The Institute of Professional Practice, Inc. Business Associate Agreement




This Business Associate Agreement ("Agreement") effective on (the "Effective Date") is entered into by and between The Institute of Professional Practice, Inc. [also d/b/a Mid-Atlantic Services Corporation] with its principal place of business at 2096 Airport Road, Berlin, Vermont (the "Covered Entity") and (the "Business Associate").

Whereas, the Covered Entity regularly discloses Protected Health Information ("PHI") to the Business Associate and the Business Associate regularly uses or discloses PHI in its performance of services for the Covered Entity; and

Whereas, the Covered Entity and Business Associate intend to comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its associated regulations as modified by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"); and

Whereas, the Covered Entity and Business Associate have entered into that certain Business Associate Agreement dated [ ], and now wish to supersede that Business Associate Agreement in order to comply with HIPAA, as amended by the HIPAA implementing regulations at 45 C.F.R. Parts 160-164. The HIPAA Privacy Rule is the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. part 160 and part 164, subparts A and E. The HIPAA Security Rule is the HIPAA Security Standards (45 C.F.R. Parts 160 and 164, subpart C). The HIPAA Breach Notification Rule is the Notification in the Case of Breach of Unsecured Protected Health Information, as set forth at 45 C.F.R. part 164 subpart D; and

Whereas, the Privacy Rule and the Security Rule require the Covered Entity to obtain written assurance that the Business Associate will appropriately safeguard PHI, the parties wish to set forth the terms and conditions pursuant to which PHI that is provided by, created or received by the Business Associate from or on behalf of the Covered Entity, will be handled in accordance with HIPAA.

Now, therefore, in consideration of the foregoing and of the mutual covenants and agreements set forth herein the parties agree as follows:

1. Definitions. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as in the Privacy Rule, 45 CFR Part 160, or 45 CFR Part 164.

(a) Breach. Breach has the same meaning as that term has in Section 13400 of the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH Act") and 45 CFR 164.402.

(b) Electronic Health Record. Electronic Health Record means the same as electronic protected health information in Section 13400(5) of HITECH.

(c) Electronic PHI. All references to Electronic PHI mean Electronic Protected Health Information under the Security Rule, 45 CFR 160.103.

(d) Electronic Transactions Rule. Electronic Transactions Rule means the final regulations issued by HHS concerning standard transactions and code sets under 45 CFR Parts 160 and 162.

(e) Individual. Individual includes a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

(f) Service Agreement. Service Agreement means the Agreement, dated, as amended, between Covered Entity and Business Associate under which Business Associate provides services for The Institute of Professional Practice, Inc. and persons served by IPPI.

(g) Security Incident. Security Incident means the attempted or successful unauthorized access, use, modification, or destruction of information or interference with system operations in an information system containing IPPI's PHI data base.

(h) Security Rule. Security Rule means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Parts 160 and 162, and Parts 164, Subparts A and C, which shall apply to the Business Associate in the same manner that such sections apply to the Covered Entity.

(i) Transaction. Transaction shall have the same meaning given the term transaction in 45 CFR 160.103.

(j) Unsecured Protected Health Information. Unsecured Protected Health Information is PHI that is not secured through the use of a technology or methodology specified by the Secretary of Department of Health and Human Services ("HHS") in regulations or as otherwise defined in Section 13402(h) of the HITECH Act and 45 CFR 164.402.

2. Services. Services means the services provided by the Business Associate under the Services Agreement dated [ ] or if there is no written Agreement, the services as described below:

Except as otherwise specified herein, the Business Associate may transmit, use, store and disclose PHI only as permitted or required by this Agreement or otherwise as required by law to perform Services. The Business Associate may disclose PHI for the purposes authorized by this Agreement only (a) to its employees, Subcontractors and agents, all as in accordance with Paragraph 3, or (b) as otherwise directed by the Covered Entity to the extent directly related to and necessary for the performance of the Services.

