise terminated as provided herein. 5. Termination. Covered Entity may immediately terminate this Agreement and Service Agreements if Covered Entity makes the determination that Associate has breached the material terms of this Agreement. As an alternative, Covered Entity may elect to provide Associate with written notice of the existence of alleged material breach and afford the Associate an opportunity to cure the alleged material breach upon mutually agreeable terms. In the event that the Associate fails to take reasonable steps to cure the breach according to those terms, such failure is grounds for the immediate termination of the Agreements. Additionally, the respective rights and obligations of the Associate and the Covered Entity under this Agreement shall survive termination of this Agreement as specifically set forth in the terms hereof and according to the obligations imposed on Covered Entity under HIPAA. 6. Acknowledgement by Covered Entity. The Covered Entity acknowledges that, although this Agreement was prepared by Associate and provided by Associate for Covered Entity s use, Covered Entity is not relying upon Associate for the legal sufficiency of this document and has made its own independent
determination, with the assistance of legal counsel, to ensure that its terms adequately protect Covered Entity under HIPAA and the rules and regulations implementing same. 7. No Third-Party Beneficiaries. The parties agree that there are no intended third-party beneficiaries of the respective parties obligations under this Agreement. Included within the foregoing and without limiting same, it is the intent of the parties hereto that nothing contained in this Agreement gives rise to any right or cause of action, contractual or otherwise, in or on behalf of any patient whose PHI is used or disclosed pursuant to this Agreement or any person who qualifies as a personal representative of such patient. 8. Relationship to Agreements. This Agreement is intended by the parties to serve as an amendment and supplement to the Service Agreements. In the event of a conflict between the terms of this Agreement and the terms of the Service Agreements, the terms of this Agreement will control. 9. Miscellaneous. (a) (b) (c) This Agreement is intended to inure to the benefit of and be binding upon the parties hereto and their respective successors and assigns. This Agreement shall be interpreted according to the laws of the State of Iowa. This Agreement may not be modified, waived, or amended, except by mutual written agreement of the parties. Any waiver with respect to one circumstance shall not be construed as continuing nor as a bar to nor waiver of any right or remedy as to subsequent circumstances. (d) This Agreement shall automatically incorporate by reference any changes in application law and regulations such that this agreement may be deemed amended to comply with any such applicable law. Covered Entity: Business Associate: Professional Office Services, Inc. By: Name: By: Name: Kayleen Homewood Title: Date: Title: Date: Product Manager/ HIPAA Compliance Officer Effective Date: Revised 5/16/14