BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement Addendum (“Agreement”) is made (date) by and between
(“Covered Entity”) and Ansafone Contact Centers LLC (“Business Associate”). Covered Entity and Business Associate are sometimes referred to individually in this Agreement as a “Party” and collectively as the “Parties.”
- WHEREAS Covered Entity and Business Associate entered into a Master Service Agreement (“MSA”) for the provision of call center services, software, or some other business arrangement (the “Current MSA”); and,
- WHEREAS The Parties contemplate that they may enter additional agreements in the future pursuant to which Business Associate may provide services to Covered Entity, license software to Covered Entity, or enter into some other business arrangement (“Future MSA’s”); and,
- WHEREAS In connection with the Current MSA and Future MSA’s (collectively, the “MSA’s” and individually, an “MSA”), Business Associate may, on Covered Entity’s behalf, access, use, create and/or disclose Protected Health Information (“PHI”) or Electronic Protected Health Information (“ePHI”), as defined in the federal regulations set forth at 45 C.F.R. §§ 160 and 164 (the “Privacy Rule” and “Security Rule”); and,
- WHEREAS Covered Entity and Business Associate intend to protect the privacy and provide for the security of PHI and/or ePHI disclosed to Business Associate in compliance with the Privacy Rule and Security Rule.
Now therefore, in consideration of the mutual promises below and the exchange of information provided for herein, the Parties agree as follows:
- Terms not otherwise specifically defined in this Agreement have the meanings ascribed to them in HIPAA.
- Obligations of Covered Entity. Covered Entity is responsible for using appropriate safeguards to maintain and ensure the confidentiality, privacy and security of Covered Entity’s PHI transmitted to Business Associate pursuant to the Services Agreement(s) and this Agreement, in accordance with the standards and requirements of HIPAA, until that PHI is received by Business Associate.
- Obligations of Business Associate.
- Permitted Uses and Disclosures
- Purpose: Business Associate may use and further disclose Covered Entity’s PHI solely to provide or perform the Services in accordance with the terms of the Services Agreement(s) and this Agreement. Business Associate may not use or disclose Covered Entity’s PHI in a manner that would violate HIPAA or other applicable laws if done by Covered Entity.
- Type of Information: Business Associate may use and or disclose only the minimum necessary amount of Covered Entity’s PHI needed for Business Associate to perform the Services, consistent with Covered Entity’s minimum necessary policies and procedures, and in accordance with any minimum necessary standards and guidance released by the Secretary of the Department of Health and Human Services (HHS) pursuant to
- Use for Management and Administration: Business Associate may use Covered Entity’s PHI for the proper management and administration of Business Associate, if disclosure is necessary: (1) for the proper management and administration of Business Associate or (2) to carry out the legal responsibilities of Business Associate.
- Disclosure for Management and Administration: Business Associate may disclose Covered Entity’s PHI for the proper management and administration of Business Associate as necessary if:
- the disclosure is required by law, or
- Business Associate obtains from a third party to which Covered Entity’s PHI is disclosed a written agreement:
- that Covered Entity’s PHI will be held confidentially, in compliance with HIPAA, and used or further disclosed only in accordance with the terms of this Agreement and as required by law or as necessary for the purpose for which it was disclosed to the third party, and
- to notify Business Associate, without unreasonable delay, of any instances of which the third party becomes aware of a Breach with respect to Covered Entity’s PHI.
In no event, however, may Business Associate disclose Covered Entity’s PHI for the foregoing purposes to any third party and its representatives that are not within the borders and jurisdiction of the United States of America without the prior written consent of Covered Entity, which may be withheld in Covered Entity’s sole discretion.
