parties to this Business Associate Addendum (“Addendum”) are the
State of Michigan, acting by and through the Department of Management
and Budget, on behalf of the Department of
__________________________________________, (“Contractor”). This
Addendum supplements and is made a part of the existing contract(s)
or agreement(s) between the parties including the following
purposes of this Addendum, the State is (check one):
( ) Covered Entity (“CE”)
( ) Business Associate (“Associate”)
Contractor is (check one):
( ) Covered Entity (“CE”)
( ) Business Associate (“Associate”)
Pursuant to the terms of the Contract, CE wishes to disclose certain
information to Associate, some of which may constitute Protected
Health Information (“PHI”) (defined below). In consideration of
the receipt of PHI, Associate agrees to protect the privacy and
security of the information as set forth in this Addendum.
CE and Associate intend to protect the privacy and provide for the
security of PHI disclosed to Associate pursuant to the Contract in
compliance with the Health Insurance Portability and Accountability
Act of 1996, Public Law 104-191 (“HIPAA”) and regulations
promulgated thereunder by the U.S. Department of Health and Human
Services (the “HIPAA Regulations”) and other applicable laws, as
As part of the HIPAA Regulations, the Privacy Rule and the Security
Rule (defined below) require CE to enter into a contract containing
specific requirements with Associate prior to the disclosure of PHI,
as set forth in, but not limited to, 45 CFR §§ 160.103, 164.502(e),
164.504(e), and 164.314 and contained in this Addendum.
consideration of the mutual promises below and the exchange of
information pursuant to this Addendum, the parties agree as follows:
as otherwise defined herein, capitalized terms in this Addendum shall
have the definitions set forth in the HIPAA Regulations at 45 CFR
Parts 160, 162 and 164, as amended, including, but not limited to,
subpart A, subpart C (“Security Rule”) and subpart E (“Privacy
means both the Contract and this Addendum.
means the underlying written agreement or purchase order between the
parties for the goods or services to which this Addendum is added.
Health Information” or “PHI”
means any information, whether oral or recorded in any form or
medium: (i) that relates to the past, present or future physical or
mental condition of an individual; the provision of health care to an
individual; or the past, present or future payment for the provision
of health care to an individual; and (ii) that identifies the
individual or with respect to which there is a reasonable basis to
believe the information can be used to identify the individual, and
shall have the meaning given to such term under the Privacy Rule,
including, but not limited to, 45 CFR § 164.501.
shall mean PHI provided by CE to Associate or created or received by
Associate on CE’s behalf.
Associate shall not use Protected Information except for the purpose
of performing Associate’s obligations under the Contract and as
permitted under this Agreement. Further, Associate shall not use
Protected Information in any manner that would constitute a violation
of the HIPAA Regulations if so used by CE, except that Associate may
use Protected Information: (i) for the proper management and
administration of Associate; (ii) to carry out the legal
responsibilities of Associate; or (iii) for Data Aggregation purposes
for the Health Care Operations of CE. Additional provisions, if any,
governing permitted uses of Protected Information are set forth in
Attachment A to this Addendum.
Associate shall not disclose Protected Information in any manner
that would constitute a violation of the HIPAA Regulations if
disclosed by CE, except that Associate may disclose Protected
Information: (i) in a manner permitted pursuant to the Contract and
this Addendum; (ii) for the proper management and administration of
Associate; (iii) as required by law; (iv) for Data Aggregation
purposes for the Health Care Operations of CE; or (v) to report
violations of law to appropriate federal or state authorities,
consistent with 45 CFR § 164.502(j)(1). To the
extent that Associate discloses Protected Information to a third
party, Associate must obtain, prior to making any such disclosure:
(i) reasonable assurances from such third party that such Protected
Information will be held confidential as provided pursuant to this
Addendum and only disclosed as required by law or for the purposes
for which it was disclosed to such third party; and (ii) an agreement
to implement reasonable and appropriate safeguards to protect the
Protected Information; and (iii) an agreement from such third party
to immediately notify Associate of any breaches of confidentiality of
the Protected Information or any Security Incident, to the extent it
has obtained knowledge of such breach. Additional provisions, if
any, governing permitted disclosures of Protected Information are set
forth in Attachment I.
Associate shall implement appropriate Security Measures as are
necessary to protect against the use or disclosure of Protected
Information other than as permitted by the Contract or this Addendum.
Associate shall maintain a comprehensive written information privacy
and security program that includes Security Measures that reasonably
and appropriately protect the Confidentiality, Integrity, and
Availability of Protected Information relative to the size and
complexity of the Associate’s operations and the nature and scope
of its activities.
of Improper Use or Disclosure.
