Menu

ISMS Hassle Factor Log

*indicates a required field
Please note: Do not send ANY protected health information (PHI) to ISMS, including: patient names, date-of-birth, identification, or claim tracking numbers regardless of whether or not the PHI is blacked out.
*
*
*
*
Yes
No
Please select one or more items that best define the issue for which you are seeking ISMS assistance:
Coding:
Payment related:
Audit or Recoupment:

Plan Data:
ISMS HASSLE FACTOR LOG COMPANION DOCUMENT INCORPORATED BY REFERENCE — ILLINOIS STATE MEDICAL SOCIETY BUSINESS ASSOCIATE AGREEMENT (A) REVISED 2017

This Business Associate Agreement (“Agreement”) is between the Illinois State Medical Society (“ISMS”), 20 North Michigan Avenue, Suite 700, Chicago, IL 60602, and the “Covered Entity” (as such term is defined below) set forth on the executed and attached Hassle Factor Log. This Agreement is to memorialize the relationship between ISMS and Covered Entity and the terms that govern the use and disclosure of Protected Health Information to ISMS from Covered Entity consistent with HIPAA and the HITECH Act (as defined below) and the regulations promulgated thereunder.

I. DEFINITIONS

A. Business Associate. “Business Associate” shall mean ISMS, and all affiliates and subsidiaries.
B. Covered Entity. “Covered Entity” shall mean physicians and their personnel.
C. Electronic Protected Health Information. “Electronic protected health information” shall have the meaning found in the Security Rule [45 CFR § 160.103].
D. HIPAA. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-91).
E. HITECH Act. “HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII of the American Recovery and Reinvestment Act of 2009, P.L. 111-5).
F. Individual. “Individual” shall mean a person who is the subject of protected health information and includes a personal representative who under law has authority to make health decisions for another person [45 CFR § 164.502(g)].
G. Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at [45 CFR Part 160 and Part 164, Subparts A and E].
H. Protected Health Information. “Protected Health Information” shall mean individually identifiable health information that is transmitted or maintained in any form or medium, limited to the information created or received by Business Associate from or on behalf of Covered Entity [45 CFR § 160.103.].
I. Required By Law. “Required By Law” shall mean a mandate contained in law that compels use or disclosure of protected health information and that is enforceable in a court of law including but not limited to subpoenas [45 CFR § 164.103].
J. Security Incident. “Security Incident” shall have the same meaning as the term “security incident” in 45 CFR § 164.304.
K. Security Rule. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
L. Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
M. Unsecured Protected Health Information. “Unsecured Protected Health Information” shall have the same meaning as “unsecured protected health information” in 45 CFR § 164.402.
N. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules (which include the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164): Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Minimum Necessary, Notice of Privacy Practices, Subcontractor, and Use.

II. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

A. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.
B. Business Associate agrees to use appropriate safeguards to prevent unauthorized use or disclosure of the Protected Health Information other than as provided for by this Agreement and to comply with subpart C of Part 164 of the Security Rule, where applicable, with respect to electronic Protected Health Information.
C. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate of which Business Associate becomes aware, in violation of the requirements of this Agreement.
D. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware, including breaches of unsecured Protected Health Information as required by 45 CFR § 164.410.
E. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respectto such information by entering into a written agreement with such agent or subcontractor that complies with 45 CFR 164.504(e)(2).
F. Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or to the Secretary, upon 10 business days written notice during regular business hours of 10am - 3pm or as designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
G. Business Associate agrees to provide an Individual, within 30 calendar days of a written notice, access to inspect Protected Health Information about the Individual maintained in a designated record set in Business Associate’s possession, or provide to an Individual, or their designee, an electronic copy of the Individual’s Protected Health Information, in order to meet the requirements under 45 CFR § 164.524.
H. Business Associate agrees to make any amendment(s) to Protected Health Information in a designated record set in its possession that the Covered Entity directs or agrees to, within 60 days of receiving a written notice from Covered Entity or an Individual [45 CFR § 164.526].
I. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information. Business Associate agrees to provide to Covered Entity or an Individual, upon 10 business days of receipt of a written request for an accounting of disclosures, such information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information [45 CFR § 164.528 and HITECH Act § 13405(c)].
J. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Covered Entity as required by the Security Rule, and to require its workforce to comply with subpart C of Part 164. Business Associate will reasonably and appropriately protect against reasonably anticipated threats or hazards to the security or integrity of such information. Business Associate acknowledges that the safeguards include those specified in 45 CFR § 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements). Business Associate will also reasonably and appropriately protect against any reasonably anticipated uses or disclosures that are not permitted or required under the Privacy Rule.
K. Business Associate shall ensure that any agent, including a subcontractor, to whom it provides electronic Protected Health Information, agrees to implement reasonable and appropriate safeguards to protect it.
L. Business Associate agrees to report to Covered Entity any Security Incident involving electronic Protected Health Information of which it becomes aware [45 CFR § 164.314].
M. Business Associate shall not use or disclose Protected Health Information for marketing communications (as “marketing” is defined in 45 CFR 164.501).
N. Business Associate agrees to the prohibition on the sale of Protected Health Information without authorizations unless an exception under § 13405(d) of the HITECH Act applies.
O. Business Associate shall only disclose the minimum amount of Protected Health Information necessary to accomplish the purpose of the disclosure under HITECH Act § 13405(b) and any regulations or guidance issued by the Secretary regarding minimum necessary requirements.
P. Business Associate will comply with an Individual’s request for restrictions on the use or disclosure of Protected Health Information to health plans for payment or health care operations purposes when the health care provider has been paid out of pocket in full consistent with HITECH Act § 13405(a) and Business Associate has been notified of the request for restriction by the health care provider, Covered Entity or the Individual, and the disclosure is not required by law.
Q. Business Associate will comply with, to the extent required, the requirements relating to the provision of access to certain Protected Health Information in electronic format under the HITECH Act § 13405(e).
R. To the extent Business Associate is to carry out an obligation of Covered Entity under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.


III. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE – GENERAL USE AND DISCLOSURE PROVISIONS

A. Except as otherwise limited in this Agreement or required by applicable law, Business Associate may use or disclose Protected Health Information on behalf of, or to provide services to, Covered Entity, in order for Business Associate to carry out its obligations under this Agreement, including but not limited to the following purposes, if such use or disclosure of Protected Health Information would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity:

1. Investigating matters requested by Covered Entity as necessary to perform into the matters identified in the Hassle Factor Log attached hereto and any subsequent communications.

B. Except as otherwise limited in this Agreement or required by applicable law, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity, in order for Business Associate to carry out its obligations under this Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.


IV. SPECIFIC USE AND DISCLOSURE PROVISIONS

A. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
B. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person promptly notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached [45 CFR § 164.504(e)(4)(ii)(B)].
C. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide data aggregation services to Covered Entity [45 CFR § 164.504(e)(2)(i)(B)].
D. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities [45 CFR § 164.502(j)(1)].
E. Business Associate shall disclose Protected Health Information when required by the Secretary to investigate or determine Business Associate’s compliance with subpart C of Part 164 of the Security Rule.
F. Business Associate shall disclose Protected Health Information to Covered Entity, an Individual, or the Individual’s designee as necessary to satisfy the Covered Entity’s obligations with respect to an Individual’s request for an electronic copy of Protected Health Information.

V. OBLIGATIONS OF COVERED ENTITY – PROVISIONS FOR COVERED ENTITY TO INFORM BUSINESS ASSOCIATE OF RESTRICTIONS

A. Covered Entity shall promptly notify Business Associate in writing and in advance of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information [45 CFR § 164.522].
B. Covered Entity shall promptly notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.
C. Covered Entity shall promptly notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
D. Covered Entity shall only disclose to Business Associate the minimum amount of Protected Health Information necessary to accomplish the purpose of the disclosure to Business Associate in accordance with 45 CFR § 164.514(d) and HITECH Act § 13405(b) and any regulations or guidance issued by the Secretary regarding minimum necessary requirements.


VI. PERMISSIBLE REQUESTS BY COVERED ENTITY

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. The Business Associate may use or disclose protected health information for data aggregation or management and administrative activities of Business Associate.

VII. TERM AND TERMINATION

A. Term. The Term of this Agreement shall be effective when Covered Entity submits to Business Associate a Hassle Factor Log signed by one of its authorized physicians, and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity for purposes of this Agreement, is returned to Covered Entity or destroyed, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.

B. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall:

1. Provide written notice of 45 days for Business Associate to cure the breach or end the violation and terminate this Agreement if Business Associate does not cure the breach or end the violation within such 45 day period;
2. Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or
3. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.

C. Effect of Termination.

1. Except as provided in paragraph (2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information, except as required by law.

2. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon notice that the return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes stated for so long as Business Associate maintains such Protected Health Information, except as required by law.


D. Automatic Termination. Subject to the terms set forth in this Section 7, this Agreement shall automatically terminate if Covered Entity is no longer a member of ISMS in good standing.

VIII. MISCELLANEOUS

A. Regulatory References. A reference in this Agreement to a section in the Privacy Rule or Security Rule means the section as in effect or as amended.
B. Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA or the HITECH Act or any applicable regulations with regard to such laws.
C. Survival. The respective rights and obligations of Business Associate under Section VII (C) of this Agreement shall survive the termination of this Agreement.
D. Interpretation. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with HIPAA or the HITECH Act, or any other applicable regulations with regard to such laws.
E. Notice. Any notice required to be given to either party shall be made in writing to the address set forth on the Hassle Factor Log, or the last known address of the receiving party.
Illinois State Medical Society
20 North Michigan Avenue, 7th Floor
Chicago, IL 60606
ATTN: HIPAA Privacy Officer
Robert John Kane
Illinois State Medical Society
20 North Michigan Avenue, 7th Floor
Chicago, IL 60606
ATTN: HIPAA Assistant Security Officer
Stephen Maes
IX. RED FLAG POLICY

ISMS has adopted an Identity Theft Policy to assist in identifying, detecting, and mitigating risks of identity theft affecting members of ISMS. This policy is intended to comply with the requirements of the Federal Trade Commission’s Identity Theft Rules (the “Red Flag Rules”) (16 CFR § 681) which is a result of the Fair and Accurate Credit Transactions Act of 2003.

X. HHS BREACH NOTIFICATION

Subject to the law enforcement delay exception contained in 45 CFR § 164.412, Business Associate agrees to notify Covered Entity without unreasonable delay, but in no event later than 45 days, following the discovery of a breach of unsecured Protected Health Information and in accordance with the breach notification requirements set forth in 45 CFR § 164.410. “Breach” shall have the same meaning as the term “breach” in 45 CFR § 164.402. Business Associate will reimburse Covered Entity for the direct costs of complying with the federal breach notification requirements resulting from a breach caused by Business Associate, but in no event shall Business Associate be liable to Covered Entity or any third party for any indirect or consequential damages associated or related to any breach.
*

Cookie Consent

Cookies are required for some functionality on our site. View our privacy policy for more information.