Business Associate and Covered Entity are parties to a business agreement (the “Business Arrangement”) pursuant to which Business Associate performs certain services for the Covered Entity (the “Services”), which may include the transmission, receipt, maintenance, use and disclosure of protected health information. The Business Associate and Covered Entity (jointly “the Parties”) wish to enter into this BAA to comply with the following requirements: (i) implementing the regulations at 45 C.F.R. Parts 160, 162, and 164 for the Administrative Simplification provisions of Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (i.e., the HIPAA Privacy, Security, Electronic Transaction, Breach Notification, and Enforcement Rules (“the Implementing Regulations”)), (ii) the requirements of the Health Information Technology for Economic and Clinical Health Act, as incorporated by the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”) that are applicable to business associates, and (iii) the requirements of the final modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules as issued on January 25, 2013 and effective March 26, 2013 (75 Fed. Reg. 5566 (Jan. 25, 2013)) (“the Final Regulations”). The Implementing Regulations, the HITECH Act, and the Final Regulations are collectively referred to in this Agreement as “the HIPAA Requirements.”
The Parties agree to incorporate into this BAA any regulations issued by the U.S. Department of Health and Human Services (“DHHS”) in respect to any HIPAA Requirements that relate to the obligations of business associates subcontractors that are required to be (or should be) reflected in an agreement. Business Associate recognizes and agrees that it is obligated by law to meet the applicable provisions of the HIPAA Requirements and that it has direct liability for any violations of the HIPAA Requirements. Accordingly, the Parties agree as follows:
I. GENERAL TERMS
1. As set forth in the HIPAA Requirements at 45 C.F.R. § 160.103, “Protected Health Information” (also known as “PHI”) is defined as individually identifiable health information maintained or transmitted in any form or medium, including, without limitation, all information (including demographic, medical, and financial information), data, documentation, and materials that relate to: (i) the past, present or future physical or mental health or condition of an individual; (ii) the provision of health care to an individual; or (iii) any payment for health care to an individual, be that past, present, or future. “Privacy Standards” shall mean the Standards for Privacy of Individually Identifiable Health Information as set forth in 45 C.F.R. Parts 160 and 164. “Security Standards” shall mean the Security Standards for the Protection of Electronic Protected Health Information as set forth in 45 C.F.R. Parts 160 and 164. All other capitalized terms used in this BAA shall have the meanings set forth in HIPAA Requirements, unless this BAA indicates otherwise.
2. In the event of an inconsistency between the provisions of this BAA and the mandatory terms of the HIPAA Requirements, as they may be expressly amended from time to time by DHHS or amended as the result of interpretations by DHHS, a court, or any other regulatory agency with authority over Parties, the interpretation of DHHS, the court or regulatory agency shall prevail. In the case of a conflict of interpretations between these entities, then the conflict shall be resolved in accordance with the rules of precedence.
3. In the case the provisions of this BAA are more restrictive than the provisions of the HIPAA Requirements, the provisions of this BAA shall control.
4. In the case of an inconsistency between this BAA and any other agreement now in effect between the Parties, the provisions of this BAA shall control with respect to the permitted uses and disclosures of (and any other requirements with respect to) PHI.
5. This BAA does not create any rights to third parties except for any right expressly provided for in the HIPAA Requirements or this BAA.
II. BUSINESS ASSOCIATE OBLIGATIONS
1. Business Associate may receive from Covered Entity, or create, receive, maintain, or transmit on behalf of Covered Entity, health information that is protected under applicable state and/or federal law, including without limitation, PHI and Electronic PHI (EPHI); any references to PHI herein shall be construed to include EPHI. Business Associate agrees not to Use or Disclose (or permit the Use or Disclosure of) PHI in a manner that would be found to be in violation of the requirements of the Privacy Standards, Security Standards, or the minimum necessary policies and procedures of the Covered Entity, in the case the PHI were used or disclosed by the Covered Entity in the same manner. All appropriate safeguards shall be maintained by the Business Associate to prevent the Use or Disclosure of PHI other than as expressly permitted under this BAA. In the case of a violation of any of the requirements of this BAA the Business Associate shall take all practicable steps possible to mitigate any harmful effects that may be caused.
2. Use of PHI: Business Associate may use PHI as necessary for Covered Entity’s benefit, and for the purpose of performing Services for Covered Entity, and (i) as necessary for the proper management and administration of the Business Associate or (ii) for carrying out its legal responsibilities in the case that such uses are permitted under federal and state law. All rights in the PHI not granted herein shall be retained by the Covered Entity. Data Aggregation and creation and disclosure of de-identified health information by the Business Associate shall be permitted without prior express written authorization by the Covered Entity.
3. Disclosure of PHI: Subject to any limitations that exist in this BAA, Business Associate may Disclose PHI as necessary (i) to perform the Services, (ii) for the proper management and administration of the Business Associate, or (iii) to carry out its legal responsibilities, provided that either (a) the Disclosure is required by law or (b) the Business Associate first obtains reasonable assurances in writing from the person to whom the information is Disclosed that the information will be held confidential and further Used and Disclosed only as required by law or for the purpose for which it was Disclosed to the person, and that said person will notify the Business Associate immediately of any instances of which it is aware of a breach in the confidentiality of the information.
4. Safeguards: Business Associate agrees to establish, develop, implement, maintain, and use appropriate Administrative, Technical, and Physical Safeguards to preserve the Integrity, Confidentiality, and Availability of, and to prevent the non-permitted use or disclosure of, Electronic PHI created for or received from (or on behalf of) the Covered Entity. Business Associate further agrees that with respect to Electronic PHI, these Safeguards, at the minimum, shall meet the requirements of the HIPAA Security Standards applicable to a business associate.
5. Privacy Standards: In the event Covered Entity delegates any task to Business Associate that involves the use or disclosure of PHI, Business Associate shall comply with the Privacy Standards with respect to such delegated task.
6. Notification and Reporting of Non-Compliance with this BAA
A. Business Associate will notify Covered Entity within 20 calendar days after the discovery (and report to Business Associate as described in Section 6.ii below), of any unauthorized access, use, disclosure, modification, or destruction of PHI not permitted by this BAA, by applicable law, or permitted in writing by Covered Entity (including any successful Security Incident or Breach), whether such non-compliance is by (or at) Business Associate or by (or at) a Downstream Entity.
B. Business Associate will report to Covered Entity the information set forth in Section 6.B(ii) below concerning any successful Security Incident or any Breach of Unsecured Protected Health Information, whether such Security Incident or Breach is by (or at) Business Associate or by (or at) a Downstream Entity. The report of a Security Incident or Breach shall be submitted to Covered Entity following discovery of the successful Security Incident or Breach without unreasonable delay, but in no event later than 30 calendar days following discovery.
(i) As provided for in 45 C.F.R. § 164.402, Business Associate recognizes and agrees that any acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule (Subpart E of 45 C.F.R. Part 164) is presumed to be a Breach. As such, Business Associate shall: (i) notify Covered Entity of any and all non-permitted acquisition, access, use or disclosure of PHI, and (ii) assist Covered Entity with (or, at Covered Entity’s direction, perform) a risk assessment for the purpose of determining if there is a low probability that the PHI has been compromised. Business Associate shall cooperate with Covered Entity in meeting any obligations under the HIPAA Requirements and any other security breach notification laws that may be specified by Covered Entity.
(ii) Business Associate shall provide to Covered Entity a report that specifies: the identity, if known, of each individual whose Unsecured PHI has been (or is reasonably believed to have been) accessed, acquired, or disclosed; the nature of the non-permitted access, use or disclosure (including the date of the incident as well as the date of the discovery); what corrective actions have been taken (or will be taken) to prevent further non-permitted accesses, uses or disclosures; what was done or will be done to mitigate any deleterious effect of the non-permitted access, use or disclosure; and any other information that Covered Entity requests.
