Please save or print this form as confirmation that you entered into this agreement with AnswerFirst Communications Inc.
BUSINESS ASSOCIATE CONTRACT
This Business Associate Contract (“BAC”), is effective upon its execution with AnswerFirst Communications, Inc. (the “Business Associate”) and the undersigned health care provider or other services provider (the “Covered Entity”) (each a “Party” and collectively the “Parties”).
The Business Associate is a telephone answering service and the Covered Entity is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and all pertinent regulations issued by the Department of Health and Human Services (“HHS”). The Parties have a prior oral or written agreement (the “Service Agreement”) which governs the business relationship between these parties and under which the Business Associate regularly may use and/or disclose Protected Health Information (“PHI”) in its performance of the Services thereunder. Both Parties are committed to complying with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and all pertinent regulations issued by the Department of Health and Human Services (“HHS”). This BAC sets forth the terms and conditions pursuant to which PHI that is provided to, or provided, created, received, maintained, or transmitted by the Business Associate from or on behalf of the Covered Entity, will be handled between the Business Associate and the Covered Entity and with third parties during the term of their agreement and after its termination. The Parties agrees as follows:
1. PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
1.1 Services. Pursuant to the Service Agreement, Business Associate provides Services (“Services”) for the Covered Entity that involve the use and disclosure of PHI. Except as otherwise specified herein, the Business Associate may make any and all uses of PHI necessary to perform its obligations under the Service Agreement. All other uses not authorized by this BAC are prohibited. Moreover, Business Associate may disclose PHI for the purposes authorized by this BAC only, (i) to its employees, subcontractors and agents, in accordance with Section 2.1(e), (ii) as directed by the Covered Entity, or (iii) as otherwise permitted by the terms of this BAC including, but not limited to, Section 1.2(b) below.
1.2 Business Activities of the Business Associate. Unless otherwise limited herein, the Business Associate may:
a. use the PHI in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of the Business Associate provided that such uses are permitted under state and federal confidentiality laws.
b. disclose the PHI in its possession to third parties, including but not limited to subcontractors of the Business Associate, for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of the Business Associate, provided that the Business Associate represents to the Covered Entity, in writing, that (i) the disclosures are required by law, as provided for in 45 C.F.R. § 164.502 and (ii) the Business Associate has received from the third party written assurances regarding its confidential handling of such PHI as required under 45 C.F.R. § 164.504(e)(4) and (iii) and the third party agrees to the same restrictions and conditions that apply through this BAC to Business Associate with respect to PHI.
1.3 Additional Activities of Business Associate. In addition to using the PHI to perform the Services set forth in Section 1.1 of this BAC, the Business Associate may:
a. aggregate the PHI in its possession with the PHI of other covered entities that the Business Associate has in its possession through its capacity as a business associate to said other covered entities provided that the purpose of such aggregation is to provide the Covered Entity with data analyses relating to the Health Care Operations of the Covered Entity. Under no circumstances may the Business Associate disclose PHI of one covered entity to another covered entity absent the explicit authorization of the Covered Entity.
b. deidentify any and all PHI provided that the deidentification conforms to the requirements of 45 C.F.R. § 164.514(b), and further provided that the Covered Entity maintains the documentation required by 45 C.F.R. § 164.514(b) which may be in the form of a written assurance from the Business Associate. Pursuant to 45 C.F.R. § 164.502(d)(2), deidentified information does not constitute PHI and is not subject to the terms of this BAC.
2. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION
2.1 Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI, the Business Associate hereby agrees to do the following:
a. use and/or disclose the PHI only as permitted or required by this BAC or as otherwise required by law.
b. report to the designated Privacy Officer and/or Security Officer of the Covered Entity, in writing, any use and/or disclosure of the PHI that is not permitted or required by this BAC of which Business Associate becomes aware within 14 days of the Business Associate’s discovery of such unauthorized use and/or disclosure. To the extent possible, the Business Associate should provide the Covered Entity with the identification of each individual affected by the breach as well as any information required to be provided by the Covered Entity in its notification to affected individuals. Business Associates shall comply with all regulations issued by HHS and applicable state agencies regarding breach notification to Covered Entities. Business Associates agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
c. establish procedures for a mutually satisfactory resolution, regarding any deleterious effects from any improper use and/or disclosure of PHI that the Business Associate reports to the Covered Entity.
d. use commercially reasonable efforts to maintain the security of the PHI and to prevent unauthorized use and/or disclosure of such PHI.
e. require all of its subcontractors and agents that receive or use, or have access to, PHI under this BAC to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of PHI that apply to the Business Associate pursuant to section 2 of this BAC, as well as to have the subcontractors and agents require of their subcontractors and agents who receive, use, or have access to PHI the same restrictions and conditions as agreed to by them with the Business Associate.
