Business Associate Agreement Regarding Privacy and Security
If Customer is a Covered Entity or a business associate and includes Protected Health Information in Customer Data provided to ACTdental or affiliates, or Dental Intelligence, Inc. as a business associate or sub-business associate, the Customer Terms of Service between the parties (the “Terms”) will automatically incorporate the terms of this Business Associate Agreement (“BAA”) as part of the overall agreement between the parties. If there is any conflict between a provision in this BAA and a provision in the Terms, this BAA will control. In this BAA, Customer is referred to as “Covered Entity,” and ACTdental and/or affiliates is referred to as “Business Associate.”
DEFINITIONS
Unless otherwise defined in this BAA, all capitalized words, like PHI, have the meanings set forth in the HIPAA Privacy and Security Rules, 45 C.F.R. Parts 160, 162 and 164, as modified from time to time.
A. “Breach” means any acquisition, access, Use, or Disclosure of Unsecured PHI not permitted by this agreement or the Privacy Rule unless specifically excluded under 42 C.F.R. 164.402.
B. "Disclose" and "Disclosure" mean, with respect to Protected Health Information, the release, transfer, providing access to, or divulging to a person or entity not within Business Associate.
C. “Disclosure Information” means the information specified in paragraph 3.3.3.
D. “DHHS” means the United States Department of Health and Human Services.
E. “Electronic PHI” means an electronic record of PHI.
F. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended by Title XIII of the American Recovery and Reinvestment Act of 2009 (HITECH Act), and the accompanying regulations.
G. “Privacy Rule” means the Standards of Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160, and Part 164, Subparts A and E.
H. “Protected Health Information”, or “PHI”, has the meaning set out in 45 C.F.R. 160.103, but includes only information created, received, maintained, or transmitted by Business Associate on Covered Entity’s behalf.
I. “Security Rule” means the Security Standards and Implementation Specifications at 45 C.F.R. Part 164, Subpart C.
J. “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable, either through valid encryption processes that meet published standards of DHHS, or by shredding, clearing, purging, or destroying the media on which PHI is stored in a way that does not allow the PHI to be reconstructed or retrieved.
K. "Use" means, with respect to PHI, utilization, employment, examination, analysis, or application.
Scope: This BAA sets forth the terms and conditions pursuant to which any and all PHI, which is provided, created, exchanged or received by and between Business Associate and Covered Entity will be handled. Business Associate and Covered Entity will comply with all applicable laws, including those governing the creation, use, disclosure, access, storage, and maintenance of PHI.
TERMS
2. Privacy of Protected Health Information
2.1. Permitted Uses and Disclosures. Business Associate is permitted to Use and Disclose PHI as follows:
2.1.1. Functions and Activities on Covered Entity's Behalf. To conduct the activities and further the obligations described in the parties' underlying agreement, as long as the Uses and Disclosures would not violate the Privacy Rule if done by Covered Entity.
2.1.2. Business Associate's Operations. For Business Associate's legitimate and proper management and administration functions, or to carry out Business Associate's legal responsibilities, provided that:
2.1.2.1. The Disclosure is Required by law; or
2.1.2.2. Business Associate obtains reasonable assurance from any person or entity to which Business Associate Discloses PHI that the person or entity will:
2.1.2.2.1. Hold the PHI in confidence and use or further Disclose it only for the purpose for which Business Associate Disclosed it to the person or entity or as Required by law; and
2.1.2.2.2. Promptly notify Business Associate (who will in turn notify Covered Entity in accordance with paragraph 4.2.1) if PHI is breached.
If the person or entity is a subcontractor or agent of Business Associate, paragraph 2.5 applies.
