The Business Associate Policy and Procedure is part of all contracts with Angels Service LLC.
Angels Service LLC is referred to as “Covered Entity” or “CE”, and all other parties are referred to as “Associate”.
A. CE wishes to disclose certain information to Associate pursuant to the terms of the Contract, some of which may constitute Protected Health Information (“PHI”) (defined below).
B. CE and Associate intend to protect the privacy and provide for the security of PHI disclosed to Associate pursuant to this Contract in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and regulations promulgated thereunder by the U.S. Department of Health and Human Services (the “HIPAA Regulations”) and other applicable laws, as amended.
C. As part of the HIPAA Regulations, the Privacy Rule (defined below) requires CE to enter into a contract containing specific requirements with Associate prior to the disclosure of PHI, as set forth in, but not limited to, Title 45, Sections 160.103, 164.502(e) and 164.504(e) of the Code of Federal Regulations (“CFR”) and contained in this Addendum.
The parties agree as follows:
a. Except as otherwise defined herein, capitalized terms in this policy shall have the definitions set forth in the HIPAA Privacy Rule at 45 CFR Parts 160 and 164, as amended (“Privacy Rule”). In the event of any conflict between the mandatory provisions of the Privacy Rule and the provisions of this Contract, the Privacy Rule shall control. Where the provisions of this Contract differ from those mandated by the Privacy Rule, but are nonetheless permitted by the Privacy Rule, the provisions of this Contract shall control.
b. “Protected Health Information” or “PHI” means any information, whether oral or recorded in any form or medium: (i) that relates to the past, present or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 CFR Section 164.501.
c. “Protected Information” shall mean PHI provided by CE to Associate or created or received by Associate on CE’s behalf.
Obligations of Associate.
a. Permitted Uses. Associate shall not use Protected Information except for the purpose of performing Associate’s obligations under this Contract and as permitted under this Addendum. Further, Associate shall not use Protected Information in any manner that would constitute a violation of the Privacy Rule if so used by CE. Associate may use Protected Information: (i) for the proper management and administration of Associate; (ii) to carry out the legal responsibilities of Associate; or (iii) for Data Aggregation purposes for the Health Care Operations of CE as permitted by 45 CFR pt. 164.504(e)(2)(i)(B).
b. Permitted Disclosures. Associate shall not disclose Protected Information in any manner that would constitute a violation of this Agreement, or of the Privacy Rule if disclosed by CE. Associate may disclose Protected Information if (a) the disclosure is Required By Law, or (b) Associate ensures that the person or entity to whom PHI is disclosed under this section will (i) maintain the confidentiality of the information disclosed, (ii) use or further disclose such information only as Required By Law or for the purpose for which it was disclosed to such person, and (iii) immediately notify Associate of any compromise of the confidentiality of the information. Associate may disclose Protected Information as necessary to report violations of law to appropriate federal or state authorities, consistent with 45 CFR Section 164.502(j)(1). Additional provisions, if any, governing permitted disclosures of Protected Information are set forth in Attachment 1 to this Addendum.
c. Appropriate Safeguards. Associate shall implement appropriate safeguards as are necessary to protect the confidentiality, integrity, and availability of Protected Information; protect against any threats or hazards to the security or integrity of such information; and protect against unauthorized access to, or use of, such information. Associate shall maintain a comprehensive written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the Associate’s operations and the nature and scope of its activities. Associate will provide CE with such information concerning Associate’s safeguards and information security program as CE may reasonably request from time to time.
