Last active
August 16, 2024 13:42
SIMANTIKS API Examples - Business Associate Agreement (fake personal data used in this example).
MODEL BUSINESS ASSOCIATE AGREEMENT | |
Preface: Introduction and Identification of Parties | |
Introduction and Identification of Parties. | |
Introduction and Context of Agreement. | |
I. Definition and Compliance Obligations of Covered Entity and Business Associate under HIPAA ; | |
II. Agreement for Provision of Specified Services by Business Associate to Covered Entity ; | |
III. Access to Protected Health Information by Business Associate ; | |
IV. Definition of "Business Associate" Under HIPAA ; | |
V. Commitment to Compliance with Federal and State Confidentiality and Privacy Laws | |
VI. Commitment to Privacy and Security of Protected Health Information Under HIPAA and Applicable Laws. | |
Title: Formalization of Mutual Agreement. | |
Statement of Mutual Covenants and Conditions : | |
1. Definitions. | |
Definitions and Interpretations for Capitalized Terms in the BAA. | |
A. Definition of "Affiliate" Under HIPAA. | |
B. Definition of "Breach" under HIPAA Privacy Rule and 45 CFR §164.402. | |
C. Definition of "Breach Notification Rule" under HIPAA. | |
D. Definition of "Data Aggregation" Under HIPAA and Privacy Rule. | |
E. Definition of "Designated Record Set" Under the Privacy Rule Including 45 CFR §164.501.B. | |
F. Definition of "De-Identify" Under 45 CFR §§164.514(a) and (b). | |
G. Definition of "Electronic PHI" According to 45 CFR §160.103. | |
H. Definition of "Health Care Operations" per 45 CFR §164.501. | |
I. Definition of "HHS" as the U.S. Department of Health and Human Services. | |
J. Definition of "HITECH Act". | |
K. Definition of "Individual" Including Personal Representative as per HIPAA Regulations. | |
L. Definition of "Privacy Rule" Under HIPAA Regulations. | |
M. Definition of “Protected Health Information” (PHI) under 45 CFR §§164.501 and 160.103. | |
N. Definition of "Security Incident". | |
O. Definition of "Security Rule" – Security Standards for the Protection of Electronic Health Information (45 CFR Part 160 & Part 164, Subparts A and C). | |
P. Definition of "Unsecured Protected Health Information" or "Unsecured PHI". | |
2. Use and Disclosure of PHI. | |
A. Permitted Uses and Disclosures of PHI by Business Associate. | |
B. Authorization for Business Associate's Use of PHI for Management, Administration, and Legal Responsibilities. | |
Conditions for Business Associate's Disclosure of PHI for Management and Administration. | |
C. Restrictions on Use and Disclosure of PHI by Business Associate in Compliance with Privacy Rule and HITECH Act. | |
D. Access to PHI by Covered Entity Upon Request. | |
E. Use of PHI for Reporting Legal Violations Consistent with 45 CFR §164.502(j)(1). | |
3. Safeguards Against Misuse of PHI. | |
Implementation of Safeguards to Protect PHI and Electronic PHI. | |
Employee Training and Compliance Measures to Prevent Breach of BAA. | |
4. Reporting Disclosures of PHI and Security Incidents. | |
Reporting Unauthorized Use or Disclosure of PHI and Security Incidents. | |
Reporting Timeline for Unauthorized PHI Use or Disclosure and Security Incidents. | |
5. Reporting Breaches of Unsecured PHI. | |
Breach Notification Requirement for Business Associate. | |
Reimbursement Obligation for Costs Incurred Due to Breach by Business Associate. | |
6. Mitigation of Disclosures of PHI. | |
Mitigation of Harmful Effects from Unauthorized PHI Use or Disclosure. | |
7. Agreements with Agents or Subcontractors. | |
Obligations of Business Associate to Ensure Compliance of Agents and Subcontractors with PHI Safeguards and Restrictions. | |
Notification of Subcontracts Involving PHI Within 30 Days on Business Associate’s Website. | |
Requirement for Subcontracts to Maintain Equivalent Privacy and Security Standards. | |
8. Audit Report. | |
Provision of Independent HIPAA Compliance Report and HITRUST Certification Upon Request. | |
Confidentiality of Business Associate’s Audit Report. | |
9. Access to PHI by Individuals. | |
A. Business Associate's Obligation to Provide PHI Copies to Covered Entity | |
B. Individual's PHI Access Request Handling by Business Associate and Covered Entity's Disclosure Responsibility. | |
10. Amendment of PHI. | |
A. Amendment of PHI by Business Associate at Covered Entity's Request. | |
B. Procedure for Forwarding Individual's PHI Amendment Requests to Covered Entity. | |
11. Accounting of Disclosures. | |
A. Documentation and Reporting of PHI Disclosures by Business Associate in Compliance with 45 CFR §164.528 : | |
B. Provision of Disclosure Information to Covered Entity and Individuals Upon Request. | |
C. Handling of Direct Requests for Accounting by Business Associate. | |
12. Availability of Books and Records. | |
Disclosure of Internal Practices and Records to HHS for HIPAA Compliance Verification. | |
13. Responsibilities of Covered Entity. | |
Introduction to Covered Entity's Obligations on Use and Disclosure of Protected Health Information : | |
A. Notification of Privacy Practice Limitations Affecting PHI Use by Business Associate. | |
B. Notification of Changes or Revocation of Permission to Use or Disclose PHI. | |
C. Notification of Agreed Restrictions on PHI Use or Disclosure per 45 CFR §164.522. | |
D. Prohibition on Impermissible Requests for PHI Use or Disclosure by Business Associate. | |
14. Data Ownership. | |
Data Stewardship and Ownership Rights of Business Associate. | |
15. Term and Termination. | |
A. Effective Date and Duration of BAA. | |
B. Immediate Termination Rights for Material Breach by Business Associate. | |
C. Business Associate's Right to Notify and Cure Period for Covered Entity's Breach. | |
Grounds for Immediate Termination and Potential Breach Reporting to HHS. | |
D. Return or Destruction of PHI Upon Termination of Agreement. | |
Notification of Infeasibility of PHI Return or Destruction. | |
Mutual Agreement on Infeasibility of Return or Destruction of PHI and Extended Protections. | |
Survival of Section 14.D. Post-Termination. | |
16. Effect of BAA. | |
A. BAA Supremacy Clause in Case of Conflict with Agreement. | |
B. Third-Party Rights Limitation in BAA. | |
17. Regulatory References. | |
Reference to HIPAA Sections as Currently Effective or Amended. | |
18. Notices. | |
Notice and Communication Methods and Addresses : | |
A. Contact Information for Covered Entity : | |
B. Business Associate Contact Information : | |
19. Amendments and Waiver. | |
Modification and Waiver Requirements. | |
Non-Continuing Waiver Clause for Subsequent Events. | |
20. HITECH Act Compliance. | |
Acknowledgment of Significant Changes to Privacy and Security Rules Under HITECH Act. | |
Changes to Business Associate Requirements and Agreements Under HITECH Act. | |
Compliance with HITECH Act and HHS Regulations. | |
Good Faith Negotiation and Termination Rights for HITECH Act Compliance Modifications. | |
Execution of Agreement Based on Mutual Understanding and Agreement. | |
Execution Signature of John M. Rogers, Chief Compliance Officer, HealthFirst Medical Services, Inc ... | |
Signature Line for Sarah J. Miller, Director of Operations, MedSecure Solutions LLC ... |
MODEL BUSINESS ASSOCIATE AGREEMENT | |
This BUSINESS ASSOCIATE AGREEMENT (the “BAA”) is made and entered into as of August 16, 2024 by and | |
between HealthFirst Medical Services, Inc., a corporation organized under the laws of the State of | |
California (“Covered Entity”) and MedSecure Solutions LLC, a limited liability company organized under | |
the laws of the State of Delaware (“Business Associate”, in accordance with the meaning given to those | |
terms at 45 CFR §164.501). In this BAA, Covered Entity and Business Associate are each a “Party” and, | |
collectively, are the “Parties”. | |
BACKGROUND. | |
I. Covered Entity is either a “covered entity” or “business associate” of a covered entity as each are | |
defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as | |
amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined | |
below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the | |
confidentiality and privacy of Protected Health Information (as defined below); | |
II. The Parties have entered into or will enter into one or more agreements under which Business Associate | |
provides or will provide certain specified services to Covered Entity (collectively, the “Agreement”); | |
III. In providing services pursuant to the Agreement, Business Associate will have access to Protected | |
Health Information; | |
IV. By providing the services pursuant to the Agreement, Business Associate will become a “business associate” | |
of the Covered Entity as such term is defined under HIPAA; | |
V. Both Parties are committed to complying with all federal and state laws governing the confidentiality | |
and privacy of health information, including, but not limited to, the Standards for Privacy of Individually | |
Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”); and | |
VI. Both Parties intend to protect the privacy and provide for the security of Protected Health Information | |
disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA and other applicable laws. | |
AGREEMENT. | |
NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued | |
provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, | |
the Parties agree as follows: | |
1. Definitions. For purposes of this BAA, the Parties give the following meaning to each of the | |
terms in this Section 1 below. Any capitalized term used in this BAA, but not otherwise defined, has the | |
meaning given to that term in the Privacy Rule or pertinent law. | |
A. “Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, | |
considered a covered entity, as defined by HIPAA. | |
B. “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not | |
permitted under the Privacy Rule which compromises the security or privacy of the PHI, as | |
defined in 45 CFR §164.402. | |
C. “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR | |
Part 164. | |
D. “Data Aggregation” means, with respect to PHI created or received by Business | |
Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the | |
combining of such PHI by Business Associate with the PHI received by Business Associate in its | |
capacity as a business associate of one or more other “covered entity” under HIPAA, to permit | |
data analyses that relate to the Health Care Operations (defined below) of the respective | |
covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the | |
meaning given to that term in the Privacy Rule. | |
E. “Designated Record Set” has the meaning given to such term under the Privacy Rule, | |
