Business Associate Agreement
RECITALS
Whereas, Client is a health care practitioner that provides health services.
Whereas, Client has engaged Lakefront Advisors to provide business transition and/or accounting services.
Whereas, Client, as a Covered Entity under the Health Information Portability and Accountability Act of 1996 (“HIPAA”) is required to enter into this Agreement to obtain satisfactory assurances that Lakefront Advisors, a Business Associate under HIPAA, will appropriately safeguard all Protected Health Information (“PHI”) as defined herein, disclosed, created, maintained or received by Lakefront Advisors on behalf of Client.
Whereas, Client desires to engage Lakefront Advisors to perform certain functions for, or on behalf of, Client involving the disclosure of PHI by Client to Lakefront Advisors, or the creation, maintenance or use of PHI by Lakefront Advisors on behalf of Client, and Lakefront Advisors desires to perform such functions.
Whereas, this contract shall be deemed an amendment to any parties’ underlying contract with Lakefront Advisors.
In consideration of the mutual promises below and the exchange of information pursuant to this agreement and in order to comply with all legal requirements for the protection of this information, the parties therefore agree as follows:
Article I. Definition of Terms
1.01 “Agreement” means this Business Associate Agreement.
1.02 “Business Associate” shall have the meaning given to such term in 45 C.F.R. § 160.103.
1.03 “C.F.R.” shall mean the Code of Federal Regulations.
1.04 “Covered Entity” shall have the meaning given to such term in 45 C.F.R. § 160.103, and in reference to the party to this agreement, shall mean Client.
1.05 “Designated Record Set” shall have the meaning given to such term in 45 C.F.R. § 164.501.
1.06 “Electronic Protected Health Information or Electronic PHI” shall have the meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. § 160.103, as applied to the information that Business Associate creates, receives, maintains or transmits from or on behalf of Client.
1.07 “HIPAA Rules” shall mean the Privacy, Security, Breach Notification and Enforcement Rules at 45 C.F.R. Parts 160 and 164.
1.08 “Individual” shall have the same meaning given to such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as the individual’s personal representative in accordance with 45 C.F.R. § 164.502(g).
1.09 “Privacy Rule” shall mean the Privacy Standards at 45 C.F.R. Part 164, Subpart E.
1.10 “Protected Health Information” (“PHI”) shall have the meaning given to such term in 45 C.F.R. § 160.103.
1.11 “Required By Law” shall have the same meaning given to such term in 45 C.F.R. § 164.103.
1.12 “Secretary” shall mean the Secretary of Health and Human Services (“HHS”) or his or her designee as provided in 45 C.F.R. § 160.103.
1.13 “Security Incident” shall have the same meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. § 164.304.
1.14 “Security Rule” shall mean the Security Standards at 45 C.F.R. Part 164, Subparts A and C.
Article II. Obligations and Activities of Lakefront Advisors
2.01 Protected Health Information. Lakefront Advisors agrees and acknowledges that any individual’s Protected Health Information that comes within Lakefront Advisors’ custody, exposure, possession or knowledge or is created, maintained, retained, transmitted, derived, developed, compiled, prepared or used by Lakefront Advisors in the course of or in connection with the performance of services under this Agreement, is confidential and shall remain the exclusive property of Client and shall be used, disclosed, transmitted and/or maintained solely in accordance with this Agreement and as Required By Law. Lakefront Advisors agrees to comply with its obligations as a Business Associate and acknowledges that it is subject to and agrees to comply with HIPAA and all applicable guidance and regulations issued by the Secretary to implement HIPAA and all other applicable law.
2.02 Use of Protected Health Information. Lakefront Advisors shall not use or disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law.
2.03 Forwarding Requests for Disclosure from Government to Client. Lakefront Advisors shall forward all requests for the disclosure of Protected Health Information from a law enforcement or government official, or pursuant to a subpoena, other legal request or court or administrative order, to Client as soon as possible before making the requested disclosure, but no later than five (5) business days following its receipt of such request or order.
2.04 Assisting Client Respond to Requests for Disclosure from Government. Lakefront Advisors shall provide to Client all Protected Health Information necessary to respond to a request for the disclosure of Protected Health Information by a law enforcement or government official, or pursuant to a subpoena, other legal request, or court or administrative order as soon as possible, but no later than two (2) business days following its receipt of such written request from Client.
