To print, use Word version [MasterBAA.doc]
Business Associate Agreement
This BUSINESS ASSOCIATE Agreement (this “Agreement”) is made and entered into effective as of the ____ day of ______ 2009 by and between ___________________________(“Covered Entity”) and Corcoran Consulting Group (“Business Associate”).
RECITALS
A. Covered Entity is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and as such must comply with the Administrative Simplification Provisions of HIPAA, including the Privacy Standards (as defined in Article 1 of this Agreement), as of the dates indicated in instructions from the relevant federal agencies.
B. Covered Entity is interested in Business Associate furnishing reimbursement and practice management consulting services to Covered Entity, and Business Associate has the expertise necessary to provide such services.
C. In order for Business Associate to furnish services to Covered Entity in accordance with the Agreement, Covered Entity intends to disclose certain Protected Health Information (as defined in Article 1 of this Agreement) of Covered Entity patients (“PHI”) to Business Associate and expects Business Associate to use the PHI to perform its obligations under the Agreement.
E. Business Associate is a “business associate” within the meaning of the Privacy Standards.
F. Covered Entity will not transfer PHI to a business associate or permit the business associate to receive PHI on behalf of Covered Entity without satisfactory assurances from the business associate that it will appropriately safeguard the information.
G. Business Associate desires to provide the satisfactory assurances required by the Privacy Standards and further define the parties rights and responsibilities under HIPAA for the exchange of PHI.
NOW, THEREFORE, the parties, in consideration of the mutual agreements herein contained and for other good and valuable consideration, the receipt and adequacy of which are hereby acknowledged, do hereby agree as follows:
Article 1: Definitions
1.1. Definitions. For the purposes of this Agreement, the following defined terms shall have the following definitions.
a. “Designated Record Set” shall mean a group of records maintained by or for Covered Entity that is (i) the medical records and billing records about individuals maintained by or for Covered Entity, and (ii) used, in whole or in part, by or for Covered Entity to make decisions about individuals. For the purposes of this paragraph, the term “Record” means any items, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for Covered Entity.
b. “HHS” shall mean the United States Department of Health and Human Services.
c. “Individually Identifiable Health Information” shall mean information that is a subset of the health information, including demographic information, collected from an individual, as defined in 45 C.F.R. § 164.501 of the Privacy Standards.
d. “Privacy Standards” shall mean the Standards for Privacy of Individually Identifiable Health Information found at 45 C.F.R. §§ 160 and 164.
e. “Protected Health Information” shall mean certain Individually Identifiable Health Information, as defined in 45 C.F.R. § 164.501 of the Privacy Standards.
f. “Secretary” shall mean the Secretary of HHS.
Article 2: Business Associate Use and Disclosure of PHI
2.2 Receipt and Use of PHI.
b. Business Associate may use PHI internally to carry out its legal responsibilities, for proper management, internal auditing, and administration.
2.3 Disclosure of PHI.
b. Business Associate also may disclose PHI to its agents to carry out its legal responsibilities, for proper management, internal auditing, and administration.
Article 3: Duties of Business Associate
3.1. Limitations on Use of PHI. Business Associate shall not use PHI except as permitted or required by this Agreement or as required by law.
3.2. Limitations on Disclosure of PHI. Business Associate shall not disclose PHI except as permitted or required by this Agreement or as required by law. Business Associate may disclose PHI (i) for Business Associate’s proper management and administration, and (ii) to carry out the legal responsibilities of Business Associate under this Agreement, assuming either of the following conditions are satisfied: (a) the disclosure is required by law; or (b) Business Associate obtains reasonable assurances from the person to whom Business Associate further discloses the PHI that the information will be held confidentially, that the information will be used or further disclosed only as required by law or for the purposes for which it was disclosed, and the person notifies Business Associate of any instances where the confidentiality of the information has been breached.
3.3 Authorizations. Notwithstanding any other limitation in Sections 3.1 and 3.2, Covered Entity agrees that nothing in this Agreement prohibits Business Associate from using or disclosing PHI to the extent permitted by an authorization from the applicable patient.
3.5. Third Party Agreements. Under certain circumstances, Business Associate may need to enter into agreements with third parties, including subcontractors, in order to satisfy its obligations to provide services under the Agreement. If Business Associate discloses to these third parties any PHI received from Covered Entity in this context, or created or received by Business Associate on behalf of Covered Entity, Business Associate shall require such third parties to agree to be bound by the same restrictions and conditions that apply to Business Associate under this Agreement.
3.6. Reporting of Unauthorized Uses and Disclosures. If Business Associate becomes aware of any use or disclosure of PHI by Business Associate, its employees, or its agents, that is not provided for in this Agreement, Business Associate shall report such violation to Covered Entity.
3.7. Access to Information. Within twenty (20) days of Covered Entity’s written request, Business Associate shall provide Covered Entity with access to PHI in Business Associate’s possession, to the extent that Business Associate’s information consists of a Designated Record Set of the Covered Entity.
3.8 Availability of PHI for Amendment. The parties acknowledge that the Privacy Standards permit an individual who is the subject of PHI to request certain amendments of their records. Upon Covered Entity’s written request, Business Associate shall provide Covered Entity with any PHI contained in a Designated Record Set of the Covered Entity in Business Associate’s possession for amendment.
