You have received this Business Associate Agreement from a representative of Carlisle Medical, Inc.
P.O. Box 9814
Mobile, AL 36691
THIS AGREEMENT, made and effective as of the date signed below, is entered into by and between CARLISLE MEDICAL, (referred to hereafter as the “Covered Entity”) and the entity listed as the signatory below (hereafter referred to as “Business Associate”).
A. DEFINITIONS USED IN THIS AGREEMENT
“Business Associate” shall generally have the same meaning as the term “Business Associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean the entity listed as the signatory below.
“Covered Entity” shall generally have the same meaning as the term “Covered Entity” at 45 CFR 160.103, and shall be construed to include any applicable parent entities, subsidiaries and affiliated entities of the party identified in the caption to this Agreement as “Covered Entity”. “Covered Entity” may also include any facility where the business associate performs services as an independent contractor on behalf of the covered entity outlined above.
“Designated Record Set” means a group of records maintained by or for Covered Entity that is (i) the medical records and billing records about individuals maintained by or for Covered Entity; (ii) the enrollment, payment, claims adjudication, and case or medical management records systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for Covered Entity to make decisions about individuals. As used herein, “Record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for Covered Entity.
“Electronic Protected Health Information” or “E-PHI” means protected health information that is transmitted or maintained in electronic media.
“Electronic Media” means:
(i) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disc, optical disc, flash drive or digital memory card; or
(ii) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as in effect from time to time, including any successor statute(s) thereto.
“HITECH” means the Health Information Technology for Economic and Clinical Health Act, Public Law 11- 005, as in effect from time to time, including any successor statute(s) thereto.
“Individually Identifiable Health Information” means information that is a subset of health information, including demographic information collected from an individual, that (i) is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and (ii) relates to the past, present or future physical or mental health or condition of an individual; the provision of healthcare of an individual; or the past, present or future payment for the provision of healthcare to an individual; and (a) identifies the individual, or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
“Privacy and Security Laws” means, collectively, HIPAA, HITECH, the Privacy Standards and Security Standards.
“Privacy Standards” means the Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164, Subparts A and E as in effect from time to time, including any successor regulation(s) thereto.
“Protected Health Information” or “PHI” means Individually Identifiable Health Information that is (i) transmitted by electronic media; (ii) maintained in any electronic media; or (iii) transmitted or maintained in any other form or medium. “Protected Health Information” shall not include (i) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. §1232g; (ii) records described in 20 U.S.C. §1232g(a)(4)(B)(iv); or (iii) employment records.
“Secretary” means the Secretary of the Department of Health and Human Services.
“Security Standards” means the Security Standards for the Protection of Electronic Health Information, 45 CFR Parts 160 and 164, Subparts A and C, as in effect from time to time, including any successor regulation(s) thereto.
B. PURPOSE OF AGREEMENT
Covered Entity and Business Associate have entered into one or more arrangements (collectively, the “Service Agreement”), whereby Business Associate provides certain services to, for or on behalf of Covered Entity. In the course of providing its services, Business Associate may, upon occasion, use or disclose Protected Health Information (PHI) from Covered Entity in performance of the services set forth in the Service Agreement. Business Associate is required by law to maintain, use and disclose such PHI only in compliance with the Privacy and Security Laws. This Agreement sets forth Business Associate’s responsibilities and obligations with respect to safeguarding the confidentiality and security of the PHI that it uses, accesses or discloses in the performance of such services.
C. OBLIGATIONS OF BUSINESS ASSOCIATE
Section 1. Use and Disclosure of PHI. Business Associate shall not, and shall ensure that its directors, managers, officers, employees, contractors, subcontractors and agents do not, use or disclose PHI received from Covered Entity in any manner that would constitute a violation of the Privacy and Security Laws if used or disclosed by Covered Entity, except that Business Associate may use or disclose PHI in a manner permitted by the Service Agreement or as required by law. Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s minimum necessary Policies and Procedures. In addition, Business Associate may use or disclose PHI (i) for Business Associate’s proper management and administrative services and (ii) to carry out the legal responsibilities of Business Associate. To the extent Business Associate discloses PHI to a third party, Business Associate must obtain, prior to making any such disclosure, (a) reasonable assurances from each such third party that such PHI will be held confidential as provided pursuant to this Agreement and only disclosed as required by law or for the purposes for which it was disclosed to such third party, and (b) a written agreement from such third party to immediately notify Business Associate of any breaches of the confidentiality of the PHI, to the extent it has obtained knowledge of such breach.