f. make available all internal practices, records, books, agreements, policies, procedures and PHI relating to the use and/or disclosure of PHI received from, or created or received by Business Associate, on behalf of Covered Entity, available to Covered Entity or to the Secretary of HHS in a prompt and commercially reasonable manner for purposes of determining (i) the Business Associate’s compliance with the terms of this BAC and (ii) compliance by the Business Associate and the Covered Entity with all applicable statutory provisions and regulations of and under HIPAA and the HITECH Act, subject to attorney client and other applicable legal privileges.
g. within 14 days of receiving a written request from the Covered Entity, to provide to the Covered Entity or Individual such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s PHI in accordance with 45 C.F.R. § 164.528.
h. subject to Section 4.5 below, return to the Covered Entity or destroy, within 85 days of the termination of this BAC, the PHI in its possession and retain no copies. This includes, but is not limited to; all media, media backups, and any other files (i.e. sound or .wav files) and/or paper which contains PHI.
i. with respect to PHI and/or Electronic Protected Health Information (“EPHI”), as that term is used in 45 CFR, Part 164, Subpart C, implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity and ensure that any agent, including a subcontractor, to whom it provides EPHI agrees to implement reasonable and appropriate safeguards to protect EPHI.
j. at the request of the Covered Entity, provide the Covered Entity (or any designate of the Covered Entity) access to PHI in a Designated Record Set in a prompt and commercially reasonably manner in order to meet the requirements under 45 CFR § 164.524.
k. make any amendment(s) to protected PHI in a Designated Record Set that the Covered Entity directs or agrees pursuant to 45 CFR § 164.526 at the request of the Covered Entity or an Individual in a prompt and commercially reasonable manner.
2.2 Responsibilities of the Covered Entity. With regard to the use and/or disclosure of PHI by the Business Associate, the Covered Entity hereby agrees:
a. to inform the Business Associate of any changes in the form of notice of privacy practices (the “Notice”) that the Covered Entity provides to individuals pursuant to 45 C.F.R. §164.520, and provide the Business Associate a copy of the Notice currently in use.
b. to inform the Business Associate of any changes in, or withdrawal of, the consent or authorization provided to the Covered Entity by individuals pursuant to 45 C.F.R. §164.506 or §164.508.
c. to inform the Business Associate of any optouts exercised by any individual from marketing and/or fundraising activities of the Covered Entity pursuant to 45 C.F.R. § 164.514(e).
d. to notify the Business Associate, in writing and in a timely manner, of any arrangements permitted or required of the Covered Entity under 45 C.F.R. part 160 and 164 that may impact in any manner the use and/or disclosure of PHI by the Business Associate under this BAC, including, but not limited to, restrictions on use and/or disclosure of PHI as provided for in 45 C.F.R. § 164.522 agreed to by the Covered Entity.
e. that Business Associate may make any use and/or disclosure of PHI permitted under 45 C.F.R. § 164.512 except uses or disclosure for research are not permitted without prior approval by the Covered Entity.
f. with respect to EPHI, Covered Entity acknowledges that it must provide appropriate security for EPHI, such as encryption and secure wireless communications, and absolves Business Associate of any liability for breaches of EPHI security caused by reception or transmission devices under the control of Covered Entity.
3. REPRESENTATIONS AND WARRANTIES
3.1 Mutual Representations and Warranties of the Parties. Each Party represents and warrants to the other Party:
a. that it is duly organized, validly existing, and in good standing under the laws of the jurisdiction in which it is organized or licensed, it has the full power to enter into this BAC and to perform its obligations hereunder, and that the performance by it of its obligations under this BAC have been duly authorized by all necessary corporate or other actions and will not violate any provision of any license, corporate charter or bylaws.
b. that neither the execution of this BAC, nor its performance hereunder, will directly or indirectly violate or interfere with the terms of another agreement to which it is a party, or give any governmental entity the right to suspend, terminate, or modify any of its governmental authorizations or assets required for its performance hereunder. Each Party represents and warrants to the other Party that it will not enter into any agreement the execution and/or performance of which would violate or interfere with this BAC.
c. that it is not currently the subject of a voluntary or involuntary petition in bankruptcy, does not currently contemplate filing any such voluntary petition, and is not aware of any claim for the filing of an involuntary petition.
d. that all of its employees, agents, representatives and members of its workforce, whose services may be used to fulfill obligations under this BAC are or shall be appropriately informed of the terms of this BAC and are under legal obligation to each Party, respectively, by contract or otherwise, sufficient to enable each Party to fully comply with all provisions of this BAC including, without limitation, the requirement that modifications or limitations that the Covered Entity has agreed to adhere to with regards to the use and disclosure of PHI of any individual that materially affects and/or limits the uses and disclosures that are otherwise permitted under the Standard will be communicated to the Business Associate, in writing, and in a timely fashion.
e. that it will reasonably cooperate with the other Party in the performance of the mutual obligations under this BAC.
f. that neither the Party, nor its shareholders, members, directors, officers, agents, employees or members of its workforce have been excluded or served a notice of exclusion or have been served with a notice of proposed exclusion, or have committed any acts which are cause for exclusion, from participation in, or had any sanctions, or civil or criminal penalties imposed under, any federal or state program. Each Party further agrees to notify the other Party immediately after the Party becomes aware that any of the foregoing representation and warranties may be inaccurate or may become incorrect.