2.05 Restrictions on Use and/or Disclosure of Protected Health Information. Lakefront Advisors shall comply with all granted restrictions on the use and/or disclosure of Protected Health Information, pursuant to 45 C.F.R. § 164.522(a), upon notice from Client. Lakefront Advisors shall forward to Client any requests for restriction on the use and/or disclosure of Protected Health Information within five (5) business days of receipt.
2.06 Requests for Confidential Communication of Protected Health Information. Lakefront Advisors shall comply with all granted requests for confidential communication of Protected Health Information, pursuant to 45 C.F.R. § 164.522(b), upon notice from Client. Lakefront Advisors shall forward to Client any requests for confidential communication of Protected Health Information within ten (10) business days of receipt.
2.07 Appropriate Safeguards. Lakefront Advisors shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Client, as required by the Security Rule.
2.08 Duty to Mitigate. Lakefront Advisors shall take immediate steps to mitigate, to the extent practicable or as reasonably directed by Client, any harmful effect that is known to Lakefront Advisors of a use or disclosure of Protected Health Information by Lakefront Advisors in violation of the requirements of this Agreement, the Privacy Rule or the Security Rule, such as obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed.
2.09 Reporting of Unauthorized Uses or Disclosures. Lakefront Advisors shall report to Client any use or disclosure of the Protected Health Information not provided for by this Agreement, the Privacy Rule or the Security Rule, including breaches of unsecured Protected Health Information, as required at 45 C.F.R. § 164.410, and any security incident of which it becomes aware, as soon as possible, but no later than five (5) business days after discovery, stating (to the extent known by Lakefront Advisors) the nature of such use or disclosure, the names and addresses of the individuals who are the subject of such Protected Health Information and the names of the individuals who made or engaged in such use or disclosure and any other available information that the Client is required to include in notifications to the affected individuals.
2.10 Subcontractors, Consultants, Agents and Other Third Parties. Lakefront Advisors shall in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2) ensure that any subcontractors, consultant, agent, or other third party that creates, receives, maintains, or transmits Protected Health Information on behalf of Lakefront Advisors agrees to the same restrictions, conditions, and requirements that apply to Lakefront Advisors with regard to its creation, use, and disclosure of Protected Health Information. Lakefront Advisors shall, upon request from Client, provide Client with a list of all such third parties. Lakefront Advisors shall ensure that any subcontractor, consultant, agent, or other third party to whom it provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect such information. Lakefront Advisors must terminate its agreement with any subcontractor, consultant, agent or other third party, and obtain all Protected Health Information provided to such subcontractor, consultant, agent or other third party, if Lakefront Advisors becomes aware that the subcontractor, consultant, agent or other third party has breached its contractual duties relating to HIPAA or this agreement. If any subcontractor, consultant, agent, or other third party of Lakefront Advisors are not subject to the jurisdiction or laws of the United States, or if any use or disclosure of Protected Health Information in performing services under the Agreement will be outside of the jurisdiction of the United States, such entities must agree by written contract with the Lakefront Advisors to be subject to the jurisdiction of the Secretary, the laws and the courts of the United States, and waive any available jurisdictional defenses as they pertain to the parties’ obligations under this Agreement, the Privacy Rule or the Security Rule.
2.11 Books and Records. Lakefront Advisors shall make internal practices, books, and records relating to Protected Health Information received from, or created or received by Lakefront Advisors, on behalf of Client, available to Client, or at the request of Client to the Secretary, for purposes of the Secretary determining Client’s compliance with the Privacy Rule.
2.12 Documenting Disclosures. Lakefront Advisors shall document such disclosures of Protected Health Information and information related to such disclosures as would be required for Client to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.
2.13 Accounting for Disclosures. Lakefront Advisors shall provide to Client, upon request and in the time and manner required by 45 C.F.R. § 164.528(c)(1), an accounting of disclosures of an Individual’s Protected Health Information, collected in accordance with Section 2.11 of this Agreement, to permit Client to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.
2.14 Minimum Necessary Disclosures. Lakefront Advisors acknowledges that it shall request from the Client and so disclose to its affiliates, subsidiaries, agents, subcontractors or other third parties, only the minimum Protected Health Information necessary to perform or fulfill a specific function required or permitted hereunder. Lakefront Advisors acknowledges that the Secretary is required by the Health Information Technology for Economic and Clinical Health “HITECH Act” to issue guidance on what constitutes “minimum necessary” for purposes of the Privacy Standards. Lakefront Advisors agrees to comply with the guidance, once issued by the Secretary, and to only request, use or disclose the minimum amount of Protected Health Information as described in such guidance.
