• No results found

SaaS. Business Associate Agreement

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "SaaS. Business Associate Agreement"

Copied!
5
0
0

Loading.... (view fulltext now)

Download now ( 5 Page )

Full text

(1)

SaaS

Business Associate Agreement

This Business Associate Agreement (“BA Agreement”) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement (“EUSA”) between Customer (“Covered Entity”) and Citrix.

Covered Entity and Citrix are parties to the EUSA, pursuant to which Citrix distributes services to Covered Entity and, in connection with such services, may receive, use and/or disclose for or on behalf of Covered Entity certain Protected Health Information relating to patients of Covered Entity that is subject to protection under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act”). By reason of such activities, the parties believe that Citrix is a Business Associate of Covered Entity. Covered Entity and Business Associate wish to comply in all respects with the requirements of HIPAA and the HITECH Act applicable to the relationship between covered entities and their business associates. Covered Entity and Business Associate further wish to comply with the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act, which was published on January 25, 2013.

1. Definitions. Terms used, but not otherwise defined in this BA Agreement shall have the same meaning as those terms set forth in the Privacy Rule or the Security Rule.

(a) Breach. “Breach” shall mean the unauthorized acquisition, access, use or disclosure of Protected Health Information in a manner not permitted under the Privacy Rule which compromises the security or privacy of such information. “Breach” excludes:

(i) any unintentional acquisition, access, or use of Protected Health Information by a workforce member or person acting under the authority of Covered Entity or Business Associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.

(ii) any inadvertent disclosure by a person who is authorized to access Protected Health

Information at Covered Entity or Business Associate to another person authorized to access Protected Health Information at Covered Entity or Business Associate, if the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.

(iii) a disclosure of Protected Health Information where Covered Entity or Business Associate has

a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Except as provided in exceptions (i)-(iii) above, the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the Privacy Rule is presumed to be a Breach unless the Covered Entity or Business Associate, as applicable, demonstrates that there is a low probability that the Protected Health Information has been compromised based on a risk assessment of at least the following factors:

(i) the nature and extent of the Protected Health Information involved, including the types of identifiers and the likelihood of re-identification;

(ii) the unauthorized person who used the Protected Health Information or to whom the disclosure

was made;

(iii) whether the Protected Health Information was actually acquired or viewed; and

(iv) the extent to which the risk to the Protected Health Information has been mitigated.

(b) Electronic Protected Health Information. “Electronic Protected Health Information” shall mean Protected Health Information that is transmitted by Electronic Media (as defined in the Security Rule) or maintained in Electronic Media.

(c) Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.

(2)

(d) Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information received by Business Associate from or on behalf of Covered Entity.

(e) Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.

(f) Security Incident. “Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system that provides access to Protected Health Information.

(g) Security Rule. “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR part 164 subpart C.

2. Obligations and Activities of Business Associate. Business Associate agrees to:

(a) not use or further disclose Protected Health Information other than as permitted or required by this BA Agreement or as Required By Law.

(b) use, disclose, and request only the minimum necessary amount of Protected Health Information necessary to perform its services for Covered Entity.

(c) use appropriate safeguards, and comply with the Security Rule with respect to Electronic Protected Health Information, to prevent use or disclosure of the Protected Health Information other than in accordance with this BA Agreement.

(d) mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this BA Agreement or the Privacy Rule.

(e) report to Covered Entity any use or disclosure of the Protected Health Information not in accordance with this BA Agreement of which Business Associate becomes aware, including any Breach of unsecured Protected Health Information and any Security Incident. For all reporting obligations under this BA Agreement, the parties acknowledge that, because Business Associate does not know the nature of the Protected Health Information contained in any of the Covered Entity’s accounts, it will not be possible for Business Associate to provide information about the identities of the Individuals who may have been affected, or a description of the type of information that may been subject to a Security Incident or Breach.

