This Business
Associate Agreement (“Agreement”) was entered into as of this ________ day of
______, 2003 (“Effective Date”), by and between US X-Ray (“Covered Entity”) and
___________________________________________ (“Business Associate”).
WHEREAS, Covered Entity is a “Covered Entity” as such term is defined in the Privacy Regulations (as defined below), including, without limitation 45 CFR x 165.500; and
WHEREAS, the Business
Associate is a “Business Associate” as such term is defined in the Privacy
Regulations, including, without limitation 45 CFR x 160.103; and
WHEREAS, [THE Parties
have a prior agreement dated _____________ (the “Substantive Agreement”) under
which] the Business Associate regularly uses and/or discloses,
or will use and/or disclose Protected Health Information on behalf of the
Covered Entity(“PHI”) in its performance of the Services described below; and
WHEREAS, both Parties
are committed to complying with the Standards for Privacy of Individually Identifiable
Health Information (“Privacy Regulation”) under the Health Insurance
Portability and Accountability Act of 1996 (“HIPAA”) set forth at 45 CFR x 160.12 et seq. and 164.500
et seq.; and
WHEREAS, it is Covered
Entity’s policy to protect the confidentiality of PHI, and to disclose such PHI
only under circumstances and in a manner that is permissible by law, and to
require the same of any and all business associates with whom it contracts; and
WHERERAS, this
Agreement sets forth the terms and conditions pursuant to which PHI that is
provided to, or created or received by, the Business Associate from or on
behalf of the Covered Entity, will be handled between the Business Associate
and the Covered Entity and with third parties during the term of the Substantive
Agreement and after its termination.
THEREFORE, in
consideration of the mutual covenants and agreements contained herein, and for
other good and valuable consideration, the receipt and sufficiency of which are
hereby acknowledged, the parties hereby agree as follows:
ARTICLE
1
1.1
For purposes of this Agreement, the
following terms shall have the meanings as hereinafter described:
(a)
“Designated Record Set”. A group of records maintained by or for the
Covered Entity that includes medical billing enrollment, payment, claims
adjudication, and other records used to make decisions about a Member.
(b)
“Disclose”. The release, transfer or provision of access
to PHI, whether oral or recorded in any form or medium.
(c)
“Protected Health Information”. Any information, whether oral or recorded in
any form or medium, that relates to the past, present or future physical or
mental health or condition of an individual, the provision of health care to an
individual, or the past, present or future payment for the provision of health
care to an individual, consistent with 45 x CFR 164.501.
(d)
“Identifying Characteristic”. Includes all of the following, as well as
any other unique information: name; address; names of relatives; name of
employers; all elements of dates, including birth date, admission date,
discharge date, etc.; telephone numbers; fax numbers; electronic mail address;
social security number; Medicaid record number; health plan beneficiary number;
account number; certificate/license number; serial number of a vehicle or other
device; internet URL; internet protocol (IP) address number; biometric
identifiers, including finger and voice print; and photographic images.
(e)
“Use”. The sharing,
employment, application, utilization, examination, or analysis, in any form or
medium, of PHI within the Business Associate organization.
1.2
Other Terms. Capitalization terms contained herein but
not otherwise defined shall have the meaning given to such terms in 45 CFR x 160.103 and 164.501.
ARTICLE
II
2.1
Services. Except as otherwise limited in this
Agreement, Business Associate may use or disclose PHI to perform functions,
activities, or services for, or on behalf of Covered Entity as specified in the
Substantive Agreement, provided, however that such use or disclosure would not
violate the Privacy Rule if done by Covered Entity. All other uses or
disclosures not authorized by this Agreement or otherwise required by
applicable law are prohibited.
2.2
Business Activities of the Business
Associate. Unless
otherwise limited herein, the Business Associate may:
(a) Use the PHI in Business Associate’s possession for the proper management, administration and conduct of Business Associate’s duties and obligations arising out of the Substantive Agreement and to fulfill any present or future legal responsibilities of the Business Associate provided that such uses are in accordance with any and all state and federal laws governing the confidentiality and security of such PHI.
(b)
Disclose the PHI in its possession to
third parties for the purpose of the proper management, administration and
conduct of Business Associates duties and obligations arising out of the
Substantive Agreement or to fulfill any present or future legal
responsibilities of the Business Associate, provided, however that the Business
Associate represents to the Covered Entity, in writing, that (i) the
disclosures are required by law, as provided for in 45 CFR x
164.501 or (ii) the Business Associate has received from the third party
written assurances regarding its confidential handling of such PHI as required
under CFR x 164.504(e)(4).