- Uses or Disclosures Requiring Prior Agreement; No De-Identification: Business Associate agrees and understands that, except as expressly provided in this Agreement and subject to HIPAA and other applicable State laws, it will not use or disclose Covered Entity’s PHI to any other person or entity without first having received Covered Entity’s prior written consent. Further, Covered Entity does not authorize Business Associate to De-identify Covered Entity’s PHI without Covered Entity’s separate prior written agreement. For purposes hereof, De-identify and De-identification mean to alter the PHI such that the resulting information meets the requirements described in 45 C.F.R. § 164.514 (a) and (b).
- Compliance with Privacy Rule and Security Rule: To the extent Business Associate is to carry out a function or obligation of Covered Entity with respect to the Privacy Rule or Security Rule, Business Associate will comply with the requirements of any Privacy or Security Rule subparts that apply to the Covered Entity in the performance of its function or obligation.
- Business Associate’s Agents. Business Associate will ensure that any agent to which it provides Covered Entity’s PHI agrees to comply with all HIPAA requirements that apply to Business Associate and with the terms and the restrictions of this Agreement with respect to the PHI, and will ensure that any Subcontractor or agent agrees to any additional terms and restrictions necessary to allow Business Associate to meet its obligations under this Agreement including, but not limited to, the terms and conditions set forth in Paragraph E, Section 8.
- Prohibited Uses and Disclosures.
- Prohibition on Sale of PHI and Marketing: Business Associate will not directly or indirectly accept remuneration in exchange for using or disclosing any of Covered Entity’s PHI, including in De-identified form, except that Business Associate may accept remuneration from Covered Entity in exchange for services or functions performed pursuant to this Agreement. Business Associate will not use or disclose Covered Entity’s PHI for Marketing except for or on behalf of Covered Entity with Covered Entity’s prior written consent.
- All Other Uses Prohibited: Business Associate will not use or further disclose Covered Entity’s PHI other than as expressly permitted or required by this Agreement, or as otherwise required by law.
- Security Safeguards.
- General. Business Associate will implement and maintain reasonable and appropriate safeguards to secure Covered Entity’s PHI and prevent use or disclosure of Covered Entity’s PHI (other than as authorized by this Agreement) in accordance with the Security Rule, HHS guidance pursuant to HIPAA and other applicable laws, including the administrative, technical and physical safeguard standards as set forth in §164.308, §164.310, and §164.312 of the Security Rule:
- Compliance with Security Rule. Business Associate will comply with the requirements of the Security Rule at all times with respect to Covered Entity’s PHI.
- Administrative and Other Safeguards. Business Associate will implement and maintain a written security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of Business Associate’s operations and the nature and scope of its activities and as reasonably necessary for Business Associate to comply with applicable provisions of the Security Rule, including but not limited to all Required and Addressable Implementation Specifications.
- Documentation. Business Associate will implement and maintain written or electronic policies and procedures developed to comply with the Security Rule. If any action, activity or assessment is required under the Security Rule to be documented, Business Associate will maintain a written (or electronic) record, and retain a copy and make it available to Covered Entity upon request for a period of six years from the date of its creation, or the date when it last was in effect, whichever is later.
- Encryption. Business Associate will encrypt Covered Entity’s PHI when maintained by Business Associate (i.e., at rest) and when transmitted by Business Associate (i.e., in transit) to render it unusable, unreadable and/or indecipherable. This obligation applies to all of Covered Entity’s PHI that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, transmits or discloses for or on behalf of Covered Entity pursuant to the Services Agreement(s). If the Parties otherwise mutually agree that it is not reasonable or possible for Business Associate to encrypt Covered Entity’s PHI, then Business Associate will implement reasonable alternative security methods, as agreed to by Covered Entity in its sole discretion, to safeguard Covered Entity’s PHI.
- Security Breach Notification.
- General. Business Associate will comply with the standards and requirements under the provisions relating to Breach as set forth in the HIPAA Rules for Breach Notification for Unsecured Protected Health Information (45 CFR Parts 160 and 164), and all applicable state breach notification requirements, in each case as may be amended in the future (Breach Notification Laws).