Associate shall report to CE in writing any use or disclosure of
Protected Information, whether suspected or actual, other than as
provided for by the Contract and this Addendum within ten (10) days
of becoming aware of such use or disclosure. If the disclosure is a
Major Disclosure, then the improper use or disclosure shall be
reported within three (3) days. A Major Disclosure means any
improper use or disclosure of over twenty-five percent (25%) of the
Protected Information held by the Associate. CE and Associate will
cooperate to mitigate the effects of any unauthorized use or
disclosure and document the outcome.
If Associate uses one or more subcontractors or agents to provide
services under this Agreement, and such subcontractors or agents
receive or have access to Protected Information, each subcontractor
or agent shall sign an agreement with Associate containing
substantially the same provisions as this Addendum and further
identifying CE as a third party beneficiary of the agreement with
such subcontractors or agents in the event of any violation of such
subcontractor or agent agreement. Associate shall implement and
maintain sanctions against agents and subcontractors that violate
such restrictions and conditions and shall mitigate the effects of
any such violation.
to Protected Information.
Associate shall make Protected Information maintained by Associate
or its agents or subcontractors in Designated Record Sets available
to CE for inspection and copying within ten (10) days of a request by
CE to enable CE to fulfill its obligations to permit individual
access to PHI under the Privacy Rule, including, but not limited to,
45 CFR § 164.524.
Within ten (10) days of receipt of a request from CE for an
amendment of Protected Information or a record about an individual
contained in a Designated Record Set, Associate
or its agents or subcontractors shall make such Protected Information
available to CE for amendment and incorporate any such amendment to
enable CE to fulfill its obligations with respect to requests by
individuals to amend their PHI under the Privacy Rule, including, but
not limited to, 45 CFR § 164.526. If any individual requests an
amendment of Protected Information directly from Associate or its
agents or subcontractors, Associate must notify CE in writing within
ten (10) days of receipt of the request. Any denial of amendment of
Protected Information maintained by Associate or its agents or
subcontractors shall be the responsibility of CE.
Within ten (10) days of notice by CE of a request for an accounting
of disclosures of Protected Information, Associate
and its agents or subcontractors shall make available to CE the
information required to provide an accounting of disclosures to
enable CE to fulfill its obligations under the Privacy Rule,
including, but not limited to, 45 CFR § 164.528. As set
forth in, and as limited by, 45 CFR § 164.528, Associate shall not
provide an accounting to CE of disclosures made: (i) to carry out
treatment, payment or health care operations, as set forth in 45 CFR
§ 164.506; (ii) to individuals of Protected Information about them
as set forth in 45 CFR § 164.502; (iii) pursuant to an authorization
as provided in 45 CFR § 164.508; (iv) to persons involved in
the individual’s care or other notification purposes as set forth
in 45 CFR § 164.510; (v) for national security or intelligence
purposes as set forth in 45 CFR § 164.512(k)(2); or (vi) to
correctional institutions or law enforcement officials as set forth
in 45 CFR § 164.512(k)(5). Associate agrees to implement a process
that allows for an accounting to be collected and maintained by
Associate and its agents or subcontractors for at least six (6) years
prior to the request, but not before the compliance date of the
Privacy Rule. At a minimum, such information shall include: (i) the
date of disclosure; (ii) the name of the entity or person who
received Protected Information and, if known, the address of the
entity or person; (iii) a brief description of Protected Information
disclosed; and (iv) a brief statement of purpose of the disclosure
that reasonably informs the individual of the basis for the
disclosure, or a copy of the individual’s authorization, or a copy
of the written request for disclosure. In the event that the request
for an accounting is delivered directly to Associate or its agents or
subcontractors, Associate shall within ten (10) days of the receipt
of the request forward it to CE in writing. It shall be CE’s
responsibility to prepare and deliver any such accounting requested.
Associate shall not disclose any Protected Information except as set forth in
Section 2(b) of this Addendum.
Access to Records.
Associate shall make its internal practices, books and records
relating to the use and disclosure of Protected Information available
to the Secretary of the U.S. Department of Health and Human Services
(the “Secretary”), in a time and manner designated by the
Secretary, for purposes of determining CE’s compliance with the
shall provide to CE a copy of any Protected Information that
Associate provides to the Secretary concurrently with providing such
Protected Information to the Secretary.
Associate (and its agents or subcontractors) shall only request, use
and disclose the minimum amount of Protected Information necessary to
accomplish the purpose of the request, use or disclosure, in
accordance with the Minimum Necessary requirements of the Privacy
Rule, including, but not limited to 45 CFR §§ 164.502(b) and
Unless otherwise specified in the Contract, Associate acknowledges
that Associate has no ownership rights with respect to the Protected
Information. The CE retains all rights with respect to ownership of
the Protected Information.
of Protected Information.