7. Agents and Subcontractors: If Business Associate discloses PHI received from the Covered Entity, or created by or received by Business Associate on behalf of the Covered Entity, to agents, including a subcontractor (collectively, “Subcontractors”), Business Associate shall require Subcontractors to agree in writing to comply with all the same restrictions and conditions that apply to the Business Associate under this BAA, and to execute a business associate agreement that complies with HIPAA. The Business Associate shall be held fully liable to Covered Entity for any acts, failures, or omissions of Subcontractors with respect to Covered Entity’s PHI as if it were their own acts, failures or omissions.
8. Access to PHI: In accordance with 45 C.F.R. §164.524 of the HIPAA Requirements, to the extent Business Associate maintains a Designated Record Set, Business Associate will make available to those individuals who are subjects of PHI, their PHI in the Designated Record Set by either (i) providing the PHI to the Covered Entity who will then share the PHI with the individual, or (ii) at the direction of Covered Entity forwarding the PHI directly to the individual or making the PHI available to such individual in a reasonable manner. Business Associate shall make such information available in an electronic format where directed by Covered Entity.
9. Amendment of PHI: In accordance with 45 C.F.R. §164.526 of the HIPAA Requirements, Business Associate shall make the PHI in a Designated Record Set available to Covered Entity for amendment and, at the direction of Covered Entity, incorporate any necessary amendment to the PHI.
10. Accounting of Disclosures
A. General Accounting Provisions:
(i) Business Associate shall maintain reliable documentation of its Disclosures of PHI subject to this BAA including: (a) the date of the Disclosure; (b) the name of the person or entity who received the information and, if known, their address; (c) a brief description of the PHI Disclosed; and (d) a brief statement as to the purpose of the Disclosure or, if applicable, a copy of the written request for a Disclosure under 45 C.F.R. §164.502(a)(2)(ii) or §164.512. This section does not apply to Disclosures exempted under 45 C.F.R. § 164.528.
(ii) Business Associate shall make available to the Covered Entity in response to a request from an Individual, the information required for an accounting of Disclosures of PHI with respect to the Individual, in accordance with 45 C.F.R. §164.528 unless an exception to such Accounting exists under 45 C.F.R. §164.528. Such Accounting is to be limited to Disclosures that were made six years prior to the request. Business Associate has fifteen days to provide the information necessary to provide an accounting. Business Associate shall immediately, but no later than five days following the request, notify the Covered Entity of such request and shall cooperate in the Covered Entity’s Response.
(iii) Special Provisions for Disclosures made through an Electronic Health Record: In the case that the Covered Entity uses or maintains an Electronic Health Record with respect to PHI and if the Business Associate makes Disclosures of PHI for purposes of Treatment, Payment, or Health Care Operations through such Electronic Health Record, Business Associate shall provide an accounting of Disclosures that the Covered Entity has determined were for Covered Entity’s Treatment, Payment, and/or Health Care Operations purposes to Individuals who request an accounting directly from the Business Associate. Any accounting made pursuant to this Section 9.III shall be limited to Disclosures made in the three years prior to the Individual’s request for the accounting. The content of the accounting shall be in accordance with 45 C.F.R. §164.528.
(iv) Fees for an Accounting: Any accounting made under the provisions of Section 9 will be provided without cost to the Individual or to the Covered Entity if it is the first accounting requested by an Individual within any twelve month period; however, a reasonable, cost-based fee may be charged if the Business Associate informs the Covered Entity and the Covered Entity informs the Individual in advance of the fee, and the Individual is afforded an opportunity to either withdraw or modify the request. All such accounting obligations shall survive the termination of this BAA and shall continue as long as the Business Associate maintains PHI.