(f) in accordance with the Privacy Rule and the Security Rule, ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or received by Business Associate on behalf of, Covered Entity agrees to the same restrictions and conditions that apply to Business Associate.

(g) to the extent any Protected Health Information is in a designated record set, make available Protected Health Information to the extent, for the purposes and in the manner required by 45 CFR § 164.524 (Access of individuals to Protected Health Information) and 45 CFR § 164.526 (Amendment of Protected Health Information) and incorporate any amendment to Protected Health Information as required under 45 CFR

§ 164.526.

(h) to the extent Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.

(i) make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule or the Security Rule.

(3)

(j) document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528 (Accounting of disclosures of Protected Health Information). For avoidance of doubt, Business Associate will document and make available to you the information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528 of which Business Associate is aware if requested by the Covered Entity. Because Business Associate cannot readily identify which Individuals are identified or what types of Protected Health Information are included in a Covered Entity’s accounts, Covered Entity will be solely responsible for identifying which Individuals, if any, any have been included in Covered Entity data that may have been disclosed and for providing a brief description of the Protected Health Information disclosed.

(k) provide to Covered Entity, at a time and in a manner agreed by the parties, information collected in accordance with Section 2(i) of this BA Agreement to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

3. Permitted Uses and Disclosures by Business Associate.

(a) General Use and Disclosure Provisions. Subject to the terms of this BA Agreement, Business Associate may use or disclose Protected Health Information to perform the functions, activities, services for, or on behalf of, Covered Entity, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.

(b) Specific Use and Disclosure Provisions. Business Associate may use or disclose Protected Health Information for the proper management and administration of Business Associate (such as for the purposes of quality improvement and product or service testing, support; and system maintenance); provided that, Business Associate shall disclose such Protected Health Information only: (i) as Required by Law or (ii) to persons from which Business Associate obtains reasonable assurances that it will remain confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and the person shall notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached

(c) Report Violations of Law. Business Associate may use Protected Health Information to report violations of law appropriate to Federal and State authorities consistent with 45 CFR § 164.502 (j)(1).

4. Obligations of Covered Entity. Covered Entity agrees that it:

(a) has included, and will include, in the Covered Entity’s Notice of Privacy Practices required by the Privacy Rule, a provision stating that the Covered Entity may disclose Protected Health Information for health care operations and payment purposes. Upon request, Covered Entity will provide Business Associate with a copy of Covered Entity’s Notice of Privacy Practices, as well as any changes to such Notice.

(b) has provided to Business Associate notice of any limitations in Covered Entity’s Privacy Practices to the extent such limitations may affect Business Associate’s performance of services for Covered Entity or use or disclosure of Protected Health Information.

(c) will provide, upon the reasonable request of Business Associate, copies of any consent, authorization, acknowledgment or permission by an Individual to use or disclose Protected Health Information which may affect Business Associate’s performance of services for Covered Entity or use or disclosure of Protected Health Information.

(d) has obtained, and will obtain, from Individuals consents, authorizations and other permissions (if any) necessary or required by laws applicable to Covered Entity for Business Associate and Covered Entity to fulfill their respective obligations and under this BA Agreement.

(4)

(e) will provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, if such changes affect Business Associate's performance of services for Covered entity or use or disclosure of Protected Health Information.

(f) will, upon request of Business Associate, notify Business Associate of the name of and contact information for the privacy official designated by Covered Entity in accordance with 45 CFR § 164.530.

5. Permissible Requests by Covered Entity

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except as set forth in Section 3(b) above.

6. Term and Termination (a) Term

Covered Entity shall have the right to terminate this BA Agreement upon any material breach of this BA Agreement; provided, however, that prior to any such termination, Covered Entity shall provide Business Associate with notice of the existence of an alleged material breach and provide Business Associate an opportunity to cure the alleged material breach. In the event Business Associate fails to cure the material breach within thirty (30) days of receipt of written notice, Covered Entity may thereafter immediately terminate this BA Agreement.