including 45 CFR §164.501.B. | |
F. “De-Identify” means to alter the PHI such that the resulting information meets the | |
requirements described in 45 CFR §§164.514(a) and (b). | |
G. “Electronic PHI” means any PHI maintained in or transmitted by electronic media as | |
defined in 45 CFR §160.103. | |
H. “Health Care Operations” has the meaning given to that term in 45 CFR §164.501. | |
I. “HHS” means the U.S. Department of Health and Human Services. | |
J. “HITECH Act” means the Health Information Technology for Economic and Clinical | |
Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law | |
111-005. | |
K. “Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.130 | |
and includes a person who qualifies as a personal representative in accordance with 45 CFR | |
§164.502(g). | |
L. “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, | |
Subparts A and E. | |
M. “Protected Health Information” or “PHI” has the meaning given to the term “protected | |
health information” in 45 CFR §§164.501 and 160.103, limited to the information created or | |
received by Business Associate from or on behalf of Covered Entity. | |
N. “Security Incident” means the attempted or successful unauthorized access, use, | |
disclosure, modification, or destruction of information or interference with system operations in | |
an information system. | |
O. “Security Rule” means the Security Standards for the Protection of Electronic Health | |
Information provided in 45 CFR Part 160 & Part 164, Subparts A and C. | |
P. “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected | |
health information” as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, | |
unreadable or indecipherable to unauthorized individuals through the use of a technology or | |
methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act | |
and codified at 42 USC §17932(h). | |
2. Use and Disclosure of PHI. | |
A. Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as | |
reasonably necessary to provide the services described in the Agreement to Covered Entity, and | |
to undertake other activities of Business Associate permitted or required of Business Associate | |
by this BAA or as required by law. | |
B. Except as otherwise limited by this BAA or federal or state law, Covered Entity | |
authorizes Business Associate to use the PHI in its possession for the proper management and | |
administration of Business Associate’s business and to carry out its legal responsibilities. | |
Business Associate may disclose PHI for its proper management and administration, provided | |
that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to | |
making any disclosure to a third party (a) reasonable assurances from this third party that the | |
PHI will be held confidential as provided under this BAA and used or further disclosed only as | |
required by law or for the purpose for which it was disclosed to this third party and (b) an | |
agreement from this third party to notify Business Associate immediately of any breaches of the | |
confidentiality of the PHI, to the extent it has knowledge of the breach. | |
C. Business Associate will not use or disclose PHI in a manner other than as provided in this | |
BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or | |
disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary | |
amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with | |
Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s | |
implementing regulations adopted by HHS, for each use or disclosure of PHI. | |
D. Upon request, Business Associate will make available to Covered Entity any of Covered | |
Entity’s PHI that Business Associate or any of its agents or subcontractors have in their | |
possession. | |
E. Business Associate may use PHI to report violations of law to appropriate Federal and | |
State authorities, consistent with 45 CFR §164.502(j)(1). | |
3. Safeguards Against Misuse of PHI. Business Associate will use appropriate safeguards to | |
prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business | |
Associate agrees to implement administrative, physical, and technical safeguards that reasonably and | |
appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, | |
receives, maintains or transmits on behalf of Covered Entity. Business Associate agrees to take | |
reasonable steps, including providing adequate training to its employees to ensure compliance with this | |
BAA and to ensure that the actions or omissions of its employees or agents do not cause Business | |
Associate to breach the terms of this BAA. | |
4. Reporting Disclosures of PHI and Security Incidents. Business Associate will report to Covered | |
Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware and | |
Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of | |
Covered Entity of which it becomes aware. Business Associate agrees to report any such event within | |
five business days of becoming aware of the event. | |
5. Reporting Breaches of Unsecured PHI. Business Associate will notify Covered Entity in writing | |
promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set | |
forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach. Business | |
Associate will reimburse Covered Entity for any costs incurred by it in complying with the requirements | |
of Subpart D of 45 CFR §164 that are imposed on Covered Entity as a result of a Breach committed by | |
Business Associate. | |
6. Mitigation of Disclosures of PHI. Business Associate will take reasonable measures to mitigate, | |
to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure | |
of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA. | |
7. Agreements with Agents or Subcontractors. Business Associate will ensure that any of its | |
agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in | |
writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA | |
and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it | |
creates, receives, maintains or transmits on behalf of Business Associate or, through the Business | |
Associate, Covered Entity. Business Associate shall notify Covered Entity, or upstream Business | |
Associate, of all subcontracts and agreements relating to the Agreement, where the subcontractor or | |
agent receives PHI as described in section 1.M. of this BAA. Such notification shall occur within 30 | |
(thirty) calendar days of the execution of the subcontract by placement of such notice on the Business | |
Associate’s primary website. Business Associate shall ensure that all subcontracts and agreements | |
provide the same level of privacy and security as this BAA. | |
8. Audit Report. Upon request, Business Associate will provide Covered Entity, or upstream | |
Business Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315), | |
HITRUST certification or other mutually agreed upon independent standards based third party audit | |
report. Covered Entity agrees not to re-disclose Business Associate’s audit report. | |
9. Access to PHI by Individuals. | |
A. Upon request, Business Associate agrees to furnish Covered Entity with copies of the | |
PHI maintained by Business Associate in a Designated Record Set in the time and manner | |
designated by Covered Entity to enable Covered Entity to respond to an Individual’s request for | |
access to PHI under 45 CFR §164.524. | |
B. In the event any Individual or personal representative requests access to the Individual’s | |
PHI directly from Business Associate, Business Associate within ten business days, will forward | |
that request to Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested | |
by an Individual or a personal representative and compliance with the requirements applicable | |
to an Individual’s right to obtain access to PHI shall be the sole responsibility of Covered Entity. | |
10. Amendment of PHI. | |
A. Upon request and instruction from Covered Entity, Business Associate will amend PHI or | |
a record about an Individual in a Designated Record Set that is maintained by, or otherwise | |
within the possession of, Business Associate as directed by Covered Entity in accordance with | |
procedures established by 45 CFR §164.526. Any request by Covered Entity to amend such | |
information will be completed by Business Associate within 15 business days of Covered Entity’s | |
request. | |
B. In the event that any Individual requests that Business Associate amend such | |
Individual’s PHI or record in a Designated Record Set, Business Associate within ten business | |
days will forward this request to Covered Entity. Any amendment of, or decision not to amend, | |
the PHI or record as requested by an Individual and compliance with the requirements | |
applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility | |
of Covered Entity. | |
11. Accounting of Disclosures. | |
A. Business Associate will document any disclosures of PHI made by it to account for such | |
disclosures as required by 45 CFR §164.528(a). Business Associate also will make available | |
information related to such disclosures as would be required for Covered Entity to respond to a | |
request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, | |
Business Associate will furnish Covered Entity the following with respect to any covered | |
disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or | |
person who received PHI, and, if known, the address of such entity or person; (iii) a brief | |
description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure | |
which includes the basis for such disclosure. | |
B. Business Associate will furnish to Covered Entity information collected in accordance | |
with this Section 10, within ten business days after written request by Covered Entity, to permit | |
Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528, or in the | |
event that Covered Entity elects to provide an Individual with a list of its business associates, | |
Business Associate will provide an accounting of its disclosures of PHI upon request of the | |
Individual, if and to the extent that such accounting is required under the HITECH Act or under | |
HHS regulations adopted in connection with the HITECH Act. | |
C. In the event an Individual delivers the initial request for an accounting directly to | |
Business Associate, Business Associate will within ten business days forward such request to | |
Covered Entity. | |
12. Availability of Books and Records. Business Associate will make available its internal practices, | |
books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon | |
request, to the Secretary of HHS for purposes of determining Covered Entity’s and Business Associate’s | |
