This Business Associate Agreement (“Agreement”) is between the Illinois State Medical Society (“ISMS”), 20 North Michigan Avenue, Suite 700, Chicago, IL 60602, and the “Covered Entity” (as such term is defined below) set forth on the executed and attached Hassle Factor Log. This Agreement is to memorialize the relationship between ISMS and Covered Entity and the terms that govern the use and disclosure of Protected Health Information to ISMS from Covered Entity consistent with HIPAA and the HITECH Act (as defined below) and the regulations promulgated thereunder.
I. DEFINITIONS
A. Business Associate. “Business Associate” shall mean ISMS, and all affiliates and subsidiaries.
B. Covered Entity. “Covered Entity” shall mean physicians and their personnel.
C. Electronic Protected Health Information. “Electronic protected health information” shall have the meaning found in the Security Rule [45 CFR § 160.103].
D. HIPAA. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-91).
E. HITECH Act. “HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII of the American Recovery and Reinvestment Act of 2009, P.L. 111-5).
F. Individual. “Individual” shall mean a person who is the subject of protected health information and includes a personal representative who under law has authority to make health decisions for another person [45 CFR § 164.502(g)].
G. Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at [45 CFR Part 160 and Part 164, Subparts A and E].
H. Protected Health Information. “Protected Health Information” shall mean individually identifiable health information that is transmitted or maintained in any form or medium, limited to the information created or received by Business Associate from or on behalf of Covered Entity [45 CFR § 160.103].
I. Required By Law. “Required By Law” shall mean a mandate contained in law that compels use or disclosure of protected health information and that is enforceable in a court of law including but not limited to subpoenas [45 CFR § 164.103].
J. Security Incident. “Security Incident” shall have the same meaning as the term “security incident” in 45 CFR § 164.304.
K. Security Rule. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
L. Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
M. Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the same meaning as “unsecured protected health information” in 45 CFR § 164.402.
N. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules (which include the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164): Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Minimum Necessary, Notice of Privacy Practices, Subcontractor, and Use.
II. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
A. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.
B. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement of which Business Associate becomes aware.
C. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware, including breaches of unsecured Protected Health Information as required by 45 CFR § 164.410.
D. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information by entering into a written agreement with such agent or subcontractor that complies with 45 CFR § 164.504(e)(2).
E. Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or to the Secretary, upon 10 business days written notice during regular business hours of 10am - 3pm or as designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
F. Business Associate agrees to provide an Individual, within 30 calendar days of a written notice, access to inspect Protected Health Information about the Individual maintained in a designated record set in Business Associate’s possession, or provide to an Individual, or their designee, an electronic copy of the Individual’s Protected Health Information, in order to meet the requirements under 45 CFR § 164.524.
G. Business Associate agrees to make any amendment(s) to Protected Health Information in a designated record set in its possession that the Covered Entity directs or agrees to, within 60 days of receiving a written notice from Covered Entity or an Individual [45 CFR § 164.526].
H. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information. Business Associate agrees to provide to Covered Entity or an Individual, upon 10 business days of receipt of a written request for an accounting of disclosures, such information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information [45 CFR § 164.528 and HITECH Act § 13405(c)].
I. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity as required by the Security Rule, and to require its workforce to comply with subpart same. Business Associate will reasonably and appropriately protect against reasonably anticipated threats or hazards to the security or integrity of such information. Business Associate will also reasonably and appropriately protect against any reasonably anticipated uses or disclosures that are not permitted or required under the Privacy Rule.
J. Business Associate agrees to report to Covered Entity any Security Incident involving electronic Protected Health Information of which it becomes aware [45 CFR § 164.314].
K. To the extent Business Associate is to carry out an obligation of Covered Entity under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
III. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE – GENERAL USE AND DISCLOSURE PROVISIONS
A. Except as otherwise limited in this Agreement or required by applicable law, Business Associate may use or disclose Protected Health Information on behalf of, or to provide services to, Covered Entity, in order for Business Associate to carry out its obligations under this Agreement, including but not limited to the following purposes, if such use or disclosure of Protected Health Information would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity:
1. Investigating matters requested by Covered Entity as necessary to perform into the matters identified in the Hassle Factor Log attached hereto and any subsequent communications.
B. Except as otherwise limited in this Agreement or required by applicable law, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity, in order for Business Associate to carry out its obligations under this Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
IV. SPECIFIC USE AND DISCLOSURE PROVISIONS
A. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
B. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person promptly notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached [45 CFR § 164.504(e)(4)(ii)(B)].
C. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide data aggregation services to Covered Entity [45 CFR § 164.504(e)(2)(i)(B)].
D. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities [45 CFR § 164.502(j)(1)].
V. OBLIGATIONS OF COVERED ENTITY – PROVISIONS FOR COVERED ENTITY TO INFORM BUSINESS ASSOCIATE OF RESTRICTIONS
A. Covered Entity shall promptly notify Business Associate in writing and in advance of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information [45 CFR § 164.522].
B. Covered Entity shall promptly notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
C. Covered Entity shall promptly notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
D. Covered Entity shall only disclose to Business Associate the minimum amount of Protected Health Information necessary to accomplish the purpose of the disclosure to Business Associate in accordance with 45 CFR § 164.514(d) and HITECH Act § 13405(b) and any regulations or guidance issued by the Secretary regarding minimum necessary requirements.
VI. PERMISSIBLE REQUESTS BY COVERED ENTITY
Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. The Business Associate may use or disclose protected health information for data aggregation or management and administrative activities of Business Associate.
VII. TERM AND TERMINATION
A. Term. The Term of this Agreement shall be effective when Covered Entity submits to Business Associate a Hassle Factor Log signed by one of its authorized physicians, and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity for purposes of this Agreement, is returned to Covered Entity or destroyed, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
B. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall:
1. Provide written notice of 45 days for Business Associate to cure the breach or end the violation and terminate this Agreement if Business Associate does not cure the breach or end the violation within such 45 day period;
2. Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or
3. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.
C. Effect of Termination.
1. Except as provided in paragraph (2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information, except as required by law.
2. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon notice that the return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes stated for so long as Business Associate maintains such Protected Health Information, except as required by law.
D. Automatic Termination. Subject to the terms set forth in this Section VII, this Agreement shall automatically terminate if Covered Entity is no longer a member of ISMS in good standing.
VIII. MISCELLANEOUS
A. Regulatory References. A reference in this Agreement to a section in the Privacy Rule or Security Rule means the section as in effect or as amended.
B. Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA or the HITECH Act or any applicable regulations with regard to such laws.
C. Survival. The respective rights and obligations of Business Associate under Section VII (C) of this Agreement shall survive the termination of this Agreement.
D. Interpretation. This Business Associate Agreement shall be interpreted in the following manner:
1. Any ambiguity shall be resolved in favor of a meaning that permits Covered Entity to comply with the HIPAA Rules.
2. Any inconsistency between the Agreement’s provisions and the HIPAA Rules, including all amendments, as interpreted by the DHHS, a court, or another regulatory agency with authority over the Parties.
3. Any provision of this Agreement that differs from those required by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this Agreement.
E. Notice. Any notice required to be given to either party shall be made in writing to the address set forth on the Hassle Factor Log, or the last known address of the receiving party.