Business Associate Agreement
To the extent HIPAA and HITECH require a Business Associate Agreement between you and DrFirst, and DrFirst is acting on your behalf as a Business Associate, you agree to the terms of this Business Associate Agreement, unless you have a different Business Associate Agreement in place with DrFirst, in which case that agreement will govern.
This Business Associate Agreement (“Agreement”) is made and entered into as of the date executed (“Effective Date”) by and between DrFirst.com, Inc. (the “Business Associate,” as further defined below), whose address is 9420 Key West Avenue, Suite 101, Rockville, MD 20850, and End User (the “Covered Entity,” as further defined below), (collectively, the “Parties”).
WHEREAS, the End User may be a “Covered Entity” as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the regulations promulgated pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (Division A, Title XIII and Division B, Title IV of Public L. 111–5) (which was part of the American Recovery and Reinvestment Act of 2009 (“ARRA”)), and DrFirst.com, Inc. is a “Business Associate” as defined under HIPAA;
WHEREAS, the Parties enter into this Agreement for the purpose of ensuring compliance with HIPAA and relevant implementing regulations, including the Privacy Rule (defined below), the Security Rule (defined below), and the Breach Notification Rule (defined below);
NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
I. DEFINITIONS AND INTERPRETATION
1.1 Definitions Generally.
1.1.1 “Breach” shall have the meaning given to such term in 45 C.F.R. § 164.402.
1.1.2 “Breach Notification Rule” shall mean the rule related to breach notification for Unsecured Protected Health Information at 45 C.F.R. Parts 160 and 164.
1.1.3 “Electronic Protected Health Information” or “EPHI” shall have the same meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.1.4 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Parts 160 and 164, Subparts A and E.
1.1.6 “Protected Health Information” or “PHI” shall have the meaning given to such term under the Privacy and Security Rules at 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
1.1.7 “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information, codified at 45 C.F.R. § 164 Subparts A and C.
1.1.8 Other capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the Privacy, Security or Breach Notification Rules.
1.2 Inconsistencies. In the event that the provisions of this Agreement are inconsistent with HIPAA or its implementing regulations or any binding interpretation thereof, said conflict will be resolved in accordance with the rules of presence. To the extent that any such conflicts are nonetheless permitted under the Regulations, the provisions of this Agreement will prevail.
1.3 State Law and Preemption. Where any provision of applicable State law is more stringent or otherwise constitutes a basis upon which the Regulation is preempted, state law controls and the Parties agree to comply fully therewith.
1.4 Third-Parties. Except as expressly provided for in the Regulations and/or within the terms contained herein, this Agreement does not create any rights in third parties.
II. PERMITTED USES AND DISCLOSURES BY THE BUSINESS ASSOCIATE
2.1 Permitted Uses. Except as otherwise limited in the Service Agreement, this Agreement or as Required By Law, the Business Associate may use or disclose PHI received by the Business Associate as necessary to perform functions, activities or services for or on behalf of the Covered Entity as specified in the Service Agreement and including but not limited to:
2.1.1 Facilitating the processing of administrative, clinical and financial healthcare transactions;
2.1.2 Treatment of patients of the Covered Entity;
2.1.3 Establishing and maintaining Business Management Programs;
2.2 Data Aggregation. Except as otherwise limited in this Agreement, the Business Associate may use PHI to provide data aggregation services to the Covered Entity to the fullest extent permitted by the Privacy Rule, the Service Agreement and any applicable provisions in this Agreement.
2.3 De-Identification. The Business Associate may de-identify PHI received or created pursuant to the Service Agreement consistent with 45 C.F.R. § 164.514.
2.4 Other Permitted Uses. The Business Associate may use PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities thereof.
2.5 Permitted Disclosures. The Business Associate may disclose PHI to facilitate the management and administration of the Business Associate or to carry out legal responsibilities, if:
2.5.1 Required By Law; and/or
2.5.2 Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (i) the PHI will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person; and (ii) Business Associate will be notified of any instances of which the person is aware in which the confidentiality of the PHI is breached or suspected to have been breached.
2.6 Report Violations of Law. The Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
III. PRIVACY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE
3.1 Limitations on Disclosures. The Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement, the Service Agreement, or as Required by Law. The Business Associate shall not use or disclose PHI in a manner that would violate the Privacy Rule if done by the Covered Entity, unless expressly permitted to do so pursuant to the Privacy Rule, the Service Agreement, and this Agreement.
3.2 Safeguards Against Unauthorized Use. The Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.
3.3 Reporting and Mitigation. The Business Associate agrees to report to the Covered Entity any unauthorized use or disclosure of PHI in violation of this Agreement and to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Agreement.
3.4 Agreements with Subcontractors. The Business Associate agrees to ensure, consistent with 45 C.F.R. § 164.502(e)(1)(ii), that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of the Business Associate agrees in writing to the same restrictions and conditions that apply to the Business Associate in the Service Agreement and this Agreement with respect to the PHI.
3.5 Obligations on Behalf of the Covered Entity. To the extent the Business Associate carries out an obligation of the Covered Entity’s under the Privacy Rule, the Business Associate must comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.
3.6 Access to PHI. The Business Associate shall provide access, at the request of the Covered Entity, and in the time and manner reasonably designated by the Covered Entity, to PHI in a Designated Record Set, to the Covered Entity or, as directed by the Covered Entity, to an Individual or a third party designated by the Individual, in order to meet the requirements under the Privacy Rule at 45 C.F.R. § 164.524.