3.9. Accounting of Disclosures. Upon Covered Entity’s written request, Business Associate shall make available information to Covered Entity concerning Business Associate’s disclosure of PHI for which Covered Entity needs to provide an individual with an accounting of disclosure as required by the Privacy Standards. Should an accounting of the PHI of a particular individual be requested more than once in any twelve (12) month period, Business Associate may charge Covered Entity a reasonable, cost-based fee.
3.10. Availability of Books and Records. For purposes of determining Covered Entity’s compliance with the Privacy Standards, Business Associate agrees to make available to the Secretary its internal policies and procedures relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity.
3.11. Return of PHI at Termination.
a. Upon termination of the Agreement, Business Associate shall, where feasible, destroy or return to Covered Entity all PHI received from, or created or received by Business Associate on behalf of Covered Entity in connection with the performance of its services. Where such return or destruction is not feasible, the duties of Business Associate under this Agreement shall be extended to protect the PHI retained by Business Associate. Business Associate agrees to limit further uses and disclosures of the information retained to those purposes which made the return or destruction infeasible.
b. Notwithstanding any other limitation in this section, Covered Entity agrees that it is not necessary for Business Associate to return or destroy PHI received from, or created or received by Business Associate on behalf of Covered Entity if patient authorizations permitting such retention have been executed.
Article 4: Term and Termination
4.1. Basic Term. This Agreement shall be effective as of the date set forth above (“Effective Date”). Except as otherwise provided herein, the term of this Agreement shall commence on the Effective Date and shall run until the relationship between the Business Associate and the Covered Entity is terminated.
4.2. Termination for Material Breach. A material breach of this Agreement which is not addressed within thirty (30) days of written notice by the Covered Entity is grounds for termination by the Business Associate. Covered Entity may elect to terminate this Agreement immediately upon written notice to Business Associate where Business Associate commits a material breach.
Article 5: Indemnification
5.1. Covered Entity hereby saves and holds Business Associate harmless of and from, and indemnifies and agrees to defend it against any and all losses, liability, damages and expenses (including, without limitation, reasonable attorney’s fees and expenses) which Business Associate may incur or be compelled to pay, or for which Business Associate may become liable or compelled to pay in any action, claim, or proceeding against Business Associate, its officers, directors, employees, agents, or servants, for or by reason of any acts, whether of omission or commission, that may be committed or suffered by Business Associate or any of its officers, directors, employees, agents, or servants in connection with Covered Entity’s performance of its obligations under this Agreement and/or the Privacy Standards.
5.2. Business Associate hereby saves and holds Covered Entity harmless of and from, and indemnifies and agrees to defend it against any and all losses, liability, damages and expenses (including, without limitation, reasonable attorney’s fees and expenses) which Covered Entity may incur or be compelled to pay, or for which Covered Entity may become liable or compelled to pay in any action, claim, or proceeding against Covered Entity, its officers, directors, employees, agents, or servants, for or by reason of any acts, whether of omission or commission, that may be committed or suffered by Covered Entity or any of its officers, directors, employees, agents, or servants in connection with Business Associate’s performance of its obligations under this Agreement and/or the Privacy Standards.
5.3. This Section shall survive termination of this Agreement.
Article 6: General Provisions
6.1 The Parties expressly acknowledge that it is, and shall continue to be, their intent to fully comply with all relevant federal, state, and local laws, rules, and regulations.
6.2 This Agreement shall be governed in all respects, whether as to validity, construction, capacity, performance or otherwise, by the laws of the State of __________________.
6.3 All notices or communications required or permitted pursuant to the terms of this Agreement shall be in writing and will be delivered in person or by means of certified or registered mail, postage paid, return receipt requested, to such Party at its address as set forth below, or such other person or address as such Party may specify by similar notice to the other party hereto, or by telephone facsimile with a hard copy sent by mail with delivery on the next business day. All such notices will be deemed given upon delivery or delivered by hand, on the third business day after deposit with the U.S. Postal Service, and on the first business day after sending if by facsimile.
As to Covered Entity: _______________________________
_______________________________
_______________________________
As to Business Associate: Corcoran Consulting Group
560 East Hospitality Lane. Suite 360
San Bernardino, CA 92408
6.4 This Agreement, including any exhibits attached hereto, constitutes the entire Agreement among the Parties hereto with respect to the subject matter hereof, and supersedes any and all prior agreements or statements among the Parties hereto, both oral and written, concerning the subject matter hereof. This Agreement may not be amended, modified, or terminated except by a writing signed by both Parties.
6.5 If any provision of this Agreement shall be held invalid or unenforceable, such invalidity or unenforceability shall attach only to such provision and shall not in any way affect or render invalid or unenforceable any other provision of this Agreement.
6.6 The waiver by either Party of a breach or violation of any provision of this Agreement shall not operate as, or be construed to be, a waiver of any subsequent breach of the same or other provisions of this Agreement.
6.7 This Agreement may be executed in any number of counterparts, all of which together shall constitute one and the same instrument.
6.8 This Agreement shall be binding upon and inure to the benefit of the parties hereto and their respective successors and assigns. Neither Party shall assign or delegate its rights, duties, or obligations under this Agreement, without the prior written consent of the other Party.
6.9 In the performance of the duties and obligations of the Parties pursuant to this Agreement, each of the Parties shall at all times be acting and performing as an independent contractor, and nothing in this Agreement shall be construed or deemed to create a relationship of employer and employee, or partner, or joint venture, or principal and agent between the Parties.
6.10 A reference in this Agreement to a section in the Privacy Standards means the section as in effect or as amended.
6.11 The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the parties to comply with the requirements of the Privacy Standards.