Business Associate Agreement – 1st Credentialing
This Business Associate Agreement (“Agreement”), effective as of the signature date of the Services Agreement between Client and 1st Credentialing (the “Effective Date”), is entered into by and between Client (“Covered Entity”) and SysInformation Healthcare Services, LLC d/b/a 1st Credentialing (“Business Associate”).
WHEREAS, Covered Entity and Business Associate have entered into, or are entering into, or may subsequently enter into, agreements or other documented arrangements (collectively, the “Business Arrangements”), including but not limited to the Services Master Agreement and its schedules, attachments, Scopes of Work and Exhibits (the “Services Agreement”), pursuant to which Business Associate may provide services to or for Covered Entity that require Business Associate to access, create and use health information that is protected by state and/or federal law;
WHEREAS, pursuant to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the U.S. Department of Health & Human Services (“HHS”) promulgated the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Standards”), at 45 C.F.R. Parts 160 and 164, requiring certain individuals and entities subject to the Privacy Standards to protect the privacy of certain individually identifiable health information (“Protected Health Information”, or “PHI”), and has issued the Security Standards (the “Security Standards”), at 45 C.F.R. Parts 160, 162 and 164, for the protection of electronic protected health information (“EPHI”), as amended by applicable provisions of the Health Information Technology for Economic and Clinical Health Act (Title XIII, Subtitle D) and its implementing regulations (the “HITECH Act”) (collectively, the “HIPAA Regulations”);
WHEREAS, in order to protect the privacy and security of PHI, including EPHI, the HIPAA Regulations require covered entities and business associates to enter into a “business associate agreement” with certain individuals and entities providing services for or on behalf of the covered entity or business associate if such services require the use or disclosure of PHI or EPHI; and
WHEREAS, Business Associate and Covered Entity desire to enter into this Agreement.
NOW THEREFORE, in consideration of the mutual promises set forth in this Agreement and the Business Arrangements, and other good and valuable consideration, the sufficiency and receipt of which are hereby severally acknowledged, the parties agree as follows:
1. Defined Terms
1.1. All capitalized terms not otherwise defined in this Agreement shall have the meanings set forth in the HIPAA Regulations, as applicable, and all references to PHI herein shall be construed to include EPHI. Notwithstanding the foregoing, any reference to PHI is limited when used herein to the PHI accessed, created, received, maintained, or transmitted by Business Associate from or on behalf of Covered Entity. A reference in this Agreement to a section in the HIPAA Regulations means the section in effect or as amended.
2. Business Associate Obligations
2.1. Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement, the Business Arrangements, or as required by law.
2.2. Business Associate shall use appropriate safeguards, and comply, where applicable, with the Security Standards with respect to EPHI, to prevent the use or disclosure of PHI other than as expressly permitted under this Agreement. Business Associate agrees not to use or disclose PHI in a manner that would violate the requirements of the HIPAA Regulations if the PHI were used or disclosed by Covered Entity in the same manner, except as otherwise set forth herein.
2.3. Business Associate shall, to the extent Business Associate is to carry out Covered Entity’s obligations under the Privacy Standards, comply with the requirements of the Privacy Standards that apply to Covered Entity in the performance of such obligations.
2.4. If any subcontractors create, receive, maintain or transmit PHI on behalf of Business Associate, Business Associate shall, in accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), require such subcontractors to agree in writing to the same or substantially similar restrictions and conditions that apply to the Business Associate under this Agreement.
2.5. Business Associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate agrees to the following reporting procedures for Security Incidents that result in unauthorized access, use, disclosure, modification, or destruction of EPHI or interference with system operations (“Successful Security Incidents”) and for Security Incidents that do not result in unauthorized access, use, disclosure, modification, or destruction of EPHI or interference with system operations (“Unsuccessful Security Incidents”). Business Associate will promptly report to Covered Entity any Successful Security Incident of which it becomes aware. To avoid unnecessary burden on either party, Business Associate shall report to Covered Entity any Unsuccessful Security Incident of which it becomes aware only upon request of Covered Entity. The frequency, content, and format of the report of Unsuccessful Security Incidents shall be mutually agreed upon by the parties.
