HIPAA BUSINESS ASSOCIATE AGREEMENT
- Perfect Health Consulting Services, LLC, an Arizona limited liability company (“PHCSLLC”) works with certain professional health care providers, practitioners and entities performing health care services (collectively the “Providers” or “Provider(s)”, and each a “Provider”), each of whom are considered a “covered entity”, as that term is defined in the Health Insurance Portability and Accountability Act of 1996, as amended from time to time (“HIPAA”), the corresponding HIPAA Standards for Privacy of Individually Identifiable Health Information and Standards for Security of Electronic Protected Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A, C and E (the “HIPAA Regulations”), and the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”) (collectively, HIPAA, the HIPAA Regulations and the HITECH Act are referred to as the “Requirements”), and each of the Providers must comply with the Requirements.
- The Requirements mandate that each Provider enter into with its “business associates”, as that term is defined in 45 C.F.R. §160.103, an agreement containing certain minimum safeguards related to the Requirements.
- Certain goods and/or services to be provided by Provider to PHCSLLC or by PHCSLLC to Provider in connection with the Hair Mineral Analysis and Increase Your Vitality Program (the “Program”) facilitated by PHCSLLC may cause PHCSLLC to be a “business associate” of a Provider, as that term is defined in 45 C.F.R. §160.103.
- Consequently, each Provider and PHCSLLC agree to comply with the terms and conditions set forth below, with respect to minimum safeguards related to the Requirements.
THEREFORE, for valuable consideration, the receipt and adequacy of which are hereby acknowledged, PHCSLLC and each Provider, as applicable, agree:
- Definitions. Except as otherwise set forth in this Agreement, all capitalized terms in this Agreement have the same meaning as set forth in the Requirements, as such may be amended from time to time.
(a) “Disclose” has the same meaning as the term “disclosure” in 45 C.F.R. § 164.501.
(b) “EPHI” has the same meaning as the term “electronic protected health information” in 45 C.F.R. § 160.103, but limited to information created or received by PHCSLLC as a Business Associate of a Provider.
(c) “PHI” has the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, but limited to information created or received by PHCSLLC as a Business Associate of a Provider.
(d) “Secretary” means the Secretary of the Department of Health and Human Services or his or her designee.
- PHCSLLC’s Obligations. PHCSLLC will:
(a) Not Use or Disclose PHI except as permitted or required by this Agreement or as required by law;
(b) Use appropriate safeguards to prevent the Use or Disclosure of PHI, except as set forth in this Agreement;
(c) Implement Administrative, Physical and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of EPHI;
(d) Promptly report to each Provider, as applicable: (i) any Use or Disclosure of PHI by PHCSLLC or a third party to which PHCSLLC Disclosed PHI that is not contemplated by this Agreement, including any Breach of Unsecured PHI; and (ii) any Security Incident, of which PHCSLLC becomes aware;
(e) Ensure that any agents, including subcontractors, to whom PHCSLLC provides PHI agrees to the same restrictions and conditions set forth in this Agreement;
(f) In accordance with a Provider’s reasonable request, provide such Provider, in accordance with 45 C.F.R. § 164.524, access to PHI in a Designated Record Set;
(g) Make any amendment to PHI in a Designated Record Set that any applicable Provider(s) have agreed to pursuant to 45 C.F.R. § 164.526;
(h) Document any Disclosures of PHI necessary to provide an accounting of Disclosures in accordance with 45 C.F.R. § 164.528;
(i) To the extent PHCSLLC carries out any obligations of one or more Providers under the Requirements, PHCSLLC will comply with the Requirements that apply to such Provider(s) in the performance of such obligation;
(j) Make its internal practices, books and records, relating to the Use and Disclosure of PHI available to the Secretary for purposes of determining any applicable Provider(s)’ compliance with the Requirements; and
(k) Mitigate, to the extent practicable, any harmful effects (known to or reasonably discoverable by PHCSLLC) from any Use or Disclosure of PHI by PHCSLLC not permitted by this Agreement.
- Permitted Uses and Disclosures. Except as otherwise set forth in this Agreement, PHCSLLC may:
(a) Use or Disclose PHI to perform its duties and obligations to any applicable Provider and patient as set forth in writing and to report violations of the law to law enforcement; provided that, such Use or Disclosure complies with the Requirements;
(b) Use PHI for its management and administration or to carry out PHCSLLC’s legal responsibilities in relation to the Program, including without limitation those under the Program’s Internet user terms and conditions applicable to participants in the Program; and
(c) Disclose PHI for the purposes in Section 3(b) of this Agreement, if (i) the Disclosure is required by law, or (ii) PHCSLLC obtains reasonable assurances from the persons to whom the PHI is disclosed that (x) the PHI will remain confidential and will not be Used or further Disclosed except as Required By Law or for the purpose for which it was Disclosed to the person, and (y) the person will notify PHCSLLC of any instances of which it becomes aware that the confidentiality of the PHI has been breached.
- Providers’ Obligations. Each Provider, as applicable, will notify PHCSLLC of any:
(a) Limitation in any Provider(s)’ Notice Of Privacy Practices, as required by the Requirements, that may affect PHCSLLC’s Use or Disclosure of PHI;
(b) Changes in or revocation of an individual’s permission to Use or Disclose PHI, to the extent such change may affect PHCSLLC’s Use or Disclosure of PHI; and
(c) Restriction regarding the Use or Disclosure of an individual’s PHI that any Provider(s) have agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect PHCSLLC’s Use or Disclosure of the PHI.
- Effective Date. The terms and conditions in this Agreement will be effective as to a Provider and PHCSLLC as of the date of such Provider’s initial disclosure of PHI or EPHI to PHCSLLC and will continue until all PHI and EPHI in the possession of PHCSLLC is destroyed or returned to such Provider.
- Termination. Notwithstanding any provision to the contrary, if PHCSLLC materially breaches the terms of this Agreement, the corresponding Provider will provide PHCSLLC a reasonable opportunity to cure the breach or end the violation within the confines of the HIPAA Regulations and HITECH Act. If neither termination nor cure is feasible, the Provider will report the violation to the Secretary.
- Effect of Termination. Except as otherwise provided in therein, upon termination of any agreement between PHCSLLC and a Provider, PHCSLLC will return to such Provider or destroy all related PHI. If it is not feasible for PHCSLLC to return or destroy the PHI, (i) PHCSLLC will notify the Provider of such unfeasibility; (ii) PHCSLLC will limit PHCSLLC’s Use and Disclosure of such PHI to the purpose which makes it unfeasible for PHCSLLC to return or destroy the PHI; and (iii) the terms and conditions set forth in such terminated Agreement will continue with respect to the PHI for so long as PHCSLLC maintains the PHI.
- Amendment. If the Requirements are amended and the amendments require an amendment to this Agreement to comply with the amendments to the Requirements, notwithstanding anything in the Agreement to the contrary, this Agreement will be amended automatically, without any signed, written amendment by PHCSLLC and the Provider(s), to comply with the amendments. All applicable Requirements, including all future applicable Requirements, are hereby incorporated in this Agreement by this reference, as if they were set forth herein in full.
- Patient Authorization. Notwithstanding anything in this Agreement to the contrary, a patient to whom PHI or EPHI pertains may voluntarily authorize disclosure of PHI and EPHI as such patient sees fit and as such may waive or discharge the requirements of this Agreement with respect thereto. Such waiver or discharge shall not operate as a waiver or discharge with respect to PHI or EPHI not expressly covered in such waiver or discharge or for purposes other than those set forth in such waiver or discharge.