compliance with HIPAA, and this BAA. | |
13. Responsibilities of Covered Entity. With regard to the use and/or disclosure of Protected Health | |
Information by Business Associate, Covered Entity agrees to: | |
A. Notify Business Associate of any limitation(s) in its notice of privacy practices in | |
accordance with 45 CFR §164.520, to the extent that such limitation may affect Business | |
Associate’s use or disclosure of PHI. | |
B. Notify Business Associate of any changes in, or revocation of, permission by an | |
Individual to use or disclose Protected Health Information, to the extent that such changes may | |
affect Business Associate’s use or disclosure of PHI. | |
C. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered | |
Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may | |
affect Business Associate’s use or disclosure of PHI. | |
D. Except for data aggregation or management and administrative activities of Business | |
Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any | |
manner that would not be permissible under HIPAA if done by Covered Entity. | |
14. Data Ownership. Business Associate’s data stewardship does not confer data ownership rights | |
on Business Associate with respect to any data shared with it under the Agreement, including any and all | |
forms thereof. | |
15. Term and Termination. | |
A. This BAA will become effective on the date first written above, and will continue in | |
effect until all obligations of the Parties have been met under the Agreement and under this | |
BAA. | |
B. Covered Entity may terminate immediately this BAA, the Agreement, and any other | |
related agreements if Covered Entity makes a determination that Business Associate has | |
breached a material term of this BAA and Business Associate has failed to cure that material | |
breach, to Covered Entity’s reasonable satisfaction, within 30 days after written notice from | |
Covered Entity. Covered Entity may report the problem to the Secretary of HHS if termination is | |
not feasible. | |
C. If Business Associate determines that Covered Entity has breached a material term of | |
this BAA, then Business Associate will provide Covered Entity with written notice of the | |
existence of the breach and shall provide Covered Entity with 30 days to cure the breach. | |
Covered Entity’s failure to cure the breach within the 30-day period will be grounds for | |
immediate termination of the Agreement and this BAA by Business Associate. Business | |
Associate may report the breach to HHS. | |
D. Upon termination of the Agreement or this BAA for any reason, all PHI maintained by | |
Business Associate will be returned to Covered Entity or destroyed by Business Associate. | |
Business Associate will not retain any copies of such information. This provision will apply to PHI | |
in the possession of Business Associate’s agents and subcontractors. If return or destruction of | |
the PHI is not feasible, in Business Associate’s reasonable judgment, Business Associate will | |
furnish Covered Entity with notification, in writing, of the conditions that make return or | |
destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the | |
PHI is infeasible, Business Associate will extend the protections of this BAA to such information | |
for as long as Business Associate retains such information and will limit further uses and | |
disclosures to those purposes that make the return or destruction of the information not | |
feasible. The Parties understand that this Section 14.D. will survive any termination of this BAA. | |
16. Effect of BAA. | |
A. This BAA is a part of and subject to the terms of the Agreement, except that to the | |
extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will | |
govern. | |
B. Except as expressly stated in this BAA or as provided by law, this BAA will not create any | |
rights in favor of any third party. | |
17. Regulatory References. A reference in this BAA to a section in HIPAA means the section as in | |
effect or as amended at the time. | |
18. Notices. All notices, requests and demands or other communications to be given under this BAA | |
to a Party will be made via either first class mail, registered or certified or express courier, or electronic | |
mail to the Party’s address given below: | |
A. If to Covered Entity, to: | |
Attn: John M. Rogers, Chief Compliance Officer | |
T: (213) 555-1234 | |
E: john.rogers@healthfirst.com | |
B. If to Business Associate, to: | |
Attn: Sarah J. Miller, Director of Operations | |
T: (302) 555-6789 | |
E: sarah.miller@medsecure.com | |
19. Amendments and Waiver. This BAA may not be modified, nor will any provision be waived or | |
amended, except in writing duly signed by authorized representatives of the Parties. A waiver with | |
respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy | |
as to subsequent events. | |
20. HITECH Act Compliance. The Parties acknowledge that the HITECH Act includes significant | |
changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth | |
provisions that significantly change the requirements for business associates and the agreements | |
between business associates and covered entities under HIPAA and these changes may be further | |
clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable | |
provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties | |
also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the | |
HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to | |
reach agreement on such a modification, either Party will have the right to terminate this BAA upon 30- | |
days’ prior written notice to the other Party. | |
In light of the mutual agreement and understanding described above, the Parties execute this BAA as of | |
the date first written above. | |
By: ____________________________________ | |
Name: John M. Rogers | |
Title: Chief Compliance Officer, HealthFirst Medical Services, Inc. | |
By: ____________________________________ | |
Name: Sarah J. Miller | |
Title: Director of Operations, MedSecure Solutions LLC |
MODEL BUSINESS ASSOCIATE AGREEMENT | |
This BUSINESS ASSOCIATE AGREEMENT (the “BAA”) is made and entered into as of August 16, 2024 by and between HealthFirst Medical Services, Inc., a corporation organized under the laws of the State of California (“Covered Entity”) and MedSecure Solutions LLC, a limited liability company organized under the laws of the State of Delaware (“Business Associate”, in accordance with the meaning given to those terms at 45 CFR §164.501). In this BAA, Covered Entity and Business Associate are each a “Party” and, collectively, are the “Parties”. | |
BACKGROUND. I. Covered Entity is either a “covered entity” or “business associate” of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below); | |
II. The Parties have entered into or will enter into one or more agreements under which Business Associate provides or will provide certain specified services to Covered Entity (collectively, the “Agreement”); | |
III. In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information; | |
IV. By providing the services pursuant to the Agreement, Business Associate will become a “business associate” of the Covered Entity as such term is defined under HIPAA; | |
V. Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”); and | |
VI. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA and other applicable laws. | |
AGREEMENT. NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows: | |
1. Definitions. | |
For purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1 below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law. | |
A. “Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA. | |
B. “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR §164.402. | |
C. “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164. | |
D. “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other “covered entity” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule. | |
E. “Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR §164.501.B. | |
F. “De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b). | |
G. “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103. | |
H. “Health Care Operations” has the meaning given to that term in 45 CFR §164.501. | |
I. “HHS” means the U.S. Department of Health and Human Services. | |
J. “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005. | |
K. “Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g). | |
L. “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E. | |
M. “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity. | |
N. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. | |
O. “Security Rule” means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C. | |
P. “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h). | |
2. Use and Disclosure of PHI. | |
A. Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law. | |
B. Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate’s business and to carry out its legal responsibilities. | |
Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach. | |
C. Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act’s implementing regulations adopted by HHS, for each use or disclosure of PHI. | |
D. Upon request, Business Associate will make available to Covered Entity any of Covered Entity’s PHI that Business Associate or any of its agents or subcontractors have in their possession. | |
E. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1). | |
3. Safeguards Against Misuse of PHI. | |
Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA. | |
4. Reporting Disclosures of PHI and Security Incidents. | |
Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware and Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware. Business Associate agrees to report any such event within five business days of becoming aware of the event. | |
5. Reporting Breaches of Unsecured PHI. | |
Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach. Business Associate will reimburse Covered Entity for any costs incurred by it in complying with the requirements of Subpart D of 45 CFR §164 that are imposed on Covered Entity as a result of a Breach committed by Business Associate. | |
6. Mitigation of Disclosures of PHI. | |
Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA. | |
7. Agreements with Agents or Subcontractors. | |
Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity. Business Associate shall notify Covered Entity, or upstream Business Associate, of all subcontracts and agreements relating to the Agreement, where the subcontractor or agent receives PHI as described in section 1.M. of this BAA. Such notification shall occur within 30 (thirty) calendar days of the execution of the subcontract by placement of such notice on the Business Associate’s primary website. Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as this BAA. | |