d. Reporting of Violations and Security Incidents. Associate shall report to Covered Entity (a) any successful unauthorized access, use, disclosure, acquisition, modification, or destruction of Covered Entity’s electronic PHI; (b) any successful interference with Associate’s information systems that affects the confidentiality, integrity, or availability of Covered Entity’s electronic PHI; or (c) any use or disclosure of Covered Entity’s PHI, whether in electronic or paper form, in violation of this Agreement, of which Associate becomes aware. Associate will make such report orally to Covered Entity within 24 hours of Associate’s becoming aware of the incident, followed by a report in writing (facsimile or e-mail is acceptable) within 48 hours of the initial oral report. The written report shall include, at a minimum and subject to the availability of necessary information, a brief description of the incident, the date and time that the incident occurred, the date and time that the incident was discovered, the identity and state of residence of affected plan participants and the affected categories of information for each plan participant, and a brief description of the steps taken to mitigate the incident. Associate shall take (i) prompt corrective action to mitigate the harmful effects of any such Security Incident or unauthorized use or disclosure of PHI, and (ii) any additional action pertaining to such Security Incident or unauthorized use or disclosure required by applicable federal and state laws and regulations.
Except upon request of Covered Entity, Associate is not required to report to Covered Entity (a) any unsuccessful unauthorized access, use, disclosure, modification, or destruction of the Covered Entity’s electronic PHI, or (b) any unsuccessful interference with Associate’s information systems that affects Covered Entity’s electronic PHI, provided however, that Associate shall document and maintain records of such unsuccessful incidents so that Associate will be able to provide a report in response to Covered Entity’s request.
e. Associate’s Agents. Associate will not disclose PHI to any agent or subcontractor except as permitted by this Agreement. If Associate uses one or more agents or subcontractors to provide services under the Contract, and such agents or subcontractors receive or have access to Protected Information, each agent or subcontractor shall sign an agreement with Associate containing substantially the same provisions as this Addendum and further identifying CE as a third party beneficiary with rights of enforcement and indemnification from such agents in the event of any violation of such agent agreement. Associate shall implement and maintain sanctions against agents and subcontractors that violate such restrictions and conditions and shall mitigate the effects of any such violation.
f. Access to Protected Information. Associate shall make Protected Information maintained by Associate or its agents in Designated Record Sets available to CE for inspection and copying within ten (10) days of a request by CE to enable CE to fulfill its obligations to permit individual access to PHI under the Privacy Rule, including, but not limited to, 45 CFR Section 164.524.
g. Amendment of PHI. Within ten (10) days of receipt of a request from CE for an amendment of Protected Information or a record about an individual contained in a Designated Record Set, Associate or its agents shall make such Protected Information available to CE for amendment and incorporate any such amendment to enable CE to fulfill its obligations with respect to requests by individuals to amend their PHI under the Privacy Rule, including, but not limited to, 45 CFR Section 164.526. If any individual requests an amendment of PHI, directly from Associate or its agents, Associate must notify CE in writing within five (5) days of receipt of the request. Any denial of amendment of Protected Information maintained by Associate or its agents shall be the responsibility of CE.
h. Accounting Rights. Within ten (10) days of notice by CE of a request for an accounting of disclosures of Protected Information, Associate and its agents shall make available to CE the information required to provide an accounting of disclosures to enable CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 CFR Section 164.528. As set forth in, and as limited by, 45 CFR Section 164.528, Associate shall not provide an accounting to CE of disclosures: (i) to carry out treatment, payment or health care operations, as set forth in 45 CFR Section 164.506; (ii) to individuals of Protected Information about them as set forth in 45 CFR Section 164.502; (iii) pursuant to an authorization as provided in 45 CFR Section 164.508; (iv) to persons involved in the individual’s care or other notification purposes as set forth in 45 CFR Section 164.510; (v) for national security or intelligence purposes as set forth in 45 CFR Section 164.512(k)(2); or (vi) to correctional institutions or law enforcement officials as set forth in 45 CFR Section 164.512(k)(5). Associate agrees to implement a process that allows for an accounting to be collected and maintained by Associate and its agents for at least six (6) years prior to the request, but not before the compliance date of the Privacy Rule. At a minimum, such information shall include: (i) the date of disclosure; (ii) the name of the entity or person who received Protected Information and, if known, the address of the entity or person; (iii) a brief description of Protected Information disclosed; and (iv) a brief statement of purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or a copy of the individual’s authorization, or a copy of the written request for disclosure.
