ABOM Business Associate Agreement This agreement ( Agreement ) is between the American Board of Obesity Medicine ( ABOM ), as the Business Associate, and the Covered Entity (individually a Party and collectively the Parties ) and is intended to comply with the provisions of the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) and the regulations promulgated thereunder by the U.S. Department of Health and Human Services set forth in the Privacy Rule. Recitals WHEREAS, ABOM, a Colorado nonprofit corporation, is an independent medical specialty board which provides certification and related services to physicians in the field of bariatric medicine, including, but not limited to, administering a certification exam ( Examination ) and evaluating a physician s credentials, professional experience, charts or other medical records to determine whether ABOM should award board certification in bariatric medicine to such physician ( Credentialing Services ); WHEREAS, ( Physician ), an individual residing in the State of who is submitting an application for an Examination to ABOM, may disclose or otherwise provide to ABOM certain Protected Health Information in connection with the Credentialing Services; WHEREAS, ABOM and Physician intend to protect the privacy of Protected Health Information as Required by Law and otherwise comply with the provisions of HIPAA and the Privacy Rule; and NOW, THEREFORE, ABOM and Physician hereby agree as follows: 1. Definitions Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule. (a) (b) Business Associate. The term Business Associate shall mean ABOM. Covered Entity. The term Covered Entity shall mean Physician. (c) Individual. The term Individual shall have the same meaning as the term individual in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g). (d) Privacy Rule. The term Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.
(e) Protected Health Information. The term Protected Health Information shall have the same meaning as the term protected health information in 45 CFR 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity. (f) Required by Law. The term Required by Law shall have the same meaning as the term required by law in 45 CFR 164.103. (g) Secretary. The term Secretary shall mean the Secretary of the Department of Health and Human Services or his or her designee. 2. Obligations and Activities of Business Associate (a) Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required by Law. (b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement. (c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. (d) Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware. (e) Business Associate agrees to ensure that its directors, officers, committee members, employees, agents, independent contractors, and representatives to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agree to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. (f) Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity available to Covered Entity or to the Secretary, within thirty (30) days of a written request, for purposes of the Secretary determining Covered Entity s compliance with the Privacy Rule. (g) Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (h) Business Associate agrees to provide to Covered Entity, within thirty (30) days of a written request, information collected in accordance with Section 2(g) of this Agreement, to 2
permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. 3. Permitted Use and Disclosures by Business Associate (a) Except as otherwise limited in this Agreement, Business Associate shall be permitted to use or disclose Protected Health Information that it receives from or on behalf of Covered Entity for the purpose of providing the Credentialing Services. Business Associate may provide Protected Health Information to, and permit the use of Protected Health Information by, its directors, officers, committee members, employees, agents, independent contractors, and representatives to the extent Business Associate, in its sole discretion, determines is necessary for providing Certification Services. (b) Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information for the proper management and administration of Business Associate, provided that disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. (c) Business Associate may use Protected Health Information to report violations of law to appropriate federal and state authorities, consistent with 45 CFR 164.502(j)(1). 4. Obligations of Covered Entity (a) Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate s use or disclosure of Protected Health Information. (b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate s use or disclosure of Protected Health Information. (c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate s use or disclosure of Protected Health Information. (d) Covered Entity acknowledges that, in addition to the execution of this Agreement, Covered Entity may obtain, in Covered Entity s sole discretion, Individual patient authorizations from any Individual whose Protected Health Information may be disclosed to or used by Business Associate in connection with the Credentialing Services whereby such Individual consents to, authorizes, and otherwise permits the disclosure and use of such Protected Health Information by Business Associate for the Credentialing Services. 3