8. Audit Report. | |
Upon request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification or other mutually agreed upon independent standards based third party audit report. Covered Entity agrees not to re-disclose Business Associate’s audit report. | |
9. Access to PHI by Individuals. | |
A. Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner designated by Covered Entity to enable Covered Entity to respond to an Individual’s request for access to PHI under 45 CFR §164.524. | |
B. In the event any Individual or personal representative requests access to the Individual’s PHI directly from Business Associate, Business Associate within ten business days, will forward that request to Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual’s right to obtain access to PHI shall be the sole responsibility of Covered Entity. | |
10. Amendment of PHI. | |
A. Upon request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Covered Entity in accordance with procedures established by 45 CFR §164.526. Any request by Covered Entity to amend such information will be completed by Business Associate within 15 business days of Covered Entity’s request. | |
B. In the event that any Individual requests that Business Associate amend such Individual’s PHI or record in a Designated Record Set, Business Associate within ten business days will forward this request to Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual’s right to request an amendment of PHI will be the sole responsibility of Covered Entity. | |
11. Accounting of Disclosures. | |
A. Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate: | |
(i) the date of disclosure of PHI; | |
(ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; | |
(iii) a brief description of the PHI disclosed; and | |
(iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure. | |
B. Business Associate will furnish to Covered Entity information collected in accordance with this Section 10, within ten business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528, or in the event that Covered Entity elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act. | |
C. In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will within ten business days forward such request to Covered Entity. | |
12. Availability of Books and Records. | |
Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity’s and Business Associate’s compliance with HIPAA, and this BAA. | |
13. Responsibilities of Covered Entity. | |
With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees to: | |
A. Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. | |
B. Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. | |
C. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. | |
D. Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity. | |
14. Data Ownership. | |
Business Associate’s data stewardship does not confer data ownership rights on Business Associate with respect to any data shared with it under the Agreement, including any and all forms thereof. | |
15. Term and Termination. | |
A. This BAA will become effective on the date first written above, and will continue in effect until all obligations of the Parties have been met under the Agreement and under this BAA. | |
B. Covered Entity may terminate immediately this BAA, the Agreement, and any other related agreements if Covered Entity makes a determination that Business Associate has breached a material term of this BAA and Business Associate has failed to cure that material breach, to Covered Entity’s reasonable satisfaction, within 30 days after written notice from Covered Entity. Covered Entity may report the problem to the Secretary of HHS if termination is not feasible. | |
C. If Business Associate determines that Covered Entity has breached a material term of this BAA, then Business Associate will provide Covered Entity with written notice of the existence of the breach and shall provide Covered Entity with 30 days to cure the breach. | |
Covered Entity’s failure to cure the breach within the 30-day period will be grounds for immediate termination of the Agreement and this BAA by Business Associate. Business Associate may report the breach to HHS. | |
D. Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Business Associate will be returned to Covered Entity or destroyed by Business Associate. | |
Business Associate will not retain any copies of such information. This provision will apply to PHI in the possession of Business Associate’s agents and subcontractors. If return or destruction of the PHI is not feasible, in Business Associate’s reasonable judgment, Business Associate will furnish Covered Entity with notification, in writing, of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Business Associate will extend the protections of this BAA to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 14.D. will survive any termination of this BAA. | |
16. Effect of BAA. | |
A. This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will govern. | |
B. Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party. | |
17. Regulatory References. | |
A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time. | |
18. Notices. | |
All notices, requests and demands or other communications to be given under this BAA to a Party will be made via either first class mail, registered or certified or express courier, or electronic mail to the Party’s address given below: | |
A. If to Covered Entity, to: | |
Attn: John M. Rogers, Chief Compliance Officer | |
T: (213) 555-1234 | |
E: john.rogers@healthfirst.com | |
B. If to Business Associate, to: | |
Attn: Sarah J. Miller, Director of Operations | |
T: (302) 555-6789 | |
E: sarah.miller@medsecure.com | |
19. Amendments and Waiver. | |
This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. | |
20. HITECH Act Compliance. | |
The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach agreement on such a modification, either Party will have the right to terminate this BAA upon 30-days’ prior written notice to the other Party. | |
In light of the mutual agreement and understanding described above, the Parties execute this BAA as of the date first written above. | |
By: ... | |
Name: John M. Rogers | |
Title: Chief Compliance Officer, HealthFirst Medical Services, Inc. | |
By: ... | |
Name: Sarah J. Miller | |
Title: Director of Operations, MedSecure Solutions LLC |
{ | |
"index": 0, | |
"title": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Preface: Introduction and Identification of Parties", | |
"content": "", | |
"type": "container", | |
"path": "000:000", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Introduction and Identification of Parties", | |
"content": "This BUSINESS ASSOCIATE AGREEMENT (the \u201cBAA\u201d) is made and entered into as of August 16, 2024 by and between HealthFirst Medical Services, Inc., a corporation organized under the laws of the State of California (\u201cCovered Entity\u201d) and MedSecure Solutions LLC, a limited liability company organized under the laws of the State of Delaware (\u201cBusiness Associate\u201d, in accordance with the meaning given to those terms at 45 CFR \u00a7164.501). In this BAA, Covered Entity and Business Associate are each a \u201cParty\u201d and, collectively, are the \u201cParties\u201d.", | |
"type": "body", | |
"path": "000:000:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Introduction and Context of Agreement", | |
"content": "BACKGROUND.", | |
"type": "container", | |
"path": "000:000:001", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "I. Definition and Compliance Obligations of Covered Entity and Business Associate under HIPAA", | |
"content": "I. Covered Entity is either a \u201ccovered entity\u201d or \u201cbusiness associate\u201d of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, \u201cHIPAA\u201d) and, as such, is required to comply with HIPAA\u2019s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);", | |
"type": "body", | |
"path": "000:000:001:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "II. Agreement for Provision of Specified Services by Business Associate to Covered Entity", | |
"content": "II. The Parties have entered into or will enter into one or more agreements under which Business Associate provides or will provide certain specified services to Covered Entity (collectively, the \u201cAgreement\u201d);", | |
"type": "body", | |
"path": "000:000:001:001", | |
"children": [] | |
}, | |
{ | |
"index": 2, | |
"title": "", | |
"name": "III. Access to Protected Health Information by Business Associate", | |
"content": "III. In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information;", | |
"type": "body", | |
"path": "000:000:001:002", | |
"children": [] | |
}, | |
{ | |
"index": 3, | |
"title": "", | |
"name": "Definition of \"Business Associate\" Under HIPAA", | |
"content": "IV. By providing the services pursuant to the Agreement, Business Associate will become a \u201cbusiness associate\u201d of the Covered Entity as such term is defined under HIPAA;", | |
"type": "body", | |
"path": "000:000:001:003", | |
"children": [] | |
}, | |
{ | |
"index": 4, | |
"title": "", | |
"name": "V. Commitment to Compliance with Federal and State Confidentiality and Privacy Laws", | |
"content": "V. Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the \u201cPrivacy Rule\u201d); and", | |
"type": "body", | |
"path": "000:000:001:004", | |
"children": [] | |
}, | |
{ | |
"index": 5, | |
"title": "", | |
"name": "VI. Commitment to Privacy and Security of Protected Health Information Under HIPAA and Applicable Laws", | |
"content": "VI. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA and other applicable laws.", | |
"type": "body", | |
"path": "000:000:001:005", | |
"children": [] | |
} | |
] | |
} | |
] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Title: Formalization of Mutual Agreement", | |
"content": "AGREEMENT.", | |
"type": "container", | |
"path": "000:001", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Statement of Mutual Covenants and Conditions", | |
"content": "NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:", | |
"type": "body", | |
"path": "000:001:000", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 2, | |
"title": "1. Definitions.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:002", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"content": "For purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1 below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law.", | |
