BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (this “Agreement”) is made and entered into by and between The University of Tennessee (“UT”), an educational institution and instrumentality of the State of Tennessee, on behalf of its Health Science Center (“UTHSC”) and the individual or entity listed on the signature page hereof (“Contractor”). UTHSC and Contractor hereafter may be referred to individually as a “Party” or collectively as the “Parties.”
WHEREAS, UTHSC and Contractor have entered into one or more agreements, pursuant to which Contractor will provide certain services on behalf of UTHSC, and which provide for Contractor’s access, receipt, transmission, maintenance, creation, storage, use and/or disclosure of Protected Health Information (PHI) (as defined below);
WHEREAS, the services provided by Contractor on behalf of UTHSC are anticipated to cause Contractor to be a Business Associate under HIPAA, as those terms are defined below; and
WHEREAS, the purpose of this Agreement is to satisfy the obligations of UTHSC and Contractor under HIPAA, and to ensure the integrity, confidentiality, privacy and security of UTHSC’s PHI.
NOW, THEREFORE, for and in consideration of the recitals above and the mutual promises and covenants contained herein, the receipt and sufficiency of which is hereby acknowledged and agreed upon, UTHSC and Contractor enter into this Agreement to provide a full statement of their respective responsibilities and obligations to one another as set forth below.
A. DEFINITIONS
For purposes of this Agreement, the terms below shall have the meaning given to them in this Section.
Base Agreement(s) shall refer to the underlying agreement(s) between the Parties, pursuant to which Contractor will provide certain services on behalf of UTHSC, and which provides for Contractor’s access, receipt, transmission, maintenance, creation, storage, use and/or disclosure of PHI, making Contractor a potential Business Associate of UTHSC.
Business Associate shall have the meaning given to that term at 45 C.F.R. §160.103.
Breach Notification Rule shall mean the regulations and applicable subparts found at 45 C.F.R. Part 164.
Breach of Unsecured PHI shall have the meaning given to the terms “Breach” and “Unsecured Protected Health Information” at 45 C.F.R. §164.402.
Covered Entity shall have the meaning given to that term at 45 C.F.R. §160.103.
Data Aggregation shall have the meaning given to that term at 45 C.F.R. §164.501.
Designated Record Set shall mean a group of records maintained by or for UTHSC or another Covered Entity that: (a) consists of medical records and billing records about individuals maintained by or for UTHSC or another Covered Entity; (b) consists of the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (c) consists of records used, in whole or part, by or for UTHSC or another Covered Entity to make decisions about individuals. For purposes of this provision, the term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a Covered Entity. The meaning of Designated Record Set in this Agreement shall be consistent with the meaning given to that term in 45 C.F.R. §164.501.
De-Identify shall mean to alter the PHI such that the resulting information meets the requirements described in 45 C.F.R. §164.514(a) and (b).
Effective Date shall mean the date that both Parties have signed this Agreement, whichever date is later if signed on different dates.
Electronic Protected Health Information or Electronic PHI shall have the meaning given to that term at 45 C.F.R. §160.103.
Health Care Operations shall have the meaning given to that term at 45 C.F.R. §164.501.
HIPAA shall mean the Health Insurance Portability and Accountability Act of 1996 (Sections 262 and 264 of Pub. L. No. 104-191), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (Sections 13400-13424 of Pub. L. No. 111-5); and by the Patient Protection and Affordable Care Act (Section 1104 of Pub. L. No. 111-148) and these Acts’ implementing privacy, security, breach notification, and enforcement rules and regulations set forth in 45 C.F.R. Parts 160 and 164, as the same may be amended from time to time.
HHS shall mean the United States Department of Health and Human Services.
HIPAA Privacy Rule shall mean the regulations and applicable subparts found at 45 C.F.R. Parts 160 and 164, as may be amended from time to time.
HIPAA Security Rule shall mean the regulations and applicable subparts found at 45 C.F.R. Parts 160 and 164, as may be amended from time to time.
Protected Health Information (PHI) shall mean information created, received, transmitted or maintained in any form or medium on behalf of UTHSC or another Covered Entity, including demographic information collected from an individual, that is (a) created or received by a health care provider, health plan, employer, or health care clearinghouse; and (b) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) identifies the individual or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Required by Law shall have the meaning given to that term at 45 C.F.R. §164.103.
