Mutual Business Associate Agreement
This Agreement dated as above is made by and between Alpha Phlebotomy Group, Inc. Powered By Your Health Pro Inc.. (“Covered Entity”) and
The person named Below (“Business Associate”).
Background
This Agreement governs the terms and conditions under which Business Associate will access personal health information belonging to patients of Covered Entity and / or its affiliates in performing services for, or on behalf of, Covered Entity and its affiliates.
Agreement
1. Definitions. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR 160.103 and 164.501, as amended. For purposes of this section:
a) Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
b) Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E, as amended by the American Recovery and Reinvestment Act of 2009 (Pub.L. 111-5).
c) Security Rule. “Security Rule” shall mean the Health Insurance Reform: Security Standards at 45 CFR Parts 160, 162, and 164, as amended by the American Recovery and Reinvestment Act of 2009 (Pub.L. 111-5).
d) Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
e) Electronic Protected Health Information (“EPHI”). EPHI shall have the same meaning as the term “electronic protected health information” in the Health Insurance Reform: Security Standards at 45 CFR Parts 160, 162, and 164, as amended by the American Recovery and Reinvestment Act of 2009 (Pub.L. 111-5).
f) Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 164.501, as amended.
g) Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
2. Obligations and Activities of the Business Associate. Business Associate agrees to:
a) Not use or further disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.
b) Use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.
c) Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.
d) Report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement.
e) Ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
f) In the event that the Business Associate maintains Protected Health Information in a designated records set, Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524.
g) In the event that the Business Associate maintains Protected Health Information in a designated records set, Business Associate agrees to make any amendment(s) to Protected Health Information in a designated record set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.
h) Make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule. In the event such a request comes directly from the Secretary, Business Associate agrees to notify Covered Entity immediately of such request.
i) Document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.
j) Provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information collected in accordance with this section, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528.
h) Comply with the Security Rule and Privacy Rule as amended in the American Recovery and Reinvestment Act of 2009 (Pub.L. 111-5), including without limitation, adopting written policies and procedures to (i) adopt compliant HIPAA policies (ii) appointing a security official, (iii) adopting technical and physical safeguards and (iv) employing appropriate procedures in the case of a breach, and training its workforce on the same.
3. Permitted Uses and Disclosures of Business Associate. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information, as follows: on behalf of, Covered Entity, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity. a) Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
4. Obligation of Covered Entity. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR 164.520, as well as any changes to such notice.
5. Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
6. Term and Termination.
a) Term. The obligations set forth in this section shall be effective as of the date the first protected health information is released to Business Associate pursuant to this Agreement, and shall terminate only when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
b) Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. Covered Entity may terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity.
c) Effect of Termination.
(i) Except as provided in paragraph (ii) of this Section 6, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
(ii) In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. d) Survival. The respective rights and obligations of Business Associate under this section shall survive the termination of this Agreement.
7. Ownership of Information. Covered Entity holds all right, title, and interest in and to the PHI and Business Associate does not hold and will not acquire by virtue of this Agreement or by virtue of providing goods or services to Covered Entity, any right, title, or interest in or to the PHI or any portion thereof.
8. Miscellaneous.
a) Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required.
b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act, Public Law 104-19, as amended.
c) Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule.
d) Notice. All notices under this Agreement shall be in writing, and shall be deemed given when personally delivered, or three days after being sent by prepaid certified or registered U.S. mail to the address of the party to be noticed as set forth herein or such other address as such party last provided to the other by written notice.
Covered Party:
Alpha Phlebotomy Group, Inc
Powered By Your Health Pro
60 N 4th Street
Central Point, OR 97502
e) Right to Injunctive Relief. Business Associate expressly acknowledges and agrees that the breach, or threatened breach, by it of any provision of this Agreement may cause Covered Entity to be irreparably harmed and that Covered Entity may not have an adequate remedy at law. Therefore, Business Associate agrees that upon such breach, or threatened breach, Covered Entity will be entitled to seek injunctive relief to prevent Business Associate from commencing or continuing any action constituting such breach without having to prove the inadequacy of any other available remedies. Nothing in this paragraph will be deemed to limit or abridge any other remedy available to Covered Entity at law or in equity.
f. Choice of Law; Entire Agreement. This Agreement shall be governed by and construed in accordance with the laws of the State of Colorado without regard to the conflicts of laws provisions thereof. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys fees. This Agreement constitutes the entire agreement and supersedes all prior or contemporaneous oral or written agreement.
g. Counterparts; Facsimile. This Agreement may be executed in two or more identical counterparts, each of which shall be deemed to be an original and all of which taken together shall be deemed to constitute the Agreement when a duly authorized representative of each party has signed a counterpart. Each party agrees that the delivery of the Agreement by facsimile shall have the same force and effect as delivery of original signatures and that each party may use such facsimile signatures as evidence of the execution and delivery of the Agreement by all parties to the same extent that an original signature could be used.
IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement as of the day and year first above written.