BUSINESS ASSOCIATE ADDENDUM. WHEREAS, Provider (as defined below) has a contractual relationship with FHCCP requiring this Addendum;




BUSINESS ASSOCIATE ADDENDUM

This BUSINESS ASSOCIATE ADDENDUM (this "Addendum") is made and entered into as of July 1, 2012, ("Effective Date") and supplements and is made a part of the services agreement (the "Agreement") by and between the School District of Harrisburg ("Covered Entity") and the Family Health Council of Central Pennsylvania, Inc. ("Business Associate") denominated as the yearly SUBCONTRACT between the parties.

WHEREAS, Provider (as defined below) has a contractual relationship with FHCCP requiring this Addendum;

WHEREAS, both Parties seek to comply with the federal privacy and security regulations set forth in 45 C.F.R. Parts 160 and 164 and the Health Information Technology for Economic and Clinical Health ("HITECH") Act.

NOW, THEREFORE, for and in consideration of the mutual covenants contained herein, the Parties to this Addendum, intending to be legally bound, hereby agree as follows:

SECTION 1. DEFINITIONS

1.1 ARRA. ARRA shall mean Subtitle D - Privacy, 13401 of the American Recovery Act and Reinvestment Act of 2009 within the HITECH Act.

1.2 Business Associate. Business Associate shall mean FHCCP.

1.3 Covered Entity. Covered Entity shall mean Provider.

1.4 Electronic PHI. Electronic PHI shall have the meaning set forth in the Security Rule at 45 C.F.R. 160.103, limited to the information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.

1.5 Individual. Individual shall have the meaning as the term "individual" set forth in 45 C.F.R. 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).

1.6 PHI. PHI shall mean collectively Protected Health Information and Electronic PHI, limited to the information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.

1.7 Privacy Rule. Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, Subparts A and E.

1.8 Protected Health Information. Protected Health Information shall have the same meaning as the term "protected health information" in 45 C.F.R. 164.501, limited to the information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.

1.9 Provider. Provider shall mean School District of Harrisburg.

1.10 Required by Law. Required By Law shall have the same meaning as the term "required by law" in 45 C.F.R. 164.501.

1.11 Security Rule. Security Rule shall have the meaning set forth at 45 C.F.R. Parts 160 and 164, Subparts A and C.

1.12 Secretary. Secretary shall mean the Secretary of the Department of Health and Human Services or his designee.

SECTION 2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

2.1 Business Associate agrees to not use or disclose PHI other than as permitted or required by this Addendum, the Agreement or as Required by Law.

2.2 Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Addendum.

2.3 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or any of its contractors in violation of the requirements of this Addendum.

a. Business Associate agrees to immediately, but in no event later than five (5) days, report to Covered Entity any use or disclosure of PHI not permitted by this Addendum of which it becomes aware.

b. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Addendum to Business Associate with respect to such information, including, without limitation, all requirements regarding the safeguarding of Electronic PHI and the obligations regarding compliance with the Security Rule provisions set forth in this Addendum.

c. To the extent applicable, Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner agreed upon, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. 164.524.

d. To the extent applicable, Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. 164.526 at the request of Covered Entity or an Individual, and in the time and manner agreed upon.

e. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in a time and manner agreed upon or designated by the Secretary, for purposes of the Secretary determining compliance with the Privacy Rule.

f. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528.

g. Business Associate agrees to provide information to Covered Entity, within thirty (30) days following a written request by Covered Entity for an accounting of disclosures under subsection (f), to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528; provided, however, upon the effective date of Subtitle D-Privacy, 13405(c)(3) of ARRA and upon the written request of Covered Entity, Business Associate shall make such accountings directly to the Individual.

h. Business Associate shall use appropriate safeguards to prevent unauthorized use or disclosure of PHI and shall in accordance with the Security Rule, implement such administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity.

i. In addition to the obligations set forth in subsection (h), on such date as ARRA becomes effective, Business Associate shall abide by Sections 164.308, 164.310, 164.312 and 164.316 of the Security Rule to the same extent that Covered Entity is obligated to abide by such sections. Business Associate acknowledges that Business Associate may be subject to certain civil and criminal penalties for violating such provisions of the Security Rule.