(e) Covered Entity acknowledges that he or she has obtained, and will obtain, from Individuals the necessary consents, authorizations and other permissions Required by Law for Business Associate and Covered Entity to comply with HIPAA, the Privacy Rule and any provision in this Agreement. (f) Covered Entity acknowledges that, in certain circumstances, a hospital, healthcare facility, or other medical facility ( Healthcare Facility ), wherein Covered Entity is employed, affiliated, or has otherwise provided any treatment to any Individual at such Healthcare Facility, may require Business Associate to execute a business associate agreement between the Healthcare Facility and Business Associate to comply with HIPAA and the Privacy Rule. Covered Entity acknowledges that it is Covered Entity s sole responsibility to inform Business Associate, in writing, of such requirement and to obtain any necessary business associate agreement between Business Associate and Healthcare Facility. 5. Permissible Requests by Covered Entity Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA and the Privacy Rule if done by Covered Entity. 6. Term and Termination (a) Term. The Term of this Agreement shall be effective as of the date this Agreement is signed by Covered Entity (the Effective Date ) and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section. (b) Termination for Cause. Upon Covered Entity s knowledge of a material breach by Business Associate of this Agreement, Covered Entity shall either: (1) Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity; or (2) Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible. Business Associate acknowledges that in the event of a material breach of this Agreement, Covered Entity may report the breach to the Secretary. (c) Effect of Termination. (1) Except as provided in paragraph (2) of this Section 6(c), upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health 4
Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of any directors, officers, committee members, employees, agents, independent contractors, and representatives of Business Associate. Business Associate shall retain no copies of the Protected Health Information. (2) In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon written notice that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. 7. Miscellaneous (a) Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended. (b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the then most current version of HIPAA and the Privacy Rule. (c) Survival. The respective rights and obligations of Business Associate under Section 6(c) of this Agreement shall survive the termination of this Agreement. (d) Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with HIPAA and the Privacy Rule. (e) Notice. Any notice, approval, request, authorization, direction or other communication under this Agreement will be given in writing and will be deemed to have been delivered and given for all purposes: (i) on the delivery date if delivered by electronic mail or by confirmed facsimile; (ii) on the delivery date if delivered personally to the Party to whom the same is directed; (iii) one business day after deposit with a commercial overnight carrier, with written verification of receipt; or (iv) five (5) business days after the mailing date, if sent by U.S. mail, return receipt requested, postage and charges prepaid, or any other means of rapid mail delivery for which a receipt is available. The contact information below may be used by the Parties hereto: Business Associate Covered Entity Dana Brittan c/o ABOM 2821 S. Parker Road, Suite 625 Aurora, CO 80014 5
Phone: (303) 752-4000 Fax: (303) 752-4001 Email: brittan@abomcertification.com Phone: Fax: Email: (f) Counting Days. If a Party is required to complete the performance of an obligation under this Agreement by a date certain and such date is a Saturday, Sunday, or federal bank holiday (collectively, a Non-Business Day), then the date for the completion of such performance will be the next succeeding day that is not a Non-Business Day. (g) Waiver by Accepting Varied Performance. No waiver of any provision or consent to any action shall constitute a waiver of any other provision or consent to any other action, whether or not similar. No waiver or consent shall constitute a continuing waiver or consent or commit a Party to provide a waiver in the future except to the extent specifically set forth in writing. Any waiver given by a Party shall be null and void if the Party requesting such waiver has not provided a full and complete disclosure of all material facts relevant to the waiver requested. (h) Independent Contractors. The Parties to this Agreement are independent contractors. Neither Party is an agent, representative or employee of the other Party. Neither Party will have any right, power or authority to enter into any agreement for or on behalf of, or incur any obligation or liability of, or to otherwise bind, the other Party. This Agreement will not be interpreted or construed to create an association, agency, joint venture or partnership between the Parties or to impose any liability attributable to such a relationship upon either Party. (i) Consent to Jurisdiction and Forum Selection. The Parties hereto agree that all actions or proceedings arising in connection with this Agreement shall be tried and litigated exclusively in the state and federal courts located in the County of Denver, State of Colorado. (j) Choice of Law. This Agreement shall be governed by and construed under the laws of the State of Colorado without consideration of its conflict of laws provisions. (k) Further Assurances. The Parties shall at their own cost and expense execute and deliver such further documents and instruments and shall take such other actions as may be reasonably required or appropriate to carry out the intent and purposes of this Agreement. (l) Counterparts. This Agreement may be executed in two or more counterparts, via facsimile, electronically or otherwise, any of which shall have the same affect as the originals, but all of which, when taken together, shall constitute one and the same instrument. (m) Compliance with Privacy Rule. Any ambiguity in this Agreement shall be resolved in favor of an interpretation that brings the Agreement into compliance with the then most current version of HIPAA and the Privacy Rule. 6
Date. IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective COVERED ENTITY: PHYSICIAN BUSINESS ASSOCIATE: ABOM a Colorado nonprofit corporation By: Print Name: Date: By: John B. Cleek, M.D. Its: 7