Section 2. Deidentification of PHI. Business Associate is not authorized to de-identify PHI (45 CFR 164.514) without prior written consent from Covered Entity.
Section 3. Safeguards Against Misuse of Information. Business Associate agrees that it will implement and maintain appropriate safeguards to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of this Agreement, including with respect to electronic protected health information, and shall otherwise comply with all requirements of the Privacy and Security Laws applicable to Business Associate, including, but not limited to, all policies and procedures and documentation requirements of the Security Standards.
Section 4. Reporting of Disclosures of PHI. Business Associate shall report to Covered Entity in writing, immediately but no later than five (5) business days after becoming aware of it, any disclosure of PHI in violation of this Agreement, including any breach of unsecured PHI, by Business Associate, by its officers, directors, employees, contractors or agents, or by a third party to which Business Associate disclosed PHI pursuant to Section B(1) of this Agreement.
Section 5. Agreements by Third Parties. Business Associate shall enter into a written agreement with any third party, agent, contractor or subcontractor that creates, receives, maintains or transmits PHI from, or created or received by Business Associate in carrying out its services on behalf of or for Covered Entity, pursuant to which such third party agrees to be bound by the same restrictions, terms and conditions that apply to Business Associate with respect to such PHI pursuant to this Agreement.
Section 6. Access to Information. Within five (5) business days of a notice to Business Associate by Covered Entity that an individual has requested access to PHI about that individual contained in a Designated Record Set, Business Associate shall make available to Covered Entity such PHI maintained by Business Associate, if any, for so long as, and to the extent that, such information is maintained in the Designated Record Set. In the event any individual requests access to PHI directly from Business Associate, Business Associate shall within two (2) business days forward such request to Covered Entity. Any denials of individuals’ requests for access to the PHI requested shall be the responsibility of Covered Entity.
Section 7. Availability of PHI for Amendment. Within ten (10) days of receipt of notice from Covered Entity that an individual has requested amendment of the individual’s PHI or a record regarding an individual contained in a Designated Record Set (for so long as, and to the extent that the PHI is maintained in the Designated Record Set), Business Associate shall provide such information to Covered Entity for amendment and incorporate any such amendments in the PHI as required by 45 CFR §164.526.
Section 8. Accounting of Disclosures. Within ten (10) days of written notice by Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI regarding an individual during the six (6) years prior to the date on which the accounting was requested, Business Associate shall make available to Covered Entity such information as is in Business Associate’s possession as is required for Covered Entity to make the accounting required by 45 CFR §164.528, if any. If such accounting is required, at a minimum, Business Associate shall provide Covered Entity with the following information: (i) the date of the disclosure, (ii) the name of the entity or person who received the PHI, and if none, the address of such entity or person, (iii) a brief description of the PHI disclosed, and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure. In the event the request for an accounting is delivered directly to Business Associate, Business Associate shall within two (2) business days forward such request to Covered Entity. It shall be Covered Entity’s responsibility to prepare and deliver any such accounting requested. Business Associate hereby agrees to implement an appropriate record keeping process to enable it to comply with the requirements of this Section.
Section 9. Compliance with Privacy Standards. To the extent Business Associate is to carry out one or more of Covered Entity’s obligations under Subpart E of 45 CFR Part 164 (or Privacy Standards) it shall comply with the requirements of Subpart E that apply to a Covered Entity in the performance of such obligations.
Section 10. Availability of Books and Records. Business Associate hereby agrees to make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of determining Covered Entity’s and Business Associate’s compliance with the Privacy Standards.