Notwithstanding Section 5(d) of this Addendum, Associate and its
subcontractors or agents shall retain all Protected Information
throughout the term of the Contract and shall continue to maintain
the information required under Section 2(h) of this Addendum for a
period of six (6) years from the date of creation or the date when it
last was in effect, whichever is later, or as required by law. This
obligation shall survive the termination of the Contract.
of Protected Information.
Associate agrees to implement policies and procedures for the final
disposition of electronic Protected Information and/or the hardware
and equipment on which it is stored, including but not limited to,
removal before re-use.
During the term of the Contract or this Addendum, Associate shall
notify CE within twenty-four (24) hours of any suspected or actual
breach of security, intrusion, or unauthorized use or disclosure of
PHI and/or any actual or suspected use or disclosure of data in
violation of any applicable federal or state laws or regulations.
Associate shall take (i) prompt corrective action to cure any such
deficiencies and (ii) any action pertaining to such unauthorized
disclosure required by applicable federal and state laws and
regulations. CE and Associate will cooperate to mitigate the effects
of any breach, Security Incident, intrusion, or unauthorized use and
document the Security Incident and its outcome.
Inspection and Enforcement.
Within ten (10) days of a written request by CE, Associate and its
agents or subcontractors shall allow CE to conduct a reasonable
inspection of the facilities, systems, books, records, agreements,
policies and procedures relating to the use or disclosure of
Protected Information pursuant to this Addendum for the purpose of
determining whether Associate has complied with this Addendum;
provided, however, that: (i) Associate and CE shall mutually agree
in advance upon the scope, timing and location of such an
inspection; (ii) CE shall protect the confidentiality of all
confidential and proprietary information of Associate to which CE
has access during the course of such inspection; and (iii) CE or
Associate shall execute a nondisclosure agreement, if requested by
Associate or CE. The fact that CE inspects, or fails to inspect, or
has the right to inspect, Associate’s facilities, systems, books,
records, agreements, policies and procedures does not relieve
Associate of its responsibility to comply with
this Addendum, nor does CE’s (i) failure to detect or
(ii) detection, but failure to notify Associate or require Associate’s
remediation of any unsatisfactory practices, constitute acceptance of
such practice or a waiver of CE’s enforcement rights under this
Associate shall be responsible for using Security Measures to
reasonably and appropriately maintain and ensure the Confidentiality,
Integrity, and Availability of Protected Information transmitted to
CE pursuant to this Agreement, in accordance with the standards and
requirements of the HIPAA Regulations, until such Protected
Information is received by CE, and in accordance with any
specifications set forth in Attachment I.
CE shall be responsible for using Security Measures to reasonably
and appropriately maintain and ensure the Confidentiality, Integrity,
and Availability of Protected Information transmitted to Associate
pursuant to this Agreement, in accordance with the standards and
requirements of the HIPAA Regulations, until such Protected
Information is received by Associate, and in accordance with any
specifications set forth in Attachment I.
CE shall provide Associate with a copy of its notice of privacy
practices produced in accordance with 45 CFR § 164.520, as well as
any subsequent changes or limitation(s) to such notice, to the extent
such changes or limitations may affect Associate’s use or
disclosure of Protected Information. CE shall provide Associate with
any changes in, or revocation of, permission to use or disclose
Protected Information, to the extent it may affect Associate’s
permitted or required uses or disclosures. To the extent that it may
affect Associate’s permitted use or disclosure of Protected
Information, CE shall notify Associate of any restriction on the use
or disclosure of Protected Information that CE has agreed to in
accordance with 45 CFR § 164.522.
This Addendum shall continue in effect as to each Contract to which
it applies until such Contract is terminated or is replaced with a
new contract between the parties containing provisions meeting the
requirements of the HIPAA Regulations, whichever first occurs.
However, certain obligations will continue as specified in this
In addition to any other provisions in the Contract regarding
breach, a breach by Associate of any provision of this Addendum, as
determined by CE, shall constitute a material breach of the Agreement
and shall provide grounds for termination of the Contract by CE
pursuant to the provisions of the Contract covering termination for
cause. If the Contract contains no express provisions regarding
termination for cause, the following shall apply to termination for
breach of this Addendum, subject to 5.b.:
If Associate refuses or fails to timely perform any of the
provisions of this Addendum, CE may notify Associate in writing of
the non-performance, and if not corrected within thirty (30) days, CE
may immediately terminate the Agreement. Associate shall continue
performance of the Agreement to the extent it is not terminated.
