HIPAA business associate agreement

If Customer is a Covered Entity or Business Associate, Customer Data includes Protected Health Information, and Prescryptive is providing Services as a Business Associate, the terms of this HIPAA Business Associate Agreement (this “BAA”) shall be incorporated into that Prescryptive customer agreement (the “Related Agreement”) between Prescryptive and Customer.

1. Definitions. Capitalized terms not defined herein shall have the meaning set forth in the Related Agreement.
    (a) “Covered Entity” shall have the same meaning as the term “Covered Entity” in 45 C.F.R. § 160.103 of HIPAA.
    (b) “Breach” shall have the same meaning as the term “breach” in 45 C.F.R. § 164.402.
    (c) “Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information Final Rule.
    (d) “Business Associate” shall have the same meaning as the term “Business Associate” in 45 C.F.R. § 160.103 of HIPAA.
    (e) “Designated Record Set” shall have the same meaning as the term “designated record set” in 45 C.F.R. § 164.501.
    (f) “Electronic Protected Health Information” shall mean Protected Health Information that is transmitted by or maintained in electronic media as defined in 45 C.F.R. § 160.103.
    (g) “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996 enacted by the United States Congress and its implementing regulations promulgated thereunder, as amended from time to time, including the Privacy Rule, the Breach Notification Rule, and the Security Rule as amended from time to time, including by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and by the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and the Genetic Information Nondiscrimination Act; Final Rule.
    (h) “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
    (i) “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as they may be amended from time to time.
    (j) “Protected Health Information” shall have the same meaning as given this term in 45 C.F.R. § 160.103 of HIPAA, provided that it is limited to such protected health information that is received by Prescryptive from, or created, received, maintained, or transmitted by Prescryptive on behalf of, Customer. For purposes of this BAA, Protected Health Information does not include health information that has been de-identified in accordance with the standards for de-identification set forth in the Privacy Rule.
    (k) “Required by Law” shall mean a legal mandate as described under 45 C.F.R. § 164.103 that compels an entity to use or disclose Protected Health Information and that is enforceable in a court of law (including, but not limited to, court orders and court-ordered warrants, a summons issued by a court or grand jury, and subpoenas which have been issued in accordance with the notice, qualified protective order and other procedures described in 45 C.F.R. § 164.512(e)).
    (l) “Secretary” shall mean the Secretary of the U.S. Department of Health and Human Services or his or her designee.
    (m) “Security Incident” shall have the same meaning as the term “security incident” in 45 C.F.R. § 164.304.
    (n) “Security Rule” shall mean the standards for the security of Electronic Protected Health Information at 45 C.F.R. Part 164, Subpart C, as amended from time to time.
    (o) “Unsecured Protected Health Information” shall have the same meaning as the term “unsecured protected health information” in 45 C.F.R. § 164.402, and guidance promulgated thereunder.