j. On such date as Subtitle D - Privacy, 13402(b) of ARRA becomes effective, to the extent that Business Associate accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses, or discloses unsecured health information (as such term is defined in subsection (h)(i) of 13402 of ARRA), then Business Associate shall, promptly, but in no event greater than five (5) days following discovery of a breach involving unsecured health information, notify Covered Entity in writing of such breach, which such notification shall include the identification of each Individual whose unsecured protected health information has been, or is reasonably believed to have been accessed, acquired or disclosed during such breach. In addition, Business Associate will cooperate with Covered Entity with providing notice of the breach to Individuals.

k. Business Associate acknowledges that Business Associate may be violating the Privacy Rule if Business Associate breaches the terms of this Addendum or if Business Associate knows of a pattern of activity of practice of Covered Entity that constitutes a material breach of Covered Entity's obligations under this Addendum or otherwise involves PHI unless Covered Entity took reasonable steps to cure the breach or end the violation following notification by Business Associate to Covered Entity, and if such steps by Covered Entity were unsuccessful in curing such breach or ending such violation, Business Associate did not either terminate the arrangement or if termination was not feasible, report such problem to the Secretary. Business Associate further acknowledges that in the event of such violation of the Privacy Rule by Business Associate, Business Associate may be subject to certain civil and criminal penalties.

SECTION 3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE: GENERAL USE AND DISCLOSURE

3.1 Service Agreement. Except as otherwise limited in this Addendum, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement, provided such use or disclosure would not violate the Privacy Rule or Security Rule if done by Covered Entity or the minimum necessary policies and procedures governing the minimum necessary use, as the same may be amended from time to time, of the Covered Entity.

SECTION 4. SPECIFIC USES AND DISCLOSURE PROVISIONS

4.1 Except as otherwise limited in this Addendum, Business Associate may use protected PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

a. Except as otherwise limited in this Addendum, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that such disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person is required in writing to immediately notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

b. Except as otherwise limited in this Addendum, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 42 C.F.R. 164.504(e)(2)(i)(B).

c. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 164.502(j)(1).

SECTION 5. OBLIGATIONS OF COVERED ENTITY TO INFORM BUSINESS ASSOCIATE OF PRIVACY PRACTICES AND RESTRICTIONS

5.1 Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 C.F.R. 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.

a. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.

b. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

SECTION 6. NON-PERMISSIBLE REQUESTS BY COVERED ENTITY

6.1 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.

SECTION 7. TERM AND TERMINATION

7.1 Term. The Term of this Addendum shall be effective as of the above date, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created, received, maintained or transmitted by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.

a. Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity may:

1. Provide an opportunity for Business Associate to cure the breach or end the violation and then terminate this Addendum and the Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;

2. Immediately terminate this Addendum and the Agreement if Business Associate has breached a material term of this Addendum and cure is not possible; or

3. Report the violation to the Secretary if neither termination nor cure are feasible.

b. Effect of Termination

1. Except as provided in paragraph (2) of this subsection, upon termination of this Addendum for any reason, Business Associate shall destroy or return all PHI to Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.

2. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon written agreement that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

SECTION 8. MISCELLANEOUS

8.1 Regulatory References. A reference in this Addendum to a section in the Privacy Rule or the Security Rule means the section as in effect or as amended.

a. Amendment. The Parties agree to take such action as is necessary to amend this Addendum from time to time as is necessary for Covered Entity to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (HIPAA).

b. Survival. The obligations of Business Associate under Section 7.1(b) Effect of Termination of this Addendum shall survive the termination of this Addendum.

c. Interpretation. Any ambiguity in this Addendum shall be resolved to permit Covered Entity to comply with HIPAA.

d. Prior Agreements. This Addendum supersedes all prior Business Associate Agreements by and between the Parties.

IN WITNESS WHEREOF, the parties hereto have duly executed this Addendum as of the date first above written.

FHCCP
BY:
TITLE:
DATE:

PROVIDER: SCHOOL DISTRICT OF HARRISBURG
NAME/TITLE: Jennifer Smallwood, Board Vice President
BY:
DATE:

ATTEST:
NAME/TITLE: Carol Kaufmann, Board Secretary
BY:
DATE: