of New Jersey
DEPARTMENT OF HUMAN SERVICES
ASSOCIATE AGREEMENT between the New Jersey Department of Human Services
(Agency/Vendor.) for Contract Number
This Business Associate Agreement sets
forth the responsibilities of
with an address of
and the New Jersey Department of Human Services, as a Covered
Entity, in relationship to
Protected Health Information (PHI), as those terms are defined and
regulated by the Health Insurance Portability and Accountability Act
of 1996 (HIPAA), and the regulations adopted thereunder by the
Secretary of the United States Department of Health and Human
Services, with the intent that the Covered Entity shall at all times
be in compliance with HIPAA and the underlying regulations.
This Business Associate Agreement is
entered into for the purpose of the Business Associate providing
services on behalf of the Covered Entity.
In consideration for the respective
benefits, rights and obligations described above, and for access to
the PHI held by Covered Entity, the parties agree to be bound by the
terms of this Agreement. There is no underlying contract associated
with this Agreement, or the exchange of this PHI.
1. The terms specified below shall be
defined as follows:
“Business associate” shall mean a
person or entity, other than a member of the workforce of a covered
entity, who performs functions or activities on behalf of, or
provides certain services to, a covered entity that involve access
by the business associate to protected health information. This
definition is also applicable to a subcontractor that creates,
receives, maintains, or transmits protected health information on
behalf of another business associate.
“Covered Entity” shall
generally have the same meaning as the term “covered entity” at
45 CFR 160.103, and in reference to the party to this agreement,
shall mean the New Jersey Department of Human Services.
"Agreement" shall mean this
Business Associate Agreement.
"Breach" shall mean the
unauthorized acquisition, access, use or disclosure of Protected
Health Information in a manner not permitted by the Privacy Rule or
the Security Rule, which compromises the security of such Protected
Health Information. Breach shall exclude such acquisition, access,
use or disclosure described in 45 CFR Section 164.402.
"Designated Record Set"
shall mean a group of records maintained by or for the Covered
Entity that is the medical records and billing records of
individuals maintained by or for the Covered Entity; and the
enrollment, payment, claims, adjudication, and case or medical
management record systems maintained by or for the Covered Entity,
or used, in whole or in part, by or for the Covered Entity to make
decisions about individuals.
"HIPAA" shall mean the
Health Insurance Portability and Accountability Act of
1996, P.L. 104-191.
"HIPAA Regulations" shall
mean the regulations promulgated under HIPAA by the U.S. Department
of Health and Human Services, including but not limited to, the
Privacy Rule and the Security Rule, and shall include the
regulations codified at 45 CFR Parts 160, 162 and 164.
"HITECH" shall mean the
Health Information Technology for Economic and Clinical Health Act,
Title XIII of Division A of the American Recovery and Reinvestment
Act of 2009, P.L. 111-005.
"Individual" shall mean the
person who is the subject of the Protected Health Information and
includes a person who qualifies as a personal representative in
accordance with 45 CFR 164.502(g).
"Notice of Privacy Practices"
shall mean the Notice of Privacy Practices required by 45 CFR
164.520, provided by Covered Entity to Individuals.
"Privacy Rule" shall mean
the Standards for Privacy of Individually Identifiable Health
Information at 45 CFR Parts 160 and 164, Subparts A and E.
“Protected Health Information
(PHI)” shall mean individually identifiable health information
that is transmitted by electronic media or transmitted or maintained
in any other form or medium.
"Record" shall mean any
item, collection, or grouping of information that includes Protected
Health Information and is maintained, collected, used, or
disseminated by or for a Covered Entity.
"Required by Law" shall
have the same meaning as in 45 CFR 164.501.
"Secretary" shall mean the
Secretary of the United States Department of Health & Human
Services or his designee.
"Security Rule" shall mean
the Standards for Security for the Protection of Electronic
Protected Health Information, codified at 45 CFR parts 160, 162 and
q. Underlying Contract:
“Underlying Contract” shall mean the agreement between Covered
Entity and Business Associate for _________
subject, ie, for specified record management services), designated as
2. All other terms used herein shall
have the meaning specified in the Privacy Rule or in the absence of
if no meaning is specified, shall have their plain meaning.
B. Obligations and Activities of
Business Associate may use PHI for
the following functions, activities, or services for or on behalf of
Covered Entity provided that such use would not violate this
Agreement, the HIPAA regulations, the Privacy Rule, or Notice of
Privacy Practices if done by Covered Entity. In the event that this
Agreement conflicts with any other written agreement made between
the parties, relating to the exchange of PHI, this Agreement shall
control. Business Associate's access to and use of the PHI is
limited to the provision of services by the Business Associate on
behalf of the Covered Entity set forth in the contract between the
Business Associate and the Covered Entity.
Business Associate may further
disclose PHI to a subcontractor/person for the proper management and
administration of Business Associate, provided that such disclosure
is Required by Law, or would not violate this Agreement, the Privacy
Rule, or Notice of Privacy Practices if done by Covered Entity, and
Business Associate executes an additional business associates
agreement as Required by Law or for the purpose for which it was
disclosed to the person, and the subcontractor/person notifies
Business Associate of any instances of which it is aware in which
PHI has been disclosed. In the event that this agreement conflicts
with any other agreement relating to the access or use of PHI, this
agreement shall control.
Business Associate agrees to not use
or disclose PHI other than as permitted or required by this
Agreement or as Required by Law. In the event that this agreement
conflicts with any other agreement relating to the access or use of
PHI, this agreement shall control.
Business Associate agrees to
implement and use appropriate safeguards to prevent use or
disclosure of PHI other than as provided for by this Agreement.
Business Associate shall maintain a comprehensive written
information privacy and security program that includes
administrative, technical and physical safeguards appropriate to the
size and complexity of the Business Associate's operations and the
nature and scope of its activities.
Business Associate agrees to take
prompt corrective action to mitigate any harmful effect that is
known to Business Associate of a use or disclosure of PHI by
Business Associate in violation of the requirements of this
Business Associate agrees to notify
Covered Entity of any use or disclosure of PHI not provided for by
this Agreement, or the Privacy Rule, or of any suspected or actual
breach of security or intrusion whenever it becomes aware
or of any complaint that Business Associate receives regarding the
use or disclosure of PHI,
within twenty-four hours of Business Associate becoming aware of
such use, disclosure or suspected or actual breach of security or
intrusion. Business Associate further agrees to take prompt
corrective action to cure or mitigate any harmful effects of any
such use, disclosure, or actual or suspected breach of security of
Business Associate agrees to ensure
that any officer, employee, contractor, subcontractor or agent to
whom it provides PHI received from or maintained, created or
received by Business Associate on behalf of Covered Entity agrees to
the same restrictions and conditions that apply through this
Agreement to Business Associate with respect to such PHI.
Business Associate shall
terminate its agreement with any agent or subcontractor to whom it
provides PHI if such agent or subcontractor fails to abide by any
material term of such agreement.
Business Associate agrees to
provide access to PHI in a Designated Record Set to Covered Entity
or to an Individual as directed by Covered Entity in order to meet
the requirements of 45 CFR 164.524, within 30 days of the date of any
such request, unless the request is denied by Covered Entity
pursuant to 45 CFR 164.524(a)(1), (a)(2) or (a)(3).
Business Associate agrees to make any
amendment(s) to PHI in a Designated Record Set as Covered Entity
directs in order to meet the requirements of 45 CFR 164.526, within
30 days of such a request, unless the request has been denied
pursuant to 45 CFR 164.526(d). Business Associate shall provide
written confirmation of the amendment(s) to the Covered Entity.
Business Associate agrees to create
and maintain an appeal process that meets the requirements of 45 CFR
164.524 and 164.526 that an Individual can utilize if the
Individual's request for access to or amendment of PHI is denied.
Business Associate agrees to make its
comprehensive written information privacy and security program, as
well as its internal practices, books and records, including
policies and procedures relating to the use and disclosure of PHI
received from, or created, maintained, or received by Business
Associate on behalf of Covered Entity available to Covered Entity
within 30 days of the date of such request, or to the Secretary in a
time and manner designated by the Secretary.
Business Associate agrees to document
all disclosures of PHI which would be required for Covered Entity to
respond to a request by an Individual for an accounting of
disclosures of PHI in accordance with 45 CFR 164.528. Business
Associate agrees to provide to Covered Entity, within 30 days of the
date of such request, all disclosures of PHI.
Notwithstanding the provisions of
Section D of this Agreement, pursuant to 45 CFR 164.530(j), Business
Associate agrees that it and its officers, employees, contractors,
subcontractors and agents shall continue to maintain the information
required under subsection B(9) of this Agreement for a period of six
years from the date of its creation or the date when it was last in
effect, whichever is later.
Business Associate agrees that from
time to time, upon reasonable notice, it shall allow Covered Entity
or its authorized agents or contractors, to inspect the facilities,
systems, books, records and procedures of Business Associate to
monitor compliance with this Agreement. In the event the Covered
Entity, in its sole discretion, determines that the Business
Associate has violated any term of this Agreement or the Privacy
Rule, it shall so notify the Business Associate in writing.
Business Associate shall promptly remedy the violation of any term
of this Agreement and shall certify same in writing to the Covered
Entity. The fact that Covered Entity or its authorized agents or
contractors inspect, fail to inspect or have the right to inspect
Business Associate's facilities, systems, books, records, and
procedures does not relieve Business Associate of its responsibility
to comply with this Agreement. Covered Entity's (1) failure to
detect, or (2) detection but failure to notify Business Associate, or
(3) failure to require Business Associate to remediate any
unsatisfactory practices, shall not constitute acceptance of such
practice or a waiver of Covered Entity's enforcement rights under
this Agreement. Nothing in this paragraph is deemed to waive
Section E of this Agreement or the New Jersey Tort Claims Act, NJSA
59:1-1 et seq., as they apply to Covered Entity.
Business Associate shall implement
administrative, physical and technical safeguards that protect the
confidentiality, integrity, and availability of PHI in compliance
with the Security Rule.
Business Associate shall report all
security incidents, as defined by the Security Rule, within
twenty-four hours of becoming aware of such actual or suspected
Sections 164.308, 164.312 and 164.316
of Title 45, Code of Federal Regulations, apply to Business
Associate in the same manner as such sections apply to the Covered
Entity. The HITECH requirements that relate to security, and that
are applicable to the Covered Entity, shall also be applicable to
the Business Associate and are incorporated into this Agreement by
In the event of an actual or
suspected breach, Business Associate shall provide Covered Entity
with a written report, as soon as possible but not later than five
(“5”) days after the breach/suspected breach became known. The
report shall include, to the extent available: a) the
identification of each individual whose unsecured PHI has been, or
is reasonably believed by the Business Associate to have been,
accessed, acquired, used or disclosed during the breach; b) a brief
description of what happened, including the date of the breach and
the date of the discovery, if known; c) a description of the types
of unsecured PHI involved in the breach; d) any steps individuals
affected by the breach should take to protect themselves from
potential harm resulting from the breach; and e) a description of
what Business Associate is doing to investigate the breach, mitigate
harm to the individual(s), and protect against future breaches.
In addition, the Business
Associate shall, at the request of the Covered Entity, provide
breach notification required by HITECH.
C. Provisions for Covered Entity to
Inform Business Associate of Privacy Practices and Restrictions.
1. Covered Entity shall be responsible
for using appropriate safeguards to maintain and ensure the
confidentiality, privacy and security of PHI transmitted to Business
Associate pursuant to this Agreement, in accordance with the
requirements and standards in the Privacy Rule, until such PHI is
received by Business Associate.
2. In accordance with 45 CFR 164.520,
Covered Entity shall notify Business Associate of any limitations in
Covered Entity's Notice of Privacy Practices to the extent that such
limitation may affect Business Associate's use or disclosure of PHI.