2.2. Minimum Necessary. Business Associate will Use, Disclose, and request the minimum amount of PHI necessary to accomplish the intended purpose of the Use, Disclosure, or request. The entity Disclosing PHI (Covered Entity or Business Associate depending on the situation) will determine what constitutes the minimum necessary amount of information to accomplish the intended purpose of the Disclosure. This paragraph 2.2 does not apply to:
2.2.1. Disclosures to or requests by a health care provider for Treatment.
2.2.2. Disclosures to the subject of the PHI, or their personal representative.
2.2.3. Use or Disclosures authorized in writing under 45 C.F.R. § 164.508 by the subject of the PHI, or by their personal representative.
2.2.4. Disclosure to DHHS in accordance with paragraph 5.1.
2.2.5. Use or Disclosures Required by law; or
2.2.6. Any other Use or Disclosures that is excepted from the minimum necessary limitation as specified in 45 C.F.R. § 164.502(b)(2).
2.3. Prohibition on Unauthorized Use or Disclosure. Business Associate will not Use or Disclose PHI except as permitted or required by this agreement or in writing by Covered Entity, or as Required by law.
2.4. Information Safeguards.
2.4.1. Privacy of Protected Health Information. Business Associate will develop, implement, and annually update appropriate safeguards to protect the privacy of PHI. The safeguards must reasonably protect the PHI from any Use or Disclosure in violation of the Privacy Rule.
2.4.2. Security of Electronic Protected Health Information. Business Associate will develop, implement, and annually update administrative, technical, and physical safeguards that reasonably protect the confidentiality, integrity, and availability of Electronic PHI.
2.5. Subcontractors and Agents. Business Associate will require its subcontractors and agents that create, receive, maintain, or transmit PHI on Business Associate's behalf, or to which Business Associate is permitted to Disclose PHI, to enter a written agreement with Business Associate substantially similar to this agreement, requiring the subcontractor or agent to comply with the same privacy and security safeguards applicable to Business Associate.
3. Individual Rights
3.1. Access. Business Associate will, within 14 days following Covered Entity's request, make available to Covered Entity or, at Covered Entity's direction, to an individual, PHI about the individual in Business Associate's custody or control. If Covered Entity requests Business Associate make the information available in electronic format and Business Associate maintains the information electronically, Business Associate will make the information available in electronic form.
3.2. Amendment. Business Associate will, upon receipt of written notice from Covered Entity, promptly amend or, at Covered Entity's direction, permit Covered Entity access to amend any PHI.
3.3. Disclosure Accounting.
3.3.1. Disclosures Subject to Accounting. Business Associate will record Disclosure Information for each Disclosure of PHI not excepted from Disclosure accounting by paragraph 3.3.2.
3.3.2. Disclosures Not Subject to Accounting. Business Associate is not obligated to record Disclosure Information or otherwise account for Disclosures of PHI:
3.3.2.1. For Treatment, Payment or Health Care Operations activities;
3.3.2.2. To an individual who is the subject of the PHI, or to their personal representative;
3.3.2.3. Authorized in writing under 45 C.F.R. § 164.508 by the subject of the PHI, or by their personal representative;
3.3.2.4. To people involved in the care of the subject of the PHI Disclosed (including payment for the care);
3.3.2.5. For disaster relief purposes under HIPAA;
3.3.2.6. To law enforcement officials or correctional institutions in accordance with 45 C.F.R. § 164.512(k)(5);
3.3.2.7. For national security or intelligence purposes in accordance with 45 C.F.R. § 164.512(k)(2);
3.3.2.8. Incident to a Use or Disclosure that Business Associate is otherwise permitted to make; and
3.3.2.9. Otherwise excepted from Disclosure accounting by 45 C.F.R. § 164.528.
3.3.3. Disclosure Information. Except as stated in paragraph 3.3.2, Business Associate will record the following Disclosure Information:
3.3.3.1. Disclosure Information Generally. Except as specified in paragraph 3.3.3.2, (i) the Disclosure date, (ii) the name and (if known) the address of the entity to which Business Associate made the Disclosure, (iii) a brief description of the PHI Disclosed, and (iv) a brief statement of the purpose of the Disclosure.