Business Associate will in the performance of the functions, activities, Services and operations make reasonable efforts to use, to disclose, and to request only the minimum amount of PHI reasonably necessary to accomplish the intended purpose of the use, disclosure or request except that Business Associate shall not be obligated to comply with the minimum-necessary limitation if neither Business Associate nor Covered Entity is required by HIPAA to limit its use, disclosure or request to the minimum necessary. The parties acknowledge that the phrase minimum necessary shall be interpreted in accordance with the HITECH Act and any regulations promulgated thereunder.

Business Associate will use, disclose and request, to the extent practicable, only a limited data set (as defined by 45 C.F.R. 164.514(e)(2)), unless there is need for PHI with direct identifiers (as specified in 45 C.F.R. 164.514(e)(2)) to accomplish the purpose for which Business Associate is using, disclosing or requesting the PHI. If there is need for PHI with direct identifiers, Business Associate will use, disclose or request only the Minimum Necessary to accomplish the purpose of the use, disclosure or request.

3. Responsibilities of Business Associate. With regard to its use or disclosure of PHI, the Business Associate hereby agrees that it shall:

(a) Use or disclose the PHI only as needed to perform Services or its obligations for the Covered Entity, provided that such use or disclosure would not violate the Privacy Rules if done by the Covered Entity.

(b) Not use or further disclose PHI other than as permitted or required to perform the Services subject to the provisions of this Agreement or as otherwise required by law.
(c) Implement, maintain and use commercially appropriate security safeguards to prevent unauthorized use or disclosure of PHI including the implementation of administrative, physical and technical safeguards (including written policies and procedures) that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that it creates, receives, maintains or transmits on behalf of the Covered Entity as required to provide the Services.

(d) Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.

(e) Report to the designated Privacy Officer of the Covered Entity, in writing, any use or disclosure of PHI that is not permitted or required by this Agreement of which Business Associate knew or should have known and/or any Security Incident of which it becomes aware. Business Associate will report the aggregate number of unsuccessful attempts to access, use, disclose, or modify Electronic PHI or to interfere with system operations on an information system containing Covered Entity's Electronic PHI. Such reports shall include the data base access logs to Covered Entity's PHI, including but not limited to logs of unsuccessful attempts to access Covered Entity's PHI as well as Breaches wherever such data is maintained. Such reports shall be provided at least quarterly. Business Associate will report to Covered Entity any successful unauthorized access, use, disclosure, modification, or distribution of Electronic PHI or any successful interruption with system operations in an information system containing Electronic PHI, in writing, as soon as reasonably possible.

(f) Notify the Privacy Officer of the Covered Entity immediately of any Breach of Unsecured Protected Health Information as soon as discovered.

(i.) The notification should include, in the exercise of Business Associate's best efforts and due diligence, the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed to have been accessed, acquired or disclosed during such Breach.

(ii.) Notification to Individuals by the Business Associate must be made as soon as reasonably possible and not more than 60 days from discovering the Breach. Notification must be coordinated with and approved by the Covered Entity;

(iii.) Business Associate will coordinate with Covered Entity in the determination of additional specific actions that will be required of the Covered Entity for mitigation of the Breach; and

(iv.) If the Business Associate is a vendor of personal health records, notification of the Breach will need to be made to the Federal Trade Commission.

(g) Be responsible for any and all costs associated with the notification and mitigation of a Breach which results in a disclosure of PHI that violates HIPAA.

(h) Require all of its employees, representatives, Subcontractors or agents that receive or use or have access to PHI to agree in writing to adhere to the same restrictions and conditions and requirements on the use or disclosure of PHI as are contained herein; moreover, Business Associate shall ensure that any such agent or Subcontractor agrees to implement reasonable and appropriate safeguards to protect PHI including but not limited to having such Subcontractor sign a Business Associate Agreement with the Business Associate which includes provisions at least as stringent as those contained herein.
The Business Associate will indemnify and hold IPPI harmless for any and all Breaches of the Agreement by any agent or Subcontractor of the Business Associate in accordance with Section 10 of this Agreement.