"type": "container", | |
"path": "000:002:000", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Definition of \"Affiliate\" Under HIPAA", | |
"content": "A. \u201cAffiliate\u201d means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.", | |
"type": "body", | |
"path": "000:002:000:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "B. Definition of \"Breach\" under HIPAA Privacy Rule and 45 CFR \u00a7164.402", | |
"content": "B. \u201cBreach\u201d means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR \u00a7164.402.", | |
"type": "body", | |
"path": "000:002:000:001", | |
"children": [] | |
}, | |
{ | |
"index": 2, | |
"title": "", | |
"name": "Definition of \"Breach Notification Rule\" under HIPAA", | |
"content": "C. \u201cBreach Notification Rule\u201d means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.", | |
"type": "body", | |
"path": "000:002:000:002", | |
"children": [] | |
}, | |
{ | |
"index": 3, | |
"title": "", | |
"name": "Definition of \"Data Aggregation\" Under HIPAA and Privacy Rule", | |
"content": "D. \u201cData Aggregation\u201d means, with respect to PHI created or received by Business Associate in its capacity as the \u201cbusiness associate\u201d under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other \u201ccovered entity\u201d under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of \u201cdata aggregation\u201d in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.", | |
"type": "body", | |
"path": "000:002:000:003", | |
"children": [] | |
}, | |
{ | |
"index": 4, | |
"title": "", | |
"name": "E. Definition of \"Designated Record Set\" Under the Privacy Rule Including 45 CFR \u00a7164.501.B", | |
"content": "E. \u201cDesignated Record Set\u201d has the meaning given to such term under the Privacy Rule, including 45 CFR \u00a7164.501.B.", | |
"type": "body", | |
"path": "000:002:000:004", | |
"children": [] | |
}, | |
{ | |
"index": 5, | |
"title": "", | |
"name": "Definition of \"De-Identify\" Under 45 CFR \u00a7\u00a7164.514(a) and (b)", | |
"content": "F. \u201cDe-Identify\u201d means to alter the PHI such that the resulting information meets the requirements described in 45 CFR \u00a7\u00a7164.514(a) and (b).", | |
"type": "body", | |
"path": "000:002:000:005", | |
"children": [] | |
}, | |
{ | |
"index": 6, | |
"title": "", | |
"name": "Definition of \"Electronic PHI\" According to 45 CFR \u00a7160.103", | |
"content": "G. \u201cElectronic PHI\u201d means any PHI maintained in or transmitted by electronic media as defined in 45 CFR \u00a7160.103.", | |
"type": "body", | |
"path": "000:002:000:006", | |
"children": [] | |
}, | |
{ | |
"index": 7, | |
"title": "", | |
"name": "H. Definition of \"Health Care Operations\" per 45 CFR \u00a7164.501", | |
"content": "H. \u201cHealth Care Operations\u201d has the meaning given to that term in 45 CFR \u00a7164.501.", | |
"type": "body", | |
"path": "000:002:000:007", | |
"children": [] | |
}, | |
{ | |
"index": 8, | |
"title": "", | |
"name": "I. Definition of \"HHS\" as the U.S. Department of Health and Human Services", | |
"content": "I. \u201cHHS\u201d means the U.S. Department of Health and Human Services.", | |
"type": "body", | |
"path": "000:002:000:008", | |
"children": [] | |
}, | |
{ | |
"index": 9, | |
"title": "", | |
"name": "Definition of \"HITECH Act\"", | |
"content": "J. \u201cHITECH Act\u201d means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.", | |
"type": "body", | |
"path": "000:002:000:009", | |
"children": [] | |
}, | |
{ | |
"index": 10, | |
"title": "", | |
"name": "Definition of \"Individual\" Including Personal Representative as per HIPAA Regulations", | |
"content": "K. \u201cIndividual\u201d has the same meaning given to that term i in 45 CFR \u00a7\u00a7164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR \u00a7164.502(g).", | |
"type": "body", | |
"path": "000:002:000:010", | |
"children": [] | |
}, | |
{ | |
"index": 11, | |
"title": "", | |
"name": "Definition of \"Privacy Rule\" Under HIPAA Regulations", | |
"content": "L. \u201cPrivacy Rule\u201d means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.", | |
"type": "body", | |
"path": "000:002:000:011", | |
"children": [] | |
}, | |
{ | |
"index": 12, | |
"title": "", | |
"name": "M. Definition of \u201cProtected Health Information\u201d (PHI) under 45 CFR \u00a7\u00a7164.501 and 160.103", | |
"content": "M. \u201cProtected Health Information\u201d or \u201cPHI\u201d has the meaning given to the term \u201cprotected health information\u201d in 45 CFR \u00a7\u00a7164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.", | |
"type": "body", | |
"path": "000:002:000:012", | |
"children": [] | |
}, | |
{ | |
"index": 13, | |
"title": "", | |
"name": "Definition of \"Security Incident\"", | |
"content": "N. \u201cSecurity Incident\u201d means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.", | |
"type": "body", | |
"path": "000:002:000:013", | |
"children": [] | |
}, | |
{ | |
"index": 14, | |
"title": "", | |
"name": "Definition of \"Security Rule\" \u2013 Security Standards for the Protection of Electronic Health Information (45 CFR Part 160 & Part 164, Subparts A and C)", | |
"content": "O. \u201cSecurity Rule\u201d means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.", | |
"type": "body", | |
"path": "000:002:000:014", | |
"children": [] | |
}, | |
{ | |
"index": 15, | |
"title": "", | |
"name": "Definition of \"Unsecured Protected Health Information\" or \"Unsecured PHI\"", | |
"content": "P. \u201cUnsecured Protected Health Information\u201d or \u201cUnsecured PHI\u201d means any \u201cprotected health information\u201d as defined in 45 CFR \u00a7\u00a7164.501 and 160.103 that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC \u00a717932(h).", | |
"type": "body", | |
"path": "000:002:000:015", | |
"children": [] | |
} | |
] | |
} | |
] | |
}, | |
{ | |
"index": 3, | |
"title": "2. Use and Disclosure of PHI.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:003", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Permitted Uses and Disclosures of PHI by Business Associate", | |
"content": "A. Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law.", | |
"type": "body", | |
"path": "000:003:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Authorization for Business Associate's Use of PHI for Management, Administration, and Legal Responsibilities", | |
"content": "B. Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate\u2019s business and to carry out its legal responsibilities.", | |
"type": "body", | |
"path": "000:003:001", | |
"children": [] | |
}, | |
{ | |
"index": 2, | |
"title": "", | |
"name": "Conditions for Business Associate's Disclosure of PHI for Management and Administration", | |
"content": "Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.", | |
"type": "body", | |
"path": "000:003:002", | |
"children": [] | |
}, | |
{ | |
"index": 3, | |
"title": "", | |
"name": "Restrictions on Use and Disclosure of PHI by Business Associate in Compliance with Privacy Rule and HITECH Act", | |
"content": "C. Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC \u00a717935(b)) and any of the act\u2019s implementing regulations adopted by HHS, for each use or disclosure of PHI.", | |
"type": "body", | |
"path": "000:003:003", | |
"children": [] | |
}, | |
{ | |
"index": 4, | |
"title": "", | |
"name": "Access to PHI by Covered Entity Upon Request", | |
"content": "D. Upon request, Business Associate will make available to Covered Entity any of Covered Entity\u2019s PHI that Business Associate or any of its agents or subcontractors have in their possession.", | |
"type": "body", | |
"path": "000:003:004", | |
"children": [] | |
}, | |
{ | |
"index": 5, | |
"title": "", | |
"name": "Use of PHI for Reporting Legal Violations Consistent with 45 CFR \u00a7164.502(j)(1)", | |
"content": "E. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR \u00a7164.502(j)(1).", | |
"type": "body", | |
"path": "000:003:005", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 4, | |
"title": "3. Safeguards Against Misuse of PHI.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:004", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Implementation of Safeguards to Protect PHI and Electronic PHI", | |
"content": "Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity.", | |
"type": "body", | |
"path": "000:004:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Employee Training and Compliance Measures to Prevent Breach of BAA", | |
"content": "Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.", | |
"type": "body", | |
"path": "000:004:001", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 5, | |
"title": "4. Reporting Disclosures of PHI and Security Incidents.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:005", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Reporting Unauthorized Use or Disclosure of PHI and Security Incidents", | |
"content": "Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware and Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware.", | |
"type": "container", | |
"path": "000:005:000", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Reporting Timeline for Unauthorized PHI Use or Disclosure and Security Incidents", | |
"content": "Business Associate agrees to report any such event within five business days of becoming aware of the event.", | |
"type": "body", | |
"path": "000:005:000:000", | |
"children": [] | |
} | |
] | |
} | |
] | |
}, | |
{ | |
"index": 6, | |
"title": "5. Reporting Breaches of Unsecured PHI.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:006", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Breach Notification Requirement for Business Associate", | |
"content": "Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR \u00a7164.410, but in no case later than 30 calendar days after discovery of a Breach.", | |
"type": "body", | |
"path": "000:006:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Reimbursement Obligation for Costs Incurred Due to Breach by Business Associate", | |
"content": "Business Associate will reimburse Covered Entity for any costs incurred by it in complying with the requirements of Subpart D of 45 CFR \u00a7164 that are imposed on Covered Entity as a result of a Breach committed by Business Associate.", | |
"type": "body", | |
"path": "000:006:001", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 7, | |
"title": "6. Mitigation of Disclosures of PHI.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:007", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Mitigation of Harmful Effects from Unauthorized PHI Use or Disclosure", | |
