1. Business Associate shall use or disclose PHI only as set forth in, and in accordance with, this Amendment or as Required by Law. Business Associate shall not use or disclose PHI in any other manner, or for any other purpose.
2. Business Associate agrees that it may use and disclose PHI only if such Use or Disclosure complies with Section 164.504(e) of the Privacy Rules.
Appendix D
Business Associate Agreement and Certification
© Towers Watson 2010
3. Business Associate acknowledges that it is obligated to comply with the standards set forth in Sections 164.502(e) and 164.504(e) of the Privacy Rules in the same manner that such Sections apply to the Plan.
4. Business Associate hereby represents that any PHI it shall seek from Plan shall be the Minimum Necessary, as defined by the Privacy Rules, for Business Associate’s stated purposes under the Agreement(s) and acknowledges that Plan shall rely upon such representation with respect to any request by Business Associate for PHI. Business Associate shall not use or disclose PHI in a manner that would violate the requirements of the Privacy Rules if such Use or Disclosure were made by Plan, except that:
a) Business Associate may use or disclose PHI for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate, provided that
(i) the Disclosure is Required by Law; or
(ii) Business Associate obtains reasonable assurance from any third person to whom the PHI is disclosed that such PHI will remain confidential and will be used or further disclosed only as Required by Law or for the reasons it was disclosed to the third person, and that the third person will notify Business Associate of any instances of which it is aware in which the Confidentiality of the PHI has been breached;
b) Business Associate may use or disclose PHI to provide data aggregation services relating to the “Health Care Operations” (as defined in the Privacy Rules) of Plan if such services are provided for in the Agreement(s) between Plan and Business Associate.
5. Business Associate shall:
a) Use appropriate safeguards to prevent Use or Disclosure of PHI other than as provided for by this Agreement or as Required by Law; and
b) Implement and maintain administrative, physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of the electronic Protected Health Information (“ePHI”) that it creates, receives, maintains, or transmits on the behalf of Plan; such safeguards are to be consistent with the safeguards described in the Security Rules at Sections 164.304 through 164.316; and
c) Upon the request of Plan, from time to time, provide information to Plan about such safeguards.
6. Business Associate shall report to Plan, in writing and within fourteen (14) days of Business Associate’s becoming aware of:
a) Any Use or Disclosure of PHI or ePHI, not provided for by this Agreement or otherwise Required by Law, or
b) Any Security Incident, as that term is defined in Section 164.304 of the Security Rules.
7. Business Associate shall ensure that any agents, including any subcontractors, to whom it provides PHI received from, or created or received by Business Associate on behalf of, Plan agree to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such PHI. Business Associate shall further ensure that any such agent or subcontractor to whom Business Associate provides any such ePHI agrees in writing to implement reasonable and appropriate safeguards to protect such information; such safeguards are to be consistent with the safeguards described in the Security Rules at Sections 164.304 through 164.316.
8. Business Associate shall, within ten (10) days after a request and in the manner designated by Plan or an Individual, provide PHI relating to an Individual that is created or received under an applicable Agreement(s) and contained in a Designated Record Set, to Plan or the Individual, in accordance with Section 164.524 of the Privacy Rules, as amended, including with respect to access to and transmission of PHI that is used or maintained as an electronic health record.
9. Business Associate shall, within ten (10) days after a request and in the manner designated by Plan or an Individual, make PHI available for amendment or correction by Plan or the Individual and shall incorporate any amendments or corrections to PHI in Business Associate’s Designated Record Sets in accordance with Section 164.526 of the Privacy Rules, when Plan or the Individual notifies Business Associate of the amendments or corrections.
10. Business Associate shall, within ten (10) days after a request and in the manner designated by Plan or an Individual, restrict Disclosures of PHI in accordance with Section 164.522 of the Privacy Rules, as amended, when Plan or the Individual notifies Business Associate of the request.
11. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for Plan or Business Associate to respond to a request by an Individual for an accounting of Disclosures in accordance with Section 164.528 of the Privacy Rules, as amended. At a minimum, Business Associate shall document the date of the Disclosure, the name of the entity or person who received the PHI, the address of such entity or person (if known by Business Associate), a brief description of the PHI disclosed, and a brief Statement of the purpose of the Disclosure that reasonably describes the basis for the Disclosure.
12. Business Associate agrees to provide to Plan or an Individual, within fifteen (15) days after a request and in the manner designated by Plan or the Individual, information collected in accordance with Section A (11) of this Amendment during the six years preceding the date of the request, or three years with respect to a request for an accounting of Treatment, Payment or Health Care Operations (except for Disclosures occurring before the Effective Date), or during a shorter period specified in the request, to permit Plan or Business Associate to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with Section 164.528 of the Privacy Rules, as amended.
13. Business Associate shall make its internal practices, books, and records relating to the Use and Disclosure of PHI received from Plan, or PHI created or received by Business Associate on behalf of Plan, available to Plan (or, at the request of Plan, to the Secretary) in a time and manner designated by Plan or the Secretary, to permit the Secretary to determine Plan’s compliance with the Privacy Rules.
14. Business Associate shall, at termination of the Agreement(s), if feasible, return or destroy all PHI received from Plan, or created or received by Business Associate on behalf of Plan, that Business Associate still maintains in any form and retain no copies of such PHI or, if such return or destruction is not feasible, extend the protections of the Agreement(s), including without limitation the provisions of this Amendment, to the PHI and limit further Uses and Disclosures to those purposes that make the return or destruction of the information infeasible.
15. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI in violation of the requirements of this Amendment.
16. In accordance with Section 164.410 of the Security Rules, Business Associate shall, following the discovery of a Breach of Unsecured PHI, notify the Plan of such Breach. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the Breach, who is an employee, officer, or other agent of Business Associate (determined in accordance with the federal common law of agency).
Except as provided in the paragraph below, Business Associate shall provide the notification without unreasonable delay and in no case later than sixty (60) calendar days after discovery of a Breach. The notification shall include, to the extent possible, the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed during the Breach. Business Associate shall provide Plan with any other available information that Plan is required to include in its notification to the Individual, such information to be provided at the time that Business Associate notifies Plan of the Breach or promptly thereafter as information becomes available.
If a Law Enforcement Official states to Business Associate that a notification, notice, or posting required under subpart D of the Security Rules would impede a criminal investigation or cause damage to national security, Business Associate shall: (a) if the statement is in writing and specifies the time for which a delay is required, delay such notification, notice or posting for the time period specified by the official; or (b) if the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than thirty (30) days from the date of the oral statement, unless a written statement as described in (a) above is submitted during that time.
17. Business Associate acknowledges that the Disclosure of PHI may cause irreparable injury to Plan and damages that may be difficult to ascertain. Therefore, Plan shall, upon a Disclosure or threatened Disclosure of any PHI, be entitled to injunctive relief to protect and recover the PHI and Business Associate shall not object to the entry of an injunction or other equitable relief against Business Associate on the basis of an adequate remedy at law, lack of irreparable harm, or any other reason. This provision shall not in any way limit such other remedies as may be available to Plan at law or in equity.
18. Business Associate, at its own expense, shall indemnify and hold harmless Plan, its subsidiaries, affiliates, successors, and assignees, and their directors, officers, employees and agents, and defend any action brought against same with respect to any claim, demand, cause of action, debt, loss, or liability, including without limitation attorneys’ fees and costs, to the extent based upon a claim that any action or omission by Business Associate or its employee, agent, subcontractor, or representative breaches any of Business Associate’s obligations, representations or warranties under this Amendment. This provision shall not in any way limit any other indemnification that may be provided for in the Agreement(s).
19. Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual.