HIPAA Privacy Agreement
BUSINESS AFFILIATE AGREEMENT
​
This Agreement is entered into by and between (Health Care Provider) and (Business Affiliate) to set forth the terms and conditions under which “protected health information” (PHI), as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Regulations enacted hereunder, created or received by (“Business Affiliate”) on behalf of the above said Health Care Provider may be used or disclosed.
This Agreement shall commence on (Date) and the obligations herein shall continue in effect so long as Business Affiliate uses, discloses, creates or otherwise possesses any protected health information created or received on behalf of above said Health Care Provider and until all protected health information created or received by Business Affiliate on behalf of the above said Health Care Provider is destroyed or returned to said Health Care Provider pursuant to Paragraph 15 herein.
1) This said Health Care Provider and Business Affiliate hereby agree that Business Affiliate shall be permitted to use and/or disclose protected health information created or received on behalf of said Health Care Provider for the following purposes:
a) Completing and submitting health care claims to health plans, Clearinghouses, and other third party payers.
b) Collection of fees for said Health Care Provider.
c) Establishing and maintaining Business Management Programs for said Health Care Provider.
d) Introducing, maintaining, and programming Electronic Medical Record Systems for said Health Care Provider).
e) Introducing, maintaining, and programming compatible Dictation Systems for said Health Care Provider.
It is to be understood by all parties that the permitted uses and disclosures must be within the scope of and necessary to achieve, the obligations and responsibilities of Business Affiliate in performing on behalf of, or providing services to, the Health Care Provider.
2) Business Affiliate may use and disclose protected health information created or received by Business Affiliate on behalf of said Health Care Provider if necessary for the proper management and administration of Business Affiliate or to carry out. legal responsibilities, provided that any disclosure is:
a) Required by law, or
b) Business Affiliate obtains reasonable assurances from the person to whom the protected health information is disclosed that (i) the protected health information will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and (ii) Business Affiliate will be notified of any instances of which the person is aware in which the confidentiality of the information is breached.
3) Business Affiliate hereby agrees to maintain the security and privacy of all protected health information in a manner consistent with State and Federal laws and regulations, including the Health insurance Portability and Accountability Act of 1996 (“HIPAA”) and regulations hereunder, and all other applicable law.
4) Business Affiliate further agrees not to use or disclose protected health information except as expressly permitted by this Agreement, applicable law, or for the purpose of managing Business Affiliate own internal business processes consistent with Paragraph 2 herein.
5) Business Affiliate shall not disclose protected health information to any member of its workforce unless Business Affiliate has advised such person (employee) of Business Affiliate privacy and security obligations and policies under this Agreement, including the consequences for violation of such obligations. Business Affiliate shall take appropriate disciplinary action against any member of its workforce who uses or discloses protected health information in violations of this Agreement and applicable law.
6) Business Affiliate shall not disclose protected health information created or received by Business Affiliate on behalf of said Health Care Provider to a person, including any agent or subcontractor of Business Affiliate but not including a member of Business Affiliate s own workforce, until such person agrees in writing to be bound by the provisions of the Agreement and applicable State or Federal law.
7) Business Affiliate agrees to use appropriate safeguards to prevent use or disclosure of protected health information not permitted by this Agreement or applicable law.
8) Business Affiliate agrees to maintain a record of all disclosures of protected health information, including disclosures not made for the purposes of this Agreement. Such record shall include the date of the disclosure, the name and, if known, the address of the recipient of the protected health information, the name of the individual who is the subject of the protected health information, a brief description of the protected health information disclosed, and the purpose of the disclosure. Business Affiliate shall make such record available to an individual who is the subject of such information or this said Health Care Provider within five (5) working days of a request and shall include disclosures made on or after the date which is six (6) years prior to the request or April 14, 2003, whichever date is later.
9) Business Affiliate agrees to report to said Health Care Provider any unauthorized use or disclosure of protected health information by Business Affiliate or its workforce or subcontractors and the remedial action taken or proposed to be taken with respect to such use or disclosure.
10) Business Affiliate agrees to make its internal practices, books, and records relating to the use and disclosure of protected health information received from said Health Care Provider) or created or received by Business Affiliate on behalf of said Health Care Provider, available to the Secretary of the United States Department of Health and Human Services, for purposes of determining the Covered Entity’s compliance with HIPAA.
Within thirty (30) days of a written request by said Health Care Provider, Business Affiliate shall allow a person who is the subject of protected health information, such person’s legal representative, or said Health Care Provider to have access to and to copy such person’s protected health information in the format requested by such person, legal representative, or practitioner unless it is not readily producible in such format, in which case it shall be produced in standard hard copy format.
11) Business Affiliate agrees to amend, pursuant to a request by said Health Care Provider, protected health information maintained and created or received by Business Affiliate, on behalf of the Practitioner. Business Affiliate further agrees to complete such amendment within thirty (30) days of a written request by said Health Care Provider, and to make such amendment as directed by said Health Care Provider.
12) In the event Business Affiliate fails to perform the obligations under this Agreement, said Health Care Provider may, at its option:
a) Require Business Affiliate to submit to a plan of compliance, including monitoring by said Health Care Provider and reporting by Business Affiliate, as said Health Care Provider, in its sole discretion, determines necessary to maintain compliance with this Agreement and applicable law. Such plan shall be incorporated into this Agreement by amendment hereto: and
b) Require Business Affiliate to mitigate any loss occasioned by the unauthorized disclosure or use of protected health information.
c) Immediately discontinue providing protected health information to Business Affiliate with or without written notice to Business Affiliate
​
13) The above named Health Care Provider may immediately terminate this Agreement and related agreements if this Health Care Provider determines that Business Affiliate has breached a material term of this Agreement. Alternatively, this Health Care Provider may choose to (i) provide Business Affiliate with ten (10) days written notice of the existence of an alleged material breach; and (ii) afford Business Affiliate an opportunity to cure said alleged material breach to the satisfaction of said Health Care Provider within (10) days. Business Affiliate’s failure to cure shall be grounds for immediate termination of this agreement. This said Health Care Provider’s remedies under this Agreement are cumulative, and the exercise of any remedy shall not preclude the exercise of any other.
​
14) Upon termination of this Agreement, Business Affiliate shall return or destroy all protected health information received from said Health Care Provider, or created or received by Business Affiliate on behalf of said Health care Provider and that Business Affiliate maintains in any form, and shall retain no copies of such information. If the parties mutually agree that return or destruction of protected health information is not feasible, Business Affiliate shall continue to maintain the security and privacy of such protected health information in a manner consistent with the obligations of this Agreement and as required by applicable law, and shall limit further use of the information to those purposes that make the return or destruction of the information infeasible. The duties hereunder to maintain the security and privacy of protected health information shall survive the discontinuance of this Agreement.
​
15) This said Health Care Provider may amend this Agreement by providing ten (10) days prior written notice to Business Affiliate in order to maintain compliance with State & Federal law. Such amendment shall be binding upon Business Affiliate at the end of the ten (10) day period and shall not require the consent of the Business Affiliate.
The Business Affiliate may elect to discontinue the Agreement within the ten (10) day period, but Business Affiliate duties hereunder to maintain the security and privacy of PROTECTED HEALTH INFORMATION shall survive such discontinuance. This Health Care Provider and Business Affiliate may otherwise amend this Agreement by mutual written agreement.
16) Business Affiliate shall, to the fullest extent permitted by law, protect, defend, indemnify and hold harmless this said Health Care Provider and his/her respective employees, directors, and agents (“Indemnities”) from and against any and all losses, costs, claims, penalties, fines, demands, liabilities, legal actions, judgments, and expenses of every kind (including reasonable attorney’s fees, including at trial and on appeal) asserted or imposed against any Indemnities arising out of the acts or omissions of Business Affiliate or any of Business Affiliate’s employees, directors, or agents related to the performance or nonperformance of this Agreement.
17) Business Affiliate also agrees to act in accordance with set rules as described by HIGH TECH RULES set forth in FEBRUARY 2010 as they apply to Personal Health Information (PHI) in relation to Health Care Providers patients and: Internet sharing, Computer Terminal Password Protection, Firewall Protection within Business Affiliates Dwelling and Document Shredding to protect all PHI as it relates to the Health Care Providers patients.