"content": "Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.", | |
"type": "body", | |
"path": "000:007:000", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 8, | |
"title": "7. Agreements with Agents or Subcontractors.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:008", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Obligations of Business Associate to Ensure Compliance of Agents and Subcontractors with PHI Safeguards and Restrictions", | |
"content": "Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity.", | |
"type": "body", | |
"path": "000:008:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Notification of Subcontracts Involving PHI Within 30 Days on Business Associate\u2019s Website", | |
"content": "Business Associate shall notify Covered Entity, or upstream Business Associate, of all subcontracts and agreements relating to the Agreement, where the subcontractor or agent receives PHI as described in section 1.M. of this BAA. Such notification shall occur within 30 (thirty) calendar days of the execution of the subcontract by placement of such notice on the Business Associate\u2019s primary website.", | |
"type": "body", | |
"path": "000:008:001", | |
"children": [] | |
}, | |
{ | |
"index": 2, | |
"title": "", | |
"name": "Requirement for Subcontracts to Maintain Equivalent Privacy and Security Standards", | |
"content": "Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as this BAA.", | |
"type": "body", | |
"path": "000:008:002", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 9, | |
"title": "8. Audit Report.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:009", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Provision of Independent HIPAA Compliance Report and HITRUST Certification Upon Request", | |
"content": "Upon request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification or other mutually agreed upon independent standards based third party audit report.", | |
"type": "body", | |
"path": "000:009:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Confidentiality of Business Associate\u2019s Audit Report", | |
"content": "Covered entity agrees not to re-disclose Business Associate\u2019s audit report.", | |
"type": "body", | |
"path": "000:009:001", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 10, | |
"title": "9. Access to PHI by Individuals.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:010", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Business Associate's Obligation to Provide PHI Copies to Covered Entity", | |
"content": "A. Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner", | |
"type": "body", | |
"path": "000:010:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Individual's PHI Access Request Handling by Business Associate and Covered Entity's Disclosure Responsibility", | |
"content": "B. In the event any Individual or personal representative requests access to the Individual\u2019s PHI directly from Business Associate, Business Associate within ten business days, will forward that request to Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual\u2019s right to obtain access to PHI shall be the sole responsibility of Covered Entity.", | |
"type": "body", | |
"path": "000:010:001", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 11, | |
"title": "10. Amendment of PHI.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:011", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Amendment of PHI by Business Associate at Covered Entity's Request", | |
"content": "A. Upon request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Covered Entity in accordance with procedures established by 45 CFR \u00a7164.526. Any request by Covered Entity to amend such information will be completed by Business Associate within 15 business days of Covered Entity\u2019s request.", | |
"type": "body", | |
"path": "000:011:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Procedure for Forwarding Individual's PHI Amendment Requests to Covered Entity", | |
"content": "B. In the event that any Individual requests that Business Associate amend such Individual\u2019s PHI or record in a Designated Record Set, Business Associate within ten business days will forward this request to Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual\u2019s right to request an amendment of PHI will be the sole responsibility of Covered Entity.", | |
"type": "body", | |
"path": "000:011:001", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 12, | |
"title": "11. Accounting of Disclosures.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:012", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Documentation and Reporting of PHI Disclosures by Business Associate in Compliance with 45 CFR \u00a7164.528", | |
"content": "A. Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR \u00a7164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR \u00a7164.528. At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate:\n(i) the date of disclosure of PHI;\n(ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person;\n(iii) a brief description of the PHI disclosed; and\n(iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.", | |
"type": "body", | |
"path": "000:012:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Provision of Disclosure Information to Covered Entity and Individuals Upon Request", | |
"content": "B. Business Associate will furnish to Covered Entity information collected in accordance with this Section 10, within ten business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR \u00a7164.528, or in the event that Covered Entity elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.", | |
"type": "body", | |
"path": "000:012:001", | |
"children": [] | |
}, | |
{ | |
"index": 2, | |
"title": "", | |
"name": "Handling of Direct Requests for Accounting by Business Associate", | |
"content": "C. In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will within ten business days forward such request to Covered Entity.", | |
"type": "body", | |
"path": "000:012:002", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 13, | |
"title": "12. Availability of Books and Records.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:013", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Disclosure of Internal Practices and Records to HHS for HIPAA Compliance Verification", | |
"content": "Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity\u2019s and Business Associate\u2019s compliance with HIPAA, and this BAA.", | |
"type": "body", | |
"path": "000:013:000", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 14, | |
"title": "13. Responsibilities of Covered Entity.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:014", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Introduction to Covered Entity's Obligations on Use and Disclosure of Protected Health Information", | |
"content": "With regard to the use and\/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees to:", | |
"type": "container", | |
"path": "000:014:000", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Notification of Privacy Practice Limitations Affecting PHI Use by Business Associate", | |
"content": "A. Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR \u00a7164.520, to the extent that such limitation may affect Business Associate\u2019s use or disclosure of PHI.", | |
"type": "body", | |
"path": "000:014:000:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Notification of Changes or Revocation of Permission to Use or Disclose PHI", | |
"content": "B. Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate\u2019s use or disclosure of PHI.", | |
"type": "body", | |
"path": "000:014:000:001", | |
"children": [] | |
}, | |
{ | |
"index": 2, | |
"title": "", | |
"name": "Notification of Agreed Restrictions on PHI Use or Disclosure per 45 CFR \u00a7164.522", | |
"content": "C. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR \u00a7164.522, to the extent that such restriction may affect Business Associate\u2019s use or disclosure of PHI.", | |
"type": "body", | |
"path": "000:014:000:002", | |
"children": [] | |
}, | |
{ | |
"index": 3, | |
"title": "", | |
"name": "Prohibition on Impermissible Requests for PHI Use or Disclosure by Business Associate", | |
"content": "D. Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.", | |
"type": "body", | |
"path": "000:014:000:003", | |
"children": [] | |
} | |
] | |
} | |
] | |
}, | |
{ | |
"index": 15, | |
"title": "14. Data Ownership.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:015", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Data Stewardship and Ownership Rights of Business Associate", | |
"content": "Business Associate\u2019s data stewardship does not confer data ownership rights on Business Associate with respect to any data shared with it under the Agreement, including any and all forms thereof.", | |
"type": "body", | |
"path": "000:015:000", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 16, | |
"title": "15. Term and Termination.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:016", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Effective Date and Duration of BAA", | |
"content": "A. This BAA will become effective on the date first written above, and will continue in effect until all obligations of the Parties have been met under the Agreement and under this BAA.", | |
"type": "body", | |
"path": "000:016:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Immediate Termination Rights for Material Breach by Business Associate", | |
"content": "B. Covered Entity may terminate immediately this BAA, the Agreement, and any other related agreements if Covered Entity makes a determination that Business Associate has breached a material term of this BAA and Business Associate has failed to cure that material breach, to Covered Entity\u2019s reasonable satisfaction, within 30 days after written notice from Covered Entity. Covered Entity may report the problem to the Secretary of HHS if termination is not feasible.", | |
"type": "body", | |
"path": "000:016:001", | |
"children": [] | |
}, | |
{ | |
"index": 2, | |
"title": "", | |
"name": "Business Associate's Right to Notify and Cure Period for Covered Entity's Breach", | |
"content": "C. If Business Associate determines that Covered Entity has breached a material term of this BAA, then Business Associate will provide Covered Entity with written notice of the existence of the breach and shall provide Covered Entity with 30 days to cure the breach.", | |
"type": "container", | |
"path": "000:016:002", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Grounds for Immediate Termination and Potential Breach Reporting to HHS", | |