2.6. Business Associate shall report to Covered Entity any Breach of Unsecured PHI of which it becomes aware as required by 45 C.F.R. § 164.410. Business Associate agrees to mitigate, to the extent practical and unless otherwise requested by Covered Entity in writing, any harmful effect that is known to Business Associate and is the result of a use or disclosure of PHI by Business Associate in violation of this Agreement. In the event that Business Associate discovers, as determined in accordance with 45 C.F.R. § 164.410, that a Breach of Unsecured PHI of Covered Entity has occurred, Business Associate shall notify Covered Entity of the identification of each individual who has been or is reasonably believed to have been affected by the Breach, along with any other information that Covered Entity will be required to include in its notification of the individual under the HIPAA Regulations, if known.
3. Use of PHI
Except as otherwise permitted herein or required by law, Business Associate shall use PHI only for the purpose of performing services for Covered Entity as such services are described in the Business Arrangements, and as necessary for the proper management and administration of the Business Associate or to carry out its legal responsibilities, provided that such uses are permitted under federal and state law. Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B). Business Associate may de-identify any and all PHI provided that the de-identification conforms to the requirements of the Privacy Standards. Any such de-identified information does not constitute PHI and is not subject to the terms of this Agreement once de-identified.
4. Disclosure of PHI
Subject to any limitations in this Agreement, Business Associate may disclose PHI to any third party person or entity as necessary to perform its obligations under the Business Arrangements and as permitted or required by applicable federal or state law. Further, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that (i) such disclosures are required by law, or (ii) Business Associate (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the third party; and (b) requires the third party to agree to notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.
5. Individual Rights Regarding Designated Record Sets
If Business Associate maintains a Designated Record Set on behalf of Covered Entity, Business Associate shall (i) make available PHI to Covered Entity or, as directed by Covered Entity, an individual who is the subject of the PHI in accordance with 45 C.F.R. §164.524, and (ii) make available for amendment and incorporate any amendments to PHI as requested by Covered Entity pursuant to 45 C.F.R. § 164.526.
6. Accounting of Disclosures
Business Associate shall make available to Covered Entity in response to a request from an individual, information required for an accounting of disclosures of PHI with respect to the individual, in accordance with 45 C.F.R. §164.528, as it may be amended from time to time, incorporating exceptions to such accounting designated under the regulation.
7. Records and Audit
Business Associate shall make available to the HHS or its agents, its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by Business Associate on behalf of Covered Entity for the purpose of determining Covered Entity’s compliance with the HIPAA Regulations or any other health oversight agency, in a time and manner designated by the Secretary of the HHS.
8. Obligations of Covered Entity.
8.1. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would violate this Agreement or the HIPAA Regulations.
8.2. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
8.3. Covered Entity hereby agrees to ensure that it obtains an Individual’s authorization or the authorization of Individual’s personal representatives, to the extent required under the Privacy Standards and in the form required by the Privacy Standards, for Business Associate’s uses and disclosures of PHI contemplated by this Agreement and the Business Arrangements and to inform Business Associate of any changes in, or withdrawal of, such written authorization provided to Covered Entity by Individuals or their personal representatives, including without limitation revocations of authorizations pursuant to 45 C.F.R. § 164.508.
8.4. Covered Entity hereby agrees to promptly notify Business Associate, in writing and in a timely manner, of any arrangements permitted or required of Covered Entity under the Privacy Standards that may impact in any manner the use or disclosure of PHI by Business Associate under this Agreement or the Business Arrangements, including without limitation restrictions on the use or disclosure of PHI agreed to by Covered Entity, as provided for in 45 C.F.R. § 164.522 as amended by the HITECH Act.
9. Term and Termination.
9.1. This Agreement shall commence on the Effective Date and shall remain in effect until terminated in accordance with the terms of this Section 9; provided, however, that any termination shall not affect the respective obligations or rights of the parties arising under this Agreement prior to the effective date of termination, all of which shall continue in accordance with their terms.
9.2. If Covered Entity determines that Business Associate has violated a material term of this Agreement, Covered Entity shall either: (i) provide an opportunity for Business Associate to cure the breach or end the violation within the time specified by Covered Entity, and terminate this Agreement and the Business Arrangements if Business Associate does not cure the breach or end the violation, or (ii) immediately terminate this Agreement and the Business Arrangements if cure is not possible.
9.3. Upon the termination of all Business Arrangements, either party may terminate this Agreement by providing written notice to the other party.
9.4. Upon termination of this Agreement for any reason, Business Associate agrees either to return to Covered Entity, or to destroy, all PHI received from Covered Entity or otherwise through the performance of services for Covered Entity, that is in the possession or control of Business Associate. In the case of PHI which is not feasible to “return or destroy,” Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. The obligations under this Section 9.4 shall survive termination of this Agreement and shall continue as long as Business Associate maintains such PHI.
10.1. Notice. Except as otherwise expressly permitted herein, all notices required or permitted to be given hereunder shall be in writing and shall be deemed effective when personally delivered (including by an acknowledged email) or upon delivery by overnight courier or certified or registered mail, to such mailing or email address, and to the attention of such other authorized person or officer, as any party may designate, at any time, in writing in conformity with these notice provisions.
10.2. Waiver. No provision of this Agreement or any breach thereof shall be deemed waived unless such waiver is in writing and signed by the party claimed to have waived such provision or breach. No waiver of a breach shall constitute a waiver of or excuse any different or subsequent breach.
10.3. Assignment. Neither party may assign (whether by operation of law or otherwise) any of its rights or delegate or subcontract any of its obligations under this Agreement without the prior written consent of the other party. Notwithstanding the foregoing, any assignment permitted under the Services Agreement shall be permissible hereunder.
10.4. Severability. Any provision of this Agreement that is determined to be invalid or unenforceable will be ineffective to the extent of such determination without invalidating the remaining provisions of this Agreement or affecting the validity or enforceability of such remaining provisions.
10.5. Entire Agreement. This Agreement constitutes the complete agreement between Business Associate and Covered Entity relating to the matters specified in this Agreement, and supersedes all prior representations or agreements, whether oral or written, with respect to such matters. In the event of any conflict between the terms of this Agreement and the terms of the Business Arrangements or any such later agreement(s), the terms of this Agreement shall control unless the terms of such Business Arrangements are more strict with respect to PHI and comply with the HIPAA Regulations, or the parties specifically otherwise agree in writing. No oral modification or waiver of any of the provisions of this Agreement shall be binding on either party. No obligation on either party to enter into any transaction is to be implied from the execution or delivery of this Agreement. This Agreement is for the benefit of, and shall be binding upon the parties, their affiliates and respective successors and permitted assigns. No third party shall be considered a third-party beneficiary under this Agreement, nor shall any third party have any rights as a result of this Agreement.
10.6. Governing Law. This Agreement shall be governed by and interpreted in accordance with the laws of the State of Texas. Each party hereby irrevocably and unconditionally agrees that the exclusive venue for any litigation arising out of or relating to this Agreement shall be the state or federal court located in the City of Austin, Texas (the “Austin Courts”), and each party hereby waives any objection to the laying of venue of any such litigation in the Austin Courts and agrees not to plead or claim in any Austin Court that such litigation brought therein has been brought in an inconvenient forum.
10.7. Nature of Agreement. None of the provisions of this Agreement are intended to create, nor shall be deemed or construed to create any relationship between the parties hereto other than that of independent contractors. Neither Business Associate nor any of its employees, subcontractors, or other agents shall be deemed to be an “agent,” “employee,” “servant,” or “joint employee” of Covered Entity.
10.8. Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same document. In making proof of this Agreement, it shall not be necessary to produce or account for more than one such counterpart executed by the party against whom enforcement of this Agreement is sought.
10.9. Modifications to Comply with Standards. In the event that additional regulations are promulgated under the HIPAA Regulations, or any existing HIPAA Regulations are amended, and a party determines in good faith that any such regulation adopted or amended after the execution of this Agreement shall cause any paragraph or provision of this Agreement to be invalid, void, or in any manner unlawful or subject either party to penalty, then the parties agree to negotiate in good faith to modify and amend this Agreement in a manner that would eliminate any such risk.
10.10. Data Use Agreement. Business Associate may use and disclose PHI to create a limited data set without any of the identifiers listed in 45 C.F.R. § 164.514(e) (“Limited Data Set”) for research, public health, and health care operations purposes. Business Associate may not use or further disclose a Limited Data Set for any other purpose, except as may otherwise be required by law. Business Associate must use appropriate safeguards to prevent use or disclosure of a Limited Data Set other than as provided for herein. Business Associate must report to Covered Entity any use or disclosure of a Limited Data Set not provided for herein of which Business Associate becomes aware. Business Associate must ensure that any agents to whom Business Associate provides a Limited Data Set agree to the same restrictions and conditions that apply to Business Associate with respect to such information. Business Associate may disclose a Limited Data Set to any recipient that agrees to the same restrictions and conditions that apply to Business Associate with respect to such information. With respect to any particular Limited Data Set, Business Associate will not use the Limited Data Set in such a way as to identify any individual whose data is incorporated in the Limited Data Set or to contact any such individual.