2.15 Training. Lakefront Advisors shall provide training as to the Privacy Rule and the Client’s privacy policy to all of its employees who will handle or be responsible for handling Protected Health Information on the Client’s behalf.
2.16 Independent Lakefront Advisors. The relationship of the Lakefront Advisors with Client shall be one of independent Lakefront Advisors, and not an employee or agent of Client.
2.17 Securing Protected Health Information. Lakefront Advisors will comply with Section II.B of the April 27, 2009 HHS guidance (74 Fed. Reg. 19006 at 19009-19010) setting forth the technologies and methodologies for rendering Protected Health Information unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required. Lakefront Advisors shall ensure that any subcontractor, consultant, agent, vendor, or other third party to whom it provides Protected Health Information will implement, in a reasonable and appropriate manner, the technologies and methodologies the HITECH Act and HHS guidance specifies with respect to rendering Client’s Protected Health Information unusable, unreadable or indecipherable to unauthorized individuals.
2.18 Breach Notification. Notwithstanding paragraph 2.17 above, if any Protected Health Information in the possession, custody or control of Lakefront Advisors remains or becomes unsecured, Lakefront Advisors shall, following discovery of a breach (as such term is defined in 45 C.F.R. § 164.402) of such unsecured Protected Health Information, provide the notifications to individuals, the media and the Secretary, as set forth in 45 C.F.R. §§ 164.404 through 164.408.
2.19 Timeliness of Notifications. Except where a law enforcement official states to Client or Lakefront Advisors that a notification would impede a criminal investigation or cause damage to national security, all notifications shall be made without unreasonable delay and in no case later than 60 calendar days from discovery of the breach.
2.20 Indemnification. Lakefront Advisors shall defend, indemnify and hold harmless the Client from and against any or all cost (including but not limited to any and all costs incurred by Covered Entity in complying with the breach notification requirements of 45 C.F.R. Part 164, Subpart D), loss, interest, damage, liability, claim, legal action or demand by third parties, (including costs, expenses and reasonable attorney fees on account thereof) arising out of Lakefront Advisors’s activities under the Agreement, including but not limited to, any breach of unsecured Protected Health Information by the Lakefront Advisors or failure by the Lakefront Advisors to provide the breach notifications required by 45 C.F.R. §§ 164.404 through 164.408, except to the extent that such loss, interest, damage, liability, claim, legal action or demand was incurred as a result of the negligence or willful misconduct of Client. As a condition precedent to the Lakefront Advisors’s obligation to indemnify Client under this Agreement, Client must notify Lakefront Advisors within a reasonable amount of time upon learning of any claim or liability in order to give Lakefront Advisors an opportunity to present any appropriate defense on behalf of Client and Lakefront Advisors. Client shall have the right, but not the obligation, to participate in any defense at its own cost and with its own counsel. The provisions of this paragraph 2.20 will survive the termination of this Agreement.
2.21 Application of Privacy Rule to Lakefront Advisors. Where provided, the standards, requirements, and implementation specifications adopted under 45 C.F.R. Part 164, Subpart E, apply to Lakefront Advisors with respect to the Protected Health Information of Client.
2.22 Fundraising. Lakefront Advisors agrees to clearly and conspicuously provide any recipient of fundraising communications the opportunity to opt out of receiving any further such solicitations.
2.23 Sale of Protected Health Information. Lakefront Advisors shall, except pursuant to and in compliance with 45 C.F.R. § 164.508(a)(4), not engage in the sale of Protected Health Information.
2.24 Compliance and Enforcement. Lakefront Advisors is subject to the compliance, enforcement and civil monetary penalties provisions at 45 C.F.R., Part 160, Subparts C and D.
2.26 Individual’s Access to Protected Health Information. Lakefront Advisors shall cooperate with Client on a timely basis, consistent with 45 C.F.R. § 164.524(b)(2), to fulfill all requests by individuals for access to the individual’s Protected Health Information that are approved by Client. Lakefront Advisors shall make available Protected Health Information in a designated record set to Client as necessary to satisfy Client’s obligations under 45 C.F.R. § 164.524(c). Lakefront Advisors further agrees that to the extent Lakefront Advisors maintains Protected Health Information of Client in an electronic health record (“EHR”), Client must comply with patients’ requests for access to their Protected Health Information by giving them, or any entity that they designate clearly, conspicuously and specifically, the information in an electronic format, and must not charge the requestor more than the labor costs in responding to the request for the copy (or summary or explanation).