3. Covered Entity shall notify
Business Associate of any changes in or revocation of permission by
an Individual to use or disclose PHI, to the extent that such changes
may affect Business Associate's use or disclosure of PHI.
4. Covered Entity shall notify
Business Associate of any restriction to the use or disclosure of PHI
that Covered Entity has agreed to in accordance with 45 CFR 164.522,
to the extent that such restriction may affect Business Associate's
use or disclosure of PHI.
5. Covered Entity shall not request
Business Associate to use or disclose PHI in any manner that would
not be permissible under the Privacy Rule if done by Covered Entity
or under Covered Entity's Notice of Privacy Practices or other
policies adopted by Covered Entity pursuant to the Privacy Rule.
D. Term of Business Associate
1. This Agreement shall be effective
as of the date the Business Associate and the Covered Entity enter
into a contract for the Business Associate’s provision of services
on behalf of the Covered Entity, and it shall terminate when all of
the PHI provided by Covered Entity to Business Associate, or created,
maintained or received by Business Associate on behalf of Covered
Entity, is destroyed or returned to Covered Entity, or, if it is
infeasible to return or destroy PHI, protections are extended to such
information in accordance with subsection 3, below.
2. Upon Covered Entity's knowledge of
a material breach or violation(s) of any of the obligations under
this Agreement by Business Associate, Covered Entity shall, at its
Provide an opportunity for the
Business Associate to cure the breach or end the violation upon such
terms and conditions as Covered Entity shall specify, and if
Business Associate does not cure the
breach or end the violation, upon such terms and conditions as
Covered Entity has specified, Covered Entity may terminate this
Agreement and require that Business Associate fully comply with the
procedures specified in subsection 3, below.
b. Immediately terminate the Contract
and require that Business Associate fully comply with the procedures
specified in subsection 3, below, if Business Associate has breached
a material term of this Agreement and Covered Entity has determined,
in its sole discretion, that cure is not possible, or
c. If neither termination nor cure is
feasible, as determined by Covered Entity in its sole discretion,
Covered Entity shall report the violation to the Secretary.
3. Effect of Breach of this Agreement.
a. Except as provided in paragraph b
of this section, upon termination of the Contract for any reason,
Business Associate shall return or destroy all PHI received from
Covered Entity or created or received by Business Associate on behalf
of Covered Entity. This provision shall also apply to PHI that is in
the possession of subcontractors or agents of Business Associate.
Business Associate shall retain no copies of PHI.
b. Business Associate shall provide
Covered Entity with a certification, within 30 days, that neither it
nor its subcontractors or agents maintains any PHI in any form,
whether paper, electronic or film, received from Covered Entity or
created or received by Business Associate on behalf of Covered
Entity. Covered Entity shall acknowledge receipt of such
certification and, as of the date of such acknowledgement, this
Agreement shall terminate.
c. In the event that Business
Associate determines that returning or destroying the PHI is
infeasible, Business Associate shall provide to Covered Entity
notification of the conditions that make return or destruction
infeasible. Covered Entity shall have the discretion to determine
whether it is feasible for the Business Associate to return or
destroy the PHI. If Covered Entity determines it is feasible,
Covered Entity shall specify the terms and conditions for the return
or destruction of PHI at the expense of Business Associate. Upon
Covered Entity determining that Business Associate cannot return or
destroy PHI, Business Associate shall extend the protections of this
Agreement to such PHI and limit further uses and disclosures of such
PHI to those purposes that make the return or destruction infeasible,
for so long as Business Associate maintains such PHI.