In the event that the request for an accounting is delivered directly to Associate or its agents, Associate shall within five (5) days of the receipt of the request forward it to CE in writing. It shall be CE’s responsibility to prepare and deliver any such accounting requested. Associate shall not disclose any Protected Information except as set forth in Section 2(b) of this Addendum.
i. Governmental Access to Records. Associate shall make its internal practices, books and records relating to the use and disclosure of Protected Information available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”), in a time and manner designated by the Secretary, for purposes of determining CE’s compliance with the Privacy Rule. Associate shall notify Covered Entity of any such request by the Secretary within three business days of receiving the request. Associate shall provide to CE a copy of any Protected Information that Associate provides to the Secretary concurrently with providing such Protected Information to the Secretary.
j. Minimum Necessary. Associate (and its agents) shall only request, use and disclose the minimum amount of Protected Information necessary to accomplish the purpose of the request, use or disclosure, in accordance with the Minimum Necessary requirements of the Privacy Rule including, but not limited to 45 CFR Sections 164.502(b) and 164.514(d).
k. Data Ownership. Associate acknowledges that Associate has no ownership rights with respect to the Protected Information.
l. Retention of Protected Information. Notwithstanding Section 4(d) of this Addendum, Associate and its agents shall retain all Protected Information throughout the term of this Contract and shall continue to maintain the information required under Section 2(h) of this Addendum for a period of six (6) years after termination of the Contract.
m. Associate’s Insurance. In addition to any insurance requirements in the Contract, Associate shall maintain casualty and liability insurance to cover loss of PHI data and claims based upon alleged violations of privacy rights through improper use or disclosure of PHI. All such policies shall meet or exceed the minimum insurance requirements of the Contract (e.g., occurrence basis, combined single dollar limits, annual aggregate dollar limits, additional insured status and notice of cancellation).
n. Notification of Breach. During the term of this Contract, Associate shall notify CE within twenty-four (24) hours of any suspected or actual breach of security, intrusion or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. Associate shall take (i) prompt corrective action to cure any such deficiencies and (ii) any action pertaining to such unauthorized disclosure required by applicable federal and state laws and regulations.
o. Audits, Inspection and Enforcement. Within ten (10) days of a written request by CE, Associate and its agents shall allow CE, or its designee, to conduct a reasonable inspection of the facilities, systems, books, records, agreements, policies and procedures relating to the use or disclosure of Protected Information pursuant to this Addendum for the purpose of determining whether Associate has complied with this Addendum; provided, however, that: (i) Associate and CE shall mutually agree in advance upon the scope, timing and location of such an inspection; (ii) CE shall protect the confidentiality of all confidential and proprietary information of Associate to which CE has access during the course of such inspection; and (iii) CE shall execute a nondisclosure agreement, upon terms mutually agreed upon by the parties, if requested by Associate. The fact that CE inspects, or fails to inspect, or has the right to inspect, Associate’s facilities, systems, books, records, agreements, policies and procedures does not relieve Associate of its responsibility to comply with this Addendum, nor does CE’s (i) failure to detect or (ii) detection, but failure to notify Associate or require Associate’s remediation of any unsatisfactory practices, constitute acceptance of such practice or a waiver of CE’s enforcement rights under the Contract.
p. Safeguards During Transmission. Associate shall be responsible for using appropriate safeguards to maintain and ensure the confidentiality, privacy and security of Protected Information transmitted to CE pursuant to the Contract, in accordance with the standards and requirements of the Privacy Rule, until such Protected Information is received by CE, and in accordance with any specifications set forth in Attachment 1 to this Policy.