Notwithstanding termination of the Agreement, and subject to any
directions from CE, Associate shall take timely, reasonable and
necessary action to protect and preserve property in the possession
of Associate in which CE has an interest.
Payment for completed performance delivered and accepted by CE shall
be at the Contract price.
Termination for Default.
If after such termination it is determined, for any reason, that
Associate was not in default, or that Associate’s action/inaction
was excusable, such termination shall be treated as a termination for
convenience, and the rights and obligations of the parties shall be
the same as if the contract had been terminated for convenience, as
described in this Addendum or in the Contract.
Steps to Cure Breach.
If CE knows of a pattern of activity or practice of Associate that
constitutes a material breach or violation of the Associate’s
obligations under the provisions of this Addendum or another
arrangement and does not terminate this Agreement pursuant to Section
5(a), then CE shall take reasonable steps to cure such breach or end
such violation, as applicable. If CE’s efforts to cure such breach
or end such violation are unsuccessful, CE shall either (i) terminate
this Agreement, if feasible or (ii) if termination of this Agreement
is not feasible, CE shall report Associate’s breach or violation to
the Secretary of the Department of Health and Human Services.
Except as provided in paragraph (2) of this subsection, upon
termination of this Agreement, for any reason, Associate shall return
or destroy all Protected Information that Associate or its agents or
subcontractors still maintain in any form, and shall retain no copies
of such Protected Information. If Associate elects to destroy the
Protected Information, Associate shall certify in writing to CE that
such Protected Information has been destroyed.
If Associate believes that returning or destroying the Protected
Information is not feasible, including but not limited to, a finding
that record retention requirements provided by law make return or
destruction infeasible, Associate shall promptly provide CE notice of
the conditions making return or destruction infeasible. Upon mutual
agreement of CE and Associate that return or destruction of Protected
Information is infeasible, Associate shall continue to extend the
protections of Sections 2(a), 2(b), 2(c), 2(d) and 2(e) of this
Addendum to such information, and shall limit further use of such
Protected Information to those purposes that make the return or
destruction of such Protected Information infeasible.
Waiver of Immunity.
No term or condition of this Agreement shall be construed or
interpreted as a waiver, express or implied, of any of the
immunities, rights, benefits, protection, or other provisions of the
Michigan Governmental Immunity Act, MCL 691.1401, et seq., the Federal
Tort Claims Act, 28 U.S.C. 2671 et seq., or the common law, as
applicable, as now in effect or hereafter amended.
CE makes no warranty or representation that compliance by Associate
with this Addendum, HIPAA or the HIPAA Regulations will be adequate
or satisfactory for Associate’s own purposes. Associate is solely
responsible for all decisions made by Associate regarding the
safeguarding of Protected Information.
To the extent that CE determines an examination is necessary in
order to comply with CE’s legal obligations pursuant to HIPAA
relating to certification of its security practices, CE or its
authorized agents or contractors, may, at CE’s expense, examine
Associate’s facilities, systems, procedures and records as may be
necessary for such agents or contractors to certify to CE the extent
to which Associate’s security safeguards comply with HIPAA, the
HIPAA Regulations or this Addendum.
to Comply with Law.
The parties acknowledge that state and federal laws relating to data
security and privacy are rapidly evolving and that amendment of this
Addendum may be required to provide for procedures to ensure
compliance with such developments. The parties specifically agree to
take such action as is necessary to implement the standards and
requirements of HIPAA, the Privacy Rule, the Security Rule and other
applicable laws relating to the security or privacy of Protected
Information. The parties understand and agree that CE must receive
satisfactory written assurance from Associate that Associate will
adequately safeguard all Protected Information. Upon the request of
either party, the other party agrees to promptly enter into
negotiations concerning the terms of an amendment to this Addendum
embodying written assurances consistent with the standards and
requirements of HIPAA, the Privacy Rule, the Security Rule or other
applicable laws. CE may terminate the Agreement upon thirty (30)
days written notice in the event (i) Associate does not promptly
enter into negotiations to amend this Agreement when requested by CE
pursuant to this Section or (ii) Associate does not enter into an
amendment to this Agreement providing assurances regarding the
safeguarding of PHI that CE, in its sole discretion, deems sufficient
to satisfy the standards and requirements of HIPAA, the HIPAA
Regulations and other applicable laws.
of Attachment A.
Attachment A may be modified or amended by mutual agreement of the
parties in writing from time to time without formal amendment of this
in Litigation or Administrative Proceedings.
Associate shall make itself, and any subcontractors, employees or
agents assisting Associate in the performance of its obligations
under this Agreement, available to CE, at no cost to CE, to testify
as witnesses, or otherwise, in the event of litigation or
administrative proceedings being commenced against CE, its
directors, officers or employees, departments, agencies, or
divisions based upon a
claimed violation of HIPAA, the HIPAA Regulations or other laws
relating to security and privacy of Protected Information, except
where Associate or its subcontractor, employee or agent is a named
No Third Party Beneficiaries.
Nothing express or implied in this Agreement is intended to confer,
nor shall anything herein confer, upon any person other than CE,
Associate and their respective successors or assigns, any rights,
remedies, obligations or liabilities whatsoever.
Except as specifically required to implement the purposes of this
Addendum, or to the extent inconsistent with this Addendum, all other
terms of the Contract shall remain in force and effect. This
Addendum is incorporated into the Contract as if set forth in full
therein. The parties expressly acknowledge and agree that sufficient
mutual consideration exists to make this Addendum legally binding in
accordance with its terms. Associate and CE expressly waive any
claim or defense that this Addendum is not part of the Agreement
between the parties under the Contract.
and Order of Precedence.
This Addendum is incorporated into and becomes part of each Contract
identified herein. Together, this Addendum and each separate
Contract constitute the “Agreement” of the parties with respect
to their Business Associate relationship under HIPAA and the HIPAA
Regulations. The provisions of this Addendum shall prevail over any
provisions in the Contract that may conflict or appear inconsistent
with any provision in this Addendum. This Addendum and the Contract
shall be interpreted as broadly as necessary to implement and comply
with HIPAA and the HIPAA Regulations. The parties agree that any
ambiguity in this Addendum shall be resolved in favor of a meaning
that complies and is consistent with HIPAA and the HIPAA Regulations.
This Addendum supersedes and replaces any previous separately
executed HIPAA addendum between the parties. In the event of any
conflict between the mandatory provisions of the HIPAA Regulations
and the provisions of this Addendum, the HIPAA Regulations shall
control. Where the provisions of this Addendum differ from those
mandated by the HIPAA Regulations, but are nonetheless permitted by
the HIPAA Regulations, the provisions of this Addendum shall control.
This Addendum is effective upon receipt of the last approval
necessary and the affixing of the last signature required.
of Certain Contract Terms.
Notwithstanding anything herein to the contrary, Associate’s
obligations under Section 5(d) and record retention laws (“Effect
of Termination”) and Section 13 (“No Third Party Beneficiaries”)
shall survive termination of this Agreement and shall be enforceable
by CE as provided herein in the event of such failure to perform or
comply by the Associate.
For the purpose of this Agreement, the individuals identified in the
Contract shall be the representatives of the respective parties. If
no representatives are identified in the Contract, the individuals
listed below are hereby designated as the parties’ respective
representatives for purposes of this Agreement. Either party may
from time to time designate in writing new or substitute
All required notices shall be in writing and shall be hand delivered
or given by certified or registered mail to the representatives at
the addresses set forth below.
and Division: __________________________
notice given to a party under this Addendum shall be deemed
effective, if addressed to such party, upon: (i) delivery, if hand
delivered; or (ii) the third (3rd) Business Day after being sent by
certified or registered mail.
WITNESS WHEREOF, the parties hereto have duly executed this Addendum
Addendum Effective Date.
Attachment sets forth additional terms to the HIPAA Business
Associate Addendum dated ____________________, between
__________________ and _________________ (“Addendum”) and is
effective as of
(the “Attachment Effective Date”). This Attachment applies to
the specific contracts listed below covered by the Addendum. This
Attachment may be amended from time to time as provided in Section
11(b) of the Addendum.
This Attachment applies to the following specific contract covered
by the Addendum:________________________________________
In addition to those purposes set forth in Section 2(a) of the
Addendum, Associate may use Protected Information as follows:
In addition to those purposes set forth in Section 2(b) of the
Addendum, Associate may disclose Protected Information as follows:
The parties acknowledge that the following subcontractors or agents
of Associate shall receive Protected Information in the course of
assisting Associate in the performance of its obligations under the
Contract and the Addendum:
Associate’s receipt of Protected Information pursuant to the
Contract and Addendum shall be deemed to occur as follows, and
Associate’s obligations under the Addendum shall commence with
respect to such PHI upon such receipt:
Restrictions on Use of Data.
CE is a Business Associate of certain other Covered Entities and,
pursuant to such obligations of CE, Associate shall comply with the
following restrictions on the use and disclosure of Protected
section may include specifications for disclosure format, method of
transmission, use of an intermediary, use of digital signatures or
PKI, authentication, additional security of privacy specifications,
de-identification or re-identification of data and other additional