1. Purpose
This Agreement governs the use and disclosure of Protected Health Information (“PHI”) by the Business Associate in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations.
2. Definitions
Protected Health Information (PHI): Individually identifiable health information, as defined in 45 CFR §160.103.
Business Associate: As defined in 45 CFR §160.103, an entity that creates, receives, maintains, or transmits PHI on behalf of the Covered Entity.
3. Permitted Uses and Disclosures
Business Associate may use or disclose PHI solely to perform services for Kennebec Valley Dental Arts, as required by this Agreement or as required by law. Any use or disclosure not permitted under this Agreement is strictly prohibited.
4. Responsibilities of Business Associate
Business Associate agrees to:
Use appropriate safeguards to prevent unauthorized use or disclosure of PHI
Implement administrative, physical, and technical safeguards under 45 CFR §164.308, §164.310, and §164.312
Report to Covered Entity any breach of unsecured PHI within 10 calendar days of discovery
Ensure that any subcontractors or agents who receive PHI agree in writing to the same restrictions and safeguards
Make PHI available for access, amendment, and accounting as required by HIPAA
Make internal practices and records related to PHI available to the Secretary of HHS for compliance determination
Return or destroy all PHI upon termination of this Agreement, if feasible
5. Breach Notification
In the event of a breach, Business Associate shall provide:
A written notice describing the nature of the breach
A list of affected individuals (if known)
Actions taken to mitigate the effects and prevent future breaches
6. Term and Termination
This Agreement remains in effect for the duration of the services provided.
Kennebec Valley Dental Arts may terminate this Agreement if the Business Associate violates its terms.
Upon termination, the Business Associate must return or destroy all PHI, or, if not feasible, extend protections for as long as the PHI is retained.
7. Miscellaneous
This Agreement is governed by federal HIPAA regulations and Maine state privacy laws.
Any ambiguities shall be resolved to permit compliance with HIPAA.
This Agreement does not grant rights or remedies to any third party.