"content": "Covered Entity\u2019s failure to cure the breach within the 30-day period will be grounds for immediate termination of the Agreement and this BAA by Business Associate. Business Associate may report the breach to HHS.", | |
"type": "body", | |
"path": "000:016:002:000", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 3, | |
"title": "", | |
"name": "Return or Destruction of PHI Upon Termination of Agreement", | |
"content": "D. Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Business Associate will be returned to Covered Entity or destroyed by Business Associate. Business Associate will not retain any copies of such information. This provision will apply to PHI in the possession of Business Associate\u2019s agents and subcontractors.", | |
"type": "container", | |
"path": "000:016:003", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Notification of Infeasibility of PHI Return or Destruction", | |
"content": "If return or destruction of the PHI is not feasible, in Business Associate\u2019s reasonable judgment, Business Associate will furnish Covered Entity with notification, in writing, of the conditions that make return or destruction infeasible.", | |
"type": "body", | |
"path": "000:016:003:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Mutual Agreement on Infeasibility of Return or Destruction of PHI and Extended Protections", | |
"content": "Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Business Associate will extend the protections of this BAA to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible.", | |
"type": "body", | |
"path": "000:016:003:001", | |
"children": [] | |
}, | |
{ | |
"index": 2, | |
"title": "", | |
"name": "Survival of Section 14.D. Post-Termination", | |
"content": "The Parties understand that this Section 14.D. will survive any termination of this BAA.", | |
"type": "body", | |
"path": "000:016:003:002", | |
"children": [] | |
} | |
] | |
} | |
] | |
}, | |
{ | |
"index": 17, | |
"title": "16. Effect of BAA.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:017", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "BAA Supremacy Clause in Case of Conflict with Agreement", | |
"content": "A. This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will govern.", | |
"type": "body", | |
"path": "000:017:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Third-Party Rights Limitation in BAA", | |
"content": "B. Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.", | |
"type": "body", | |
"path": "000:017:001", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 18, | |
"title": "17. Regulatory References.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:018", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Reference to HIPAA Sections as Currently Effective or Amended", | |
"content": "A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.", | |
"type": "body", | |
"path": "000:018:000", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 19, | |
"title": "18. Notices.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:019", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Notice and Communication Methods and Addresses", | |
"content": "All notices, requests and demands or other communications to be given under this BAA to a Party will be made via either first class mail, registered or certified or express courier, or electronic mail to the Party\u2019s address given below:", | |
"type": "container", | |
"path": "000:019:000", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "A. Contact Information for Covered Entity", | |
"content": "A. If to Covered Entity, to:\nAttn: John M. Rogers, Chief Compliance Officer\nT: (213) 555-1234\nE: john.rogers@healthfirst.com", | |
"type": "body", | |
"path": "000:019:000:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Business Associate Contact Information", | |
"content": "B. If to Business Associate, to:\nAttn: Sarah J. Miller, Director of Operations\nT: (302) 555-6789\nE: sarah.miller@medsecure.com", | |
"type": "body", | |
"path": "000:019:000:001", | |
"children": [] | |
} | |
] | |
} | |
] | |
}, | |
{ | |
"index": 20, | |
"title": "19. Amendments and Waiver.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:020", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Modification and Waiver Requirements", | |
"content": "This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties.", | |
"type": "container", | |
"path": "000:020:000", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Non-Continuing Waiver Clause for Subsequent Events", | |
"content": "A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.", | |
"type": "body", | |
"path": "000:020:000:000", | |
"children": [] | |
} | |
] | |
} | |
] | |
}, | |
{ | |
"index": 21, | |
"title": "20. HITECH Act Compliance.", | |
"name": "", | |
"content": "", | |
"type": "container", | |
"path": "000:021", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "Acknowledgment of Significant Changes to Privacy and Security Rules Under HITECH Act", | |
"content": "The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule.", | |
"type": "body", | |
"path": "000:021:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "Changes to Business Associate Requirements and Agreements Under HITECH Act", | |
"content": "The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance.", | |
"type": "body", | |
"path": "000:021:001", | |
"children": [] | |
}, | |
{ | |
"index": 2, | |
"title": "", | |
"name": "Compliance with HITECH Act and HHS Regulations", | |
"content": "Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act.", | |
"type": "body", | |
"path": "000:021:002", | |
"children": [] | |
}, | |
{ | |
"index": 3, | |
"title": "", | |
"name": "Good Faith Negotiation and Termination Rights for HITECH Act Compliance Modifications", | |
"content": "The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach agreement on such a modification, either Party will have the right to terminate this BAA upon 30-days\u2019 prior written notice to the other Party.", | |
"type": "body", | |
"path": "000:021:003", | |
"children": [] | |
}, | |
{ | |
"index": 4, | |
"title": "", | |
"name": "Execution of Agreement Based on Mutual Understanding and Agreement", | |
"content": "In light of the mutual agreement and understanding described above, the Parties execute this BAA as of the date first written above.", | |
"type": "body", | |
"path": "000:021:004", | |
"children": [] | |
}, | |
{ | |
"index": 5, | |
"title": "", | |
"name": "Execution Signature of John M. Rogers, Chief Compliance Officer, HealthFirst Medical Services, Inc.", | |
"content": "By: ...\nName: John M. Rogers\nTitle: Chief Compliance Officer, HealthFirst Medical Services, Inc.", | |
"type": "body", | |
"path": "000:021:005", | |
"children": [] | |
}, | |
{ | |
"index": 6, | |
"title": "", | |
"name": "Signature Line for Sarah J. Miller, Director of Operations, MedSecure Solutions LLC", | |
"content": "By: ...\nName: Sarah J. Miller\nTitle: Director of Operations, MedSecure Solutions LLC", | |
"type": "body", | |
"path": "000:021:006", | |
"children": [] | |
} | |
] | |
}, | |
{ | |
"index": 22, | |
"title": "", | |
"name": "", | |
"content": "", | |
"type": "other", | |
"path": "000:022", | |
"children": [ | |
{ | |
"index": 0, | |
"title": "", | |
"name": "", | |
"content": "Page 2 of 9", | |
"type": "other", | |
"path": "000:022:000", | |
"children": [] | |
}, | |
{ | |
"index": 1, | |
"title": "", | |
"name": "", | |
"content": "Page 3 of 9", | |
"type": "other", | |
"path": "000:022:001", | |
"children": [] | |
}, | |
{ | |
"index": 2, | |
"title": "", | |
"name": "", | |
"content": "Page 4 of 9", | |
"type": "other", | |
"path": "000:022:002", | |
"children": [] | |
}, | |
{ | |
"index": 3, | |
"title": "", | |
"name": "", | |
"content": "designated by Covered Entity to enable Covered Entity to respond to an Individual\u2019s request for access to PHI under 45 CFR \u00a7164.524.", | |
"type": "other", | |
"path": "000:022:003", | |
"children": [] | |
}, | |
{ | |
"index": 4, | |
"title": "", | |
"name": "", | |
"content": "Page 6 of 9", | |
"type": "other", | |
"path": "000:022:004", | |
"children": [] | |
}, | |
{ | |
"index": 5, | |
"title": "", | |
"name": "", | |
"content": "Page 7 of 9", | |
"type": "other", | |
"path": "000:022:005", | |
"children": [] | |
}, | |
{ | |
"index": 6, | |
"title": "", | |
"name": "", | |
"content": "Page 8 of 9", | |
"type": "other", | |
"path": "000:022:006", | |
"children": [] | |
}, | |
{ | |
"index": 7, | |
"title": "", | |
"name": "", | |
"content": "Page 9 of 9", | |
"type": "other", | |
"path": "000:022:007", | |
"children": [] | |
} | |
] | |
} | |
] | |
} |
[ | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"name": "", | |
"content": "", | |
"outline": "MODEL BUSINESS ASSOCIATE AGREEMENT\n Preface: Introduction and Identification of Parties\n Introduction and Identification of Parties.\n Introduction and Context of Agreement.\n Title: Formalization of Mutual Agreement.\n Statement of Mutual Covenants and Conditions :\n 1. Definitions.\n Definitions and Interpretations for Capitalized Terms in the BAA.\n 2. Use and Disclosure of PHI.\n A. Permitted Uses and Disclosures of PHI by Business Associate.\n B. Authorization for Business Associate's Use of PHI for Management, Administration, and Legal Responsibilities.\n Conditions for Business Associate's Disclosure of PHI for Management and Administration.\n C. Restrictions on Use and Disclosure of PHI by Business Associate in Compliance with Privacy Rule and HITECH Act.\n D. Access to PHI by Covered Entity Upon Request.\n E. Use of PHI for Reporting Legal Violations Consistent with 45 CFR \u00a7164.502(j)(1).\n 3. Safeguards Against Misuse of PHI.\n Implementation of Safeguards to Protect PHI and Electronic PHI.\n Employee Training and Compliance Measures to Prevent Breach of BAA.\n 4. Reporting Disclosures of PHI and Security Incidents.\n Reporting Unauthorized Use or Disclosure of PHI and Security Incidents.\n 5. Reporting Breaches of Unsecured PHI.\n Breach Notification Requirement for Business Associate.\n Reimbursement Obligation for Costs Incurred Due to Breach by Business Associate.\n 6. Mitigation of Disclosures of PHI.\n Mitigation of Harmful Effects from Unauthorized PHI Use or Disclosure.\n 7. Agreements with Agents or Subcontractors.\n Obligations of Business Associate to Ensure Compliance of Agents and Subcontractors with PHI Safeguards and Restrictions.\n Notification of Subcontracts Involving PHI Within 30 Days on Business Associate\u2019s Website.\n Requirement for Subcontracts to Maintain Equivalent Privacy and Security Standards.\n 8. 
