BUSINESS ASSOCIATE/TRADING PARTNER AGREEMENT
BY CLICKING THE "I ACCEPT" ICON BELOW, or by otherwise using the software application FREECLAIMS.COM / sFreeClaims.Anvicare.Com operated by Anvicare, Inc., YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT, INCLUDING THE WARRANTY DISCLAIMERS AND LIMITATIONS OF LIABILITY PROVISIONS BELOW. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, YOU MAY CLICK THE "EXIT NOW" ICON TO LEAVE THE ANVICARE, INC., FREECLAIMS.COM SITE.
THIS BUSINESS ASSOCIATE AGREEMENT is made and effective, Monday, March 04, 2013, by and among (Get Customer name from Registration), (hereinafter known as “Covered Entity”) and Anvicare, Inc., (hereinafter known as “Business Associate”). Covered Entity and Business Associate shall collectively be known herein as “the Parties”.
WHEREAS, Covered Entity and Business Associate are as defined in 45 CFR § 160.202;
WHEREAS, Covered Entity wishes to commence a business relationship with Business Associate whereby Business Associate will provide products and services to Covered Entity pursuant to a separate services agreement;
WHEREAS, the nature of the prospective contractual relationship between Covered Entity and Business Associate may involve the exchange of Protected Health Information (“PHI”) as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including all pertinent regulations issued by the Department of Health and Human Services (“HHS”), and which security regulations are codified at 45 C.F.R. Part 160 and Part 164, Subparts A and C (the "Security Rule"), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH Act").
The premises having been considered and with acknowledgment of the mutual promises and of other good and valuable consideration herein contained, the Parties, intending to be legally bound, hereby agree as follows:
1. Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
2. Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
3. Protected Health Information. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR § 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
4. Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.501.
5. Security Rule. "Security Rule" shall mean the security regulations codified at 45 C.F.R. Part 160 and Part 164, Subparts A and C, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
6. Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
B. Use or Disclosure of PHI by Business Associate.
Business Associate’s use and disclosure of PHI is strictly limited to those instances where it is necessary to the performance of duties contractually delegated to it by Covered Entity in a separate services agreement. These instances include the following situations:
a. For archival purposes; and
b. For the proper management and administration of the Covered Entity as such Covered Entity’s “Business Associate” or to carry out the legal responsibilities of the Covered Entity as such Covered Entity’s “Business Associate”, pursuant to 45 CFR § 164.504(e)(4); provided such use or disclosure is in accordance with 45 CFR § 164.504(e)(4)(ii), and its subsections. Furthermore, any specific listing of duties or functions to be performed by Business Associate for Covered Entity contained in a separate contract (or addendum thereto) between the Parties is hereby incorporated by reference into this agreement for the sole purpose of further elaborating duties and functions that Business Associate is contractually undertaking on behalf of the Covered Entity. In all instances, Business Associate shall not use or disclose PHI obtained from Covered Entity in a manner that would violate the Privacy Rule of HIPAA or the pertinent regulations of HHS.
C. Duties of Business Associate relative to PHI.
1. Business Associate shall not use or disclose PHI other than as permitted or required by this agreement or by law.
2. Business Associate shall use appropriate safeguards recognized under the law and HHS regulations to prevent use or disclosure of the PHI other than as allowed for by this agreement.
3. Business Associate shall report to Covered Entity any use or disclosure of PHI that is in violation of this agreement within ten (10) days. In the event of disclosure of PHI in violation of this agreement, Business Associate shall mitigate, to the extent practicable, any harmful effects of said disclosure that are known to it.
4. Business Associate shall ensure that any agent or subcontractor to whom it provides PHI received from Covered Entity agrees to the same restrictions and conditions with respect to such information that apply through this agreement to Business Associate.
5. Business Associate shall, upon request with reasonable notice, provide Covered Entity access to its premises for a review and demonstration of its internal practices and procedures for safeguarding PHI.
6. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for a Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528. Should an individual make a request to Covered Entity for an accounting of disclosures of his or her PHI pursuant to 45 CFR Section 164.528, Business Associate agrees to promptly provide Covered Entity with information in a format and manner sufficient to respond to the individual’s request.
7. Business Associate shall, upon request with reasonable notice, provide Covered Entity with an accounting of uses and disclosures of PHI provided to it by Covered Entity.
8. To the extent Required by Law, Business Associate shall make its internal practices, books, records, and any other material requested by the Secretary relating to the use, disclosure, and safeguarding of PHI received from Covered Entity available to the Secretary for the purpose of determining compliance with the Privacy Rule. The aforementioned information shall be made available to the Secretary in the manner and place as designated by the Secretary or the Secretary’s fully appointed delegate. Under this agreement, Business Associate shall comply and cooperate with any request for documents or information from the Secretary directed to Business Associate that seeks documents or other information held by Business Associate.
9. Except as otherwise limited in this Agreement, Business Associate may use PHI to provide “data aggregation” services to Covered Entity as permitted by 42 CFR Section 164.504 (e)(2)(i)(B).
10. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 42 CFR sec 164.502 (j)(1).
11. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
12. If changes are made to PHI, to the extent such PHI exists and is readily accessible, Business Associate will make the change and provide access to the PHI both before and after any such amendments. Business Associate will also notify Covered Entity within ten (10) days of any change in PHI and any requests for change in PHI.
13. Upon request by Covered Entity, and provided that PHI exists and is readily accessible, Business Associate shall make any amendments or corrections to PHI in a designated record set.
14. If Business Associate conducts Standard Transactions (i.e., Transactions that comply with the Standards for Electronic Transactions Regulations) with or on behalf of Covered Entity, Business Associate will comply by a mutually agreed date, but no later than the compliance date with all applicable final regulations, and will require any subcontractor or agent involved with the conduct of such Standard Transactions to comply, with each applicable requirement of 45 CFR Part 162. Business Associate agrees to demonstrate compliance with the Transactions by allowing Covered Entity to test the Transactions and its content requirements upon a mutually agreed upon date. Business Associate will not enter into, or permit its subcontractors or agents to enter into any trading partner agreement in connection with the conduct of Standard Transactions for or on behalf of Covered Entity that:
a. Changes the definition, data condition, or use of data element or segment in a Standard Transaction;
b. Adds any data elements or segments to the maximum defined data set;
c. Uses any code or data element that is marked “not used” in the Standard Transaction’s implementation specification or is not in the Standard Transaction’s implementation specification; or
d. Changes the meaning or intent of the Standard Transaction’s implementation specification.
D. Obligations of Covered Entity.
1. Consents and Authorizations. Covered Entity represents that it has obtained or will obtain all consents or authorizations that may be required by the Privacy Rule and applicable state law prior to furnishing Business Associate the PHI.
2. Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 C.F.R. §164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI. If requested by Business Associate, Covered Entity shall provide Business Associate with the Notice of Privacy Practices that Covered Entity produces in accordance with 45 C.F.R. §164.520.
3. Notification of Changes Regarding Individual Permission. Covered Entity shall notify Business Associate in writing promptly, but in no event later than two (2) business days, of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
4. Notification of Restrictions on the Use or Disclosure of PHI. Covered Entity shall notify Business Associate in writing of any restriction on the use or disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 C.F.R. §164.522, to the extent that such restriction may impact in any manner the use or disclosure of PHI by Business Associate under this BAA and the Services Agreement.
5. Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
E. Term and Termination.
1. Term. The Term of this Agreement shall be effective as of the compliance date set out in applicable Regulations, and subject to any extension obtained by either party or granted under the Regulations; and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions in this Section.
2. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:
i. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;
ii. Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or
iii. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.
3. Effect of Termination.
i. Except as provided in paragraph (3)(ii) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of the Covered Entity at the end of 7 years. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
ii. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity written notification of the conditions that make return or destruction infeasible. After written notification that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosure of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
iii. Right of Termination of Existing Service Contracts. Should Business Associate make a disclosure of PHI in violation of this Agreement, Covered Entity shall have the right to immediately terminate any contract, other than this Agreement, then in force between the Parties.
Nothing in this Agreement shall be construed as an admission on the part of either Party that the relationship between the Covered Entity and the Business Associate is one of “Covered Entity” and “Business Associate” as those terms are known and construed under HIPAA and pertinent regulations issued by the Secretary. However, the duties and obligations of Business Associate under this agreement remain in full force and effect regardless of whether or not the relationship between the Parties is determined to be one between a “Covered Entity” and a “Business Associate” as those terms are known and construed under HIPAA and pertinent regulations issued by the Secretary.
Remedies in Event of Breach. Business Associate will notify Covered Entity of any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in no event later than twenty (20) business days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by Business Associate shall be required only upon request. "Unsuccessful Security Incidents" shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Business Associate's notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. §164.404.
Modification. This Agreement may only be modified through a writing signed by the Parties and, thus, no oral modification hereof shall be permitted. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.
Interpretation of this contract in relation to other contracts between the Parties. Should there be any conflict between the language of this contract and any other contract entered into between the Parties (either previous or subsequent to the date of this Agreement), the language and provisions of this Agreement shall control and prevail unless in a subsequent written agreement the Parties specifically refer to this Agreement by its title and date, and also, specifically state that the provisions of the later written agreement shall control over this Agreement.
1. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule.
2. Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or amended.
3. Notice to Covered Entity. Any notice required under this Agreement to be given to Covered Entity shall be made in writing to:
Practice Information: ____________________________________
Street Address: __________________________________________
City, State, Zip Code: _____________________________________
Phone Number: __________________________________________
4. Notice to Covered Entity. Any notice required under this Agreement to be given to Covered Entity shall be made in writing to:
IN WITNESS WHEREOF and acknowledging acceptance and agreement of the foregoing, the Parties acknowledge by checking below:
Yes, I accept the terms above.