Business Associate Agreement

Effective Date: January 26, 2025

BUSINESS ASSOCIATE ADDENDUM

This Business Associate Addendum ("Addendum") sets out the responsibilities and obligations of Service Provider (referred to in this Addendum as "Business Associate") and Customer (referred to in this Addendum as "Covered Entity"). In connection with the Agreement, Business Associate and Covered Entity agree to the terms and conditions of this Addendum, which is incorporated into and made a part of the Agreement, in order to comply with the use and handling of Protected Health Information of Covered Entity ("PHI") under the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R., Parts 160 and 164, as amended from time to time ("Privacy Standards") and the Security Standards, 45 C.F.R. §160, 162 and 164, as amended from time to time ("Security Standards") of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 and its accompanying regulations (the "HITECH Act"), as may be amended from time to time in accordance with the terms and conditions set forth in this Addendum.

Unless otherwise provided, all capitalized terms in this Addendum will have the same meaning as provided under the Privacy Standards, the Security Standards and the HITECH Act. Notwithstanding the foregoing, for purposes of this Addendum, the term "PHI" shall refer solely to information accessed, received, used, disclosed and/or maintained by Business Associate as part of the provision of services to Covered Entity pursuant to the Agreement.

1. Uses and Disclosures of Protected Health Information

Business Associate provides certain services and functions for and/or on behalf of Covered Entity under the Agreement. In order for Business Associate to perform one or more of these functions for Covered Entity, Business Associate may receive or access PHI from Covered Entity or other sources in accordance with the terms of the Agreement. Business Associate may use and disclose such PHI pursuant to this Addendum, the Agreement, or as otherwise permitted by law, to the extent necessary for Business Associate to perform its services for Covered Entity and for the proper management and administration of its business activities. Business Associate will not use or further disclose any PHI in violation of this Addendum.

Business Associate may use and disclose PHI that is created or received by Business Associate from or on behalf of Covered Entity if such use or disclosure, respectively, complies with each applicable requirement of 45 C.F.R. § 164.504(e) and the HITECH Act. The additional requirements of Subtitle D of the HITECH Act that relate to privacy and that apply to covered entities will also apply to Business Associate and are incorporated into this Addendum by reference.

Except as otherwise limited by any agreement between the parties hereto with regard to the provision of services, Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 C.F.R. §164.504(e)(2)(i)(B).

2. Use of PHI for Administrative Activities

Notwithstanding Section 1 above, Business Associate may use or disclose PHI for management and administrative activities of Business Associate or to comply with the legal responsibilities of Business Associate; provided, any such disclosure is required by law or the Business Associate obtains reasonable assurances from the third party that receives the Protected Health Information that the third party will treat the Protected Health Information confidentially and will only use or further disclose the Protected Health Information in a manner consistent with the purposes for which the Protected Health Information was provided by Business Associate, and will promptly report any breach of the confidentiality of the Protected Health Information to Business Associate.

3. Minimum Necessary

The parties shall at all times comply with the "minimum necessary" requirements for use and disclosure of PHI. All uses and disclosures shall therefore be limited, to the extent practicable, to a limited data set or, if needed, to the minimum necessary to accomplish the intended purposes for such use or disclosure as determined by the disclosing entity and consistent with Section 13405(b) of the HITECH Act and any implementing regulations adopted thereunder.

4. Sale of PHI

Except to the extent otherwise permitted by this Addendum, Business Associate shall not directly or indirectly receive remuneration in exchange for PHI that is created or received by Business Associate from or on behalf of Covered Entity unless: (1) pursuant to an authorization by the Individual in accordance with 45 C.F.R. §164.508 that includes a specification for whether the PHI can be further exchanged for remuneration by the entity receiving PHI of that Individual; or (2) as provided in Section 13405(d)(2) of the HITECH Act and regulations to be issued by the Secretary, upon the effective date of such regulations. Nothing herein shall preclude the payment of consideration from Covered Entity to Business Associate in return for the provision of services by Business Associate to Covered Entity.

5. Safeguards

Business Associate will implement appropriate safeguards to prevent any use or disclosure of PHI not otherwise permitted in this Addendum. Business Associate will implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity and comply with 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316 of the Security Rule as required by the HITECH Act. Notwithstanding any provision of this Addendum to the contrary, the parties hereto hereby agree and acknowledge that Business Associate shall have no responsibility to protect or safeguard any information or PHI prior to access or actual receipt of such information or PHI by Business Associate.

6. Reports of Impermissible Use or Disclosure

Business Associate will report to Covered Entity any use or disclosure of PHI not permitted by this Addendum within ten (10) business days of Business Associate's learning of such use or disclosure. Business Associate will also report to Covered Entity within ten (10) business days upon discovery by Business Associate of any security incident relating to PHI of which it becomes aware.