4. TERMS AND TERMINATION
4.1 Term. This BAC shall become effective on the Effective Date and shall continue in effect until all obligations of the Parties have been met, unless terminated as provided in this Section 4. In addition, certain provisions and requirements of this BAC shall survive its expiration or other termination in accordance with Section 7.3 herein.
4.2 Termination by the Covered Entity. As provided for under 45 C.F.R. § 164.504(e)(2)(iii), the Covered Entity may terminate this BAC and any related agreements if the Covered Entity makes the determination that the Business Associate has breached a material term of this BAC. The Covered Entity must: (i) provide the Business Associate with 14 day’s written notice of the existence of an alleged material breach; and (ii) afford the Business Associate an opportunity to cure said alleged material breach upon mutually agreeable terms. Nonetheless, in the event that mutually agreeable terms can not be achieved within 45 days, Business Associate must cure said breach to the satisfaction of the Covered Entity within 85 days. Failure to cure in the manner set forth in this paragraph is grounds for the immediate termination of this BAC.
4.3 Termination by Business Associate. If the Business Associate makes the determination that a material condition of performance has changed under this BAC, or that the Covered Entity has breached a material term of this BAC, Business Associate may provide 14 days notice of its intention to terminate this BAC. Business Associate agrees, however, to cooperate with Covered Entity to find a mutually satisfactory resolution to the matter prior to terminating, and further agrees, that notwithstanding this provision, it shall not terminate this BAC so long as the BAC is in effect.
4.4 Automatic Termination. This BAC will automatically terminate without any further action of the Parties upon the termination or expiration of a previous oral or written agreement between the Parties.
4.5 ffect of Termination. Upon the event of termination pursuant to this Section 4, Business Associate agrees to return or destroy all PHI pursuant to 45 C.F.R. § 164.504(e)(2)(I), if it is feasible to do so. Prior to doing so, the Business Associate further agrees to recover any PHI in the possession of its subcontractors or agents. If it is not feasible for the Business Associate to return or destroy said PHI, the Business Associate will notify the Covered Entity in writing. Said notification shall include: (i) a statement that the Business Associate has determined that it is infeasible to return or destroy the PHI in its possession, and (ii) the specific reasons for such determination, which reasons the Parties agree may include, but are not limited to, backup media. Business Associate further agrees to extend any and all protections, limitations and restrictions contained in this BAC to the Business Associate’s use and/or disclosure of any PHI retained after the termination of this BAC, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the PHI infeasible.
5. CONFIDENTIALITY
5.1 Confidentiality Obligations. In the course of performing under this BAC, each Party may receive, be exposed to or acquire the Confidential Information including but not limited to, all information, data, reports, records, summaries, tables and studies, whether written or oral, fixed in hard copy or contained in any computer data base or computer readable form, as well as any information identified as confidential (“Confidential Information”) of the other Party. For purposes of this BAC, “Confidential Information” shall include PHI, the security of which is the subject of this BAC and is provided for elsewhere. The Parties including their employees, agents or representatives (i) shall not disclose to any third party the Confidential Information of the other Party except as otherwise permitted by this BAC, (ii) only permit use of such Confidential Information by employees, agents and representatives having a need to know in connection with performance under this BAC, and (iii) advise each of their employees, agents, and representatives of their obligations to keep such Confidential Information confidential. Notwithstanding anything to the contrary herein, each Party shall be free to use, for its own business purposes, any ideas, suggestions, concepts, knowhow or techniques contained in information received from each other that directly relates to the performance under this BAC. This provision shall not apply to Confidential Information: (a) after it becomes publicly available through no fault of either Party; (b) which is later publicly released by either Party in writing; (c) which is lawfully obtained from third parties without restriction; or (d) which can be shown to be previously known or developed by either Party independently of the other Party.
