BUSINESS ASSOCIATE AGREEMENT
Health Insurance Portability and Accountability Act of 1996
This Agreement is by and between the undersigned HIPAA (Health Insurance Portability and Accountability Act of 1996) Covered Entity as defined below (the “Covered Entity”) and U2 Cloud, LLC or its affiliates (hereinafter “U2” or sometimes “Business Associate”), collectively, the “Parties”. This Agreement shall become effective on _____________________ unless otherwise specified herein and shall terminate pursuant to those further provisions of this Agreement.
WHEREAS, the United States Department of Health and Human Services has promulgated regulations at 45 C.F.R. Parts 160, 162, and 164 relating to standards for privacy and security of individually identifiable health information (the “Privacy and Security Rules”) pursuant to Subtitle F (Administrative Simplification) of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191, August 21, 1996, 110 Stat. 1936), 42 U.S.C. § 1320d – 1320d-8 (collectively with the Privacy and Security Rules, as each may be amended from time to time, referred to herein sometimes as “HIPAA”); and
WHEREAS, the Parties desire to enter into an arrangement whereby Business Associate will provide certain services to Covered Entity, and, pursuant to such arrangement, Business Associate may be considered a “Business Associate” of Covered Entity as defined in the applicable sections of 45 CFR (HIPAA Privacy Rule), as amended; and
WHEREAS, the undersigned Covered Entity is a health care provider or similar entity with similar requirements responsible for transmitting health information electronically as defined in 45 CFR §160.103; and
WHEREAS, Business Associate may have access to Protected Health Information in the course of providing services pursuant to this Agreement;
THEREFORE, in consideration of the Parties’ mutually beneficial obligations under the HIPAA Privacy Rule, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged by each, the Parties further agree as stated herein.
1. PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION BY BUSINESS ASSOCIATE
1.1 Business Associate agrees to use or disclose any Protected Health Information solely for (a) meeting its obligations as set forth in any agreements between the Parties evidencing their business relationship, or (b) as required by applicable law, rule or regulation, or by an accrediting or credentialing organization to whom Covered Entity is required to disclose such information or as otherwise permitted under this Agreement or the HIPAA Privacy
1.2 Business Associate agrees that upon termination of this Agreement, or any similar documentation of the business relationship of the Parties, or upon request of Covered Entity, whichever occurs first, if feasible, Business Associate will return or destroy all Protected Health Information received from Covered Entity that Business Associate still maintains in any form and retain no copies of such information, or if such return or destruction is not feasible, Business Associate will extend the protections of this Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible.
1.3 Business Associate agrees to ensure that its agents, including a subcontractor, to whom it provides Protected Health Information received from or created by Business Associate on behalf of Covered Entity, agrees to the same restrictions and Protected Health Information and agrees to take reasonable steps to ensure that its agents’ actions or omissions do not cause the Business Associate to breach this Agreement.
1.4 Notwithstanding the prohibitions set forth in this Agreement, Business Associate may use and disclose Protected Health Information as follows:
(a) if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met:
(b) the disclosure is required by law; or
(c) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(d) Business Associate will implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted in this Agreement. The Secretary shall have the right to audit Business Associate’s records and practices related to use and disclosure of Protected Health Information to ensure Covered Entity’s compliance with the Covered Entity any use or disclosure of Protected Health Information which is not in compliance with the terms of this agreement of which it becomes aware.
(e) Business Associate may provide data aggregation services relating to the health care operations of the Covered Entity.
2. OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as required by law.
2.2 Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.
2.3 Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware.
2.4 Business Associate agrees that any agent, including a subcontractor, to whom it provides Protected Health Information received from Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
2.5 Business Associate agrees to make internal practices, books, and records, including policies and procedures, relating to the use and disclosure of Protected Health Information received from Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
2.6 Business Associate agrees to make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526.
3. RESPONSIBILITY FOR PROTECTED HEALTH INFORMATION
3.1 The parties agree that, due to the nature of the technology utilized by Business Associate, Business Associate cannot make available Protected Health Information to the extent and in the manner required by Section 164.524 of the HIPAA Privacy Rule. This requirement shall be the sole responsibility of Covered Entity.
3.2 The parties agree that, due to the nature of the technology utilized by Business Associate, Business Associate cannot make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with the requirements of Section 164.526 of the HIPAA Privacy Rule. This requirement shall be the sole responsibility of Covered Entity.