3.3.3.2. Disclosure Information for Repetitive Disclosures. Business Associate is not obligated to record the information specified in paragraph 3.3.3.1 for each repetitive Disclosure of PHI Business Associate makes for a single purpose to the same person or entity (including Covered Entity); provided, however, that Business Associate records (i) the information specified in paragraph 3.3.3.1 for the first of the repetitive accountable Disclosures, (ii) the frequency, periodicity, or number of the repetitive accountable Disclosures, and (iii) the date of the last of the repetitive accountable Disclosures.
3.3.4. Availability of Disclosure Information. Business Associate will maintain the Disclosure Information for at least 6 years following the date the applicable Disclosure was made. Business Associate will make the Disclosure Information available to Covered Entity as soon as administratively practicable, but in no case after 30 days following Covered Entity's request for Disclosure Information.
3.4. Restriction Agreements and Confidential Communications. Business Associate will comply with any agreement Covered Entity makes to restrict Use or Disclosure of PHI or require confidential communication about PHI, provided that Covered Entity notified Business Associate in writing of its obligations. Covered Entity will promptly notify Business Associate in writing of the termination of these obligations.
3.5. Individual's Right to Restrict Disclosure. Business Associate may not Disclose PHI if the subject requests that the PHI not be Disclosed, the Disclosure is to a provider for purposes of payment or health care operations, and the PHI pertains only to a health care item or service for which the individual paid a health care provider out-of-pocket in full.
4. Privacy Obligation Breach and Security Incidents.
4.1. Remedial Obligations. In the event Business Associate or any of its subcontractors, agents, or other workforce members cause a Breach, Business Associate will:
4.1.1. Discipline. Take disciplinary action it deems appropriate against any workforce member, and initiate contract remedies against any contractor or agent, responsible for the Breach.
4.1.2. Mitigate Loss. Take reasonable measures to mitigate any loss occasioned by the Breach.
4.1.3. Compliance Plan. Participate in and complete a plan of compliance, including monitoring by Covered Entity and reporting by Business Associate, as Covered Entity, in its sole discretion, determines necessary to maintain compliance with this agreement and applicable law.
4.2. Reporting.
4.2.1. Privacy Breach. Business Associate will promptly report to Covered Entity any Breach, and in no case more than five days after Business Associate learns of the Breach. Business Associate's report will at least:
4.2.1.1. Identify each individual whose Unsecured PHI has been or is reasonably believed to have been compromised;
4.2.1.2. Identify the date of the Breach and the date of discovery of the Breach;
4.2.1.3. Identify the nature of the Breach;
4.2.1.4. Identify the PHI involved in the Breach;
4.2.1.5. Identify who caused the Breach and the unauthorized recipient of the PHI;
4.2.1.6. Identify corrective actions Business Associate took or will take to prevent further Breaches;
4.2.1.7. Identify mitigating steps Business Associate took or will take following the Breach; and
4.2.1.8. Provide other information Covered Entity reasonably requests.
4.2.2. Security Incidents. In addition to the requirements of paragraph 4.2.1, Business Associate will, within 10 days, report to Covered Entity any attempted or successful unauthorized access, Use, Disclosure, modification, or destruction of Electronic PHI, and any unauthorized interference in Business Associate's information systems.
4.3. Termination of Agreement.
4.3.1. Right to Terminate for Breach of Agreement. Upon determining, in its sole discretion, that Business Associate has materially breached this agreement, Covered Entity may terminate the agreement in writing:
4.3.1.1. After providing Business Associate written notice of an opportunity to cure and Business Associate fails to cure in the time specified by Covered Entity. At a minimum, Business Associate will have ten days from the date notice is sent to cure; or
4.3.1.2. Immediately, if cure is not possible.
4.3.2. Effective Date of Termination Due to Breach. Termination due to breach of this agreement will be effective immediately or at the date specified in Covered Entity's notice of termination.
