Alliance for Patient Medication Safety® Business Associate Agreement
Updated BAA August 2013
This BUSINESS ASSOCIATE AGREEMENT (this "BA Agreement") is made by and between the Pharmacy ("Provider") and the Alliance for Patient Medication Safety® ("Business Associate") (Provider and Business Associate shall be referred to herein individually as a "Party" and together as the "Parties"). Capitalized terms used in this BA Agreement without definition shall have the respective meanings assigned to such terms by the administrative simplification section of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended by HITECH (as defined in Section 1.3 of this BA Agreement) (collectively, "HIPAA").
RECITALS
WHEREAS, Provider and Business Associate are parties to an agreement setting forth services that require Business Associate to have access to Protected Health Information (the "Participation and Confidentiality Agreement"); and
WHEREAS, it is the intent of Provider and Business Associate to append this BA Agreement to the Participation and Confidentiality Agreement for the Parties to comply with HIPAA.
NOW THEREFORE, in consideration of the mutual premises and covenants contained herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, Provider and Business Associate agree as follows:
AGREEMENT

GENERAL PROVISIONS

Section 1.1 Effect. The provisions of this BA Agreement shall control with respect to Protected Health Information Business Associate receives from or on behalf of Provider, and the terms and provisions of this BA Agreement shall supersede any conflicting or inconsistent terms and provisions of the Participation and Confidentiality Agreement, including all exhibits or other attachments thereto and all documents incorporated therein by reference, to the extent of such conflict or inconsistency. This BA Agreement shall not modify or supersede any other provision of the Participation and Confidentiality Agreement.

Section 1.2 No Third Party Beneficiaries. The Parties have not created and do not intend to create by this BA Agreement any third party rights, including, but not limited to, third party rights for Individuals.

Section 1.3 HIPAA Amendments. The Parties acknowledge and agree that the Health Information Technology for Economic and Clinical Health Act and its implementing regulations ("HITECH") impose new requirements with respect to privacy, security and breach notification applicable to business associates (collectively, the "HITECH BA Provisions"). The provisions of HITECH and the HITECH BA Provisions are hereby incorporated by reference into this BA Agreement as if set forth in this BA Agreement in their entirety. Notwithstanding anything to the contrary, the HITECH BA Provisions will be effective on the Effective Date or such subsequent date as may be specified in HITECH.

OBLIGATIONS OF BUSINESS ASSOCIATE

Section 2.1 Use and Disclosure of Protected Health Information. Business Associate may use and disclose Protected Health Information as permitted or required under this BA Agreement or as Required By Law, but shall not otherwise use or disclose any Protected Health Information. Business Associate shall not, and shall assure that its employees, other agents and contractors do not, use or disclose Protected Health Information received from Provider in any manner that would constitute a violation of HIPAA if so used or disclosed by Provider. Without limiting the generality of the foregoing, Business Associate is permitted to use or disclose Protected Health Information as set forth below:

- Business Associate may use Protected Health Information internally for Business Associate's proper management and administration or to carry out its legal responsibilities.
- Business Associate may disclose Protected Health Information to a third party for Business Associate's proper management and administration, provided that (1) the disclosure is Required by Law, or (2) Business Associate obtains reasonable assurances from the third party to whom the information is disclosed that the Protected Health Information will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the third party, and the third party notifies Business Associate of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached.
- Business Associate may use Protected Health Information to provide Data Aggregation services relating to the Health Care Operations of Provider if required or permitted under the Participation and Confidentiality Agreement or this BA Agreement.
- Business Associate may de-identify Protected Health Information, consistent with the applicable HIPAA requirements, specifically 45 C.F.R. § 164.514(b).

Section 2.2 Safeguards. Business Associate shall use appropriate safeguards to prevent the use or disclosure of Protected Health Information other than as permitted or required by this BA Agreement. In addition, Business Associate shall comply with the applicable provisions of 45 C.F.R. Part 164, Subpart C to the extent that Business Associate creates, receives, maintains, or transmits Electronic Protected Health Information on behalf of Provider.

Section 2.3 Minimum Necessary Standard. To the extent required by the "minimum necessary" requirements of HIPAA, Business Associate shall only request, use and disclose the minimum amount of Protected Health Information necessary to accomplish the purpose of the request, use or disclosure. To the extent practicable, Business Associate shall only request, use or disclose a Limited Data Set and shall comply with the minimum necessary guidance to be issued by the Secretary pursuant to HITECH.

Section 2.4 Mitigation. Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Business Associate) of a use or disclosure of Protected Health Information by Business Associate in violation of this BA Agreement.

Section 2.5 Agreements by Third Parties. In accordance with 45 C.F.R. §§ 164.308(b)(2) and 164.502(e)(1)(ii), Business Associate shall obtain and maintain a written agreement with each agent or subcontractor that creates, receives, maintains, or transmits Protected Health Information on behalf of Business Associate, which agreement shall bind the agent or subcontractor to the same obligations that Business Associate has under this BA Agreement with respect to the Protected Health Information.

Section 2.6 Reporting of Improper Disclosures of Protected Health Information.

