Business Associate Addendum – HST Price Transparency Essentials
- Covered Entity is or will be disclosing and/or making available certain data, which may include Protected Health Information, as that term is defined in 45 C.F.R. §160.103, to Business Associate to perform tasks on behalf of, and under the instructions of, Covered Entity.
- Covered Entity is or may be subject to the requirements of 42 U.S.C. 1171 et seq. enacted by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the privacy, security, and standard transaction regulations promulgated thereunder, as contained in 45 C.F.R. Parts 160, 162, and 164 (“HIPAA Regulations”). As used herein, “PHI” refers to Protected Health Information created or received by Business Associate for or from Covered Entity.
The parties hereby agree as follows:
- Business Associate may use and disclose PHI only as required to satisfy its obligations under the Agreement, as expressly permitted in this Addendum, or as required by law. Business Associate will not use or disclose PHI in any manner that would constitute a violation of the HIPAA Regulations if done by Covered Entity.
- Business Associate agrees to take reasonable precautions to protect PHI from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- Upon becoming aware of any use or disclosure of PHI in violation of this Addendum, Business Associate will promptly report any such use or disclosure to Covered Entity.
- Business Associate will obtain and maintain a written agreement with each agent or subcontractor that has or will have access to the PHI pursuant to which agreement such agent or subcontractor agrees to be bound by substantially the same restrictions, terms, and conditions that apply to Business Associate pursuant to this Addendum with respect to such PHI.
- Within 15 days of a written request by Covered Entity for access to PHI about an individual contained in a Designated Record Set (as defined at 45 C.F.R. § 164.501), Business Associate will make available to Covered Entity such PHI. If any individual requests access to PHI directly from Business Associate, Business Associate will within 10 days forward such request to Covered Entity. Any denials of access to the PHI requested will be the responsibility of Covered Entity.
- Within 15 days of receipt of a written request from Covered Entity for the amendment of an individual’s PHI contained in a Designated Record Set (for so long as the PHI is maintained in the Designated Record Set), Business Associate will provide such information to Covered Entity for amendment and incorporate any such amendments in the PHI as required by 45 C.F.R. §164.526.
- For all disclosures of PHI by Business Associate that are not excluded from the accounting obligation as set forth at 45 C.F.R. § 164.528, Business Associate will record the information required to be recorded by covered entities pursuant to 45 C.F.R. § 164.528. Within 20 days of notice by Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI, Business Associate will make available to Covered Entity the information required to be maintained pursuant to this Section 7. If the request for an accounting is delivered directly to Business Associate, Business Associate will within 10 days forward such request to Covered Entity.
- Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for purposes of determining Covered Entity’s and Business Associate’s compliance with the HIPAA Regulations.
- Unless otherwise limited herein, Business Associate may:
  - Use the PHI for its proper management and administration and to carry out its legal responsibilities.
  - Disclose PHI for its proper management and administration and to carry out its legal responsibilities, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the recipient that the PHI will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the recipient, and the recipient notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
  - Use and disclose PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
  - Aggregate the PHI in its possession with the PHI of other covered entities that Business Associate has in its possession through its capacity as a Business Associate to other covered entities, provided that the purpose of such aggregation is to provide Covered Entity with data analysis relating to the Health Care Operations of Covered Entity.
  - Use PHI to create de-identified information and to aggregate any such information as necessary and useful for Business Associate’s reasonable purposes, provided that the de-identification conforms to the requirements of 45 C.F.R. § 164.514(b).
- If Business Associate conducts standard transactions (as defined in 45 C.F.R. Part 160) for or on behalf of Covered Entity, Business Associate will comply, and will require by written contract each agent or contractor (including any subcontractor) involved with the conduct of such standard transactions to comply, with each applicable requirement of the HIPAA Regulations (as set forth at 45 C.F.R. Parts 160 and 162). Business Associate will not enter into, or permit its agents or contractors (including subcontractors) to enter into, any trading partner agreement in connection with the conduct of standard transactions for or on behalf of Covered Entity that: (i) changes the definition, data condition, or use of a data element or segment in a standard transaction; (ii) adds any data elements or segments to the maximum defined data set; (iii) uses any code or data element that is marked not used in the standard transaction’s implementation specification or is not in the standard transaction’s implementation specification; or (iv) changes the meaning or intent of the standard transaction’s implementation specification. Business Associate agrees to participate in any test modification conducted by Covered Entity in accordance with the HIPAA Regulations.
- Business Associate will implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI as required by the security requirements of the HIPAA Regulations as set forth at 45 C.F.R. Parts 160 and 164. Business Associate will employ multiple security mechanisms to ensure the confidentiality, integrity, and availability of the electronic PHI which is exchanged with Covered Entity, including, but not limited to, authentication controls, authorization controls, audit controls, and encryption, as requested by Covered Entity. Business Associate will ensure that any agent, including a subcontractor, to whom it provides such information, agrees to implement reasonable and appropriate safeguards to protect such information.
- Business Associate will promptly report to Covered Entity any Security Incident (as defined at 45 C.F.R. § 164.304) of which it becomes aware. Notwithstanding the foregoing, Covered Entity acknowledges that this section constitutes notice to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity is required. “Unsuccessful Security Incidents” include, but are not limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI.
- If Covered Entity determines that Business Associate has materially breached the terms of this Addendum, Covered Entity will provide notice to Business Associate of such material breach, and will provide Business Associate with a reasonable time to cure such breach, which may not be less than 30 days. If the breach is not cured within the specified period, Covered Entity may terminate the Agreement and this Addendum.
- Upon termination of this Addendum, Business Associate will either return or destroy, at no cost to Covered Entity, all PHI that Business Associate still maintains in any form. Business Associate may not retain any copies of such PHI. Notwithstanding the foregoing, to the extent that it is not feasible to return or destroy such PHI, the terms and provisions of this Addendum will survive termination of this Addendum until such PHI has been returned or destroyed, and Business Associate may use or disclose such PHI solely for such purpose or purposes which prevented the return or destruction of such PHI.
- For the avoidance of doubt, the limitations on liability set forth in the Agreement also apply to this Addendum.