- Business Associate’s Obligations in the Event of a Security Incident or Breach.
- Reporting Security Incidents and Breaches. Business Associate will promptly report to Covered Entity’s Privacy Officer and/or Security Officer, either in person or by telephone at a number to be provided by Covered Entity and in writing, any Breach or Security Incident that has or may result in the unauthorized use or disclosure of Covered Entity’s PHI, and in no case later than 48 hours from the date of actual or constructive discovery by Business Associate. Notwithstanding the foregoing, the parties acknowledge the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity will be required. Unsuccessful Security Incidents means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful logon attempts, denial of service attacks, and any combination of the above, so long as no incident results in unauthorized access, use, or disclosure of Covered Entity’s PHI.
- In accordance with 45 C.F.R. §164.402, any acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule is presumed to be a Breach. For purposes of this Agreement, a Breach will be deemed discovered by Business Associate as of the first day on which the Breach is actually known to any person, other than the individual committing the Breach, that is an employee, officer, or other agent of Business Associate, or if the Breach should reasonably have been known to Business Associate to have occurred, including but not limited to notification of a Breach provided to Business Associate by a Subcontractor. Business Associate will take all commercially reasonable steps (e.g., audits, hotlines, technological tools, etc.) to allow it to discover Breaches and Security Incidents involving Covered Entity’s PHI.
- No Delay for Risk Assessment. Business Associate will not delay Breach or Security Incident reporting on the basis of a pending determination of whether the incident may result in a low probability that Covered Entity’s PHI was compromised under the Breach Notification Laws. Covered Entity has the sole right to make any and all risk assessment determinations, and Business Associate will cooperate with investigations if requested by Covered Entity in order for Covered Entity to comply with its obligations under HIPAA.
- Assistance and Cooperation. Business Associate will cooperate and provide Covered Entity with the information required for Covered Entity to determine whether an incident is a Security Incident or Breach and to provide the notification required to fully comply with the Breach Notification Laws. Business Associate will provide to Covered Entity, at Business Associate’s sole cost, administrative support and other services and resources requested by Covered Entity in order to furnish written notices to individuals affected by the Breach and otherwise comply with the Breach Notification Laws. Business Associate will reimburse Covered Entity for all reasonable and actual costs and expenses (e.g., postage, supplies, administrative staff time, reporting to news outlets, etc.) incurred by Covered Entity in its efforts to comply with the Breach Notification Laws.
- Responsibility for Failures to Discover or Report Breaches. Notwithstanding anything to the contrary set forth in the Services Agreement(s), Business Associate will indemnify, defend, and hold harmless Covered Entity and each of its affiliates and their respective officers, directors, employees and agents (Covered Entity Indemnitees) from and against any and all penalties, claims, losses, liabilities, damages, costs and expenses including reasonable attorneys’ fees and expenses incurred by Covered Entity Indemnitees arising out of or in connection with Business Associate’s negligent failure to: (a) discover a Breach, (b) timely notify Covered Entity of a Breach that is known or should have been known to Business Associate or (c) otherwise comply with Business Associate’s obligations under the Breach Notification Laws and this Agreement. Any limitation of liability provision set forth in the Services Agreement(s) will not apply to Business Associate’s indemnification obligations set forth above.
- Requested Restrictions. Business Associate acknowledges that Covered Entity is required under HIPAA to comply with an individual’s requested restriction regarding his or her PHI if (unless the disclosure is otherwise required by law):
- the disclosure is to a health plan only for purposes of carrying out payment or Health Care Operations (but not treatment), and
- Covered Entity’s PHI pertains solely to a Health Care item or service for which Covered Entity has been paid out-of-pocket in full by the individual or the individual’s representative.
Business Associate will comply with any requested restriction that applies to Business Associate’s further use or disclosure of Covered Entity’s PHI and of which Business Associate is made aware.
