This Business Associate Agreement (“Agreement”) is entered into by and between CAD Accounts Receivable Mgmt LLC and, (hereinafter “Business Associate”)
and (hereinafter “Provider”)
Business Associate and Provider have entered into the agreement(s) for services identified in Section II below. Business Associate and Provider recognize that it may become necessary to exchange individually identifiable health information (also referred to as “Protected Health Information” or “PHI” as defined in the Health Information
Portability and Accountability Act of 1996 or “HIPAA”) in order to carry out each parties’ obligations under the services agreement(s) identified in Section II. In order to comply with all applicable provisions of “HIPAA” including the “Privacy Rule” governing the privacy of “PHI,” Business Associate and Provider hereby agree that their actions with regard to the exchange of, use, disclosure, or access to “PHI” by themselves, their employees, authorized agents and representatives shall, at all times, be governed by the terms of this Agreement to assure the confidentiality of “PHI.”
II. Services Agreements:
Business Associate and Provider are currently parties to the following Service Agreement:
CAD Accounts Receivable Mgmt LLC
The above agreement is hereby incorporated by reference into this Agreement. In the event of any conflict between the terms of the Services Agreement(s) and this Agreement, the terms and conditions of this Agreement shall govern.
Terms used herein, but not otherwise defined, shall have the same meaning as those terms are used and defined in “HIPAA.”
IV. Obligations and Activities of Business Associate
a. Business Associate agrees not to use or disclose “PHI” to anyone other than as permitted or required under this Agreement or as otherwise required by law.
b. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of “PHI,” other than as provided for by this Agreement, by itself, its employees, agents or representatives, or third persons.
c. Business Associate agrees to mitigate, to the extent practicable, any known harmful effect of a use or disclosure of “PHI” by Business Associate in violation of the requirements of this Agreement.
d. Business Associate agrees to immediately report to Provider any use or disclosure of “PHI” not provided for by this Agreement of which it becomes aware.
e. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides “PHI” received from, or created or received by Business Associate on behalf of Provider, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
f. At the request of Provider, Business Associate agrees to provide access to Provider or to an Individual as directed by Provider, to “PHI” in a Designated Record Set within a reasonable time and manner in order to meet the requirements under 45 CFR § 164.524.
g. Business Associate agrees to make any amendment(s) to “PHI” in a Designated Record Set that the Provider directs or agrees to pursuant to 45 CFR § 164.526 at the request of Provider or an Individual, in a reasonable time and manner.
h. Business Associate agrees to make all written internal practices, books, and records, including policies and procedures relating to the use and disclosure of Protected Health Information, available to Provider, or to the Secretary of the Department of Health and Human Services (hereinafter “Secretary”), in a reasonable time and manner, or in a time and manner designated by the Secretary, for purposes of determining Provider’s
compliance with the “Privacy Rule.”
i. Business Associate agrees to document such disclosures of “PHI” and information related to such disclosures as would be required for Provider to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
j. Business Associate agrees to provide to Provider or an Individual, in a reasonable time and manner, information collected in accordance with Subsection (i) above, of this Agreement, to permit Provider to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
V. Permitted Uses and Disclosures by Business Associate
Except as otherwise restricted in this Agreement, Business Associate may use or disclose “PHI” to perform its functions, activities, or services for, or on behalf of, Provider as specified in the services agreement(s) identified in Section II, provided that such use or disclosure would not violate the HIPAA “Privacy Rule” if done by Provider or the minimum necessary policies and procedures of the Provider.
VI. Specific Use and Disclosure Provisions
a. Except as otherwise restricted in this Agreement, Business Associate may use “PHI” for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that such uses are permitted under state and federal law.
b. Except as otherwise restricted in this Agreement, Business Associate may disclose “PHI” for the proper management and administration of the Business Associate. Business Associate represents to Provider that (1) any disclosure it makes will be permitted under applicable state and federal law, and (2) Business Associate will obtain reasonable assurances from the person to whom the information is disclosed that it will remain
confidential and used or further disclosed only as permitted by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
c. Except as otherwise restricted in this Agreement, Business Associate may use “PHI” to provide Data Aggregation services to Provider as permitted by 45 CFR § 164.504(e)(2)(i)(B).
d. Business Associate may use “PHI” to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).
e. Business Associate may de-identify “PHI” as necessary for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate provided that de-identification conforms to the requirements of applicable law as provided for in 45 CFR §164.514(b) and that Business Associate maintains documentation of de-identification as required by law. Documentation properly de-identified is no longer subject to the terms of this Agreement.