(i) Provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524. Amend PHI as required under 45 C.F.R. 164.526 as requested by Covered Entity or an Individual. Comply with Covered Entity's and/or an Individual's request for restrictions and confidential communications in connection with the disclosure of PHI under 45 C.F.R. 164.522 whenever feasible.

(j) Document such disclosure of PHI and information related to such disclosure as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 CFR 164.528.

(k) Business Associate will provide in a timely manner, information collected in accordance with paragraph (i) of this section, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528. At Covered Entity's request, Business Associate will provide an accounting as follows:

(i) Disclosure Tracking. Business Associate will record each disclosure of Individual's PHI which is not excepted from disclosure accounting under 45 C.F.R. 164.528 that Business Associate makes to Covered Entity or a Third Party. The information about each disclosure that Business Associate must record is (a) the disclosure date; (b) the name and (if known) address of the person or entity to whom Business Associate made the disclosure; (c) a brief description of the PHI disclosed, and (d) a brief statement of the purpose of the disclosure (Items (a)-(c), collectively "Disclosure Information"). For repetitive disclosures of Individual's PHI that Business Associate makes for a single purpose to the same person or entity, Business Associate may record (a) the Disclosure Information for the first of these repetitive disclosures, (b) the frequency, periodicity or number of these repetitive disclosures and (c) the date of the last of these repetitive disclosures.

(ii) Exceptions from Disclosure Tracking. Business Associate is not required to record Disclosure Information or otherwise account for disclosures of PHI that are excepted by 45 CFR 164.528(a).

(l) Make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity to Covered Entity or available to HHS in the time and manner determined by the parties or as determined by the Secretary of HHS for purposes of determining the Covered Entity's compliance with the Privacy Rules and Security Rules. With reasonable notice, Covered Entity may audit Business Associate to monitor compliance with this Agreement. Business Associate will promptly correct any violation of this Agreement found by Covered Entity and will certify in writing that the correction has been made. Covered Entity's failure to detect any unsatisfactory practice does not constitute acceptance of the practice or a waiver of Covered Entity's enforcement rights under this Agreement.

(m) Upon written request, make available to the Covered Entity within thirty (30) days during normal business hours at Business Associate's offices, all records, books, agreements, policies and procedures relating to the use and/or disclosure of PHI for purposes of enabling the Covered Entity to determine the Business Associate's compliance with the terms of this Agreement.

(n) Use the minimum necessary of such PHI it creates or receives for or from Covered Entity for Business Associate's proper management and administration or to carry out Business Associate's legal responsibilities. Business Associate may also use PHI to report violations of law to appropriate Federal and state authorities, consistent with 45 CFR 502(j)(l).

(o) Return or destroy the information once this Agreement is terminated, if feasible. If it is not possible to return or destroy the information because of other obligations or legal requirements, the protections of the Agreement will apply until the information is returned or destroyed and no other uses or disclosures may be made except for the purposes that prevented the return or destruction of the information.

(p) If Business Associate transmits, stores, or receives any covered Electronic PHI on behalf of Covered Entity, comply with all applicable provisions of the Standard Law Electronic Transmissions Rule to the extent required by law, and ensure that any agents that assist Business Associate in conducting Covered Electronic Transactions on behalf of the Covered Entity agree in writing to comply with the standards for Electronic Transactions to the extent required by law and to execute a Business Associate Agreement with Business Associate. Business Associate shall also comply with the National Provider Identifier requirements as set forth in 45 CFR Part 162, if and to the extent applicable.

(i) Business Associate will not enter into any trading partner agreement in connection with the conduct of Standard Transactions that (w) changes the definition, data condition, or use of a data element or segment in a Standard Transaction; (x) adds any data element or segment to the maximum defined data set; (y) uses any code or data element that is marked not used in the Standard Transaction's implementation specification or is not in the Standard Transaction's implementation specification; or (z) changes the meaning or intent of the Standard Transaction's implementation specification, as these terms are defined in 45 C.F.R. Part 162.