Security Incident shall have the meaning given to that term at 45 C.F.R. §164.304.
Workforce means, as provided in 45 C.F.R. §160.103, employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate.
Any terms used in this Agreement that appear in HIPAA and that are not otherwise defined herein shall have the meaning assigned to those terms in HIPAA to the extent necessary for the Parties to comply with HIPAA. To the extent HIPAA is amended, the defined terms in this Agreement shall be modified automatically to be consistent with the meaning of such terms as defined in HIPAA.
B. OBLIGATIONS AND ACTIVITIES OF CONTRACTOR
- Safeguards for Protection of PHI. Contractor agrees to implement and utilize appropriate safeguards to prevent the use or disclosure of PHI other than as provided by this Agreement or in HIPAA. Contractor specifically agrees to comply with the HIPAA Privacy Rule, the HIPAA Security Rule and the Breach Notification Rule that are directly applicable to Contractor. Contractor agrees to use appropriate safeguards to comply with HIPAA with respect to Electronic PHI to prevent the use or disclosure of Electronic PHI, other than as provided for by HIPAA and this Agreement. Contractor represents and certifies that it has conducted a HIPAA Security Rule risk analysis and has taken appropriate measures to assess and manage security risks. Contractor agrees to take reasonable steps to ensure that the actions or omissions of its Workforce and any agents or subcontractors do not cause Contractor to breach the terms of this Agreement.
- Security and Encryption of PHI. Contractor agrees to secure PHI in compliance with the safe harbors set forth in HHS Guidance “Specifying the Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable,” as may be amended from time to time and HHS Certified Electronic Records Technology Standards, Implementation Specifications and Certification Criteria at 45 C.F.R. Part 170.
- Policies and Procedures; Training; Documentation. Contractor agrees to maintain policies and procedures to comply with HIPAA, to train its Workforce on such policies and procedures, and to document such compliance to the extent required by HIPAA. Contractor agrees to maintain such documentation for at least six (6) years or as otherwise required by HIPAA and other applicable law.
- Use of Subcontractors. Contractor agrees to ensure that any and all agents (other than Contractor’s Workforce members) or subcontractors that Contractor may have a need to utilize in carrying out its obligations under this Agreement agree in writing to comply with this Agreement, HIPAA, and other applicable law prior to allowing any such agent or subcontractor to access, create, use, disclose, transmit, maintain or store any PHI.
- Detection and Reporting of Breaches of Unsecured PHI. Contractor agrees to exercise reasonable diligence to detect any Breach of Unsecured PHI and to report to UTHSC’s Privacy Officer any potential Breach of Unsecured PHI. Specifically, Contractor shall report to UTHSC in writing any unauthorized use or disclosure of PHI, including but not limited to the following: (i) any Security Incident involving Electronic PHI of which it becomes aware, and/or (ii) any potential Breach of Unsecured PHI occurring on or after the Effective Date. Contractor agrees to notify UTHSC of any such unauthorized use or disclosure of PHI within five (5) business days after becoming aware of such use or disclosure and agrees to provide such notice to UTHSC in the manner and with the content required by HIPAA and UTHSC. UTHSC shall determine in its sole discretion whether UTHSC or Contractor will correspond with or notify individuals regarding potential or actual Breaches of Unsecured PHI. UTHSC reserves the right to direct Contractor, at Contractor’s sole expense, to notify individuals of a Breach of Unsecured PHI that occurs as the result of Contractor’s or its agents’ or subcontractors’ acts or omissions.
- Mitigation. Contractor agrees to mitigate, to the greatest extent practicable, any harmful effect that is known to Contractor of any use or disclosure of PHI by Contractor or its agents or subcontractors in violation of the requirements of HIPAA or this Agreement. Contractor agrees to notify UTHSC of Contractor’s mitigation efforts within five (5) business days after making such mitigation efforts.