Security Incidents that do not result in any unauthorized access, use, disclosure, modification, destruction of information or interference with system operations ("Unsuccessful Security Incidents") will be reported in the aggregate upon written request of Covered Entity in a manner and frequency mutually acceptable to the parties. Business Associate hereby notifies Covered Entity that Unsuccessful Security Incidents including, but not limited to, ping sweeps or other common network reconnaissance techniques, attempts to log on to a system with an invalid password or username, and denial of service attacks that do not result in a server being taken offline, may occur from time to time.

7. Breach Notification

Business Associate will comply with Section 13402 of the HITECH Act and the regulations implementing such provisions, currently Subpart D of Title 45 of the Code of Federal Regulations, as such regulations may be in effect from time to time (collectively, the "Breach Notification Rules").

Except as provided in 45 C.F.R. § 164.412, Business Associate will give Covered Entity notice of any Breach of Unsecured Protected Health Information pursuant to 45 C.F.R. §164.410. The notice required by this Section will be written in plain language and will include, to the extent possible or available, the following:

  • The identification of the individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach;
  • A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach;
  • A description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether the full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
  • Any steps individuals who were subjects of the Breach should take to protect themselves from potential harm that may result from the Breach;
  • A brief description of what Business Associate is doing to investigate the Breach, to mitigate the harm to individuals, and to protect against further Breaches; and
  • Contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an email address, website, or postal address.

Notwithstanding the foregoing, Covered Entity shall not provide to Business Associate any PHI that is Unsecured Protected Health Information.

8. Agents and Subcontractors

If Business Associate provides PHI to an agent or subcontractor for a purpose authorized under this Addendum, Business Associate will receive reasonable assurances from the agent or subcontractor that the agent or subcontractor will abide by the same restrictions and conditions applicable to Business Associate's use and disclosure of PHI, as set forth in this Addendum. Business Associate will maintain a list of any such disclosures to agents or subcontractors to the extent required by Section 12 of this Addendum.

9. Obligations Regarding Business Associate's Personnel

Business Associate will appropriately inform all of its employees, agents, representatives and members of its workforce ("Business Associate Personnel"), whose services may be used to satisfy Business Associate's obligations under this Addendum, of the general terms of this Addendum. Business Associate represents and warrants that the Business Associate Personnel are under legal obligation to Business Associate, by contract or otherwise, sufficient to enable Business Associate to fully comply with the provisions of this Addendum.

10. Access to PHI

(a) Covered Entity Access

The parties agree and acknowledge that Business Associate does not maintain PHI in a Designated Record Set. Should Business Associate maintain a Designated Record Set in the future, within ten (10) business days of a request by Covered Entity for access to PHI held by Business Associate in such Designated Record Set, Business Associate will make the requested PHI available to Covered Entity.

(b) Patient Access

If a patient requests access to PHI directly from Business Associate, Business Associate will within ten (10) business days forward such request in writing to Covered Entity. Covered Entity will be responsible for making all determinations regarding the grant or denial of a patient's request for PHI and Business Associate will make no such determinations. Only Covered Entity will release PHI to the patient pursuant to such a request, unless release by Business Associate has otherwise been approved by Covered Entity.

11. Amendment of PHI

Within ten (10) business days of receiving a request from Covered Entity to amend a patient's PHI, if Business Associate retains such PHI in a Designated Record Set, Business Associate will provide such information to Covered Entity for amendment. If Covered Entity's request includes specific information to be included in the PHI as an amendment, Business Associate will incorporate such amendment in such Designated Record Set within ten (10) business days of receipt of Covered Entity's request. Business Associate will forward to Covered Entity within ten (10) business days any requests by patients to Business Associate to amend PHI. Covered Entity will be responsible for making all final determinations regarding amendments to PHI requested by patients and Business Associate will make no such determinations. Nothing in this paragraph shall prohibit Business Associate from amending PHI to the extent necessary for Business Associate to otherwise perform its services for Covered Entity.

12. Accounting of Disclosures; Requests for Disclosure

(a) Disclosure Records

Business Associate will keep a record of any disclosure made to its agents, subcontractors or other third parties for any purpose other than disclosures:

  • to carry out treatment, payment and health care operations as provided in 45 CFR §164.506;
  • to Individuals of PHI about them as provided in 45 CFR §164.502;
  • incident to a use or disclosure otherwise permitted or required by the HIPAA Privacy Rule, 45 CFR Part 164, Subpart E, as provided in 45 CFR §164.502;
  • pursuant to an authorization as provided in 45 CFR §164.508;
  • for a facility's directory or to persons involved in the Individual's care or other notification purposes as provided in 45 CFR §164.510;
  • for national security or intelligence purposes as provided in 45 CFR §164.512(k)(2);
  • to correctional institutions or law enforcement officials as provided in 45 CFR §164.512(k)(5); or
  • as part of a limited data set in accordance with 45 CFR §164.514(e).

Business Associate will maintain such disclosure record for six (6) years from the effective date of termination of this Addendum. Notwithstanding the foregoing, Business Associate agrees to document disclosures of PHI and collect information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. §164.528, and in accordance with, and upon the effective date of, Section 13405(c) of the HITECH Act.

(b) Data Regarding Disclosures

For each disclosure for which Business Associate must maintain documentation under paragraph 12(a), Business Associate will record and maintain the following information:

Unless subject to multiple disclosures below:

  • the date of disclosure;
  • the name of the entity or person who received the PHI, and the address of such entity or person, if known;
  • a description of the PHI disclosed; and
  • a brief statement of the purpose of the disclosure.

If Business Associate has made multiple disclosures of PHI to the same person or entity for a single purpose, the accounting may provide:

  • The information required above for the first disclosure;
  • The frequency, periodicity, or number of the disclosures made during the accounting period; and
  • The date of the last such disclosure during the accounting period.

(c) Patient Request for Disclosure of Records

Within ten (10) business days of receipt of a notice from Covered Entity to Business Associate of a patient's request for an accounting of PHI disclosed, Business Associate will provide Covered Entity with the records of disclosures requested in the notice. Business Associate will provide the records for the time period requested by the patient or for six (6) years before the date on which the accounting was requested by the patient, as set forth in the notice.

(d) Patient Request to Business Associate

If a patient requests an accounting of disclosures directly from Business Associate, Business Associate will forward the request to Covered Entity within ten (10) business days of Business Associate's receipt of the request and will make its records of disclosures available to Covered Entity as otherwise provided in this Section. Covered Entity will be responsible for preparing and delivering the records of disclosure to the patient. Business Associate will not provide an accounting of its disclosures directly to the patient.

13. Covered Entity Obligations

Covered Entity shall provide Business Associate with the "Notice of Privacy Practices" that Covered Entity produces in accordance with 45 C.F.R. §164.520, as well as any changes to such notice.

Covered Entity shall provide Business Associate with notice of any changes to, revocation of, or permission by an Individual to Use or Disclose PHI, including, without limitation, any authorization, if such changes affect Business Associate's permitted Uses or Disclosures, as soon as Covered Entity receives or becomes aware of such changes to or revocation of permission.

In the event that Covered Entity shall agree to any restriction to the Use or Disclosure of PHI that would materially impact Business Associate, Covered Entity shall provide written notice to Business Associate of such restriction and shall not provide to Business Associate, or permit Business Associate access to, PHI subject to such restriction.

Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity or that would otherwise violate the HIPAA Rules, this Addendum or the Minimum Necessary standards.

14. Termination

Upon Covered Entity's knowledge of a material breach of this Addendum by Business Associate, Covered Entity shall notify Business Associate of such breach in reasonable detail and provide thirty (30) days' notice and opportunity for Business Associate to cure the breach or violation, or if cure is not possible, Covered Entity may immediately terminate this Addendum.

15. Responsibilities upon Termination

(a) Return of PHI; Destruction

Within thirty (30) days of termination of this Addendum, if feasible, Business Associate will return to Covered Entity all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity which Business Associate maintains in any form or format, and Business Associate will not maintain or keep in any form or format any portion of such PHI. Alternatively, Business Associate may destroy all such PHI and provide written documentation of such destruction. The requirement to return or destroy such PHI will apply to all agents or subcontractors of Business Associate. Business Associate will be responsible for recovering, and likewise returning to Covered Entity or destroying, any PHI from such agents or subcontractors. If Business Associate cannot obtain the PHI from any agent or subcontractor, Business Associate will so notify Covered Entity and will require that such agents or subcontractors directly return PHI to Covered Entity or otherwise destroy such PHI, subject to the terms of this Section.

(b) Alternative Measures

If Business Associate believes that returning or destroying PHI at the termination of this Addendum is infeasible, it will provide written notice to Covered Entity of such infeasibility within ten (10) business days of the effective date of termination of this Addendum, along with the reason why such return or destruction is infeasible. Business Associate agrees to extend all protections, limitations and restrictions of this Addendum to Business Associate's use or disclosure of PHI retained after termination of this Addendum, and to limit further uses or disclosures to those purposes that make the return or destruction of the PHI infeasible. Any such extended protections, limitations and restrictions will apply to any agents or subcontractors of Business Associate for whom return or destruction of PHI is determined by Covered Entity to be infeasible.

16. Business Associate Books and Records

Business Associate will make its internal practices, books and records on the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services to the extent required for determining compliance with the Privacy Standards and any other provisions of HIPAA and HIPAA regulations. Notwithstanding this provision, no attorney-client, accountant-client or other legal privilege will be deemed waived by Business Associate or Covered Entity as a result of this Section.

17. Change in Law

The parties agree to promptly amend this Addendum to the extent changes in laws addressing the privacy or security of PHI impose new or different rights and obligations on covered entities and business associates.

Contact Information

If you have questions about this Business Associate Agreement or HIPAA compliance, please contact us:

Qatalyst Health

Email: privacy@qatalysthealth.com

Privacy Officer: privacy@qatalysthealth.com

Website: www.qatalysthealth.com