- Business Associate shall, without unreasonable delay, but in no event later than ten (10) business days after becoming aware of any acquisition, access, use, or disclosure of Protected Health Information in violation of this BA Agreement by Business Associate, its employees, other agents or contractors ("Unauthorized Use or Disclosure"), report such Unauthorized Use or Disclosure to Provider. Without limiting the foregoing, Business Associate shall report the Unauthorized Use or Disclosure even if it determines that the Unauthorized Use or Disclosure did not compromise the privacy or security of the Protected Health Information.
- Business Associate shall, without unreasonable delay, but in no event later than ten (10) business days after becoming aware of any Security Incident, report it to Provider. Notwithstanding the foregoing, Business Associate and Provider acknowledge the ongoing existence and occurrence of attempted but unsuccessful Security Incidents that are trivial in nature, such as pings, failed log-in attempts, and port scans, and Provider acknowledges and agrees that no additional notification to Provider of such unsuccessful Security Incidents is required.
- Business Associate shall, without unreasonable delay, but in no event later than ten (10) business days after discovery of a Breach of Unsecured Protected Health Information, report such Breach to Provider.
- Business Associate shall reimburse Provider for all costs, expenses and damages (including reasonable attorneys' fees) associated with any notifications to individuals or mitigation steps taken by Provider to comply with HIPAA or state law resulting from any Unauthorized Use or Disclosure, Security Incident or Breach caused directly by Business Associate's actions or omissions. This reimbursement obligation shall survive the expiration or earlier termination of the Participation and Confidentiality Agreement and this BA Agreement.

Section 2.7 Access to Protected Health Information. Within ten (10) business days of a request by Provider for access to Protected Health Information about an Individual contained in any Designated Record Set of Provider maintained by Business Associate, Business Associate shall make available to Provider such Protected Health Information for so long as Business Associate maintains such information in the Designated Record Set. If Business Associate receives a written request for access to Protected Health Information directly from an Individual, Business Associate shall forward such request to Provider within five (5) business days.

Section 2.8 Availability of Protected Health Information for Amendment. Within ten (10) business days of receipt of a request from Provider for the amendment of an Individual's Protected Health Information contained in any Designated Record Set of Provider maintained by Business Associate, Business Associate shall provide such Protected Health Information to Provider for amendment and incorporate any such amendments in the Protected Health Information (for so long as Business Associate maintains such information in the Designated Record Set) as required by 45 C.F.R. § 164.526. If Business Associate receives a written request for amendment to Protected Health Information directly from an Individual, Business Associate shall forward such request to Provider within five (5) business days.

Section 2.9 Accounting of Disclosures. Within ten (10) business days of notice by Provider to Business Associate that it has received a request for an accounting of disclosures of Protected Health Information (other than disclosures to which an exception to the accounting requirement applies), Business Associate shall make available to Provider such information as is in Business Associate's possession and is required for Provider to make the accounting required by 45 C.F.R. § 164.528.

Section 2.10 Availability of Books and Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Provider available to the Secretary for purposes of determining Provider's and Business Associate's compliance with HIPAA.

Section 2.11 Delegation of Obligations. To the extent Business Associate is delegated to carry out Provider's HIPAA obligations under 45 C.F.R. Part 164, Subpart E, Business Associate shall comply with the applicable requirements of that part that apply to Provider in the performance of such delegated obligations.

TERMINATION OF AGREEMENT

Section 3.1 Termination Upon Breach of this BA Agreement. Any other provision of the Participation and Confidentiality Agreement notwithstanding, either Party (the "Non-Breaching Party") may terminate the Participation and Confidentiality Agreement and this BA Agreement upon thirty (30) days' advance written notice to the other Party (the "Breaching Party") in the event that the Breaching Party breaches this BA Agreement in any material respect and such breach is not cured within such thirty (30) day period. If termination of the Participation and Confidentiality Agreement and this BA Agreement is not feasible, the Non-Breaching Party shall report the Breaching Party's breach to the Secretary, to the extent Required By Law.

Section 3.2 Return or Destruction of Protected Health Information Upon Termination. Upon expiration or earlier termination of the Participation and Confidentiality Agreement, this BA Agreement shall automatically terminate and Business Associate shall either return or destroy all Protected Health Information received from Provider or created or received by Business Associate on behalf of Provider and which Business Associate still maintains in any form. Notwithstanding the foregoing, to the extent that Business Associate reasonably determines that it is not feasible to return or destroy such Protected Health Information, Business Associate shall extend the protections of this BA Agreement to such Protected Health Information and limit further uses or disclosures of such Protected Health Information to those purposes that make the return or destruction not feasible, for so long as Business Associate maintains such Protected Health Information.
MISCELLANEOUS
Section 4.1 Counterparts. This BA Agreement may be executed in two counterparts, each of which shall be deemed an original but both of which together shall constitute one and the same instrument. Copies of signatures sent by facsimile transmission or scanned and sent by email are deemed to be originals for purposes of execution and proof of this BA Agreement.
Section 4.2 Regulatory References. A reference in this BA Agreement to a section in HIPAA means the section as in effect or as amended and for which compliance is required.
Section 4.3 Amendment. No change, amendment, or modification of this BA Agreement shall be valid unless set forth in writing and agreed to by both Parties.
Section 4.4 Interpretation. Any ambiguity in this BA Agreement shall be resolved to permit Provider and Business Associate to comply with HIPAA.
Section 4.5 Notice. Any notice, report or other communication required under this Agreement shall be in writing and shall be delivered personally, telegraphed, emailed, sent by facsimile transmission, or sent by U.S. mail.