Business Associate Provisions
BUSINESS ASSOCIATE AGREEMENT
This BUSINESS ASSOCIATE AGREEMENT (this “Agreement”) is by and between Provider (“Covered Entity”) and ACO (“Business Associate”) (each referred to as a “Party” and collectively, the “Parties”).
WHEREAS, the Parties desire to enter into this Agreement in order to comply with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Health Information Technology for Economic and Clinical Health Act, Public Law §111-5 and the regulations promulgated thereunder by the United States Department of Health and Human Services, including the Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Parts 160 and 164, each as amended by the final rule known as the Omnibus Rule (collectively, “HIPAA”);
WHEREAS, the Parties have entered into the Underlying Agreement (as defined below) pursuant to which Covered Entity and Business Associate may use and/or disclose protected health information (“PHI”) in their performance of the services pursuant to the Underlying Agreement, excluding PHI received by Business Associate for purposes of rendering “treatment” or “healthcare operations” as those terms are defined under HIPAA; and
WHEREAS, this Agreement sets forth the terms and conditions pursuant to which PHI shall be handled between Covered Entity and Business Associate, and with third parties, during the term of the Underlying Agreement and after its termination.
NOW THEREFORE, in consideration of the mutual promises set forth in this Agreement and the business arrangements, and other good and valuable consideration, the sufficiency and receipt of which are hereby severally acknowledged, the Parties agree as follows:
TERMS
1. Participant Provider Agreement. All terms and conditions below apply in connection with that certain Participant Provider Agreement by and between Provider and the ACO (the “Underlying Agreement”). Provider agrees to comply with all terms and conditions of the Underlying Agreement and those set forth in these Provider ACO REACH Terms and Conditions. Capitalized terms used below that are not defined below have the meaning given to them in the Underlying Agreement, unless otherwise specified below.
2. Definitions. All capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in HIPAA.
a. “Breach” when capitalized, shall have the meaning set forth in 45 CFR § 164.402 (including all of its subsections); with respect to all other uses of the word “breach” in this Agreement, the word shall have its ordinary contract meaning.
b. “Effective Date” means the date on which Business Associate was first engaged to provide services to Covered Entity under the Service Agreement.
c. “Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to information that (i) is received by Business Associate from Covered Entity, or (ii) is accessed, created, received, transmitted or maintained by Business Associate on behalf of Covered Entity.
d. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to information that (i) is received by Business Associate from Covered Entity, or (ii) is accessed, created, received, transmitted or maintained by Business Associate on behalf of Covered Entity. PHI includes EPHI.
3. Obligations and Activities of Business Associate.
a. Use and Disclosure. Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement, or as Required By Law. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of the Privacy Rule, Business Associate shall comply with the applicable requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
b. Safeguards. Business Associate shall, where applicable, comply with the HIPAA Security Rule with respect to EPHI and agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of EPHI and that prevent the use or disclosure of such PHI other than as provided for by this Agreement.
c. Minimum Necessary. Business Associate agrees to make reasonable efforts to limit the use and/or disclosure of PHI to the minimum amount of information necessary to accomplish the intended permissible purpose of the use or disclosure.
d. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement.
e. Subcontractors. Business Associate agrees to ensure that any Subcontractor that creates, receives, maintains or transmits PHI on behalf of Business Associate agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
f. Additional Restrictions. If Covered Entity notifies Business Associate that Covered Entity has agreed to be bound by additional restrictions on the uses or disclosures of PHI, Business Associate shall be bound by such additional restrictions and shall not disclose PHI in violation of such additional restrictions in accordance with 45 CFR § 164.522.
g. Access to PHI. Business Associate agrees to make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.524.
h. Amendment of PHI. Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set as reasonably directed by Covered Entity pursuant to 45 CFR § 164.526.
i. Accounting of Disclosures. Business Associate agrees to document and provide to Covered Entity an accounting of disclosures of PHI and information related to such disclosures as reasonably required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
j. Forwarding Requests from Individual. In the event that any Individual requests access to, amendment of or accounting of PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity in accordance with applicable law.
k. Books and Records. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or received by Business Associate on behalf of, Covered Entity available to Covered Entity or to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with HIPAA, in accordance with applicable law.
l. Reporting. Business Associate agrees to report to Covered Entity any Security Incident or other use or disclosure of the PHI not permitted by this Agreement of which it becomes aware, in accordance with HIPAA. If Business Associate discovers that a Breach of Unsecured PHI has occurred, Business Associate shall notify Covered Entity in accordance with the requirements of 45 CFR § 164.410.
4. Permitted Uses and Disclosures by Business Associate.
a. Uses and Disclosures. Except as otherwise expressly limited in this Agreement, Business Associate may use and disclose PHI as permitted under this Agreement, provided that such use or disclosure would not violate HIPAA if done by Covered Entity.
b. Management and Administration. Except as otherwise expressly limited in this Agreement, Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided, however, that any permitted Disclosure of PHI to a third party must be either Required By Law or subject to Business Associate obtaining reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
c. Disclosures Required By Law. Business Associate may use or disclose any PHI as Required By Law.
d. Data Aggregation. Business Associate may use and disclose PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
e. De-Identification. Business Associate may use PHI to de-identify PHI and create de-identified information from PHI as described under 45 CFR § 164.514, subject to any restrictions in HIPAA. Covered Entity and Business Associate understand and acknowledge that properly de-identified information is not PHI under the terms of this Agreement, and Business Associate may subsequently use and disclose such de-identified data unless otherwise prohibited by applicable law.
f. License. Subject to any restrictions established by this Agreement, the Parties agree that Business Associate may access, use, and disclose the information contemplated hereunder to the extent permitted by law, including de-identified information, and agree that any result or product derived from permitted access and use under applicable law, including any derivatives of information, shall be the property of Business Associate and all rights related to such product(s). In the event such license is necessary, Parties agree Business Associate is granted a non-exclusive, transferrable, assignable, fully-paid and royalty-free license to the derivative information, result, and works of the information, and such license shall survive termination of this Agreement.