Obligations of CE.
a. Safeguards During Transmission. CE shall be responsible for using appropriate safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Associate pursuant to this Contract, in accordance with the standards and requirements of the Privacy Rule, until such PHI is received by Associate, and in accordance with any specifications set forth in Attachment 1 to this Addendum.
b. Notice of Changes. CE shall provide Associate with a copy of its notice of privacy practices produced in accordance with 45 CFR Section 164.520, as well as any subsequent changes or limitation(s) to such notice, to the extent such changes or limitations may affect Associate’s use or disclosure of Protected Information. CE shall provide Associate with any changes in, or revocation of, permission to use or disclose Protected Information, to the extent it may affect Associate’s permitted or required uses or disclosures. To the extent that it may affect Associate’s permitted use or disclosure of Protected Information, CE shall notify Associate of any restriction on the use or disclosure of Protected Information that CE has agreed to in accordance with 45 CFR Section 164.522. CE may effectuate any and all such notices of non-private information via posting on CE’s web site. Associate shall continually monitor CE’s designated web site for notice of changes to CE’s HIPAA privacy policies and practices.
a. Material Breach. In addition to any other provisions in the Contract regarding breach, a breach by Associate of any provision of this Policy, as determined solely by CE in its discretion, shall constitute a material breach of this Contract and shall provide grounds for immediate termination of this Contract by CE pursuant to the provisions of the Contract covering termination for cause, if any. If the Contract contains no express provisions regarding termination for cause, the following terms and conditions shall apply:
(1) Default. If Associate refuses or fails to timely perform any of the provisions of the Contract, CE may notify Associate in writing of the non-performance, and if not promptly corrected within the time specified and to CE’s satisfaction, CE may terminate this Contract. Associate shall continue performance of this Contract to the extent it is not terminated and shall be liable for excess costs incurred in procuring similar goods or services elsewhere.
(2) Associate’s Duties. Notwithstanding termination of this Contract, and subject to any directions from CE, Associate shall take timely, reasonable and necessary action to protect and preserve property in the possession of Associate in which CE has an interest.
(3) Compensation. Payment for completed supplies delivered and accepted by CE shall be at the Contract price. CE may withhold amounts due Associate as CE deems necessary to protect CE against loss from third party claims of improper use or disclosure and to reimburse CE for the excess costs incurred in procuring similar goods and services elsewhere.
(4) Erroneous Termination for Default. If after such termination it is determined, for any reason, that Associate was not in default, or that Associate’s action/inaction was excusable, such termination shall be treated as a termination for convenience, and the rights and obligations of the parties shall be the same as if this Contract had been terminated for convenience, as described in this Contract.
b. Reasonable Steps to Cure Breach. If CE knows of a pattern of activity or practice of Associate that constitutes a material breach or violation of the Associate’s obligations under the provisions of this Addendum or another arrangement and does not terminate this Contract pursuant to Section 4(a), then Associate shall take reasonable steps to cure such breach or end such violation, as applicable. If Associate’s efforts to cure such breach or end such violation are unsuccessful, CE shall either (i) terminate the Contract, if feasible or (ii) if termination of this Contract is not feasible, CE shall report Associate’s breach or violation to the Secretary of the Department of Health and Human Services.
c. Judicial or Administrative Proceedings. Either party may terminate the Contract, effective immediately, if (i) the other party is named as a defendant in a criminal proceeding for a violation of HIPAA, the HIPAA Regulations or other security or privacy laws or (ii) a finding or stipulation that the other party has violated any standard or requirement of HIPAA, the HIPAA Regulations or other security or privacy laws is made in any administrative or civil proceeding in which the party has been joined.
d. Effect of Termination.
(1) Except as provided in paragraph (2) of this subsection, upon termination of this Contract, for any reason, Associate shall return or destroy, at CE’s election, all Protected Information that Associate or its agents still maintain in any form, and shall retain no copies of such Protected Information. If Associate elects to destroy the PHI, Associate shall certify in writing to CE, within three business days of the date of such destruction, that such PHI has been destroyed.
(2) If Associate believes that returning or destroying the Protected Information is not feasible, Associate shall promptly provide CE notice of the conditions making return or destruction infeasible. Upon mutual agreement of CE and Associate that return or destruction of Protected Information is infeasible, Associate shall continue to extend the protections of Sections 2(a), 2(b), 2(c), 2(d) and 2(e) of this Policy to such information, and shall limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible.