(ii) All communications between Business Associate and Covered Entity that are required to meet the Standards for Electronic Transactions shall do so.

(q) Under the Security Rules:

(i) Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that it receives, maintains, or transmits on behalf of the Covered Entity and which prevent, detect, contain, and correct security violation.

(ii) Ensure that any agent, including a subcontractor, to whom Business Associate provides such information, agrees to implement reasonable and appropriate safeguards to protect it, including the entering into Business Associate Agreements with those subcontractors with obligations at least as stringent as those contained in this Agreement and which identify Covered Entity as a third party beneficiary with rights of enforcement in the event of a violation. If the agreement does not identify Covered Entity as a third party beneficiary with rights of enforcement, the Business Associate will indemnify and hold IPPI harmless for any and all Breaches of the Business Associate Agreement by such agent or subcontractor of the Business Associate in accordance with Section 10 of this Agreement.

(iii) Immediately report to the Covered Entity any Security Incident of which it becomes aware in accordance with Section 14. Business Associate will upon discovery notify Covered Entity of any Breach of PHI that has not been secured as specified in this Agreement. Business Associate will make such notification without unreasonable delay and in no case later than sixty (60) calendar days after discovery. Business Associate's notice to Covered Entity will identify each Individual whose unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such Breach.

(iv) Establish and implement procedures and other reasonable efforts at its own expense for mitigating, to the greatest extent possible, any harmful effects arising from any improper disclosure or use of PHI.

(v) Comply with each of the Standards and Implementation Specifications of Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.516 (Policies and Procedures and Documentation Requirements) of the HIPAA Security Rule at 45 C.F.R. Part 164, Subpart C. In complying with these Standards and Implementation Specifications, Business Associate will be guided by the guidance issued annually by the Secretary pursuant to HITECH 13401(c).

The foregoing provisions of this subparagraph parallel those in Section 164.504(e) of the Privacy Rules, but do not reference use and disclosure or availability of information to the Covered Entity.

(r) Not transmit PHI outside the United States without the prior written consent of the Covered Entity.

4. Sale of Information Prohibited. Business Associate agrees that it and its agents and subcontractors are prohibited from directly or indirectly receiving remuneration in exchange for an individual's protected health information, and from directly or indirectly receiving payment for any use or disclosure of PHI for marketing purposes.

5. Responsibilities of the Covered Entity. With regard to the use or disclosure of PHI by the Business Associate, the Covered Entity hereby agrees:

(a) To inform the Business Associate of any changes in the form of notice of privacy practices that the Covered Entity provides to Individuals pursuant to 45 CFR 164.520 to the extent such changes may affect Business Associate's use or disclosures of PHI and provide the Business Associate a copy of the notice currently in use.
(b) To inform the Business Associate of any changes in, or revocation of, the permission by Individual to use or disclose PHI to the extent such PHI changes may affect Business Associate's use or disclosure of PHI.

(c) To notify the Business Associate, in writing and in a timely manner, of any restrictions on the use or disclosure of PHI agreed to by the Covered Entity as provided for in 45 CFR 164.522.

(d) Not to request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rules if done by the Covered Entity.

6. Applicability of State Law. If a state law applicable to the relationship between the Covered Entity and the Business Associate applies additional or more stringent requirements to the parties than those required by HIPAA, the Business Associate agrees to comply with the state law requirements.

7. Mutual Representation and Warranty. Each party represents and warrants to the other party that all of its employees, agents, representatives and members of its work force, whose services may be used to fulfill its respective obligations under this Business Associate Agreement, are or shall be appropriately informed of the terms of this Business Associate Agreement, and are under legal obligation to fully comply with all provisions of this Business Associate Agreement.