(b) Effect of Termination.

(i) Except as provided in paragraph (ii) of this section, upon termination of this BA Agreement for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, or convert such Protected Health Information to a de-identified format consistent with the Privacy Rule. This provision shall also apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.

(ii) In the event that Business Associate determines that returning or destroying the Protected

Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall extend the protections of the BA Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. The parties agree that to the extent that Business Associate is Required by Law to maintain copies of Protected Health Information, return of such Protected Health Information shall be deemed infeasible and Business Associate shall have the right to retain such Protected Health Information as Required by Law; provided, however, that Business Associate shall only use or disclose such Protected Health Information for the purposes of and as Required by Law. The respective rights and obligations of Business Associate under Section 6 of this BA Agreement shall survive the termination of this BA Agreement.

7. Miscellaneous

(a) Regulatory References. A reference in this BA Agreement to a section in the Privacy Rule or the Security Rule means the section as in effect or as amended, and for which compliance is required.

(b) Amendment. Citrix shall update this BA Agreement from time to time as is necessary for Covered Entity or Business Associate, as applicable, to comply with the requirements of HIPAA, the Privacy Rule, the Security Rule, or the HITECH Act.

(5)

(c) Interpretation. Any ambiguity in this BA Agreement shall be resolved in favor of a meaning that permits Covered Entity or Business Associate, as applicable, to comply with HIPAA, the Privacy Rule, the Security Rule or the HITECH Act.

(d) No Beneficiary. There are no third party beneficiaries to this BA Agreement, including but not limited to any Individuals who are subject of the Protected Health Information.

(e) Governing Law. This BA Agreement shall be governed by and construed in accordance with the internal laws as set forth in Section 10 of the EUSA.

(f) Integration. This BA Agreement, as incorporated into the EUSA, is the sole and complete agreement between the parties relating to obligations under HIPAA, the Privacy Rule, the Security Rule and the HITECH Act, and supersedes any prior agreements, understandings, and communications relating thereto.

Notwithstanding the foregoing, the EUSA shall govern all other terms between the parties including without limitation, terms related to the services provided, payment obligations, and limitation of liability with respect to both the Underlying Agreements and this BA Agreement.

CTX_code: SaaS 9/13/13

References

Download now ( PDF - 5 Page - 148.20 KB )

Related documents

REQUEST FOR APPROVAL TO PROVIDE VOCATIONAL REHABILITATION SERVICES UNDER FEE FOR SERVICE EXPLANATION OF APPROVAL PROCESS

Except as otherwise provided in this Business Associate Agreement Addendum, INSERT AGENCY NAME, (hereinafter referred to as “Business Associate”), may use, access or

BUSINESS ASSOCIATE AGREEMENT TERMS

The Term of this Addendum shall be effective upon execution, and shall terminate when all of the Protected Health Information provided by Covered Entity to Business

BUSINESS ASSOCIATE AGREEMENT

Immediately upon termination of this Agreement for any reason, Business Associate shall cease further Use or Disclosure of such Protected Health Information, if any, and Business

BUSINESS ASSOCIATE ADDENDUM. WHEREAS, Provider (as defined below) has a contractual relationship with FHCCP requiring this Addendum;

3.1 Service Agreement Except as otherwise limited in this Addendum, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf

BUSINESS ASSOCIATE CONTRACTUAL ADDENDUM

Except as otherwise limited in this Addendum, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or

Effects of Patient Characteristics on Outpatient Rehabilitation Outcomes in Patients with Lumbar Impairments

FSCH= Functional status (FS) change score (FS score at discharge – FS at admission); FS score at admission= Lumbar Survey score at admission 0-100; # Comorbidities = the number

Ensuring Privacy and Security of Health Information Exchange in Pennsylvania

Except as otherwise limited in this Addendum, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

Permitted Uses and Disclosures by Business Associate; General Use and Disclosure Provisions Except as otherwise limited in this Agreement, Business Associate may only use or