- Requests from UTHSC or Individuals. Contractor agrees to:
- Furnish to UTHSC within five (5) business days after its request, at no cost to UTHSC, PHI maintained in a Designated Record Set in the time, manner, form and format (including an electronic copy) requested by UTHSC to allow UTHSC to comply with 45 C.F.R. §164.524, as may be amended from time to time;
- Forward to UTHSC any request by an individual directly to Contractor for the individual to access his or her PHI within five (5) business days of receipt, and respond to the individual’s request only upon written direction by UTHSC, which decision shall be made solely by UTHSC in its discretion;
- Amend within five (5) business days after UTHSC’s written request, at no cost, PHI about an individual in a Designated Record Set that is maintained by, or otherwise within the possession of Contractor in the manner prescribed by UTHSC to allow UTHSC to comply with 45 C.F.R. §164.526, as may be amended from time to time;
- Notify UTHSC within five (5) business days after Contractor’s receipt of any individual’s request for Contractor to amend such individual’s PHI in a Designated Record Set, and respond to the individual’s request only upon written direction by UTHSC, which decision shall be made by UTHSC in its discretion;
- Make available within five (5) business days after UTHSC’s written request information related to such disclosures as would be required for UTHSC to respond timely to a request for an accounting of disclosures pursuant to 45 C.F.R. §164.528, as may be amended from time to time;
- Document any disclosures of PHI made by Contractor, in the same manner required of UTHSC by 45 C.F.R. §164.528, and implement an appropriate recordkeeping system to enable Contractor to comply with the requirements of this provision;
- Furnish to UTHSC, or to the individual requestor only upon UTHSC’s written direction, information collected in accordance with this Agreement, in the time and manner designated by UTHSC, to permit UTHSC to comply with 45 C.F.R. §164.528, as may be amended from time to time;
- Forward to UTHSC, or to the individual requestor only upon UTHSC’s written direction, within five (5) business days after Contractor’s receipt, any request by an individual for an accounting of disclosures, the manner of response and/or delivery of any accounting of disclosures requested by such individual to be determined by UTHSC in its discretion;
- Comply with, upon UTHSC’s written request, any restriction to the use or disclosure of PHI or confidential communications that UTHSC has agreed to in accordance with 45 C.F.R. §164.522(a) and (b), or as otherwise required of UTHSC by HIPAA;
- Comply with an individual’s request for restriction of disclosure to the individual’s health plan for purposes of payment or health care operations, if the PHI to be disclosed pertains solely to a health care item or service for which a Covered Entity has been paid in full by the individual out of pocket; and
- Make available to UTHSC (or its designee) any of UTHSC’s PHI or PHI related to the Base Agreement(s) that Contractor, or any of Contractor’s agents or subcontractors have in their possession within the time frame, format and manner required by UTHSC at no additional cost to UTHSC.
- Marketing and Fundraising. Contractor agrees to comply with the HIPAA requirements and prohibitions applicable to Covered Entities and Business Associates regarding marketing and fundraising, including but not limited to opt-out, notice and authorization requirements. Notwithstanding the foregoing, Contractor shall not engage in any marketing and fundraising activities relating to PHI without the express advance written agreement of UTHSC.
- Prohibitions on Foreign Activities and Cloud Computing. Contractor agrees not to create, access, receive, maintain, transmit, use, disclose, store, or outsource any PHI physically outside of the United States of America. Contractor agrees not to use cloud computing models, without executing with the cloud vendor a HIPAA-compliant subcontractor Business Associate agreement containing substantially the same terms as this Agreement.
- General Limitations on Contractor. Contractor agrees not to:
- Create, access, receive, maintain, transmit, use, disclose or store PHI in a manner other than as provided in this Agreement or as Required by Law;
- Create, access, receive, maintain, transmit, use, disclose or store PHI in any manner that would violate applicable laws or regulations, including without limitation, HIPAA, as may be amended from time to time;
- De-identify PHI unless for the benefit of UTHSC and unless expressly allowed by the Base Agreement(s);
- Sell PHI, limited data sets (as defined in 45 C.F.R. §164.514, as may be amended from time to time) or De-identified PHI to any third party; and
- Create, access, receive, maintain, transmit, use, disclose or store PHI in excess of HIPAA’s minimum necessary requirements as set forth in 45 C.F.R. §164.502(b), as may be amended from time to time.