- Availability of Information to Covered Entity. Business Associate will make information available to Covered Entity that it requires to fulfill its obligations to provide access to, provide a copy of, and account for disclosures with respect to Covered Entity’s PHI pursuant to HIPAA, including, but not limited to, 45 CFR § 164.524, and make available PHI maintained in an electronic designated record set in an electronic form and format as requested by an individual if readily producible. Nothing in this provision precludes or limits Business Associate’s obligations under applicable law, specifically with respect to the provision of individuals’ access of PHI and an accounting of disclosures of their PHI.
- Amendment of PHI. Business Associate will make Covered Entity’s PHI available to Covered Entity as Covered Entity may require to fulfill Covered Entity’s obligations to amend Covered Entity’s PHI pursuant to HIPAA, including, but not limited to, 45 CFR §164.526, and Business Associate will, as directed by Covered Entity, incorporate any amendments to Covered Entity’s PHI into copies of the PHI maintained by Business Associate. Nothing in this provision precludes or limits Business Associate’s obligations under the law, specifically with respect to the amendment of Covered Entity’s PHI by Business Associate.
- Business Associate’s Subcontractors. Business Associate will not transmit Covered Entity’s PHI to any Subcontractor or prospective Subcontractor except as otherwise provided herein. In accordance with HIPAA, Business Associate will enter into a written Subcontractor agreement (Subcontractor Agreement) with any Subcontractor that creates, receives, maintains, or transmits Covered Entity’s PHI on behalf of Business Associate. In the event that Business Associate knows of a pattern of activity or practice of a Subcontractor that constitutes a material breach or violation of the Subcontractor’s obligation under the Subcontractor Agreement or other arrangements, Business Associate will take reasonable steps promptly to cure the breach or end the violation, as applicable, and, if those steps are unsuccessful, terminate the Subcontractor Agreement or other arrangements, if feasible. The Subcontractor Agreement will contain the same restrictions and conditions that apply to Business Associate under this Agreement.
- Internal Practices. Business Associate will make its internal practices, books and records relating to the use and disclosure of Covered Entity’s PHI available to the HHS for purposes of determining Covered Entity’s compliance with HIPAA.
- Accounting of Disclosures. Business Associate will maintain and make available documentation as required under § 164.528 of the Privacy Rule to allow Covered Entity to respond to an individual’s request for an accounting of disclosures by Business Associate. Business Associate will provide necessary information for Covered Entity to respond to an individual’s request for an accounting of disclosures as required by 45 C.F.R. § 164.528, as modified by HIPAA and its implementing accounting of disclosure rules and regulations.
- State Law. Business Associate will comply with any provision or requirement concerning privacy or security of information under any State law that is more stringent than a similar provision or requirement under HIPAA and this Agreement.
- Audits, Inspection and Enforcement. Covered Entity may, upon reasonable notice, inspect the facilities, systems, books and records of Business Associate and its Subcontractors, and Business Associate will cooperate, and cause its Subcontractors to cooperate, with and respond to audit requests designed to confirm compliance with HIPAA by Business Associate in order to monitor compliance with this Agreement. Business Associate will promptly remedy any violation of any term of this Agreement and notify Covered Entity of the outcome.
- Noncompliance. If either Party notifies (Notifying Party) the other Party regarding an activity or practice that constitutes a material breach or violation of the other Party’s obligation under this Agreement, HIPAA or any other applicable laws concerning the privacy and security of Health Information, and the other Party does not cure the breach or end the violation, as applicable, within a reasonable time frame as determined by the Notifying Party in its sole discretion, the Notifying Party is permitted to terminate this Agreement and the Services Agreement(s). This remedy is not intended to, and does not limit, any other remedy which may be available to the Notifying Party under the Services Agreement(s), this Agreement, or as a matter of law.