3.7 Amendment of PHI. The Business Associate shall make PHI contained in a Designated Record Set available to the Covered Entity (or an Individual as directed by the Covered Entity) for purposes of amendment per 45 C.F.R. § 164.526. The Business Associate shall make any amendment(s) to an Individual’s PHI that the Covered Entity directs or agrees to pursuant to the Privacy Rule, at the request of the Covered Entity, and in the time and manner reasonably designated by the Covered Entity. If an Individual requests an amendment of PHI directly from the Business Associate or its Subcontractors, the Business Associate shall notify the Covered Entity in writing promptly after receiving such request. Any denial of amendment of PHI maintained by the Business Associate or its Subcontractors shall be the responsibility of the Covered Entity.
3.8 Accounting of Disclosures.
3.8.1 The Business Associate shall document disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. At a minimum, such information shall include: (i) the date of disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the Individual of the basis for the disclosure, or a copy of the Individual’s authorization, or a copy of the written request for disclosure.
3.8.2 The Business Associate shall provide to Covered Entity information collected in accordance with Section 4.8.1 of this Agreement, to permit the Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. In the event that the request for an accounting is delivered directly to the Business Associate or its Subcontractors, the Business Associate shall provide a copy of such request to the Covered Entity, in writing, promptly after the Business Associate’s receipt of such request.
3.9 Retention of Protected Health Information. Notwithstanding Section 8.3 of this Agreement, the Business Associate and its Subcontractors shall retain all PHI throughout the term of the Service Agreement and shall continue to maintain the information required under Section 4.8.1 of this Agreement for a period of six (6) years after termination of the Service Agreement.
3.10 Minimum Necessary. The Business Associate shall only request, use and disclose the Minimum Necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
3.11 Availability of Information. The Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of the Covered Entity available to the Covered Entity, or to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for the purposes of the Secretary determining the Covered Entity’s compliance with the Privacy Rule.
IV. SECURITY RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE
4.1 Compliance with the Security Rule. The Business Associate agrees to comply with the Security Rule with respect to Electronic Protected Health Information and have in place reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of EPHI and to prevent the use or disclosure of EPHI other than as provided for by the Service Agreement and this Agreement or as Required by Law.
4.2 Subcontractors. The Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits EPHI on behalf of the Business Associate agrees in writing to comply with the Security Rule with respect to such EPHI.
4.3 Security Incident/Breach Notification Reporting. The Business Associate shall report any successful Security Incident promptly upon becoming aware of such incident.
V. BREACH NOTIFICATION RULE OBLIGATIONS OF THE BUSINESS ASSOCIATE
5.1 Notification Requirement. To the extent the Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses Unsecured PHI, it will, following discovery of the Breach of such information, notify the Covered Entity of such Breach.
5.2 Content of Notification. Any notice referenced above in Section 6.1 of this Agreement will include, to the extent known to the Business Associate, the identification of each individual whose Unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during such Breach. Business Associate will also provide to the Covered Entity other available information that the Covered Entity is required to include in its notification to the individual pursuant to the Breach Notification Rule.
VI. OBLIGATIONS OF THE COVERED ENTITY
6.1 Notification Regarding Limitations and Restrictions on Disclosure. The Covered Entity shall notify the Business Associate of any limitation(s) in its Notice of Privacy Practices of Covered Entity which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.
6.2 Notification of Changes to Limitations and Restrictions on Disclosure. The Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
6.3 Limitations and Restrictions on Disclosure Arising Under Third-Party Agreements. The Covered Entity shall further notify the Business Associate of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to which may affect the Business Associate’s use or disclosure of PHI in accordance with the Privacy Rule.
6.4 Requests by the Covered Entity. The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would be prohibited to the Covered Entity under the applicable Regulations.
VII. TERM AND TERMINATION
7.1 Term. The term of this Agreement shall be effective as of the Effective Date and shall terminate when all of the PHI provided to the Business Associate, or created or received by the Business Associate on behalf of the Covered Entity, is destroyed or returned to the Covered Entity; or in the event that it is not feasible to return or destroy said PHI, protections are extended to such information with the termination provisions herein provided or as permissible by the applicable Regulations.
7.2 Termination for Cause. Upon the Covered Entity’s knowledge of a material breach by the Business Associate of this Agreement, the Covered Entity shall provide an opportunity for the Business Associate to cure the breach or terminate this Agreement if the Business Associate does not cure the breach or end the violation within thirty (30) days after receipt of written notice from the Covered Entity.
7.3 Disposition of PHI Upon Termination. Except as otherwise provided in this Section, upon termination of this Agreement for any reason, the Business Associate shall return or destroy all PHI received from the Covered Entity, or created or received by the Business Associate on behalf of the Covered Entity. This provision shall also be applicable to any PHI in the possession of Subcontractors of the Business Associate. In the event that the Business Associate determines that returning or destroying the PHI is infeasible, the Business Associate shall provide to the Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, the Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI.
7.4 Retention of Certain Information. The Business Associate shall retain no copies of the aforementioned PHI; however, the Covered Entity understands and agrees that information relating to individual prescription transactions submitted by use of the services provided under the Service Agreement will be retained as necessary by the Business Associate for purposes of financial reporting, insurance claims, and other legal and business purposes.
8.1 Regulatory References. Any references in this Agreement to any law, rule or regulation shall be interpreted to include the section as in current effect or as may from time to time be amended and for which compliance is required.
8.2 Amendments. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Covered Entity and the Business Associate to comply with the requirements of the Privacy, Security, or Breach Notification Rules, as well as HIPAA and the HITECH Act; however, all amendments to any of the provisions contained herein shall be made in writing.
8.3 Survival. The respective rights and obligations of Business Associate under Article V of this Agreement shall survive the termination of this Agreement.
8.4 Entire Agreement. This Agreement is the entire agreement between the Parties with regard to its subject matter and shall supersede any prior agreements.