3.3 The parties agree that, due to the nature of the technology utilized by Business Associate, Business Associate cannot make Protected Health Information available for purposes of accounting of disclosures, as required by Section 164.528 of the HIPAA Privacy Rule. This requirement shall be the sole responsibility of Covered
4.1 “Covered Entity” shall have the meaning given in 45 C.F.R. § 160.103.
4.2 “Individual” shall have the meaning given in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative pursuant to 45 C.F.R. § 164.502(g).
4.3 “Protected Health Information” shall have the meaning given in 45 C.F.R. § 160.103 limited to the information received by the customer and/or the Business Associate from or on behalf of the Covered Entity. “Electronic Protected Health Information” or “EPHI” is a subset of PHI and shall have the meaning given in 45 C.F.R. § 160.103.
4.4 “Required by Law” shall have the same meaning given in 45 C.F.R. § 164.103.
4.5 “Security Regulations” means the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Parts 160, 162 and 164, as they apply to Covered Entity.
4.6 “Secretary” shall mean the Secretary of the United States Department of Health and Human Services.
4.7 In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Privacy Rule, as amended, the HIPAA Privacy Rule shall control. Where provisions of this Agreement are different than those mandated in the HIPAA Privacy Rule, but are nonetheless permitted by the HIPAA Privacy Rule, the provisions of this Agreement shall control.
Termination of Covered Entity’s business relationship with Business Associate shall be governed under the terms set forth in a separate U2 Cloud User Agreement, such Agreement to be incorporated herein by reference. Notwithstanding anything in this Agreement or in the U2 Cloud User Agreement to the contrary, Covered Entity shall have the right to terminate this Agreement immediately if Covered Entity determines that Business Associate has violated any material term of this Agreement.
6.1 Rights Created. This Agreement is not intended to create any right that is not expressly stated herein or expressly created in the HIPAA Privacy Rule as to any party. Further, no relationship between the Parties is created or implied by this Agreement other than that of separate and independent entities contracting for the express business purposes specified herein.
6.2 Failure of Compliance; Cure. Should either Party believe at any time that any provision of this Agreement fails to comply with the in-force requirements of the HIPAA Privacy Rule or related regulations, that Party shall notify the other Party in writing of such failure. After such notification, for a period of thirty (30) days thereafter, the Parties take all corrective steps necessary to ensure compliance. At the expiration of such period, and if such failure remains uncorrected, either Party has the right to terminate this Agreement immediately after written notice specifying such failure of compliance to the other Party.
6.3 Governing Law. This Agreement will be governed by and construed in accordance with the laws of the State of Florida without regard to its conflicts of laws principles. Any claim or suit arising out of or relating to this Agreement will be brought in any court of competent jurisdiction located in the County of Duval and State of Florida.
6.4 Severability. If any one or more of the provisions contained herein will, for any reason, be held to be invalid, illegal, or unenforceable in any respect, such invalidity, illegality, or unenforceability will not affect any of the other provisions of this Agreement, and this Agreement will be construed as if such provision(s) had never been contained herein, provided that such provision(s) will be curtailed, limited, or eliminated only to the extent necessary to remove the invalidity, illegality or unenforceability.
6.5 Survival of Obligations. The obligations of the Parties as to all Protected Health Information shall survive the expiration, termination and/or cancellation of this Agreement, until such time as all such information has been returned to Covered Entity or destroyed.
6.6 Waiver; Modification. No waiver by either Party of any breach of the provisions of this Agreement will be deemed a waiver of any preceding or succeeding breach of this Agreement. No such waiver will be effective unless it is in writing signed by the parties hereto, and then only to the extent expressly set forth in such writing. This Agreement may be amended or modified only in a writing signed by the Parties.
6.7 Minimum Requirements. The Parties acknowledge and agree that the regarding Business Associate’s use and disclosure of Protected Health Information. Should there be any more restrictive practices regarding Protected Health Information under which the Business Associate provides its services to Covered Entity, the more restrictive provisions shall control.
[End of Agreement; signatures on page following]
IN WITNESS WHEREOF, the Parties have executed this Agreement as of the day and year written above.
Authorized Signatory: _______________________________
U2 Cloud, LLC
Authorized Signatory: _______________________________