E. Indemnification and Release
1. Business Associate shall assume all
risk and responsibility for, and agrees to indemnify, defend and save
harmless Covered Entity, its officers, agents and employees and each
and every one of them, from and against any and all claims, demands,
suits, actions, recoveries, judgments, and costs (including attorneys'
fees and costs and court costs), expenses in connection therewith, on
account of loss of life, property or injury or damages to the person,
body or property of any person or persons, whatsoever, which shall
arise from or result directly or indirectly from
Business Associate's use or misuse of
PHI or from any action or inaction of Business Associate or its
officers, employees, agents or contractors with regard to PHI or the
requirements of this Agreement or the Privacy Rule. The provision of
this indemnification clause shall in no way limit the obligations
assumed by Business Associate under this Agreement, nor shall they be
construed to relieve Business Associate from any liability nor
preclude Covered Entity from taking any other actions available to it
under any other provisions of this Agreement, the Privacy Rule or at
2. Notwithstanding the above, the
obligations assumed by the Business Associate herein shall not extend
to or encompass suits, costs, claims, expenses, liabilities and
judgments incurred solely as a result of actions or inactions of
3. Business Associate further
acknowledges the possibility of criminal sanctions and penalties for
breach or violation of this Agreement or the Privacy Rule pursuant to
42 USC 1320d-6.
4. Business Associate shall be
responsible for, and shall at its own expense, defend itself against
any and all suits, claims, losses, demands or damages of whatever
kind or nature, arising out of or in connection with an act or
omission of Business Associate, its employees, agencies, or
contractors, in the performance of the obligations assumed by
Business Associate pursuant to this Agreement. Business Associate
hereby releases Covered Entity from any and all liabilities, claims,
losses, costs, expenses and demands of any kind or nature whatsoever,
arising under state or federal laws, out of or in connection with
Business Associate's performance of the obligations assumed by
Business Associate pursuant to this Agreement.
5. The obligations of the Business
Associate under this Section shall survive the expiration of this
1. A reference in this Agreement to a
section of the Privacy Rule means the section as in effect or, as it
may be amended or interpreted by a court of competent jurisdiction.
2. Business Associate and Covered
Entity agree to take such action as is necessary to amend this
Agreement from time to time in order that Covered Entity can continue
to comply with the requirements of the Privacy Rule and HIPAA and
case law that interprets the Privacy Rule or HIPAA. All such
amendments shall be in writing and
signed by both parties. Business
Associate and Covered Entity agree that this Agreement may be
superseded by a revised Business Associate Agreement executed between
the parties after the effective date of this Agreement.
3. The respective rights and
obligations of Business Associate and Covered Entity under Section D,
"Term of Business Associate Agreement", above, shall
survive the termination of the Contract. The respective rights and
obligations of Business
Associate and Covered Entity under
Section E, "Indemnification", and Section B(11), "Internal
Practices", above, shall survive the termination of this
4. Any ambiguity in this Agreement
shall be resolved to permit Covered Entity to comply with the Privacy
Rule, HITECH, and HIPAA, as they may be amended or interpreted by a
court of competent jurisdiction.
5. Nothing expressed or implied in the
Agreement is intended to confer, nor shall anything herein confer,
upon any person other than the Business Associate and Covered Entity,
and any successor state agency to Covered Entity, any rights,
remedies, obligations or liabilities whatsoever.
Any notices to be given hereunder
shall be made via Regular and Certified US Mail, Return Receipt
Requested, and if possible, by facsimile to the addresses and
facsimile numbers listed below:
Entity: 1. Privacy Officer
DMHAS Privacy Officer
000 Xxxxx Xxxxxx Xxxxxx
X.X. Xxx 000
Xxx Xxxxxx 00000-0000
Assistant Commissioner (specify Division)
Division of Mental Health &
000 Xxxxx Xxxxxx Xxxxxxxx
Xxx Xxxxxx 00000-0000
As the Covered Entity is a body
corporate and politic of the State of New Jersey, the signature of
its authorized representative is affixed below. The undersigned
representative of Covered Entity certifies that he or she is fully
authorized to enter into
the terms and conditions of this
Agreement and to execute and legally bind such Covered Entity to this
The undersigned representative of
Business Associate certifies that he or she is fully authorized to
enter into the terms and conditions of this Agreement and to execute
and legally bind such Business Associate to this document.
Entity: Business Associate:
Name Printed Name