VII. Obligations of Provider
a. Provisions for Provider to Inform Business Associate of Privacy Practices and Restrictions
1) Provider shall notify Business Associate of any limitation(s) in its notice of privacy practices of Provider in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.
2) Provider shall notify Business Associate of any changes in, or revocation of, permission by Individuals to use or disclose “PHI”, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.
3) Provider shall notify Business Associate of any restriction to the use or disclosure of “PHI” that Provider has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.
b. Permissible Requests by Provider: Provider shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the “Privacy Rule” if done by Provider, except if the Business Associate will use or disclose protected health information for data aggregation or management and administrative activities of Business Associate.
VIII. Term and Termination
a. Term. The Term of this Agreement shall run concurrently with the term(s) set forth in any services agreement(s) identified in Section II, and shall terminate when all of the “PHI” provided by Provider to Business Associate, or created or received by Business Associate on behalf of Provider, is destroyed or returned to Provider, or, if it is not feasible to return
or destroy the “PHI,” protections are extended to such information in accordance with the termination provisions in this Section.
b. Termination by Provider for Cause. Upon Provider's knowledge of a material breach by Business Associate, Provider shall either (1) provide an opportunity for Business Associate to cure the breach or end the violation, or (2) terminate this Agreement and the services agreement(s) identified in Section II if Business Associate does not cure the breach or end the violation within a reasonable time mutually agreed to by Provider and Business Associate. If neither termination nor cure are feasible, Provider shall report the violation to the Secretary.
c. Termination by Business Associate for Cause. Upon Business Associate’s knowledge of a material breach by Provider, Business Associate shall either (1) provide an opportunity for Provider to cure the breach or end the violation, or (2) terminate this Agreement and the services agreement(s) identified in Section II if Provider does not cure the breach or end the violation within a reasonable time mutually agreed to by Provider and Business Associate. If neither termination nor cure are feasible, Business Associate shall report the violation to the Secretary.
c. Effect of Termination.
1) Except as provided in paragraph (2) of this subsection, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all “PHI” received from Provider, or created or received by Business Associate on behalf of Provider. This provision shall apply to “PHI” that is in the possession of subcontractors or agents of Business Associate. Business Associate shall not
retain copies of “PHI” for its own internal records or purposes.
2) In the event that Business Associate determines that returning or destroying “PHI” is not feasible, Business Associate shall inform Provider of the conditions that make return or destruction not feasible. After such notification that return or destruction of “PHI” is not feasible, Business Associate shall extend the
protections of this Agreement to such “PHI” and restrict all further uses and disclosures of such “PHI” to the purposes that make the return or destruction of
the “PHI” not feasible for so long as Business Associate maintains such “PHI” in its possession.
3) In the event of a material breach of this Agreement or the “Privacy Rule” by Provider, its agents, contractors (other than Business Associate), employees and representatives, Provider agrees to hold harmless and indemnify Business Associate against all claims for sanctions, fines, penalties or damages of any kind including payment of Business Associate’s costs and reasonable attorney fees incurred in any proceedings arising out of any such violation.
a. Regulatory References. A reference in this Agreement to a section in HIPAA means the section as in effect or as amended.
b. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Provider to comply with the
requirements of the Health Information Portability and Accountability Act of 1996, Pub. L. No. 104-191.
c. Survival. The respective rights and obligations of Business Associate under Section VIII(c) of this Agreement shall survive the termination of this Agreement.
d. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Provider to comply with the Privacy Rule.
e. Governing Law. This Agreement shall be interpreted in accordance with the law of the State in which this Agreement is made, and in accordance with “HIPAA” where it supersedes or preempts state law.
f. Waiver. This Agreement may not be modified, nor shall any provision be waived or amended, except in a writing duly signed by authorized representatives of both parties. The failure of either party to enforce at any time any provision of this Agreement shall not be construed to be a waiver of such provision, nor in any way affect the validity of this Agreement or the right of either party to thereafter enforce each and every provision.
x. Xxxxxxxxx. If one or more provisions of this Agreement are found to be invalid and stricken by a court of competent jurisdiction, then the remainder of this Agreement shall continue in full force and effect as if the stricken language has never been included.
WHEREFORE, intending to be legally bound, Business Associate and Provider have hereunto set their hand and seal as of the Effective Date above.
CAD Accounts Receivable Mgmt LLC
Business Associate Healthcare Provider Name
CAD Signature Client Signature
Email: firstname.lastname@example.org / Fax: 000-000-0000