(v) Records and Audit: Business Associate shall make available to the Secretary or its agents, and to the Covered Entity, or any other health oversight agency, its internal practices, books, and records relating to the Use and Disclosure of PHI received from, created, or received by, Business Associate on behalf of the Covered Entity for the purpose of determining Covered Entity’s compliance with both the Privacy Standards and Security Standards in a timely manner as designated by the Covered Entity or Secretary. Except to the extent prohibited by law, Business Associate agrees to notify Covered Entity immediately upon receipt by Business Associate of any and all requests served upon Business Associate by or on behalf of any and all government authorities relating to PHI received from, or created, or received by Business Associate on behalf of the Covered Entity.
III. TERM AND TERMINATION
1. This BAA shall commence on the Effective Date and shall remain in effect until terminated in accordance with the terms of this Section II, provided, however, that any termination shall be subject to Section III.F. and shall not affect the respective obligations or rights of the Parties arising under this BAA prior to the effective date of termination, all of which shall continue in accordance with their terms.
2. Either party shall have the right to terminate this BAA for any reason upon thirty days written notice.
3. Covered Entity, at its sole discretion, may terminate this BAA and shall have no further obligations to the Business Associate in the case of the following events occurring:
A. Business Associate fails to observe or perform any material covenant or obligation contained in this BAA for ten days after receiving written notice from the Covered Entity; or
B. There is a violation by the Business Associate of any provision of the Privacy Standards, Security Standards, or other applicable federal or state law.
4. In the case this BAA is terminated for either of the two reasons set forth in Section III.B., the termination shall be cause for Covered Entity to immediately terminate for cause any Business Arrangement pursuant to which Business Associate is entitled to receive PHI from Covered Entity.
5. Upon the termination of all Business Arrangements, either Party may terminate this BAA without having to give any additional notice to the other Party.
6. Return or Destruction of PHI: Upon the termination of this BAA for any reason, the Business Associate shall either return to the Covered Entity or destroy all PHI received from the Covered Entity or otherwise created through performance of the Services for the Covered Entity, that is in the possession or control of the Business Associate or any of its agents. If Business Associate comes to the determination that destruction is not feasible (to which Covered Entity agrees that such return or destruction is infeasible), Business Associate shall: (a) continue to extend the protections of this BAA and of the HIPAA Requirements to the PHI, and (b) limit further uses and disclosures of the PHI to the purpose of making return or destruction feasible.
7. No Warranty: PHI IS PROVIDED TO BUSINESS ASSOCIATE SOLELY ON AN “AS IS” BASIS. COVERED ENTITY DISCLAIMS ALL OTHER WARRANTIES, BE THEY EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE.
8. Ineligible Persons: Business Associate represents and warrants to Covered Entity that neither Business Associate nor any of its employees, agents or representatives (i) are currently excluded, debarred, or otherwise ineligible to participate in any federal health care program as defined in 42 U.S.C. § 1320a-7b(f) (“Federal Healthcare Programs”), (ii) have been convicted of a criminal offence related to the provision of health care items or services and have not yet been excluded, debarred, or otherwise declared ineligible to participate in the Federal Healthcare Programs, or (iii) are under investigation or otherwise aware of any circumstances which may result in Business Associate or any of its employees, agents or representatives being excluded from participation in the Federal Healthcare Programs. This shall be an ongoing representation and warranty during the term of this BAA and Business Associate shall immediately notify Covered Entity of any change in the status of the representations and warranty set forth in this section. Any breach of this section shall give the Covered Entity immediate right to terminate this BAA for cause.
9. Standards for Electronic Transactions: In connection with the Services to be provided to the Covered Entity pursuant to this BAA, the Business Associate agrees that if it or any of its agents or subcontractors conducts an electronic transmission for which the Secretary has established a “standard transaction” under 45 CFR Part 164, Subparts A, C, D, and F, as applicable (the “Electronic Transactions Standards”), Business Associate or its agent or subcontractors shall comply with the requirements of the Electronic Transactions Standards. Business Associate specifically represents that it has obtained such compliance. Business Associate understands that Covered Entity reserves the right to request an exception from the uses of a standard as permitted by 45 CFR § 162.940, and, if such an exception is sought, Business Associate agrees to participate in a test modification.
