Business Associates Agreement
HIPAA BUSINESS ASSOCIATE CONTRACT FOR EYE CARE PROVIDERS
This Business Associate Agreement (the “Agreement”) between Customer (“Covered Entity”) and VisionWeb (“BUSINESS ASSOCIATE”) will be in effect during any such time period that Covered Entity has subscribed to and is using VisionWeb’s services and upon termination as set forth below.
WHEREAS, COVERED ENTITY will make available and/or transfer to BUSINESS ASSOCIATE certain information in conjunction with goods or services that are confidential and must be afforded special treatment and protection.
WHEREAS, BUSINESS ASSOCIATE will have access to and/or receive from COVERED ENTITY certain information that can be used or disclosed only in accordance with this Agreement and the Department of Health and Human Services (“HHS”) Privacy and Security Standards.
WHEREAS, Covered Entity has engaged BUSINESS ASSOCIATE to perform services or provide software, or both;
WHEREAS, Covered Entity possesses Individually Identifiable Health Information that is protected under HIPAA (as hereinafter defined), the HIPAA Privacy Regulations (as hereinafter defined), the HIPAA Security Regulations (as hereinafter defined), and the HITECH Standards (as hereinafter defined) and is permitted to use or disclose such information only in accordance with such laws and regulations;
WHEREAS, BUSINESS ASSOCIATE may receive such information from Covered Entity, or create and receive such information on behalf of Covered Entity, in order to perform certain of the services or provide certain of the goods, or both; and
WHEREAS, Covered Entity wishes to ensure that BUSINESS ASSOCIATE will appropriately safeguard Individually Identifiable Health Information;
NOW THEREFORE, the Parties agree as follows:
The parties agree that the following terms, when used in this Agreement, shall have the following meanings, provided that the terms set forth below shall be deemed to be modified to reflect any changes made to such terms from time to time as defined in the HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HITECH Standards (collectively the HIPAA Rules). Terms used in this agreement and not otherwise defined shall have the meaning of those terms in the HIPAA Rules.
“BUSINESS ASSOCIATE” shall have the same meaning as the definition for BUSINESS ASSOCIATE set forth in 45 CFR 160.103.
“Covered Entity” means a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by the HIPAA Privacy and HIPAA Security Regulations.
“Data Aggregation” means, with respect to PHI (“Protected Health Information”) created or received by a BUSINESS ASSOCIATE in its capacity as the BUSINESS ASSOCIATE of a Covered Entity, the combining of such PHI by the BUSINESS ASSOCIATE with the PHI received by the BUSINESS ASSOCIATE in its capacity as a BUSINESS ASSOCIATE of another Covered Entity, to permit data analyses that relate to the health care operations of the respective Covered Entities.
“Electronic Protected Health Information” or “ePHI” means the Protected Health Information that is transmitted by or maintained in electronic media as defined in the HIPAA Security Regulations.
“End User License Agreement” or “EULA” is the agreement between VisionWeb and its customers and end users. The EULA dictates the subscription terms and conditions, service level agreements and payment terms.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
“HIPAA Privacy Regulations” means the regulations promulgated under HIPAA by the United States Department of Health and Human Services to protect the privacy of Protected Health Information, including but not limited to, 45 CFR § 160 and 45 CFR § 164, Subpart A and E.
“HIPAA Security Regulations” means the regulations promulgated under HIPAA by the United States Department of Health and Human Services to protect the security of Electronic Protected Health Information, including, but not limited to, 45 CFR § 160 and 45 CFR § 164, Subpart A and C.
“HITECH Standards” means the privacy, security and security Breach notification provisions applicable to a BUSINESS ASSOCIATE under Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), and any regulations promulgated thereunder.
“Individual” has the same meaning as the term “individual” in 45 CFR § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
“Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, and:
is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for provision of health care to an individual; and
that identifies the individual; or
with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
“Ownership of Data” is designated within the VisionWeb End User License Agreement (“EULA”). VisionWeb will maintain the customer’s data containing ePHI for a reasonable period of time to allow the customer sufficient time to validate their data from the VisionWeb system.
“Protected Health Information” or “PHI” has the same meaning as the term “protected health information” in 45 CFR § 164.501, limited to the information created or received by BUSINESS ASSOCIATE from or on behalf of Covered Entity.