- Return of Covered Entity’s PHI. Upon termination of the Services Agreement(s) for any reason, Business Associate will return to Covered Entity or destroy all of Covered Entity’s PHI that Business Associate or any of its Subcontractors maintains in any form, and Business Associate and its Subcontractors will retain no copies of the PHI. If return or destruction is not feasible, Business Associate agrees to continue to extend the protections of this Agreement to the information, and limit further use and disclosure of Covered Entity’s PHI to those purposes that make the return or destruction of the PHI infeasible, and similarly require any of its Subcontractors to extend those protections and limit further use and disclosure of Covered Entity’s PHI, as applicable.
- Indemnification. Each Party shall defend, indemnify and hold harmless the other Party and its affiliates, directors, officers, employees and agents from and against any claim, cause of action, liability, damage, cost or expense (including reasonable attorneys’ fees) arising out of or relating to any loss, Security Incident, Breach or other non-permitted use or disclosure of PHI, failure to safeguard ePHI, or other breach of this Agreement by that Party or any affiliate, director, officer, employee, or Subcontractor of that Party. The exclusions and limits of liability, if any, provided in the Covered Entity – Business Associate Contract(s) shall apply in the event of a breach of this Business Associate Agreement or with respect to Business Associate’s indemnification obligations.
- Amendment; Waiver. The Parties acknowledge that State and federal laws relating to electronic data security and privacy are evolving and that amendment of this Agreement may be required to ensure compliance with developments in the applicable laws. The Parties specifically agree to take necessary action to implement the standards and requirements of HIPAA and other applicable laws relating to the security or confidentiality of PHI, including promptly amending this Agreement, upon the request of either Party, to comply with the standards and requirements of HIPAA or other applicable laws. Either Party may terminate the Services and Services Agreement(s) upon 30 calendar days’ written notice in the event that the other Party does not promptly enter into negotiations to amend this Agreement to provide appropriate assurances regarding the safeguarding of PHI.
- No Third-Party Beneficiaries. Nothing express or implied in this Agreement confers upon any person other than Covered Entity, the Covered Entity Affiliates and Business Associate and their respective heirs, representatives, successors and assigns, any rights, remedies, obligations or liabilities whatsoever, whether as creditor beneficiary, donor beneficiary or otherwise.
- Entire Agreement. This Agreement supersedes all prior Business Associate Agreements between Covered Entity and Business Associate and contains the entire understanding and agreement between the Parties.
- Governing Law. This Agreement is to be construed in accordance with and governed by the laws of Florida (Marion County) without regard to conflicts of laws principles.
- Binding Effect. This Agreement is binding upon, and inures to the benefit of, each Party hereto and their respective successors and assigns.
- Notices. All notices, demands and other communications to be made pursuant to this Agreement (Notice) must be given in writing and will be deemed to have been duly given if personally delivered or sent by confirmed facsimile transmission, recognized overnight courier service which provides a receipt against delivery, or certified or registered mail, postage prepaid, return receipt requested, or sent via e-mail, to the other Party at the address set forth in this Agreement.
Covered Entity Address for Notices:
Business Associate Address for Notices: 101 NE 2nd Street, Ocala, Florida 34470
- Preservation of Rights. No delay on the part of any Party in exercising any right, power or privilege hereunder will operate as a waiver thereof, nor will any waiver on the part of any Party of any right, power, or privilege, nor any single or partial exercise of any right, power, or privilege, preclude any further exercise thereof or the exercise of any other right, power or privilege. The rights and remedies set forth in this Agreement are cumulative and are not exclusive of any rights or remedies that any Party may otherwise have at law, in equity or otherwise.
- Provisions Severable. The provisions of this Agreement are independent of and severable from each other. No provisions will be affected or rendered invalid or unenforceable by virtue of the fact that, for any reason, any one or more of any of the provisions hereof may be invalid or unenforceable in whole or in part.
- Interpretation. The Parties agree that any ambiguity in this Agreement will be resolved in favor of a meaning that complies and is consistent with HIPAA.