8. Term and Termination.

(a) Term. This Business Associate Agreement shall become effective on the Effective Date and shall terminate when all of the PHI provided by Covered Entity to the Business Associate, or created or received by the Business Associate on behalf of the Covered Entity, is destroyed or returned to the Business Associate, or created or received by the Business Associate on behalf of the Covered Entity, is destroyed or returned to the Covered Entity, or, if it is not feasible to return or destroy PHI, protection is extended to such information in accordance with Section 8(c) below.

(b) Termination. Upon Covered Entity's knowledge of a material breach of this Business Associate Agreement by Business Associate, Covered Entity may provide an opportunity for Business Associate to cure the breach or end the violation and may terminate this Agreement and the Services if Business Associate does not cure the breach or end the violation within thirty (30) days. If the Business Associate has breached a material term of the Business Associate Agreement and a cure is not possible, then the Covered Entity may immediately terminate this Business Associate Agreement and the Services. If termination is not feasible, the Covered Entity may report the breach to the Secretary of HHS.

(c) Effect of Termination.

(i) Except as provided in subparagraph (ii) of this Section, upon termination of this Business Associate Agreement, for any reason, Business Associate shall return or destroy PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision also shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
(ii) In the event that Business Associate determines that returning or destroying the PHI is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the parties that return or destruction of PHI is not feasible, Business Associate shall extend the protections of this Business Associate Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction not feasible, for so long as Business Associate maintains such PHI.

9. Insurance. Business Associate shall maintain insurance with respect to Business Associate's obligations under this Agreement reasonably satisfactory to Covered Entity and provide, from time to time as requested by Covered Entity, proof of such insurance.

10. Indemnification. Business Associate will indemnify, defend and hold harmless Covered Entity and its respective employees, directors, officers, subcontractors, agents and affiliates from and against all claims, actions, damages, losses, liabilities, fines, penalties, costs or expenses (including without limitation reasonable attorneys' fees) suffered by Covered Entity arising from or in connection with any breach of this Agreement, or any negligent or wrongful acts or omissions in connection with this Agreement, by Business Associate or by Business Associate's employees, directors, officers, subcontractors, or agents.

11. Survival of Certain Provisions of this Agreement and Previous Agreements. The respective rights and obligations of Business Associate and Covered Entity under the provisions of Sections 3, 4, 8(c) and 10, above, shall survive the termination of this Business Associate Agreement indefinitely. No provision of this Agreement shall be construed to supersede any provision of any previous Business Associate Agreement between the parties that is intended to survive the termination of such Agreement.

12. Amendment. This Business Associate Agreement may not be modified or amended, except in writing as agreed to by each party.

13. No Third Party Beneficiaries. Nothing expressed or implied in this Business Associate Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties hereto any rights, remedies, obligations, or liabilities whatsoever.

14. Notices. Any notices to be given hereunder shall be made via U.S. Mail or express courier, or hand delivery to the other party's address given below as follows:

If to Business Associate:

If to Covered Entity:
HIPAA Privacy Officer, Michael Farrah
The Institute of Professional Practice, Inc.
356 Broad Street, 3rd Floor
Fitchburg, MA 01420

15. Inconsistencies. To the extent of any inconsistencies between the Agreement and this Business Associate Agreement, the terms and conditions of this Business Associate Agreement shall be controlling as to HIPAA-related matters.

16. Interpretation. Any ambiguity in the Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rules and Security Rules.
The parties agree to amend this Agreement from time to time as necessary for Covered Entity to comply with the requirements of the Privacy and Security Rules, and HIPAA.

17. Service Agreement. This Agreement amends and supersedes any inconsistent provisions in the Service Agreement concerning the subject matter herein to assure that the parties remain in compliance with final regulations and any amendments to the final regulations promulgated by HHS with respect to PHI.

IN WITNESS WHEREOF, the parties hereto hereby execute this Agreement as of the Effective Date.

Business Associate
Witness
By:
Name:
Title:
Date:

The Institute of Professional Practice, Inc.
Witness
By:
Name: Michael Farrah
Title: Privacy Officer
Date: