This Business Associate Agreement (this “Agreement”) is entered into as of ________________________________, __, (the “Effective Date”) by and between (“Dental Practice”) and __________edentalMarket______________________________________ (“Business Associate”).
RECITALS:
WHEREAS, Business Associate performs services for or on behalf of Dental Practice (the “Services”) pursuant to that certain ______SafeBase Service Agreement______________ dated__ __, (the “Underlying Agreement”), which Services involve the access, use and/or disclosure of Protected Health Information (as defined below); and
NOW THEREFORE, the parties agree as follows:
1) Definitions. Capitalized terms not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule and Security Rule (as defined below).
a) “Breach,” when capitalized shall have the meaning set forth in 45 CFR § 164.402 (including all of its subsections).
b)“Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “electronic protected health information” in 45 CFR § 160.103, limited to information that Business Associate creates, accesses, receives or maintains for or on behalf of Dental Practice.
c)“Protected Health Information” or “PHI” shall have the meaning set forth in 45 CFR § 160.103, limited to information that Business Associate creates, accesses, receives or maintains for or on behalf of Dental Practice. PHI includes EPHI.
d)“Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information codified at 45 CFR parts 160 and 164, Subparts A, D and E, as currently in effect.
e)“Security Rule” means the Standards for Security for the Protection of Electronic Protected Health Information, codified at 45 CFR parts 160 and 164, Subparts A and C, as currently in effect.
f) “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 CFR § 164.402, limited to such information accessed, created, received or maintained by Business Associate.
2) Scope of Use and Disclosure of PHI.
a)Business Associate Status. Business Associate acknowledges that it is Dental Practice’s “business associate” as defined by HIPAA. Business Associate agrees to comply with the HIPAA regulations as they directly apply to business associates.
b)Performance of Services. Business Associate shall not access, use or further disclose PHI other than as permitted or required by this Agreement, to perform the Services pursuant to the Underlying Agreement or as Required by Law. Business Associate shall not access, use or disclose PHI in any manner that would violate HIPAA if such access, use or disclosure was done by Dental Practice.
1.Uses and Disclosure Permitted By Law. Business Associate may use or disclose PHI: (A) as is necessary for the proper management and administration of Business Associate’s organization, and (B) to carry out the legal responsibilities of Business Associate; provided, however that any permitted disclosure of PHI to a third party must be either Required By Law or subject to reasonable assurances obtained by Business Associate from the third party that PHI will be held confidentially, and securely, and used or disclosed only as Required By Law or for the purposes for which it was disclosed to such third party, and that any breaches of confidentiality of PHI which become known to such third party will be immediately reported to Business Associate.
2.Statistical Aggregation. Business Associate shall not use PHI for any compilation or aggregation of data or for any commercial purpose whatsoever not set forth in this Agreement, unless permitted by Dental Practice in a written document.
3.De-identification. Business Associate shall not use PHI to create de-identified PHI for any purpose not set forth in this Agreement, unless permitted by Dental Practice in a written document.
c)Minimum Necessary. Business Associate shall not access, use or disclose more than the minimum necessary PHI to perform or fulfill the intended permissible purpose, in accordance with this Agreement.
d) Privacy Rule. To the extent Business Associate carries out one or more of Dental Practice’s obligations under the HIPAA Privacy Rule, Business Associate shall comply with the requirements of HIPAA that apply to Dental Practice in the performance of such obligation(s).
e) Security Rule and Safeguards. Business Associate shall use safeguards that are appropriate and sufficient to prevent access, use or disclosure of PHI other than as permitted or required by this Agreement. Business Associate shall comply with the Security Rule with respect to EPHI, including implementing Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of EPHI.
f) Notification. Without unreasonable delay, Business Associate shall notify Dental Practice, in writing, of any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware. Without unreasonable delay, Business Associate shall report to Dental Practice in writing of any Security Incident of which it becomes aware in accordance with the Security Rule and Business Associate’s obligations under the same. Upon Dental Practice’s request, Business Associate shall provide a report of any and all impermissible uses, disclosures and/or Security Incidents.
g)Subcontractors. Business Associate shall ensure that any and all subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate agree, in writing, to the same restrictions and conditions that apply to Business Associate. Each subcontract agreement must include, without limitation, the provisions of this Agreement. Business Associate shall make such agreement with its subcontractors available to Dental Practice upon request.
h)Audit. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Dental Practice available to the Secretary of Health and Human Services and/or Dental Practice, upon request, for purposes of determining and facilitating Dental Practice’s compliance with HIPAA.
i)Patient Rights.
1. Patient Right to Review. Business Associate shall make PHI maintained in a Designated Record Set available to Dental Practice or, at the direction of Dental Practice, to an individual, in accordance with § 164.524 of the Privacy Rule.
2. Patient Right to Amend. Business Associate shall make PHI available for amendment and incorporate any amendments to PHI maintained in a Designated Record Set at the direction of Dental Practice and in accordance with § 164.526 of the Privacy Rule. Dental Practice shall be involved in any decision of Business Associate to amend the PHI of an individual.
3. Patient Right to Request Accounting. Business Associate shall document and make available to Dental Practice or, at the direction of Dental Practice, to an individual information relating to such individual as is necessary for Dental Practice to respond to a request for an accounting of disclosures in accordance with § 164.528 of the Privacy Rule.
A. Business Associate agrees to implement an appropriate record-keeping process to ensure compliance with the requirements of this Section.
B.Business Associate agrees to provide PHI it maintains electronically in a Designated Record Set in an electronic form at the request of Dental Practice or an individual.
4.Notice to Dental Practice. Business Associate shall notify Dental Practice immediately in writing upon receiving a request from an individual to review, copy or amend his or her medical record information or to receive an accounting of disclosures. Business Associate shall also provide Dental Practice with a prompt written report of the details of its handling of such requests.
j) Breach. Business Associate shall notify Dental Practice of breaches of unsecured PHI in accordance with the requirements of 45 CFR § 164.410. Such notification shall include, to the extent possible, the identification of each individual whose PHI has been or is reasonably believed to have been accessed, acquired, used or disclosed during the Breach, along with any other information that Dental Practice will be required to include in its notification to an affected individual, the media and/or the Secretary, as applicable, including, without limitation, a description of the Breach, the date of the Breach and its discovery, the type of Unsecured Protected Health Information involved and a description of Business Associate’s investigation, mitigation and prevention efforts.
k)Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate or a subcontractor or agent of Business Associate in violation of the requirements of this Agreement, the Privacy Rule, the Security Rule or other applicable federal or state law.
3) Dental Practice Obligations.
a) Notice of Privacy Practices. Dental Practice shall notify Business Associate of limitation(s) in its notice of privacy practices to the extent such limitation affects Business Associate’s permitted uses or disclosures under this Agreement.
b)Individual Authorization. Dental Practice shall notify Business Associate of changes in, or revocation of, authorization by an individual to use or disclose PHI, to the extent such changes affect Business Associate’s permitted uses or disclosures under the Agreement.
c)Restrictions. Dental Practice shall notify Business Associate of restriction(s) in the use or disclosure of PHI that Dental Practice has agreed to, to the extent such restriction affects Business Associate’s permitted uses or disclosures under this Agreement.
4) Term and Termination.
a)Term. The Term of this Agreement shall become effective as of the Effective Date, and remain in effect until all PHI is returned or destroyed in accordance with this Section.
b) Termination for Cause: Dental Practice may terminate this Agreement immediately if Dental Practice, in its sole discretion, determines that Business Associate has violated a material term of this Agreement. Dental Practice, at its option and within its sole discretion, may (1) permit Business Associate to take steps to cure the breach; and (2) in the event Dental Practice determines such cure is sufficient, elect to keep this Agreement in force.
c)Obligation of Business Associate Upon Termination. Upon termination of this Agreement for any reason, Business Associate shall promptly return to Dental Practice or destroy all PHI received from Dental Practice, or created or received by Business Associate on behalf of Dental Practice, that Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI in any form. Upon request by Dental Practice, Business Associate shall promptly supply a certificate executed by an officer (vice president level or above) of the Business Associate confirming that Business Associate has returned or destroyed all PHI and all copies thereof.
d)Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.
5) Limitation of Liability, Indemnification and Insurance.
a)Limitation of Liability. To the extent that Business Associate has limited its liability under the terms of the Underlying Agreement, whether with a maximum recovery for direct damages or a disclaimer against any consequential, indirect or punitive damage, or other such limitations, all limitations shall exclude damages to Dental Practice arising out of a breach of this Agreement by Business Associate or any Breach of PHI by Business Associate.
b) Indemnification. Business Associate agrees to indemnify, defend, and hold harmless Dental Practice and its directors, officers, affiliates, employees, agents, and permitted successors from and against any and all claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to Business Associate’s breach of its obligations under this Agreement, including, but not limited to, a Breach of Unsecured Protected Health Information by Business Associate.
c) Insurance. Business Associate agrees, at the request of Dental Practice, to obtain and maintain insurance coverage against the improper use and disclosure of PHI by Business Associate, naming Dental Practice as a named insured. Promptly following a request by Dental Practice for the maintenance of such insurance, Business Associate will provide a certificate evidencing such insurance coverage.
6) Miscellaneous Provisions.
a)Notices. Any notice required or permitted under this Agreement will be given in writing and will be sent –
To Dental Practice at:
Notices will be deemed to have been received upon actual receipt, one business day after being sent by overnight courier service, or three business days after mailing by first-class mail, whichever occurs first.
b)Governing Law. This Agreement will be governed by, and construed in accordance with the laws of the state of Ohio without giving effect to choice of law provisions thereof.
c)Waiver. No delay or omission by either party to exercise any right or remedy under this Agreement will be construed to be either acquiescence or the waiver of the ability to exercise any right or remedy in the future. Failure of a party to insist upon strict adherence to any term or condition of this Agreement shall not be considered a waiver by that party of its right thereafter to insist upon strict adherence to that, or any other, term or condition of this Agreement. No waiver of any breach of any provision of this Agreement shall constitute a waiver of any prior, concurrent or subsequent breach of the same or any other provisions hereof, and no waiver shall be effective unless made in writing and signed by an authorized representative of the waiving party.
d)Severability. All provisions of this Agreement are separate and divisible, and if any part or parts of this Agreement are held to be unenforceable, the remainder of this Agreement will continue in full force and effect.
e)Amendments. The parties shall amend this Agreement from time to time by mutual written agreement in order to keep this Agreement consistent with any changes made to the HIPAA laws or regulations in effect as of the Effective Date and with any new regulations promulgated under HIPAA. Dental Practice may terminate this Agreement and, where appropriate, the Underlying Agreement in whole or in part if the parties are unable to agree to such changes by the compliance date for such new or revised HIPAA laws or regulations.
f)Interpretation. In the event of any conflict between the provisions of this Agreement and the Underlying Agreement, the provisions of this Agreement shall control. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the parties to comply with HIPAA.
g)Automatic Amendment. This Agreement shall automatically incorporate any change or modification of applicable state or federal law as of the effective date of the change or modification. Business Associate agrees to maintain compliance with all changes or modifications to applicable state or federal law.
h)Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
i)Independent contractors. The parties acknowledge and agree that Business Associate is an independent contractor. Nothing in this agreement shall be construed to create any partnership, joint venture, agency, or employment relationship of any kind between the parties. Notwithstanding the foregoing, to the extent that Business Associate is ever determined for any purpose to be an agent of the Dental Practice (under the Federal common law of agency or otherwise), Business Associate shall be acting outside of the scope of agency if Business Associate fails to notify the Dental Practice immediately if Business Associate violates or breaches any provision of this Agreement or violates the HIPAA Rules.