“Provider(s)” means any healthcare professional that provides billable services to patients who is an employee or customer, or has an employment, contractor, or agent relationship with a customer, for which the Service organizes information and provides medical billing management.
“Required By Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.501.
“Secretary” means the Secretary of the United States Department of Health and Human Services or his designee.
“Breach” shall mean the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under 45 CFR § 164, Subpart E (the “HIPAA Privacy Rule”). “Breach” shall not include:
Any unintentional acquisition, access or use of Protected Health Information by a workforce member or person acting under the authority of Covered Entity or BUSINESS ASSOCIATE, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule; or
Any inadvertent disclosure by a person who is authorized to access Protected Health Information at Covered Entity or BUSINESS ASSOCIATE to another person authorized to access Protected Health Information at Covered Entity or BUSINESS ASSOCIATE, respectively, or organized health care arrangement in which Covered Entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule; or
A disclosure of Protected Health Information where Covered Entity or BUSINESS ASSOCIATE has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information; or
A disclosure of Protected Health Information where a Covered Entity or BUSINESS ASSOCIATE, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the factors set forth in 45 CFR 164.402(2)(i)-(iv).
BUSINESS ASSOCIATE hereby agrees to refrain from the use or disclosure of the information provided or made available other than as expressly permitted or required under this contract.
BUSINESS ASSOCIATE will establish and maintain appropriate safeguards to prevent the use or disclosure of information.
The parties agree that BUSINESS ASSOCIATE may unilaterally amend this Agreement from time to time for the reasons set forth in the above paragraph and for other business reasons and that any such amended agreement which BUSINESS ASSOCIATE signs on a later date will supersede this Agreement.
The term of this Contract shall commence as of the date signed by COVERED ENTITY below and shall expire when all information provided by the COVERED ENTITY to BUSINESS ASSOCIATE is destroyed or returned to the COVERED ENTITY.
PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
Except as otherwise limited in this Agreement:
BUSINESS ASSOCIATE is permitted to use information if necessary to properly manage and/or administer its commerce (excluding support for marketing).
BUSINESS ASSOCIATE may use information to provide Data Aggregation services to COVERED ENTITY as permitted by 45 CFR § 164.504(e)(2)(i)(B).
BUSINESS ASSOCIATE may use information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).
REPORTS OF IMPROPER USE OR DISCLOSURE
BUSINESS ASSOCIATE hereby agrees to immediately report to COVERED ENTITY any and all breaches or improper uses or disclosures aside from those permitted in this Agreement or by the Health Insurance Portability and Accountability Act (HIPAA).
SAFEGUARDS TO PREVENT IMPROPER DISCLOSURES
BUSINESS ASSOCIATE agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information in any manner other than as provided for by this Agreement and as required by the Health Insurance Portability and Accountability Act.
BUSINESS ASSOCIATE agrees to mitigate, to the maximum extent practicable, any harmful effect that is known to BUSINESS ASSOCIATE from use or disclosure of information in a manner contrary to terms of this Agreement or according to the Health Insurance Portability and Accountability Act.
SUBCONTRACTORS AND AGENTS EMPLOYED BY BUSINESS ASSOCIATE
BUSINESS ASSOCIATE hereby agrees that any and all information provided or made available to its subcontractors or agents is subject to the same terms, conditions, and restrictions on use and disclosure of information as agreed upon in this contract between COVERED ENTITY and BUSINESS ASSOCIATE.
RIGHT TO ACCESS BY THE FEDERAL GOVERNMENT’S DEPARTMENT OF HEALTH AND HUMAN SERVICES
Business Associate agrees to provide access, at the request of Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in a time and manner that allows Covered Entity to meet the requirements under 45 CFR § 164.524.
Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity, in a time and manner that allows a Covered Entity to meet the requirements of 45 CFR § 164.526.
BUSINESS ASSOCIATE hereby agrees to make its internal practices (including policies and procedures), books, and records relating to use or disclosure of information gained or received under terms of this Agreement available to the Secretary of the Department of Health and Human Services or the Secretary’s designee for the purpose of determining compliance with Privacy and Security standards under the Health Insurance Portability and Accountability Act.
RIGHTS OF INDIVIDUALS TO ACCESS INFORMATION
BUSINESS ASSOCIATE hereby agrees to make available and provide individuals the right to inspect and receive a copy of their protected health information in accordance with 45 CFR § 164.524.
BUSINESS ASSOCIATE agrees to cooperate in making protected health information available to individuals for amendment and agrees to document explicit modifications by the individual in accordance with 45 CFR § 164.526.
BUSINESS ASSOCIATE agrees to provide an accounting of protected health information disclosures to an individual in accordance with 45 CFR § 164.528.
If BUSINESS ASSOCIATE conducts any HIPAA Standard Transaction for or on behalf of COVERED ENTITY, BUSINESS ASSOCIATE shall comply with 45 CFR § 162.
Shared information, including de-identified protected health information, shall be and remain the property of COVERED ENTITY. BUSINESS ASSOCIATE agrees that it acquires no title or rights to an individual’s protected health information as a result of this contract.
BUSINESS ASSOCIATE agrees that COVERED ENTITY has the right to immediately terminate this Agreement and seek relief under the Disputes Article if COVERED ENTITY determines that BUSINESS ASSOCIATE has violated a material term of this Agreement.
RETURN OR DESTRUCTION OF INFORMATION
Upon contract termination, BUSINESS ASSOCIATE hereby agrees to return or destroy all information received or created on behalf of COVERED ENTITY. BUSINESS ASSOCIATE agrees not to retain any copies of information after termination of contract. If return or destruction of the information is not feasible, BUSINESS ASSOCIATE agrees to extend the protections outlined in this contract, agrees to limit all further use or disclosure, and agrees to provide COVERED ENTITY with written authorization for destroyed information.
COMPLIANCE WITH STATE LAW
BUSINESS ASSOCIATE acknowledges that by accepting the information from COVERED ENTITY, it becomes a holder of medical records information under the state Privacy laws and is subject to the provisions of that law. If the HIPAA Privacy or Security Rules and the state Privacy law conflict regarding the degree of protection provided for protected health information, BUSINESS ASSOCIATE shall comply with the more restrictive protection requirement.
GROUNDS FOR BREACH
Non-compliance by BUSINESS ASSOCIATE with any terms of this Agreement or the Health Insurance Portability and Accountability Act will automatically be considered grounds for breach.
PERMITTED USES AND DISCLOSURES
The permitted uses and disclosures of the Business Associate, as required by the Health Insurance Portability and Accountability Act (HIPAA) and in regulations promulgated thereunder, are as follows:
Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in this Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(1).
Notwithstanding any rights or remedies provided for in this contract, COVERED ENTITY retains all rights to seek injunctive relief to prevent or stop unauthorized use or disclosure of information by BUSINESS ASSOCIATE or any agent, contractor, or third party that received information from BUSINESS ASSOCIATE.
Parties agree to exercise good faith in performance of this contract.
Both parties shall indemnify the other party and hold it harmless from and against any penalties, losses, claims, damages or liabilities (or actions in respect thereof) to which it may become subject insofar as such penalties, losses, claims, damages or liabilities (or actions in respect thereof) arise out of or are based upon any unauthorized use or disclosure of Protected Health Information.
Any controversy or claim arising from or relating to the terms defined under this contract is subject to settlement by compulsory arbitration in accordance with the Commercial Arbitration Rules of the American Arbitration Association, except for injunctive relief.
Each party agrees to bear its own legal expenses and any other cost incurred for actions or proceedings brought about by enforcement of this contract, or from an alleged dispute, breach, default, misrepresentation, or injunctive action associated with the provisions of this contract.
Neither party has the authority to reassign this agreement without the other’s written consent.
The terms of this Agreement consist of this document and constitute the entire agreement between the stated parties.
Both Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for them to comply with the requirements of the Health Insurance Portability and Accountability Act.
Any ambiguity in this Agreement shall be resolved to permit COVERED ENTITY to comply with the Health Insurance Portability and Accountability Act.
VisionWeb Holdings, L.L.C.
6500 River Place Blvd, Bldg 3, Suite 100
Austin, TX 78730