6. INDEMNIFICATION
6.1 Indemnification. The Parties agree to indemnify, defend and hold harmless each other and each other’s respective employees, directors, officers, subcontractors, agents or other members of its workforce, each of the foregoing hereinafter referred to as “indemnified party,” against all actual and direct losses suffered by the indemnified party and all liability to third parties arising from or in connection with any breach of this BAC or of any warranty hereunder or from any negligence or wrongful acts or omissions, including failure to perform its obligations under the Privacy Regulation, by the indemnifying party or its employees, directors, officers, subcontractors, agents or other members of its workforce. The Parties’ obligation to indemnify any indemnified party shall survive the expiration or termination of this BAC for any reason.
7. MISCELLANEOUS
7.1 Covered Entity. For purposes of this BAC, Covered Entity shall include all entities covered by the joint notice of information practices (or privacy notice), which includes hospitals, laboratories, imaging centers, nursing facilities, and medical offices.
7.2 Business Associate. For purposes of this BAC, Business Associate shall include the named Business Associate herein. However, in the event that the Business Associate is otherwise a covered entity under the Privacy and/or Security Regulation, that entity may appropriately designate a health care component of the entity, pursuant to 45 C.F.R. § 164.504(a), as the Business Associate for purposes of this BAC.
7.3 Survival. The respective rights and obligations of Business Associate and Covered Entity under the provisions of Sections 4.5, 6.1, 7.5, and Section 2.1 solely with respect to PHI Business Associate retains in accordance with Section 4.5, because it is not feasible to return or destroy such PHI, shall survive termination of this BAC indefinitely.
7.4 Amendments; Waiver. This BAC may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
7.5 No Third Party Beneficiaries. Nothing express or implied in this BAC is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
7.6 Notices. Any notices to be given hereunder to a Party shall be made via U.S. Mail or express courier to such Party’s address given below, and/or (other than for the delivery of fees) via facsimile to the facsimile telephone numbers listed below.
If to Business Associate, to:
AnswerFirst Communications
1602 N. 21st Street
Tampa, FL 33605
Attention: Client Loyalty Mgr
Fax: 813-882-8631
If to Covered Entity, to:
Contact information and address on file with AnswerFirst Communications Inc.
Each Party named above may change its address and that of its representative for notice by the giving of notice thereof in the manner
herein above provided.
7.7 Counterparts; Facsimiles. This BAC may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.
7.8 Disputes. If any controversy, dispute, or claim arises between the Parties with respect to this BAC, the Parties shall be required to meet and seek a negotiated resolution within 30 days after written notice is given by the complaining Party. If no resolution is reached within said 30 day period, the Parties hereby agree to participate in non-binding mediation before a mediator to be jointly selected equally paid by the Parties. Such mediation shall take place within 60 days after the expiration of the 30 day initial negotiation period, unless the Parties agree to an extension. If the mediation does not result in a resolution, then the Parties further agree to enter upon binding arbitration, pursuant to the rules of the American Arbitration Association.
7.9 LIMITATION OF LIABILITY. NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND OR NATURE, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES.
7.10 This BAC does not impose any additional duties, obligations, or responsibilities on any of the parties hereto, other than those set forth in the Service Agreement and/or those imposed by the applicable statutes and regulations promulgated thereunder.
7.11 Choice of Law. This BAC and the rights and the obligations of the Parties hereunder shall be governed by and construed under the laws of the State of Florida , without regard to applicable conflict of laws principles.
7.12 Interpretation. Any ambiguity in this BAC shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules and any applicable state confidentiality laws. The provisions of this BAC shall prevail over the provisions of any other agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this BAC or the HIPAA Rules.
8. DEFINITIONS
8.1 Designated Record Set. Designated Record Set shall have the meaning set out in its definition at 45 C.F.R. § 164.501, as such provision is currently drafted and as it is subsequently updated, amended, or revised.
8.2 Health Care Operations. Health Care Operations shall have the meaning set out in its definition at 45 C.F.R. § 164.501, as such provision is currently drafted and as it is subsequently updated, amended or revised.
8.3 Privacy Officer. Privacy Officer shall have the meaning as set out in its definition at 45 C.F.R. § 164.530 (a)(1) as such provision is currently drafted and as it is subsequently updated, amended or revised.
8.4 Security Officer/ Law Enforcement Official. Security Officer/Law Enforcement Official shall have the meaning as set out in its definition at 45 C.F.R § 164.103 as such provision is currently drafted and as it is subsequently updated, amended or revised.
8.5 Protected Health Information. PHI shall have the meaning as set out in its definition at 45 C.F.R. § 160.103, as such provision is currently drafted and as it is subsequently updated, amended or revised.
8.6 HIPPA Rules. HIPAA Rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules of 45 CFR Part 160 and Part 164, as amended.
8.7 Miscellaneous Definitions: The following terms shall have the same meaning as those terms are defined and used in the HIPAA Rules: Breach, Data Aggregation, Disclosure, Individual, Required By Law, Secretary, Security Incident, Subcontractor, and Use.