ARTICLE
III
3.1
Confidentiality. Business Associate agrees to maintain the
confidentiality of any PHI disclosed to Business Associate by Covered Entity in
accordance with all applicable Federal, State and local laws and regulations,
and more specifically, in accordance with the following:
(a) Business Associate represents and warrants that PHI shall be used and disclosed solely as is reasonably necessary to perform Services to or on behalf of Covered Entity, and Covered Entity relies upon such representation and warranty in providing the PHI.
(b) Business
Associate represents and warrants the Business Associate shall not use,
disclosed, release, reveal, show, sell, rent, lease, loan, publish, or
otherwise grant access to PHI in any manner that is prohibited by law or
regulation, or in any manner that would be a violation of any law or regulation
if such action were to have been performed by Covered Entity.
(c)
Business Associate represents and
warrants that if Business Associate uses, discloses, releases, reveals, shows,
sells, rents, lease, loans, publishes, or otherwise grants access to access to PHI or an element of PHI, Business
Associate will do so only in the minimum amount and to the minimum number of
individuals necessary to achieve the purpose of the services being rendered to
or on behalf of Covered Entity.
(d) Except
as otherwise permitted by this Agreement, Business Associate agrees that no
finding, listing or information derived from the PHI many be released if such
finding, listing or information contains any combination of PHI elements that
might allow the deduction of an individual’s identification without first
obtaining written authorization from Covered Entity. Business Associate agrees that Covered Entity may determine
whether any finding, listing, information or any combination of PHI identifiers
would, with reasonable effort, permit one to identify an individual or to
deduce the identity of an individual to a reasonable degree of certainty in
Covered Entity’s sole discretion.
(e) Business
Associate agrees to establish appropriate administrative, technical, and physical
safeguards to protect the confidentiality of PHI that Business Associate
receives from Covered Entity, and to prevent individuals not involved in
performing Services to Covered Entity from using or accessing the PHI.
(f)
Business Associate shall immediately
report to Covered Entity any use or disclosure of PHI received from Covered
Entity that is not authorized by the terms and conditions of this Agreement or
is otherwise in violation of applicable law, and shall mitigate, to the extent
practicable, any harmful effects or such unauthorized disclosure.
(g) Business
Associate agrees that if Covered Entity determines or has a reasonable belief
that Business Associate may have used, made a disclosure of or permitted access
to PHI in a way that is not authorized by this Agreement or in accordance with
applicable law, then Covered Entity may in its sole discretion require Business
Associate to: (a) promptly investigate
and provide a written report to Covered Entity of the Business Associate’s
determination regarding any alleged or actual unauthorized disclosure, access,
or use; (b) cease such practices immediately; (c) return to Covered Entity, or
destroy, all PHI; and/or (d) take any other action Covered Entity deems
appropriate.
(h) In
the event Business Associate discloses PHI to a third party other than an
employee of Business Associate, including without limitation, any agent or
independent contractor of Business Associate, Business Associate shall execute
a written agreement with such third party that requires such third party to
abide by substantially all of the terms and conditions contained in this
Agreement.
(i)
Business Associate understands that
Covered Entity is subject to state and
federal laws governing the confidentiality of the PHI. Business Associate agrees to abide by all
such laws, whether or not fully articulated herein, and to keep the PHI in the
same manner and subject to the same standards as is required of Covered Entity.
3.2
Relationship to Individuals Who are the
Subjects of PHI.
(a) Business Associate agrees that Covered Entity retains all ownership rights to the PHI, and that Business Associate does not obtain any right, title or interest to the PHI furnished by Covered Entity.
(b)
Business Associate agrees to comply with
all lawful request made by the Covered Entity or individuals who are subjects
of PHI to permit access to inspect and obtain a copy of their PHI about the
individual that is subject to this agreement, as required by law, within thirty
(30) days of such request.
(c)
Business Associate agrees that, within
five (5) days of a request being made, Business Associate will provide Covered
Entity with any PHI requested by Covered Entity.
(d)
Business Associate agrees to make PHI
available for amendment and to immediately incorporate any amendments or corrections
to a Designated Record Set upon request by Covered Entity or a Member and in
the time and manner requested by Covered Entity.
