Business Associate Agreement




Board of Regents of the University of Wisconsin System on behalf of the University of Wisconsin Milwaukee, 2010.

This BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is entered into by and between the Board of Regents of the University of Wisconsin System on behalf of the [insert name of Covered Department] at the University of Wisconsin-Milwaukee (the "Covered Entity") and (the "Business Associate").

RECITALS

WHEREAS, the Covered Entity and the Business Associate are parties to an agreement (the "Underlying Agreement") pursuant to which the Business Associate provides certain services to the Covered Entity and, in connection with those services, the Covered Entity discloses to the Business Associate certain individually identifiable Protected Health Information ("PHI"), including electronic PHI, that is subject to protection under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA") and the ARRA (defined below); and

WHEREAS, the parties desire to comply with the HIPAA and ARRA standards for the privacy and security of the PHI of Covered Entity's patients;

NOW THEREFORE, in consideration of the recitals above and the mutual covenants and conditions herein contained, the Covered Entity and the Business Associate enter into this Agreement to provide a full statement of their respective responsibilities.

I. DEFINITIONS

1.1 Unless otherwise provided herein, capitalized terms shall have the same meaning as set forth in HIPAA and its implementing regulations, 45 CFR 160, 164 and the ARRA.

1.2 ARRA shall mean the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, Pub. Law No. 111-5, as amended from time to time, and any existing and future implementing regulations, when and as each is effective.

II. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

2.1 Performance of Agreement. Business Associate agrees to request, use or disclose PHI only as necessary to perform the functions, activities or services for or on behalf of the Covered Entity, specifically permitted or required by the Agreement and in compliance with (i) each applicable requirement of 45 CFR 164.504(e), (ii) 42 USC 17035(b) (minimum necessary), and (iii) as otherwise required by law. Further, Business Associate shall not request, use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Entity.

2.2 Safeguards for Protection of PHI. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the covered entity and to comply with the requirements set forth in 45 CFR 164.308, 164.310, 164.312, and 164.316.

2.3 Mitigation of Harmful Effects of Disclosure of PHI. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.

2.4 Compliance by Agents, Including Subcontractors. Business Associate agrees to ensure that any agents, including subcontractors, to whom it provides PHI received from, created by, or received by the Business Associate on behalf of the Covered Entity agree in writing to the same restrictions and conditions that apply to the Business Associate with respect to such information. To the extent that Business Associate provides ePHI to a subcontractor or agent, it shall require the subcontractor or agent to implement reasonable and appropriate safeguards to protect the ePHI.

2.5 Reporting of Unauthorized Use. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement or any security incident of which it becomes aware. Without unreasonable delay and in no case later than sixty (60) calendar days after discovery, Business Associate shall notify Covered Entity of any Breach of any Unsecured PHI in accordance with 42 USC 17932(b).

2.6 Access to PHI. Business Associate agrees to provide access, at the request of Covered Entity and in the time and manner convenient to both parties, to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements addressed in 45 CFR 164.524.

2.7 Amendments of PHI. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual and in the time and manner convenient to both parties.

2.8 Access to Internal Practices, Books and Records. For the purpose of the Secretary determining Covered Entity's compliance with the Privacy Rule, Business Associate shall make internal practices, books and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, created by, or received by the Business Associate on behalf of the Covered Entity available to the Covered Entity or to the Secretary in a time and manner convenient to both parties or designated by the Secretary.

2.9 Documentation of Disclosures. The Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity or Business Associate to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528 and 42 USC 17935(c).

2.10 Accounting of Disclosures. Business Associate agrees to provide to Covered Entity, in time and manner convenient to all parties, information collected with respect to a particular Individual in accordance with this Agreement in order to permit Covered Entity to respond to a request by such Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528 and 42 USC 17935(c) and (e), and when directed by Covered Entity, make that accounting directly to the Individual.

2.11 Remuneration, Communications and Fundraising. Business Associate agrees (i) not to directly or indirectly receive remuneration in exchange for any PHI in compliance with 42 USC 17935(d); and (ii) not to make or cause to be made any (a) communication about a product or service that is prohibited by 42 USC 17935(a) or (b) written fundraising communication prohibited by 42 USC 17935(a).

III. OTHER PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

3.1 For Management and Administration. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that disclosures are Required By Law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3.2 For Data Aggregation Services. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B).

3.3 To Report Violations of Law. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR 164.502(j)(1).

IV. OBLIGATIONS OF COVERED ENTITY

4.1 Notification.

(a) Regarding Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR 164.520 to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

(b) Regarding Individual's Authorization. Covered Entity shall notify Business Associate of any changes in or revocation of permission by Individual to use or disclose PHI but only to the extent that such changes may affect Business Associate's use or disclosure of PHI.

(c) Regarding Restrictions Per 164.522. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

4.2 General. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

V. TERM AND TERMINATION

5.1 Term. This Agreement shall be effective as of the effective date of the Underlying Agreement and shall terminate on the earlier of (i) termination pursuant to Section 5.2 of this Agreement, and (ii) termination or expiration of the Underlying Agreement.

5.2 Termination for Cause. If either party knows of a pattern of activity or practice of the other party that constitutes a material breach or violation of this Agreement, the non-breaching party shall:

(a) Notice. Provide written notice of the breach or violation to the other party, specifying the nature of the breach or violation.

(b) Cure Opportunity. Provide an opportunity for the breaching party to cure the breach or end the violation. If the breaching party does not cure the breach or end the violation to the reasonable satisfaction of the non-breaching party within thirty days of receipt of the written notice, the non-breaching party may terminate this Agreement and the Underlying Agreement. If cure is not possible, the non-breaching party may immediately terminate this Agreement and the Underlying Agreement.

5.3 Effect of Termination.

(a) Return or Destruction of PHI. Except as provided in paragraph (b) of this section, upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of PHI.

(b) Impossibility of Return or Destruction. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon notification that return or destruction of PHI is infeasible, Business Associate shall extend protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible. This section shall survive termination of this Agreement for any reason.

VI. MISCELLANEOUS

6.1 Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended.

6.2 Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the parties to comply with HIPAA.

6.3 Transferability. Neither party's interest under this Agreement may be transferred or assigned or assumed by any other party, in whole or in part, without the prior written consent of the other party to the Agreement.

6.4 Governing Law. This Agreement shall be governed by and interpreted in accordance with the laws of the State of Wisconsin.

6.5 Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule. If any portion of this Agreement is inconsistent with the terms of the Underlying Agreement, the terms of this Agreement shall prevail.

6.6 Execution. This Agreement may be executed in multiple counterparts, each of which shall constitute an original and all of which shall constitute but one Agreement.

IN WITNESS WHEREOF, the parties have executed this Agreement on the date last shown below but effective as of the date of the Underlying Agreement.

THE BOARD OF REGENTS FOR THE UNIVERSITY OF WISCONSIN SYSTEM ON BEHALF OF THE UNIVERSITY OF WISCONSIN-MILWAUKEE
By:
Date:
Title:

[INSERT NAME OF BUSINESS ASSOCIATE HERE]
By:
Date:
Title: