BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS
The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the “HIPAA Agreement”) are part of the Brevium Software License and Consulting Agreement to which this Exhibit B is attached, and capitalized terms not otherwise defined herein have the meanings set forth in the Agreement. By signing the Agreement the Customer and Brevium also agree to these terms.
Pursuant to the Agreement, Brevium, its employees, subcontractors, agents and affiliates, if any (individually and collectively, the “Business Associate”) performs functions or activities on behalf of Customer involving the use and/or disclosure of PHI. Business Associate, therefore, agrees to the following terms and conditions set forth in this HIPAA Agreement.
1. Definitions. For purposes of this HIPAA Agreement, the following terms shall have the designated meanings. All other terms shall have the same meanings as in HIPAA or HITECH.
a) “Administrative Safeguards” shall mean administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect Electronic PHI and to manage the conduct of the Business Associate’s workforce in relation to the protection of that information.
b) “Breach” shall have the same meaning as provided in 45 C.F.R. 164.
c) “Designated Record Set” shall have the same meaning provided in 45 C.F.R. § 164.501(a).
d) “Electronic PHI” shall have the same meaning provided in 45 C.F.R. § 160.103.
e) “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, and any amendments thereto.
f) “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
g) “HITECH” shall mean the Health Information Technology for Economic and Clinical Health Act, which is Title XIII of the American Recovery and Reinvestment Act, and any amendments, regulations, rules and guidance issued thereto and the relevant dates for compliance.
h) “Individually Identifiable Health Information” shall mean information that is a subset of health information, including genetic and demographic information collected from an individual, and is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and (i) identifies the individual, or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
i) “Physical Safeguards” shall mean physical measures, policies and procedures to protect Business Associate’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
j) “Privacy Standards” shall mean the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164.
k) “Protected Health Information” or “PHI” shall have the meaning provided in 45 C.F.R. § 160.103, limited to the information created or received by the Business Associate from or on behalf of the Customer.
l) “Secretary” shall mean the Secretary of the United States Department of Health and Human Services.
m) “Security Incident” shall have the same meaning provided in 45 C.F.R. § 164.304.
n) “Security Standards” shall mean the regulations with regard to security standards for health information, 45 C.F.R. Parts 160 and 164.
o) “Technical Safeguards” shall mean the technology, and the policy and procedures for its use, which protects Electronic PHI and controls access to it.
p) “Transaction Standards” shall mean the Standards for Electronic Transactions, 45 C.F.R. Parts 160 and 162.
q) “Unsecured PHI” shall mean protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary under section 13402(h)(2) of Public Law 111-5.
2. Compliance with Applicable Law. The parties acknowledge and agree that as of the Effective Date, Business Associate shall comply with its obligations under this HIPAA Agreement and with all obligations of a business associate under HIPAA, HITECH and other related laws and any implementing regulations, as they exist at the time this HIPAA Agreement is executed and as they are amended. Without limiting the foregoing, Business Associate agrees it will comply with all applicable state laws not preempted by HIPAA or HITECH.
3. Uses and Disclosures of PHI. Business Associate shall not, and shall ensure that its directors, officers, employees, and agents do not, use or disclose PHI received from Customer in any manner that is not permitted or required by the Agreement or required/permitted by law. All uses and disclosures of and requests by Business Associate for PHI are subject to the minimum necessary rule of the Privacy Standards and shall be limited to the information contained in a limited data set, to the extent practical, unless additional information is needed to accomplish the intended purpose, or as otherwise permitted in accordance with Section 13405(b) of HITECH and any implementing regulations. Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided: (a) the disclosures are required or permitted by law; or (b) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required/permitted by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
4. Required Safeguards To Protect PHI. Business Associate agrees that it will implement any and all necessary Administrative Safeguards, Physical Safeguards, Technical Safeguards or other safeguards, policies and procedures in accordance with the Privacy Standards, Security Standards and Transaction Standards, including, but not limited to, Subpart C of 45 C.F.R. Part 164, to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of the Agreement or as required/permitted by law. Business Associate maintains the right to de-identify personal information placed in its database, and to use, disclose, sell and otherwise commercialize de-identified information without restriction.
5. Notification in Case of Breach. In the event of an impermissible acquisition, access, use or disclosure of Unsecured PHI created or maintained by Business Associate, Business Associate shall determine if a Breach has occurred.
a) If Business Associate determines that a Breach of Unsecured PHI created or maintained by Business Associate has occurred, Business Associate shall notify Customer of such Breach, in accordance with Section 13402 of HITECH and 45 C.F.R. § 164.410, without unreasonable delay and in no case later than twenty (20) calendar days after discovery of the Breach. Discovery of a Breach by Business Associate shall be deemed to have occurred as of the first day on which such a Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known, or, by exercising reasonable diligence, would have been known, to any person, other than the person committing the Breach, who is a workforce member or agent of Business Associate. Such notice (“Breach Notice”) shall include, to the extent known by Business Associate, the following:
i. the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during such Breach;
ii. a description of the nature of the unauthorized acquisition, access, use or disclosure, including the date of the Breach and the date of discovery of the Breach;
iii. a description of the type of Unsecured PHI acquired, accessed, used or disclosed in the Breach (e.g. full name, social security number, date of birth, home address, account number or disability code);
iv. a description of what Business Associate is doing to investigate the Breach, to mitigate losses and to protect against any further Breaches; and
v. the contact information for Business Associate’s representative(s) who are knowledgeable of the Breach.
6. Agreements by Third Parties. In accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall enter into an agreement with any agent or subcontractor of Business Associate that will have access to PHI that is received from, or is created or received by, Business Associate on behalf of Customer. Pursuant to such agreement, the agent or subcontractor shall agree to be bound by the same restrictions, terms, and conditions that apply to Business Associate under this HIPAA Agreement with respect to such PHI.
7. Access to Information. Within twenty (20) calendar days of a request by Customer for access to PHI about an individual contained in a Designated Record Set, Business Associate shall make available to Customer such PHI for so long as such information is maintained by Business Associate in the Designated Record Set, as required by 45 C.F.R. § 164.524. In the event any individual delivers directly to Business Associate a request for access to PHI, Business Associate shall within ten (10) calendar days forward such request to Customer.
8. Availability of PHI for Amendment. Within twenty (20) calendar days of receipt of a request from Customer for the amendment of an individual’s PHI or a record regarding an individual contained in a Designated Record Set (for so long as the PHI is maintained in the Designated Record Set), Business Associate shall provide such information to Customer for amendment and incorporate any such amendments in the PHI as required by 45 C.F.R. § 164.526.
9. Documentation of Disclosures. Business Associate agrees to document all disclosures of PHI and information related to such disclosures as would be required for Customer to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. At a minimum, Business Associate shall provide Customer with the following information: (i) the date of the disclosure; (ii) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure.
10. Accounting of Disclosures. Within twenty (20) calendar days of notice by Customer to Business Associate that it has received a request for an accounting of disclosures of PHI regarding an individual during the six (6) years prior to the date on which the accounting was requested, Business Associate shall make available to Customer information collected in accordance with this HIPAA Agreement, to permit Customer to respond to the request for an accounting of disclosures of PHI, as required by 45 C.F.R. § 164.528. In the case of an electronic health record maintained or hosted by Business Associate on behalf of Customer, the accounting period shall be three (3) years and the accounting shall include disclosures for treatment, payment and healthcare operations, in accordance with the applicable effective date of Section 13402(a) of HITECH. In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall within ten (10) calendar days forward such request to Customer. Business Associate hereby agrees to implement an appropriate record keeping process to enable it to comply with the requirements of this Section.
11. Availability of Books and Records. Business Associate hereby agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Customer available to the Secretary for purposes of determining Customer’s compliance with the HIPAA Rules.
12. Electronic PHI. To the extent that Business Associate creates, receives, maintains or transmits Electronic PHI on behalf of Customer, Business Associate shall comply with the Security Standards as of the relevant effective date and further, shall:
a) Implement Administrative, Physical and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI, in accordance with Section 13401(a) of HITECH;
b) Ensure that any agent, including a Business Associate, to whom it provides Electronic PHI agrees to implement reasonable and appropriate safeguards to protect it; and
c) Report to Customer any Security Incident of which Business Associate becomes aware.
13. Termination for Cause. In addition to any other rights Customer may have in the Agreement, Business Associate authorizes the termination of the Agreement by Customer, if Customer determines Business Associate has violated a material term of this HIPAA Agreement and Business Associate has not cured such breach or ended the violation within thirty (30) calendar days of written notice from the Customer to the Business Associate.
14. Effect of Termination. Upon the termination of the Agreement for any reason, Business Associate, with respect to PHI received from Customer, or created, maintained, or received by Business Associate on behalf of Customer, shall:
a) Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
b) Return to Customer or destroy the remaining PHI that the Business Associate still maintains in any form;
c) Continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic PHI to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as Business Associate retains the PHI;
d) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out in Section 3 of this HIPAA Agreement which applied prior to termination; and
e) Return to Customer or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
The obligations of Business Associate under this Section shall survive termination of the Agreement.
15. Changes in the Law. Customer may amend the Agreement (including this HIPAA Agreement) to conform to any new or revised legislation, rules and regulations to which Customer is subject now or in the future including, without limitation, HIPAA, HITECH, the Privacy Standards, Security Standards or Transaction Standards.