(e)
Business Associate agrees to document
disclosures of PHI and information related to such disclosures as may be
required for Covered Entity to respond to a request by an individual for an
accounting of disclosures of PHI in accordance with 45 CFR x
164.528.
(f)
Business Associate agrees to provide to
Covered Entity within the time designated by Covered Entity, information collected
in accordance with Section 3.2 (e) above so as to permit Covered Entity to
respond to a request by an individual for an accounting of disclosures of PHI
in accordance with 45 CFR x 164.528.
3.3
Request for PHI. Business Associate agrees that Business Associate
will use all reasonable efforts to limit its request for PHI to the minimum
amount of PHI necessary to achieve the purpose for which the request is being
made.
3.4
Availability of PHI. Business Associate shall make any and all
internal practices, books, and records related to the creation, use and
disclosure of PHI make available to Business Associate by Covered Entity
available to Covered Entity for inspection and/or audit upon request by Covered
Entity. In addition, Business Associate
agrees to make its internal practices, books and records relating to the use
and disclosure of PHI available to the Department of Health and Human Services
for review, upon the request of the Secretary, at a time and in a manner
designated by the Covered Entity or the Secretary.
3.5
Creation of PHI. In the event Business Associate creates PHI
on behalf of Covered Entity, such PHI will be treated as if it were disclosed
from Covered Entity to Business Associate and such PHI shall be subject to all
the protections afforded by this Agreement.
ARTICLE
IV
4.1
Disclosure of Individually Identifiable
Health Information.
Covered Entity agrees to disclose PHI to Business Associate upon its own
volition, upon Business Associate’s request, or upon the request of a third
party if such disclosure is permissible by law, so that Business Associate and
such PHI shall be subject to all the protections afforded by this Agreement.
4.2
Request by Covered Entity. Except as may be required to perform data
aggregation services or to conduct the management and administrative activities
of Business Associate, Covered Entity shall not request Business Associate to
use or disclose PHI in any manner that would not be permissible under the
Privacy Rule if done by Covered Entity.
4.3
Notice of Privacy Practices.
Covered Entity shall provide Business Associate with Covered Entity’s Notice of
Privacy Practices, including, any amendment or revisions made thereto.
4.4
Changes. Covered Entity shall provide Business
Associate with any changes in, or revocation of, permission by any individual
to use or disclose PHI, if such changes affect Business Associate permitted or
required uses and disclosures of such PHI.
4.5
Other Restriction. Covered Entity shall notify Business
Associte of any restriction to the use or disclosure of PHI that Covered Entity
has agreed to in accordance with 45 CFR x 164.522.
ARTICLE
V
5.1
Term. This Agreement shall become effective on the
Effective Date and shall terminate as provided herein. Notwithstanding anything contained herein to
the contrary, Section 5.4 shall survive the termination of this Agreement.
5.2
Termination by the Covered Entity. As provided for under 45 CFR x
164.504(e)(2)(iii), the Covered Entity may immediately terminate this Agreement
and any related agreements if the Covered Entity makes the determination that
the Business Associate has breached a material term of this Agreement. Alternatively, the determination that the
Business Associate has breach a material term of this Agreement. Alternatively, the Covered Entity may choose
to: (i) provide the Business Associate with written notice of the existence of
an alleged material breach; and (ii) afford the Business Associate an opportunity
to cure said alleged material breach upon mutually agreeable terms. Nonetheless, in the event that mutually
agreeable terms cannot be achieved, Business Associate must cure said breach to
the satisfaction of the Covered Entity with ten (10) days of receiving the
written notice referenced in 5.2(i) above.
Failure to cure in the manner set forth in this paragraph is grounds for
the immediate termination of this Agreement.
5.3
Automatic Termination. This Agreement will automatically terminate
without any further action of the Parties upon the termination or expiration of
the Substantive Agreement.