2.27 Implement Information Security Program. Lakefront Advisors shall implement a documented information security program that includes administrative, technical and physical safeguards designed to prevent the accidental or otherwise unauthorized use or disclosure of Protected Health Information, and the integrity and availability of electronic Protected Health Information it creates, receives, maintains or transmits on behalf of Client. The security program shall include reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the HIPAA Security Rule. In addition, Lakefront Advisors agrees to (1) maintain written documentation of its policies and procedures, and any action, activity or assessment which the HIPAA Security Rule requires to be documented, (2) retain this documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later, (3) make this documentation available to those persons responsible for implementing the procedures to which the documentation pertains, and (4) review this documentation periodically, and update it as needed in response to environmental or operational changes affecting the security of the electronic Protected Health Information. Lakefront Advisors agrees to encrypt all electronic Protected Health Information and destroy all paper Protected Health Information such that it is unusable, unreadable, or indecipherable to unauthorized users. Upon request, Lakefront Advisors shall make available Lakefront Advisors’s security program, including the most recent electronic Protected Health Information risk analysis, policies, procedures, security incidents and responses and evidence of training.
2.28 Amendments to Protected Health Information. Lakefront Advisors shall make any amendment(s) to Protected Health Information in a designated record set as directed or agreed to by Client pursuant to 45 C.F.R. § 164.526, or take other measures as necessary to satisfy Client’s obligations under 45 C.F.R. § 164.526. Lakefront Advisors must act on an individual’s request for an amendment in a manner and within the time period set forth in 45 C.F.R. § 164.526(b)(2).
2.29 Marketing. Lakefront Advisors shall not use or disclose Protected Health Information for marketing purposes without the individual’s authorization, except as provided in 45 C.F.R. §§ 164.508(a)(3)(i)(A) and (B).
Article III. Permitted Uses and Disclosures by Lakefront Advisors
3.01 General Use and Disclosure. Except as otherwise limited in this Agreement, Lakefront Advisors may use or disclose Protected Health Information only to perform its obligations and services to Client or as Required By Law, provided that such use or disclosure would not violate the Privacy or Security Rule if done by Client.
3.02 Specific Use and Disclosure Provisions.
3.02.01 Management and Administration of Lakefront Advisors. Except as otherwise limited in this Agreement, Lakefront Advisors may use Protected Health Information for the proper management and administration of the Lakefront Advisors or to carry out the legal responsibilities of the Lakefront Advisors.
3.02.02 Other Uses and Disclosures. Except as otherwise limited in this Agreement, and notwithstanding Section 3.01 above, Lakefront Advisors may disclose Protected Health Information for the proper management and administration of the Lakefront Advisors, provided that disclosures are Required by Law, or Lakefront Advisors obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies the Lakefront Advisors of any instances of which it is aware in which the confidentiality of the information has been breached.
3.02.03 Data Aggregation Services. Lakefront Advisors may use Protected Health Information to provide data aggregation services to Client as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B).
3.02.04 Reporting Violations of the Law. Lakefront Advisors may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.51(f).
3.02.05 Reporting to Health Plan. Lakefront Advisors will not disclose Protected Health Information to a health plan if the individual to whom the Protected Health Information pertains has so requested and (1) the disclosure would be for the purposes of payment or health care operations, and not for the purposes of treatment, (2) the Protected Health Information at issue pertains to a health care item or service for which the individual pays out-of-pocket and in full and (3) the disclosure is not required by law.
3.02.06 Minimum Necessary. Lakefront Advisors will, in the performance of its obligations and services to Client, make reasonable efforts to use, disclose and request only the minimum amount of Client’s Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure or request, except as set forth in 45 C.F.R. § 164.502(b)(2).
Article IV. Obligations of Client
4.01 Provisions for Client to Inform Lakefront Advisors of Privacy Practices and Restrictions.
4.01.01 Upon Lakefront Advisors’ request, Client shall provide Lakefront Advisors with the notice of privacy practices that Client produces in accordance with 45 C.F.R. § 164.520, as well as any changes to that notice.
4.01.02 Client shall provide Lakefront Advisors with any changes in, or revocation of, authorization by an Individual to use or disclose Protected Health Information, if such changes affect Lakefront Advisors’ permitted or required uses and disclosures.
4.01.03 Client shall notify Lakefront Advisors, in writing, of any restriction to the use or disclosure of Protected Health Information that Client has agreed to in accordance with 45 C.F.R. § 164.522, and Lakefront Advisors agrees to conform to any such restriction.