    Capitalized terms used in this BAA and not otherwise defined herein shall have the meanings set forth in the Privacy Rule, the Security Rule, and the HIPAA Final Rule, which definitions are incorporated in this BAA by reference.
2. Permitted Uses and Disclosures by Prescryptive.
    (a) Performance of the Related Agreement(s). Except as otherwise limited in this BAA, Prescryptive may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Customer as specified in the Related Agreement, provided that such use or disclosure would not violate the Privacy Rule if carried out by Customer, unless expressly permitted under paragraph (b) of this Section.
    (b) Management, Administration, and Legal Responsibilities. Except as otherwise limited in this BAA, Prescryptive may use and disclose Protected Health Information for the proper management and administration of Prescryptive and/or to carry out the legal responsibilities of Prescryptive, provided that any disclosure may occur only if (1) Required by Law; or (2) Prescryptive obtains written reasonable assurances from the person to whom the Protected Health Information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Prescryptive of any instances of which it becomes aware in which the confidentiality of the Protected Health Information has been breached. Notwithstanding anything to the contrary, Prescryptive may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
    (c) Data Aggregation. Except as otherwise limited in this BAA, Prescryptive may use Protected Health Information to provide Data Aggregation services for Health Care Operations of Customer as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
    (d) De-identified Data. Prescryptive may de-identify Protected Health Information in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and may use or disclose such de-identified data unless prohibited by applicable law.
    (e) Limitations. Prescryptive shall not violate the HIPAA prohibition on the sale of Protected Health Information. Prescryptive shall make reasonable efforts to use, disclose, and/or request the minimum necessary Protected Health Information to accomplish the intended purpose of such use, disclosure or request.
3. Responsibilities with Respect to Protected Health Information.
    (a) Prescryptive’s Responsibilities. To the extent Prescryptive is acting as a Business Associate, Prescryptive agrees to the following:
        i. Prescryptive shall not use or disclose Protected Health Information except as permitted or required by the Related Agreement(s) and/or this BAA (inclusive of Exhibit 1 (Designated Business Associates)) or as otherwise Required by Law;
        ii. Prescryptive shall not use or disclose Protected Health Information unless such use or disclosure, respectively, is in compliance with each applicable requirement of 45 C.F.R. § 164.504(e);
        iii. Prescryptive shall (1) use reasonable and appropriate safeguards to prevent inappropriate use or disclosure of Protected Health Information other than as provided for by this BAA, and (2) maintain compliance with 45 C.F.R. Part 164, Subpart C, and as required by the HITECH Act;
        iv. Prescryptive shall not disclose Protected Health Information received from Customer, or created or received by Prescryptive on behalf of Customer, to any person or entity, including any agent or subcontractor of Prescryptive (but not including a member of Prescryptive’s own workforce), until such person or entity agrees in writing to be bound by terms substantially consistent with the provisions of this BAA and applicable state or Federal law;
        v. If Prescryptive maintains Protected Health Information in a “designated record set” for Customer, then Prescryptive shall, within 30 days of a written request by Customer on behalf of an Individual or by an Individual who is the subject of Protected Health Information, make access to such information available to Customer or the Individual in accordance with 45 C.F.R. § 164.524 of the Privacy Rule; provided, however, that Prescryptive is not required to provide such access where the Protected Health Information contained in a designated record set is duplicative of the Protected Health Information contained in a designated record set possessed by Customer;
        vi. If Prescryptive maintains Protected Health Information in a “designated record set” for Customer, then Prescryptive shall, within 60 days of a written request by Customer on behalf of an Individual or by an Individual who is the subject of Protected Health Information, make any amendment(s) to such Protected Health Information that may be requested or agreed to by the Individual pursuant to the amendment requirements under 45 C.F.R. § 164.526;
        vii. Prescryptive shall make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received on behalf of Customer available to the Secretary promptly or in the time and manner designated by the Secretary for purposes of determining Customer’s compliance with HIPAA, subject to attorney-client and other applicable legal privileges;
        viii. Prescryptive will mitigate to the extent reasonably practicable a harmful effect that is known to Prescryptive of a use or disclosure of Protected Health Information by Prescryptive that is not permitted by this BAA;
        ix. Prescryptive shall maintain a record of each disclosure of Protected Health Information by Prescryptive or its employees, agents, representatives or subcontractors in each case to the extent required in order for Customer to meet the accounting requirements of 45 C.F.R. § 164.528 (listing the date of disclosure, the name and address of the recipient, the subject of the information, a brief description of what was disclosed and the purpose of the disclosure); and to provide a copy of such record to an Individual who is the subject of such information within 60 days of a request, including disclosures made on or after the date that is six (6) years prior to the request or April 14, 2003, whichever is later; and
        x. Prescryptive shall report to Customer (a) any Use and/or Disclosure of Customer’s Electronic Protected Health Information that is not permitted or required by this BAA of which Prescryptive becomes aware; (b) any Security Incident of which it becomes aware, provided that notice is hereby deemed given for Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents shall be given; and/or (c) any Breach of Customer’s Unsecured Protected Health Information that Prescryptive may discover (in accordance with 45 C.F.R. § 164.410 of the Breach Notification Rule). Notification of a Breach will be made without unreasonable delay, but in no event more than five (5) business days after Prescryptive’s determination of a Breach.
            For purposes of this Section, “Unsuccessful Security Incidents” mean, without limitation, pings and other broadcast attacks on Prescryptive’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, as long as such incident does not result in unauthorized access, acquisition, Use, or Disclosure of Protected Health Information. Notification(s) under this Section, if any, will be delivered to contacts identified by Customer pursuant to Section 5(a) (Notices) of this BAA by any means Prescryptive selects, including through e-mail. Prescryptive’s obligation to report under this Section is not and will not be construed as an acknowledgement by Prescryptive of any fault or liability with respect to any Use, Disclosure, Security Incident, or Breach.
    (b) Customer’s Responsibilities.
        i. Customer shall not request Prescryptive to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule or Security Rule if carried out by Customer.
        ii. Customer will obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing Prescryptive with Protected Health Information. Customer will notify Prescryptive of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Prescryptive’s use or disclosure of Protected Health Information. Customer will provide such notice no later than fifteen (15) days prior to the effective date of the change.
        iii. Customer hereby agrees that any reports, notification, or other notice by Prescryptive pursuant to this BAA may be made electronically. Customer shall provide contact information to PSOC@prescryptive.com (or such other location or method of updating contact information as Prescryptive may specify from time to time) and shall ensure that Customer’s contact information remains up to date during the term of this BAA. Contact information must include the name of individual(s) to be contacted, title of individual(s) to be contacted, e-mail address of individual(s) to be contacted, name of Customer organization, and, if available, Customer’s contract number, Group Number, or subscriber identification number. Failure to submit and maintain as current the aforementioned contact information may delay Prescryptive’s ability to provide Breach notifications under this BAA.
        iv. Customer shall be responsible for implementing appropriate privacy and security safeguards to protect its Protected Health Information in compliance with HIPAA. Without limitation, it is Customer’s obligation to (a) not include Protected Health Information in information Customer submits to technical support personnel through a support request or to community forums. In addition, Prescryptive does not act as, or have the obligations of, a Business Associate under HIPAA with respect to Customer’s data once it is sent to or from Customer outside Prescryptive services over the public Internet, or if Customer fails to follow applicable instructions regarding data transfer or transport; and (b) implement privacy and security safeguards in the systems, applications, and software Customer controls, configures, and uploads into Prescryptive services or uses in connection with Prescryptive services. Failure to submit and maintain as current the aforementioned contact