- Availability of Contractor’s Books and Records. Contractor agrees to make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to HHS for purposes of determining compliance with HIPAA and this Agreement. Notwithstanding the foregoing, prior to any such disclosure to HHS or any other federal or state agency, Contractor agrees to notify UTHSC immediately of such request and shall furnish UTHSC with copies of such request and Contractor’s response.
- Liability of Contractor. Contractor agrees to indemnify, defend (at UT’s written request), and hold harmless UT, its officers, employees, and Workforce members from and against any and all claims, lawsuits, actions, proceedings, losses, damages, costs, expenses, liabilities, assessments, judgments, administrative fines of any nature, including but not limited to reasonable attorneys’ fees, costs and expenses which arise out of or are caused by the acts and/or omissions of Contractor, Contractor’s agents, or Contractor’s subcontractors in carrying out the terms and conditions of this Agreement, including but not limited to a Breach of any Unsecured PHI, a breach of this Agreement, or a failure to comply with HIPAA.
- Insurance. Contractor agrees to carry and warrants and represents that it does carry liability insurance to cover expenses (including but not limited to Breach of Unsecured PHI notification expenses, fraud alert expenses, mitigation of damages expenses, consultant fees, investigation/litigation costs, legal costs, etc.) associated with a Breach of Unsecured PHI and other HIPAA violations. Contractor shall provide proof of such insurance to UTHSC (or its designee) upon request.
C. OBLIGATIONS OF UTHSC
- Notices to and Requests of Contractor. UTHSC agrees to:
- Notify Contractor of any limitations in UTHSC’s Notice of Privacy Practices in accordance with 45 C.F.R. §164.520, to the extent such limitations affect Contractor’s use or disclosure of PHI;
- Notify Contractor of any changes in, or revocation of, permission by an individual to use or disclose PHI, if and to the extent such changes affect Contractor’s use and disclosure of PHI;
- Notify Contractor of any restriction on the use or disclosure of PHI that UTHSC has agreed to in accordance with 45 C.F.R. § 164.522, to the extent such restriction may affect Contractor’s use or disclosure of PHI;
- Comply with HIPAA minimum necessary requirements as set forth in 45 C.F.R. §164.502(b), as may be amended from time to time; and
- Not request that Contractor use or disclose PHI in any manner that would not be permissible under HIPAA if done by UTHSC.
- Permitted Uses and Disclosures of PHI by Contractor. Except as otherwise limited in this Agreement, UTHSC agrees to authorize and permit Contractor to:
- Create, access, receive, transmit, maintain, store, use and/or disclose PHI as reasonably necessary to provide the services described in the Base Agreement(s), or as otherwise permitted or required of Contractor by this Agreement, by HIPAA or as Required by Law;
- Perform Data Aggregation services relating to the health care operations of UTHSC to the extent such services are required in the Base Agreement(s); and
- Use PHI in its possession for the proper management and administration of Contractor’s business and to carry out its legal responsibilities, and disclose PHI for Contractor’s proper management and administration or to carry out its legal responsibilities, provided that (i) such disclosures are Required by Law; or (ii) Contractor obtains, in writing, prior to making any disclosure to a third party (A) reasonable assurances from such third party that such third party shall maintain the confidentiality, privacy, and security of the PHI as required by this Agreement and that such PHI shall be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to such third party; and (B) a written agreement from such third party to notify Contractor immediately of any potential breaches of the confidentiality, privacy or security of the PHI or any potential Breach of Unsecured PHI.
D. MISCELLANEOUS PROVISIONS
- Scope and Interpretation. The terms and conditions of this Agreement shall supplement and amend the Base Agreement(s) and relationships between the Parties, which cause Contractor to be a Business Associate of UTHSC. Any ambiguity in this Agreement shall be resolved to permit UTHSC to comply with HIPAA. In case of any inconsistency or conflict between a Base Agreement and the terms and conditions of this Agreement, the terms and conditions of this Agreement shall control to the extent necessary for UTHSC to comply with HIPAA. Except as supplemented and/or amended in writing, the terms of the Base Agreement(s) shall continue unchanged and shall apply with full force and effect to govern the matters addressed in the Base Agreement(s).