10. Indemnification: Business Associate shall indemnify and hold harmless the Covered Entity for and from all claims, demands, lawsuits, losses, damages, liabilities, penalties, fines, or expenses, including reasonable attorney’s fees, asserted by persons or entities against Covered Entity, or incurred by Covered Entity as a result thereof, relating to PHI maintained, used, or disclosed by the Business Associate, or by its agents or subcontractors, or arising in any way from the Business Associate’s, or its agents’ or subcontractors’, obligations or performance under this BAA or violations of all applicable Federal or state laws, rules or regulations.
IV. MISCELLANEOUS:
1. Notice: All notices, requests, demands, and other communications required or permitted to be given or made under this BAA shall be in writing, effective upon receipt or attempted delivery, and be sent by (i) personal delivery, (ii) certified or registered United States mail, return receipt requested, or (iii) overnight delivery service with proof of delivery. Notices shall be sent to the addresses below. Neither Party shall refuse delivery of any notice hereunder.
If to Business Associate:
Attn: Independent Pharmacy Distributor, LLC
1107 West Market Center Drive
High Point, NC 27260
2. Waiver: No Provision of this BAA or any breach thereof shall be deemed waived unless such waiver is in writing and signed by the party claimed to have waived such provision or breach. No waiver of a breach shall constitute a waiver of or excuse of any different or subsequent breach.
3. Assignment: Neither party may assign any of its rights or delegate or subcontract any of its obligations under this BAA without the prior written consent of the other party. Notwithstanding the foregoing, Covered Entity shall have the right to assign its rights and obligations hereunder to any entity that is either an affiliate or successor of the Covered Entity.
4. Amendment: The Parties agree to amend this BAA to the extent necessary to comply with state and federal laws, including without limitation, HIPAA and HITECH, and any regulations promulgated or other guidance issued pursuant to HIPAA and HITECH.
5. Entire Agreement: This BAA constitutes the complete agreement between Business Associate and Covered Entity relating to the matters specified in this BAA, and supersedes all prior representations or agreements, be they oral or written, with respect to such matters. In the event of a conflict between the terms of this BAA and the terms of the Business Arrangements or any such later agreement(s), the terms of this BAA shall control unless the terms of such Business Arrangements are more strict with respect to PHI and comply with the Privacy Standards and/or Security Standards, or the Parties specifically agree otherwise in writing. No oral modification or waiver of any provision of this BAA shall be binding on either Party. No obligation on either party to enter into any transaction is to be implied from the execution of this BAA. This BAA is for the benefit of, and shall be binding upon the parties, their affiliates and respective successors and assigns. No third party shall be considered a third party beneficiary under this BAA, nor shall any third party have any rights as a result of this BAA.
6. Governing Law and Venue: This BAA shall be governed by and construed in accordance with the laws of the State of North Carolina, without regard to conflicts of law principles. All suits, proceedings and other actions relating to, arising out of, or in connection with this BAA, whether founded in contract or tort, shall be submitted to any appropriate jurisdiction within the State of North Carolina.
7. Equitable Relief: Business Associate understands and acknowledges that any disclosure or misappropriation of any PHI in violation of this BAA will cause Covered Entity irreparable harm, the amount of which may be difficult to ascertain, and therefore agrees that Covered Entity shall have the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such other relief as Covered Entity shall deem appropriate. The harmed Party shall be entitled to all remedies that are available to it at law. Upon a final, non-appealable decision by a court of competent jurisdiction, the prevailing party shall be entitled to recover its reasonable attorney’s fees and expenses incurred in seeking or objecting to such available remedies or relief, as the case may be.
8. Severability: If a court finds any provision of this BAA invalid or unenforceable, the remainder of this BAA shall be interpreted so as best to reflect the intent of the Parties.
9. Counterparts. This BAA may be executed in any number of counterparts, each of which shall be deemed an original and all of which, taken together, shall constitute one and the same instrument.