5. Indemnification. The Parties agree and acknowledge they shall be responsible for their own actions, omissions, negligence or misconduct. Each Party (the “Indemnifying Party”) agrees to indemnify, defend, and hold harmless the other Party (the “Indemnified Party”) and its directors, officers, affiliates, employees, agents, and permitted successors from and against any and all claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys’ fees) arising directly and solely out of the Indemnifying Party’s actions, omissions, gross negligence, or misconduct, including, without limitation, for failure to perform the Parties’ respective obligations under this Agreement, the Privacy Rule, or the Security Rule.
6. Obligations of Covered Entity.
a. Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in any applicable notice of privacy practices in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. Covered Entity shall provide such notice no later than fifteen (15) days prior to the effective date of the limitation.
b. Notification of Changes Regarding Individual Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. Covered Entity shall provide such notice no later than fifteen (15) days prior to the effective date of the change. Covered Entity shall obtain any consent or authorization that may be required by the HIPAA Privacy Rule, or applicable state law, prior to furnishing Business Associate with PHI.
c. Notification of Restrictions to Use or Disclosure of PHI. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. Covered Entity shall provide such notice no later than fifteen (15) days prior to the effective date of the restriction. Covered Entity shall obtain any consent or authorization that may be required by the HIPAA Privacy Rule, or applicable state law, prior to furnishing Business Associate with PHI.
d. Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule, the Security Rule or HIPAA if done by Covered Entity, except as permitted pursuant to the provisions of Section 4 of this Agreement.
7. Termination.
a. Term. This Agreement shall be effective as of the Effective Date, and shall continue until terminated in accordance with Section 7.b hereof, or until the Underlying Agreement terminates.
b. Termination. Upon either Party’s (the “Non-Breaching Party”) knowledge of a material breach by the other Party (the “Breaching Party”), the Non-Breaching Party shall provide thirty (30) days for the Breaching Party to cure the material breach, and if the Breaching Party does not cure the material breach within such time, the Non-Breaching Party may terminate this Agreement and the Underlying Agreement, as appropriate. If the Breaching Party has violated a material term of this Agreement, and cure is not possible, the Non-Breaching Party may immediately terminate this Agreement.
c. Effect of Termination. Upon termination of this Agreement or the Underlying Agreement, for any reason, Business Associate shall destroy all PHI received from Covered Entity or received by Business Associate on behalf of Covered Entity, except to the extent any such PHI is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities. Notwithstanding the foregoing, in the event that Business Associate determines that destroying the PHI is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make destruction not feasible, and Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the destruction not feasible, for so long as Business Associate maintains such PHI.
8. Miscellaneous.
a. Regulatory References. A reference in this Agreement to a section in HIPAA means the section as in effect or as amended from time to time, and for which compliance is required.
b. Primacy. To the extent that any provisions of this Agreement conflict with the provisions of the Underlying Agreement or any other agreement or understanding between the Parties, this Agreement shall control with respect to the subject matter of this Agreement.
c. Amendment; Waiver. This Agreement may not be modified, nor shall any provision be waived or amended, except in writing duly signed by the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
d. Ambiguities. Any ambiguity in this Agreement shall be resolved to permit compliance with HIPAA. To the extent any provision of this Agreement conflicts with any provision of any other agreement or understanding between the Parties, this Agreement shall control with respect to the subject matter of this Agreement.
e. Injunctions. Covered Entity and Business Associate agree that any violation of the provisions of this Agreement may cause irreparable harm to Covered Entity. Accordingly, in addition to any other remedies available to Covered Entity at law, in equity, or under this Agreement, in the event of any violation by Business Associate of any of the provisions of this Agreement, or any explicit threat thereof, Covered Entity shall be entitled to an injunction or other decree of specific performance with respect to such violation or explicit threat thereof, without any bond or other security being required and without the necessity of demonstrating actual damages. The Parties’ respective rights and obligations under this Section 8.e shall survive termination of the Agreement.
f. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended or shall be deemed to confer upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, obligations, remedies or liabilities.
g. Counterparts; Facsimiles. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.
h. Independent Contractors. No provision of this Agreement is intended to create, nor shall be deemed or construed to create, any employment, agency or joint venture relationship between Covered Entity and Business Associate other than that of independent entities contracting with each other hereunder solely for the purpose of effectuating the provisions of this Agreement. None of the Parties or any of their respective representatives shall be construed to be the agent, employer, or representative of the other. The Parties have reviewed the factors to determine whether an agency relationship exists under the federal common law of agency and it is not the intention of either Covered Entity or Business Associate that Business Associate constitutes an “agent” under such common law.
i. Notices. Any notices to be given under this Agreement to a Party shall be in accordance with the terms and conditions set forth in the Underlying Agreement.
Last revised May 30, 2023