4.3.3. Right to Terminate on Regulation Change. Either Covered Entity or Business Associate may terminate this agreement if a change to 45 C.F.R. Parts 160-64 adversely affects the obligations of the party exercising the right of termination. The affected party may terminate by giving the other party written notice at least 60 days before the compliance date of the change.
4.3.4. Return or Destruction of Protected Health Information When Feasible. Except as provided in paragraph 4.3.5, Business Associate will return or destroy all PHI received from Covered Entity, or created or received by Business Associate on Covered Entity's behalf, upon termination of this agreement. This provision applies to PHI in the possession of Business Associate's subcontractors and agents.
4.3.5. Procedure When Return or Destruction Is Not Feasible. If Business Associate cannot return or destroy all PHI, Business Associate will promptly explain to Covered Entity why it cannot do so. Business Associate will extend the protections of this agreement to the remaining PHI for as long as Business Associate maintains the PHI, and will destroy or return it at the end of that period. This provision applies to PHI in the possession of Business Associate's subcontractors and agents.
4.4. Indemnity. Business Associate and Covered Entity agree to indemnify and hold harmless the other party (Indemnified) and any of the Indemnified's affiliates, officers, directors, employees, or agents from and against any claim, cause of action, liability, damage, cost or expense, including attorneys' fees and court or proceeding costs, arising out of or in connection with any unauthorized Use or Disclosure of PHI, Breach of Unsecured PHI, or other breach of this agreement by the violating party or any of its subcontractors or agents.
4.4.1. Right to Tender or Undertake Defense. If Indemnified is named a party in any judicial, administrative, or other proceeding arising out of or in connection with any unauthorized acquisition, access, Use or Disclosure of PHI or other breach of this agreement by the violating party or any subcontractor or agency under the violating party's control, Indemnified will have the option at any time either to (i) tender its defense to the violating party, in which case the violating party will provide qualified attorneys, consultants, and other appropriate professionals to represent Indemnified's interests at the violating party's expense, or (ii) undertake its own defense, choosing the attorneys, consultants, and other appropriate professionals to represent its interests, in which case the violating party will be responsible for and pay the associated and reasonable fees and expenses.
4.4.2. Right to Control Resolution. Indemnified will have the sole right and discretion to settle, compromise, or otherwise resolve any and all claims, causes of actions, liabilities, or damages against it, notwithstanding that Indemnified may have tendered its defense to the violating party. Any resolution will not relieve the violating party of its obligation to indemnify Indemnified.
4.5. Right to Recover Costs of Breach Notification. If Business Associate or any of its employees, agents, or subcontractors is responsible for a Breach of Unsecured PHI, Covered Entity may determine, in its sole discretion, which party is responsible for providing notifications required by HIPAA. Regardless of which party provides the required notification, Business Associate will be responsible for the costs of notification.
5. General Provisions.
5.1. Inspection of Internal Practices, Books, and Records. Business Associate will make its internal practices, books, and records relating to its Use and Disclosure of PHI available to Covered Entity and to DHHS to determine the parties' compliance with the Privacy Rule.
5.2. Obligation. If for any reason Business Associate carries out any of the Covered Entity's obligations under HIPAA, Business Associate shall comply with the requirements of HIPAA that apply to Covered Entity in the performance of such obligation.
5.3. Amendment to Agreement. Upon the compliance date of any final regulation or amendment that affects Business Associate's Use or Disclosure of PHI, this agreement will automatically amend such that the agreement remains in compliance with the final regulation or amendment unless Covered Entity or Business Associate elects to terminate this agreement in accordance with paragraph 4.3.
5.4. No Third-Party Beneficiaries. Nothing in this agreement is intended to create any rights in or benefits with respect to third parties.
5.5. Controlling Provisions. In the event the terms of this agreement are in conflict with the terms of the parties' underlying agreement, this agreement controls.
5.6. Signature. An electronic signature or a copy of a signature shall have the same force and effect as an original signature. This agreement may be signed in counterparts.