Injunctive Relief. CE shall have the right to injunctive and other equitable and legal relief against Associate or any of its agents in the event of any use or disclosure of Protected Information in violation of this Contract or applicable law. Associate acknowledges and agrees that in the event of such impermissible use or disclosure of Protected Information: (1) CE will suffer real, immediate, and irreparable injury which will be prevented by injunctive relief; (2) CE will have no plain, speedy, and adequate remedy at law; (3) the granting of a preliminary injunction will promote the public interest in privacy rather than disserve the public interest; (4) the balance of equities always favors the injunction in such cases; (5) the injunction will preserve the status quo pending a trial on the merits; and (6) CE shall not be required to demonstrate a reasonable probability of success on the merits in order to obtain injunctive relief.
No Waiver of Immunity. No term or condition of this Policy shall be construed or interpreted as a waiver, express or implied, by CE of any of the immunities, rights, benefits, protection, or other provisions of the Colorado Governmental Immunity Act, CRS 24-10-101 et seq. or the Federal Tort Claims Act, 28 U.S.C. 2671 et seq. as applicable, as now in effect or
Associate shall defend and indemnify CE, for any and all claims, inquiries, investigations, costs, reasonable attorneys’ fees, monetary penalties, and damages incurred by CE as a result of any use or disclosure of PHI not permitted by this Agreement, or any other breach of this Agreement by Associate, its agents or subcontractors.
CE shall defend and indemnify Associate and its representatives for any and all claims, inquiries, investigations, costs, reasonable attorneys’ fees, monetary penalties, and damages incurred by Associate as a result of any breach of this Agreement by CE.
The Indemnification section shall survive the termination of any contracts.
Disclaimer. CE makes no warranty or representation that compliance by Associate with this Contract, HIPAA or the HIPAA Regulations will be adequate or satisfactory for Associate’s own purposes. Associate is solely responsible for all decisions made by Associate regarding the safeguarding of
Amendments to Comply with Law. State and federal laws relating to data security and privacy change over time, and this policy will be updated to reflect such changes. CE must receive satisfactory written assurance from Associate that Associate will adequately safeguard all Protected Information. Upon the request of either party, the other party agrees to promptly enter into negotiations concerning updates of this policy, embodying written assurances consistent with the standards and requirements of HIPAA, the Privacy Rule or other applicable laws. CE may terminate the Contract upon thirty (30) days written notice in the event (i) Associate does not promptly enter into negotiations to amend this Contract when requested by CE pursuant to this Section or (ii) Associate does not enter into an amendment to this Contract providing assurances regarding the safeguarding of PHI that CE, in its sole discretion, deems sufficient to satisfy the standards and requirements of HIPAA and the Privacy Rule.
Assistance in Litigation or Administrative Proceedings. Associate shall make itself, and any employees or agents assisting Associate in the performance of its obligations under the Contract, available to CE, at no cost to CE, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against CE, its directors, officers or employees based upon a claimed violation of HIPAA, the Privacy Rule or other laws relating to security and privacy or PHI, except where Associate or its employee or agent is a named adverse party.
No Third Party Beneficiaries. Nothing expressed or implied in this Contract is intended to confer, nor shall anything herein confer, upon any person other than CE, Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
Order of Precedence. The provisions of this Addendum shall prevail over any provisions in the Contract that may conflict or appear inconsistent with any provision in this Addendum. Together, the Contract and this Addendum shall be interpreted as broadly as necessary to implement and comply with HIPAA and the Privacy Rule. The parties agree that any ambiguity in this Contract shall be resolved in favor of a meaning that complies and is consistent with HIPAA and the Privacy Rule. This Contract supersedes and replaces any previous separately executed HIPAA addendum between
Survival of Certain Contract Terms. Notwithstanding anything herein to the contrary, Associate’s obligations under Section 4(d) (“Effect of Termination”) and Section 12 (“No Third Party Beneficiaries”) shall survive termination of this Contract and shall be enforceable by CE as provided herein in the event of such failure to perform or comply by the Associate.