- Regulatory References. Any reference in this Agreement to a provision in HIPAA means the section as in effect or amended, as of the date of this Agreement.
- Term and Termination.
- This Agreement shall become effective on the Effective Date and shall continue in effect until terminated in accordance with the terms and conditions of this Agreement.
- The Parties may terminate this Agreement by mutual written consent once all obligations of the Parties have been met under the Base Agreement(s) and under this Agreement, or as otherwise mutually agreed by the Parties.
- UTHSC may terminate immediately, upon written notice to Contractor, this Agreement, the Base Agreement(s), and any other related agreements if UTHSC makes a good faith determination that Contractor has breached a material term of this Agreement. UTHSC may in its discretion allow Contractor a reasonable period of time to cure such material breach and continue under the terms of the Base Agreement(s) and this Agreement if UTHSC deems appropriate.
- Return or Destruction of PHI. Upon termination of this Agreement or the Base Agreement(s) for any reason, all PHI maintained by Contractor and its agents and any subcontractors shall be returned to UTHSC (or UTHSC’s designee) by Contractor in the manner and format required by UTHSC at no additional cost to UTHSC. Neither Contractor nor its agents or subcontractors shall retain any copies of PHI, unless instructed by UTHSC or required by the Base Agreement(s). If return of the PHI is not feasible, Contractor shall notify UTHSC in writing of the conditions that make return infeasible. If UTHSC determines in its discretion that return or destruction of the PHI is infeasible, Contractor agrees to extend the protections of this Agreement, at no additional cost, for as long as Contractor retains such information and agrees to cease further uses and disclosures of such PHI. This provision shall survive any termination of this Agreement or the Base Agreement(s).
- No Third Party Beneficiaries. This Agreement is solely for the benefit of the Parties and is not intended to create nor shall be construed to create any right or remedy for any third party.
- No Agency Relationship. The Parties expressly agree and assert that no agency relationship between the Parties is created by this Agreement or the Base Agreement(s). Contractor acknowledges and agrees that any Breaches of Unsecured PHI shall be considered to be independent acts or omissions by Contractor and beyond the scope of work anticipated by UTHSC for this Agreement and the Base Agreement(s).
- Severability. If a court or tribunal of competent jurisdiction finds any term of this Agreement to be invalid, illegal, or unenforceable, that term shall be curtailed, limited, or deleted, but only to the extent necessary to remove the invalidity, illegality or unenforceability, and without in any way affecting or impairing the remaining terms.
- Notices. All notices, requests and demands or other communications to be given hereunder to a Party shall be made via first class mail, registered or certified or express courier to such Party’s address given below such Party’s signature block on the signature page of this Agreement, or to such other address as the Parties may notify each other of in writing from time-to-time. The Party providing such notice should maintain return receipts or other evidence of delivery of such notice.
- Amendments; Waiver. Except as otherwise provided herein, this Agreement may not be modified, nor shall any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. The Parties agree to modify this Agreement as necessary to comply with HIPAA. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
- Entire Agreement. This Agreement and the Base Agreement(s) contain the entire agreement of the Parties as to the subject matter contained herein. To the extent the Parties have previously entered into a Business Associate agreement relative to the Base Agreement(s) and such Base Agreement(s) is/are still in effect, this Agreement supersedes and replaces any such prior Business Associate agreement between the Parties.
[Signature page follows.]
IN WITNESS WHEREOF, the Parties have executed this Agreement by signature of their duly authorized representatives on the dates set forth below to be effective on the Effective Date.
CONTRACTOR
Type or Print Name of Contractor: _________________________
By: _________________________
Type or Print Name of Authorized Representative: _________________________
Title: _________________________
Date: _________________________
Address for Notices:
_________________________
_________________________
_________________________
_________________________
_________________________

THE UNIVERSITY OF TENNESSEE
By: _________________________
Type or Print Name of Authorized Representative: _________________________
Title: _________________________
Date: _________________________
Address for Notices:
Raaj Kurapati
Executive Vice Chancellor and Chief Operating Officer
University of Tennessee Health Science Center
62 S. Dunlap, Suite 220
Memphis, Tennessee 38163