5.4
Maintenance of PHI Upon Termination. Business Associate agrees that upon
termination of the Agreement, Business Associate shall: (i) recover any PHI in
the possession of Business Associate’s subcontractors or agents; (ii) contact
Covered Entity with regard to any PHI recovered from Business Associates
subcontractors or agents or currently in Business Associate’s possession that
was received from or created on behalf of Covered Entity; and (iii) determine
whether Covered Entity wishes to have the PHI returned to Covered Entity or
destroyed. If feasible, Business
Associate agrees to proceed in accordance with the Covered Entity’s instruction
to return or destroy PHI within (30) days of receiving such instruction. If Covered Entity elects to have the PHI
destroyed. Business Associate agrees to destroy the PHI in a manner and by a
method acceptable to Covered Entity. If
returning or destroying the PHI is not feasible on account of a regulatory duty
imposed on Business Associate by law, or other valid reason, Business Associate
agrees that the protections afforded to such PHI by this contract will extend
indefinitely beyond the term of this Agreement, and that Business Associate
will limit further uses and disclosures to those purposes that make the return
or destruction of the PHI infeasible.
Business Associate further agrees that no PHI, copies of PHI, or parts
thereof, shall be retained when the aforementioned PHI are returned or
destroyed. In the event, it is
infeasible for the Business Associate to obtain, from a subcontractor or agent,
any PHI in the possession of the subcontractor or agent, the Business Associate
must provide a written explanation to the Covered Entity and require the
subcontractor and agents to agree to extend any and all protection, limitations
and restrictions contained in this Agreement to the subcontractors’ and/or
agents’ use and/or disclosure of any PHI retained after the termination of this
Agreement, and to limit any further uses and/or disclosures to the purposes
that make the return or destruction of the PHI infeasible.
ARTICLE
VI
6.1
Indemnification. Business Associate shall indemnify and hold
Covered Entity (including Covered Entity’s Board of Directors, it officers,
owners, employees, agents, and other representatives, individually and
collectively) harmless from and against all claims, demands, costs, expenses,
liabilities and losses (including reasonable attorneys’ fees) that may arise
against Covered Entity as a result of any violation of this Agreement.
6.2
Notices. Any notice, demand or communication
required, permitted or desired to be given hereunder shall be deemed
effectively given when personally delivered or mailed by prepaid certified
mail, return receipt requested, address as follows:
If
to Covered Entity: US X-Ray
8665 West
96th Street, Ste. 203
Overland
Park, KS 66212
Attn: Bob Bechard
If
to Business Associate: ___________________________
___________________________
___________________________
___________________________
Any
party may change its address by giving notice in accordance with the provisions
of this subparagraph.
6.3
Assignment. No assignment of this Agreement or the
rights and obligations hereunder shall be valid without the specific written
consent of both parties hereto, provided, however, that this Agreement may be
assigned by Covered Entity to any successor entity and such assignment shall
forever release Covered Entity hereunder.
6.4
Waiver of Breach. The waiver by either party of a breach or
violation of any provision of this Agreement shall not operate as, or be
construed to be a waiver of any subsequent breach of the same or other
provision hereof.
6.5
Severability. In the event any provision of this Agreement
is held to be unenforceable for any reason, the unenforceability thereof shall
not affect the remainder of this Agreement, which shall remain in full forces
and effect and enforceable in accordance with its terms.
6.6
Entire Agreement. This Agreement constitutes the entire
Agreement of the parties with respect to the subject matter hereof, and all
prior and contemporaneous understandings, agreements and representations,
whether oral or written, with respect to such matters are superseded.
6.7
Amendments. This Agreement may only be amended by the
written consent of both parties.
6.8
Binding Effect. This Agreement shall be binding upon the
parties hereto and their respective heirs, executors, administrators,
successors and permitted assigns.
6.9
Non-exclusivity. Nothing in this Agreement shall be construed
as limiting the right of either party to affiliate or contract with any other
person or entity on either a limited or general basis while this Agreement is
in effect.
6.10
Incorporation of Recitals. The aforesaid Recitals are hereby
incorporated into this Agreement as if fully set forth herein.
6.11
Law and Regulations. Citations to the Code of Federal Regulations
refer to the privacy regulations published on December 28, 2000 and shall be
read to include and require all subsequent, updated, amended or revised
provisions relating to HIPAA’s privacy regulation.
IN WITNESS WHEREOF, the undersigned have executed this Agreement as of the date first above written.
COVERED
ENTITY: BUSINESS ASSOCIATE:
___________________________ ____________________________
Signature Signature
Bob
Bechard ____________________________
Print
Name
President ____________________________
Title
8665
W. 96th Street ____________________________
Overland
Park, KS 66212 ____________________________
____________________________
Address
___________________________ ____________________________
Date Date