Section 11. Security of Electronic Protected Health Information. To the extent that Business Associate receives, uses, creates, maintains and/or discloses any Electronic Protected Health Information (“E-PHI”) in the course of providing services for or on behalf of Covered Entity, Business Associate additionally agrees: (i) to implement administrative, physical and technical safeguards to protect the confidentiality, integrity, and availability of the E-PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required by the Security Standards; (ii) to notify Covered Entity if the Business Associate becomes aware of a security incident involving Covered Entity’s E-PHI; and (iii) to ensure that any agent, including a subcontractor, to whom it provides such E-PHI agrees to implement reasonable and appropriate safeguards to protect Covered Entity’s E-PHI.
Section 12. Notification of Breach. Business Associate shall notify Covered Entity within one (1) business day of any breach of Business Associate’s obligations hereunder, or of any suspected or actual breach of security, intrusion or unauthorized use or disclosure of PHI, of which Business Associate becomes aware, and shall take prompt corrective action to cure such breach.
Business Associate shall indemnify Covered Entity for any liability incurred as a result of any unauthorized disclosure or violation of the Privacy and Security Laws by Business Associate or any agent, employee, contractor or subcontractor of Business Associate.
E. TERM OF AGREEMENT
This Agreement shall be in full force and effect beginning on the effective date and continuing until this Agreement or the Service Agreement is terminated, in accordance with Section E.
F. TERMINATION OF AGREEMENT
Section 1. Termination Upon Breach of This Agreement. The Service Agreement between Business Associate and Covered Entity may be terminated by Covered Entity upon five (5) business days’ written notice to Business Associate in the event that Business Associate breaches any provision contained in this Agreement and such breach is not cured within such five (5) business day period; provided, however, that in the event that termination of this Agreement is not feasible in Covered Entity’s sole discretion, Business Associate hereby acknowledges that Covered Entity shall have the right to report the breach to the Secretary, notwithstanding any other provision of this Agreement to the contrary.
Section 2. Return or Destruction of PHI Upon Termination. Upon termination of the Service Agreement, Business Associate shall either return or destroy all PHI received from Covered Entity or created or received by Business Associate, on behalf of Covered Entity and which Business Associate still maintains in any form. Business Associate shall not retain any copies of such PHI. Notwithstanding the foregoing, to the extent that it is not feasible to return or destroy such PHI, the terms and provisions of this Agreement shall survive termination of this Agreement and of the Service Agreement and such PHI shall be used or disclosed solely in compliance with this Agreement.
Section 1. Entire Agreement. This Agreement represents the entire and sole Agreement between the Parties with respect to the subject matter hereof and supersedes all prior discussions and Agreements between Covered Entity and Business Associate regarding the privacy and/or security of patient information.
Section 2. Assignment. Business Associate may not delegate its obligations or assign its rights hereunder without the prior written consent of Covered Entity.
Section 3. Amendment, Modification or Waiver. Except as provided in the paragraph below, any amendment, modification or waiver of any of the provisions of this Agreement shall be effective only if made in writing and executed with the same formality as this Agreement. The failure of either Party to insist upon strict performance of any of the provisions of this Agreement shall not be construed as a waiver of any subsequent default of the same or similar nature.
Notwithstanding the foregoing, this Agreement may be unilaterally amended by Covered Entity without the prior consent of Business Associate, to the extent that Covered Entity reasonably determines that such amendment is necessary to conform to any requirements imposed under the Privacy and Security Laws. Any such amendment shall be effective upon written notice from Covered Entity to Business Associate.
Section 4. Headings. All headings contained in this Agreement are for convenience of reference only, and shall not affect the construction or interpretation of this Agreement.
Section 5. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy and Security Laws.
Section 6. Authority. Each of the Parties represents and warrants that it has the full and complete power and authority to execute this Agreement and that, assuming the due execution of this Agreement by all other parties hereto, this Agreement constitutes a valid and binding obligation of such party and is enforceable in accordance with its terms.
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed by their duly authorized respective officers or representatives as of the Effective Date.