SUBCONTRACTOR BUSINESS ASSOCIATE PROVISIONS
Section 1
Definitions
Capitalized terms used, but not otherwise defined, in this Agreement shall have the meanings given those terms in the HIPAA Privacy and Security Rules and HITECH.
- Breach: “Breach” shall mean an acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule, which compromises the security or privacy of the PHI. For the purposes of this definition, a breach is presumed to be a breach unless the Covered Entity (CE), Business Associate (BA) or Subcontractor, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a four-factor risk assessment as amended in the Final HIPAA Omnibus Rule in §164.402(2).
- Business Associate: means Medical Technology Solutions, LLC.
- Subcontractor: means Consultant or Subcontractor.
- Electronic Protected Health Information: “Electronic Protected Health Information” shall mean Protected Health Information that is created, received, transmitted or maintained in electronic format or by electronic media.
- Individual: “Individual” shall have the same meaning as the term “Individual” in 45 C.F.R. §164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).
- Privacy Rule: “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. parts §160 and §164, Subparts A, D and E.
- Protected Health Information: “Protected Health Information” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R. §160.103, limited to the information created, received, maintained or transmitted by Subcontractor on behalf of Business Associate/Covered Entity.
- Security Incident: “Security Incident” shall have the same meaning as the term “Security Incident” in 45 C.F.R. §164.304.
- Security Rule: “Security Rule” shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. parts §160 and §164, Subparts A and C.
- Unsecured Protected Health Information or Unsecured PHI: “Unsecured PHI” shall mean protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of the HITECH Act.
- Secretary: “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.
Section 2
Obligations and Activities of Subcontractor
Subcontractor agrees to the following:
- Not Use or Disclose PHI Unless Permitted or Required. Subcontractor agrees not to Use or Disclose Protected Health Information other than as permitted or required by this Agreement, the underlying contract or as Required by Law, for the proper management and administration of the Subcontractor, or as otherwise authorized by Business Associate.
- Use Safeguards. Subcontractor agrees to implement and use appropriate administrative, physical and technical safeguards to prevent Use or Disclosure of Protected Health Information other than as provided for by this Agreement and to comply with the applicable provisions of 45 CFR part 164, Subpart C with respect to Electronic Protected Health Information.
- Mitigate Harmful Effects. Subcontractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Subcontractor of a Use or Disclosure of Protected Health Information by Subcontractor in violation of the requirements of this Agreement including any Breach.
- Report Impermissible Disclosures of PHI. Subcontractor shall report to Business Associate a discovery of Breach or any Use or Disclosure of Protected Health Information not permitted or required by this Agreement within 10 days of discovery of such Use or Disclosure, including those occurrences reported to Subcontractor by its subcontractors or agents even if such improper Use or Disclosure is not a Breach. Subcontractor also agrees to report to Business Associate any Security Incident related to Electronic Protected Health Information of which Subcontractor becomes aware within 5 days of discovery.
- Report Breach of Unsecured PHI. In the case of a Breach of Unsecured PHI, Subcontractor shall notify Business Associate within two days of becoming aware of the Breach. Subcontractor may make the initial report orally, but shall provide a full written report to Business Associate within five days of providing oral notice. Each report (oral or written) shall include, to the extent available at the time of the report, a description of the breach, the Protected Health Information disclosed (including names and contact information), and a description of any remedial action(s) taken by Subcontractor as required by 45 CFR §164.410.
- Compliance of Agents and Subcontractors. Subcontractor agrees to require any agent, including a subcontractor, that creates, receives, maintains, or transmits Protected Health Information on behalf of Subcontractor to agree to the same restrictions and conditions that apply to Subcontractor with respect to such information, including, without limitation, restrictions, conditions, and requirements regarding implementation of reasonable and appropriate safeguards to protect Electronic Protected Health Information, and to notify Subcontractor of Breaches and other improper Uses or Disclosures of Protected Health Information. In no event shall Subcontractor, without Business Associate’s prior written approval, provide Protected Health Information received from, or created, received, maintained or transmitted by, Subcontractor on behalf of Business Associate to any employee or agent, including a subcontractor, if such employee, agent or subcontractor receives, processes or otherwise has access to the Protected Health Information outside of the United States.
- Provide Access. In the event Subcontractor maintains Protected Health Information in a Designated Record Set, Subcontractor agrees to provide access, within 5 days of Business Associate’s request, to Protected Health Information in a Designated Record Set to Business Associate in the event Business Associate provides Covered Entity the Designated Record Set in order to meet the requirements under 45 CFR § 164.524.
- Incorporate Amendments. In the event Subcontractor maintains Protected Health Information in a Designated Record Set, Subcontractor agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity/Business Associate directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity/Business Associate or an Individual, within 20 days of Covered Entity’s/Business Associate’s request for such amendment.
- Disclose Practices, Books, and Records. Subcontractor agrees to make internal practices, books, and records, including policies and procedures relating to the Use and Disclosure of Protected Health Information received from, or created or received by Subcontractor on behalf of, Business Associate available to Business Associate/Covered Entity, or to the Secretary, for purposes of the Secretary determining compliance with the HIPAA Rules.