4.01.04 Client acknowledges that it shall provide to, or request from, the Lakefront Advisors only the minimum Protected Health Information necessary for Lakefront Advisors to perform or fulfill a specific function required or permitted hereunder.
4.01.05 Client shall take immediate steps to mitigate an impermissible use or disclosure of Protected Health Information from Lakefront Advisors to Client, including its staff, employees and agents who send and receive Protected Health Information to and from Lakefront Advisors in the course and scope of their employment, such as obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means between Client and its staff, employees and agents) or will be destroyed.
4.01.06 Client represents and warrants that it has the right and authority to disclose Protected Health Information to Lakefront Advisors for Lakefront Advisors to perform its obligations and provide services to Client. Client shall not request Lakefront Advisors to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Client.
Article V. Term and Termination
5.01 Term. The provisions of this Agreement shall take effect as of the effective date of the parties’ Underlying Agreement. Except as otherwise provided herein, the Agreement shall terminate when all of the Protected Health Information provided by Client to Lakefront Advisors, or created or received by Lakefront Advisors on behalf of Client, is destroyed or returned to Client.
5.02 Termination for Cause. Upon a Party’s knowledge of a material breach by the other party, the non-breaching Party shall provide an opportunity for the breaching Party to cure the breach or end the violation and terminate this Agreement if the breaching Party does not cure the breach or end the violation within the time specified by the non-breaching Party or immediately terminate this Agreement if cure of such breach is not possible.
5.03 Termination Without Cause. Either party to this Agreement may terminate the Agreement upon provision of sixty (60) days prior written notice.
5.04 Effect of Termination.
5.04.01 Disposal of PHI. Except as provided in paragraph 5.04.02 of this Section, upon termination of this Agreement, for any reason, Lakefront Advisors shall return or destroy all Protected Health Information received from Client, or created or received by Lakefront Advisors on behalf of Client, at the direction of Client. Lakefront Advisors shall request, in writing, Protected Health Information that is in the possession of subcontractors or agents of Lakefront Advisors.
5.04.02 In the event the Lakefront Advisors determines that returning or destroying the Protected Health Information is infeasible, Lakefront Advisors shall provide to Client notification of the conditions that make return or destruction infeasible. If return or destruction of Protected Health Information is infeasible, Lakefront Advisors shall extend the protection of this Agreement to such Protected Health Information, for so long as Lakefront Advisors maintains such Protected Health Information. Following the termination of this Agreement, Lakefront Advisors shall not disclose Protected Health Information except to Client or as Required by Law.
Article VI. Miscellaneous
6.01 Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
6.02 Amendment. This Agreement may be amended upon the mutual written agreement of the parties. Upon the enactment of any law or regulation affecting the use or disclosure of Protected Health Information, or the publication of any decision of a court of the United States or any state relating to any such law or the publication of any interpretive policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, either party may, by written notice to the other party, and by mutual agreement, amend the Agreement in such manner as such party determines necessary to comply with such law, policy, decision or regulation. If the other party disagrees with such amendment, it shall so notify the first party in writing within thirty (30) days of the notice. If the parties are unable to agree on an amendment within thirty (30) days thereafter, then either of the parties may terminate the Agreement on thirty (30) days written notice to the other party.
6.03 Survival. The obligations of Lakefront Advisors under Section 5.04.02 of this Agreement shall survive the termination of this Agreement.
6.04 Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Client to comply with the HIPAA Rules. In the event of any inconsistency or conflict between this Agreement and any other agreement between the parties, the terms, provisions and conditions of this Agreement shall govern and control. In the event of an inconsistency between the provisions of the Agreement and the mandatory terms of the HIPAA Rules, as may be amended from time to time by HHS or as a result of interpretations by HHS, a court, or another regulatory agency with authority over the Parties, the interpretation of HHS, such court or regulatory agency shall prevail. In the event of a conflict among the interpretations of these entities, the conflict shall be resolved in accordance with rules of precedence. Where provisions of this Agreement are different from those mandated by the HIPAA Rules, but are nonetheless permitted by the HIPAA Rules, the provisions of the Agreement shall control.
6.05 No Third-Party Beneficiary. Nothing express or implied in this Agreement is intended to confer, and nothing herein shall confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
6.06 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Illinois. Any disputes relating to this Agreement shall be resolved by the state or federal courts located in Kane County, Illinois, and Client consents to venue in those courts as proper.