- Document Disclosures. Subcontractor agrees to document such disclosures of Protected Health Information and information related to such disclosures as required for Business Associate/Covered Entity to respond to a request by an Individual for an accounting of disclosures in accordance with 45 CFR § 164.528. Subcontractor agrees to provide to Business Associate/Covered Entity, within 20 days of Business Associate/Covered Entity’s request, the information collected to permit Business Associate/Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. §164.528.
- Respond to Requests from Individuals. Except as this Agreement or any other agreement between Business Associate and Subcontractor may otherwise provide, in the event Subcontractor receives an access, amendment, accounting of disclosure, or other similar request directly from an Individual, Subcontractor will redirect the Individual to Business Associate/Covered Entity.
Section 3
Permitted Uses and Disclosures by Subcontractor
- Functions and Activities on Behalf of Business Associate. Except as otherwise limited in this BAA, Subcontractor may Use and Disclose Protected Health Information necessary to meet its obligations under this Agreement and under the Contract, if such Use or Disclosure would not violate the Privacy Rule if done by Business Associate/Covered Entity. All other Uses or Disclosures by Subcontractor not authorized by this Agreement or by specific instruction of Business Associate/Covered Entity are prohibited.
- Minimum Necessary. Subcontractor shall Use and Disclose Protected Health Information, as well as requests for Protected Health Information, in accordance with 45 C.F.R. §164.502.
- Subcontractor’s Management and Administration. Except as otherwise limited by this Agreement, Subcontractor may use Protected Health Information for the proper management and administration of Subcontractor or to carry out the legal responsibilities of Subcontractor.
- Disclosure by Subcontractor Required by Law or With Reasonable Assurances. Except as otherwise limited by this Agreement, Subcontractor may Disclose Protected Health Information for the proper management and administration of the Subcontractor and to carry out its legal responsibilities, provided that disclosure is Required By Law, or provided that the Subcontractor obtains reasonable assurances from the person or entity to whom the Protected Health Information is disclosed that: 1) the Protected Health Information will be held confidentially; 2) the Protected Health Information will be used or further disclosed only as Required By Law or for the purpose(s) for which it was disclosed to the person or entity; and 3) the person or entity will notify Subcontractor of any instances of which the person or entity is aware in which the confidentiality of the information has been breached.
Section 4
Term and Termination
- Term. The Term of this Agreement shall be effective as of the effective date of the Agreement and shall terminate when all of the Protected Health Information provided by Business Associate to Subcontractor, or created, maintained or received by Subcontractor on behalf of Business Associate, is destroyed or returned to Business Associate, or, if it is not feasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this section.
- Termination for Cause. Upon Business Associate’s reasonable determination that Subcontractor has breached or violated a material term of this Agreement, Business Associate shall give Subcontractor written notice of such breach and provide reasonable opportunity for Subcontractor to cure the breach or end the violation. Business Associate may terminate the Contract, and Subcontractor agrees to such termination, if Subcontractor has breached a material term of this Agreement and does not cure the breach or cure is not possible.
- Effect of Termination. Upon termination of this Contract and receipt of written demand from Business Associate, Subcontractor agrees to, if feasible, return or destroy all Protected Health Information received from, or created or maintained by Subcontractor on behalf of, Business Associate/Covered Entity. In the event the return or destruction of such Protected Health Information is not feasible, Contractor shall also provide to Business Associate written notification of the conditions that make return or destruction infeasible and the protections of this Agreement will remain in force and Subcontractor shall make no further Uses and Disclosures of Protected Health Information except for the proper management and administration of its business or to carry out its legal responsibilities or as Required By Law. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Subcontractor.
Section 5
Indemnification and Injunctive Relief
- Indemnification. Subcontractor agrees to indemnify, defend and hold harmless Business Associate and its directors, officers, agents, and employees from and against any and all claims, demands, losses, expenses, costs (including reasonable attorneys’ fees), damages and causes of action arising from or relating to Subcontractor’s breach of this Agreement. In the event of a Breach by Subcontractor, its agents, employees, or subcontractors, Subcontractor will reimburse and indemnify Business Associate/Covered Entity’s expenses and costs, including attorney’s fees, that are reasonably incurred due to the Breach, including costs associated with the notification of Individuals, and the media, as well as credit monitoring and other mitigating actions if determined necessary by Business Associate/Covered Entity.
- Injunctive Relief. The parties acknowledge that the remedy at law for any breach of the terms of this Agreement is inadequate and that the damages resulting from such breach are not readily susceptible to being measured in monetary terms. Accordingly, in the event of a breach or threatened breach by Subcontractor or any of its subcontractors of the terms of this Agreement, Business Associate/Covered Entity shall be entitled to immediate injunctive relief and may obtain a temporary order restraining any threatened or further breach.
Section 6
Miscellaneous Provisions
- Regulatory References. A reference in this Agreement to a section in the Privacy Rule, Security Rule and HITECH means the Section in effect or as amended and for which compliance is required.
- Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the HIPAA Privacy Rule, Security Rule and HITECH.
- Survival. The rights and obligations of Subcontractor under Sections 4.3, 5.1 and 5.2 of this Agreement shall survive the termination of this Agreement and the termination of the Contract.
- Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule, Security Rule and HITECH.