Audit Report.\n Provision of Independent HIPAA Compliance Report and HITRUST Certification Upon Request.\n Confidentiality of Business Associate\u2019s Audit Report.\n 9. Access to PHI by Individuals.\n A. Business Associate's Obligation to Provide PHI Copies to Covered Entity\n B. Individual's PHI Access Request Handling by Business Associate and Covered Entity's Disclosure Responsibility.\n 10. Amendment of PHI.\n A. Amendment of PHI by Business Associate at Covered Entity's Request.\n B. Procedure for Forwarding Individual's PHI Amendment Requests to Covered Entity.\n 11. Accounting of Disclosures.\n A. Documentation and Reporting of PHI Disclosures by Business Associate in Compliance with 45 CFR \u00a7164.528 :\n B. Provision of Disclosure Information to Covered Entity and Individuals Upon Request.\n C. Handling of Direct Requests for Accounting by Business Associate.\n 12. Availability of Books and Records.\n Disclosure of Internal Practices and Records to HHS for HIPAA Compliance Verification.\n 13. Responsibilities of Covered Entity.\n Introduction to Covered Entity's Obligations on Use and Disclosure of Protected Health Information :\n 14. Data Ownership.\n Data Stewardship and Ownership Rights of Business Associate.\n 15. Term and Termination.\n A. Effective Date and Duration of BAA.\n B. Immediate Termination Rights for Material Breach by Business Associate.\n C. Business Associate's Right to Notify and Cure Period for Covered Entity's Breach.\n D. Return or Destruction of PHI Upon Termination of Agreement.\n 16. Effect of BAA.\n A. BAA Supremacy Clause in Case of Conflict with Agreement.\n B. Third-Party Rights Limitation in BAA.\n 17. Regulatory References.\n Reference to HIPAA Sections as Currently Effective or Amended.\n 18. Notices.\n Notice and Communication Methods and Addresses :\n 19. Amendments and Waiver.\n Modification and Waiver Requirements.\n 20. 
HITECH Act Compliance.\n Acknowledgment of Significant Changes to Privacy and Security Rules Under HITECH Act.\n Changes to Business Associate Requirements and Agreements Under HITECH Act.\n Compliance with HITECH Act and HHS Regulations.\n Good Faith Negotiation and Termination Rights for HITECH Act Compliance Modifications.\n Execution of Agreement Based on Mutual Understanding and Agreement.\n Execution Signature of John M. Rogers, Chief Compliance Officer, HealthFirst Medical Services, Inc ...\n Signature Line for Sarah J. Miller, Director of Operations, MedSecure Solutions LLC ...", | |
"path": "000", | |
"parentPath": "", | |
"parentName": "", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Preface: Introduction and Identification of Parties", | |
"content": "", | |
"outline": "Preface: Introduction and Identification of Parties\n Introduction and Identification of Parties.\n Introduction and Context of Agreement.\n I. Definition and Compliance Obligations of Covered Entity and Business Associate under HIPAA ;\n II. Agreement for Provision of Specified Services by Business Associate to Covered Entity ;\n III. Access to Protected Health Information by Business Associate ;\n IV. Definition of \"Business Associate\" Under HIPAA ;\n V. Commitment to Compliance with Federal and State Confidentiality and Privacy Laws\n VI. Commitment to Privacy and Security of Protected Health Information Under HIPAA and Applicable Laws.", | |
"path": "000:000", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Introduction and Identification of Parties", | |
"content": "This BUSINESS ASSOCIATE AGREEMENT (the \u201cBAA\u201d) is made and entered into as of August 16, 2024 by and between HealthFirst Medical Services, Inc., a corporation organized under the laws of the State of California (\u201cCovered Entity\u201d) and MedSecure Solutions LLC, a limited liability company organized under the laws of the State of Delaware (\u201cBusiness Associate\u201d, in accordance with the meaning given to those terms at 45 CFR \u00a7164.501). In this BAA, Covered Entity and Business Associate are each a \u201cParty\u201d and, collectively, are the \u201cParties\u201d.", | |
"outline": "", | |
"path": "000:000:000", | |
"parentPath": "000:000", | |
"parentName": "Preface: Introduction and Identification of Parties", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Introduction and Context of Agreement", | |
"content": "BACKGROUND.", | |
"outline": "Introduction and Context of Agreement.\n I. Definition and Compliance Obligations of Covered Entity and Business Associate under HIPAA ;\n II. Agreement for Provision of Specified Services by Business Associate to Covered Entity ;\n III. Access to Protected Health Information by Business Associate ;\n IV. Definition of \"Business Associate\" Under HIPAA ;\n V. Commitment to Compliance with Federal and State Confidentiality and Privacy Laws\n VI. Commitment to Privacy and Security of Protected Health Information Under HIPAA and Applicable Laws.", | |
"path": "000:000:001", | |
"parentPath": "000:000", | |
"parentName": "Preface: Introduction and Identification of Parties", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "I. Definition and Compliance Obligations of Covered Entity and Business Associate under HIPAA", | |
"content": "I. Covered Entity is either a \u201ccovered entity\u201d or \u201cbusiness associate\u201d of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, \u201cHIPAA\u201d) and, as such, is required to comply with HIPAA\u2019s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below);", | |
"outline": "", | |
"path": "000:000:001:000", | |
"parentPath": "000:000:001", | |
"parentName": "Introduction and Context of Agreement", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "II. Agreement for Provision of Specified Services by Business Associate to Covered Entity", | |
"content": "II. The Parties have entered into or will enter into one or more agreements under which Business Associate provides or will provide certain specified services to Covered Entity (collectively, the \u201cAgreement\u201d);", | |
"outline": "", | |
"path": "000:000:001:001", | |
"parentPath": "000:000:001", | |
"parentName": "Introduction and Context of Agreement", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "III. Access to Protected Health Information by Business Associate", | |
"content": "III. In providing services pursuant to the Agreement, Business Associate will have access to Protected Health Information;", | |
"outline": "", | |
"path": "000:000:001:002", | |
"parentPath": "000:000:001", | |
"parentName": "Introduction and Context of Agreement", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 2, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Definition of \"Business Associate\" Under HIPAA", | |
"content": "IV. By providing the services pursuant to the Agreement, Business Associate will become a \u201cbusiness associate\u201d of the Covered Entity as such term is defined under HIPAA;", | |
"outline": "", | |
"path": "000:000:001:003", | |
"parentPath": "000:000:001", | |
"parentName": "Introduction and Context of Agreement", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 3, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "V. Commitment to Compliance with Federal and State Confidentiality and Privacy Laws", | |
"content": "V. Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the \u201cPrivacy Rule\u201d); and", | |
"outline": "", | |
"path": "000:000:001:004", | |
"parentPath": "000:000:001", | |
"parentName": "Introduction and Context of Agreement", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 4, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "VI. Commitment to Privacy and Security of Protected Health Information Under HIPAA and Applicable Laws", | |
"content": "VI. Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of this Agreement, HIPAA and other applicable laws.", | |
"outline": "", | |
"path": "000:000:001:005", | |
"parentPath": "000:000:001", | |
"parentName": "Introduction and Context of Agreement", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 5, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Title: Formalization of Mutual Agreement", | |
"content": "AGREEMENT.", | |
"outline": "Title: Formalization of Mutual Agreement.\n Statement of Mutual Covenants and Conditions :", | |
"path": "000:001", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Statement of Mutual Covenants and Conditions", | |
"content": "NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Agreement in reliance on this BAA, the Parties agree as follows:", | |
"outline": "", | |
"path": "000:001:000", | |
"parentPath": "000:001", | |
"parentName": "Title: Formalization of Mutual Agreement", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "1. Definitions.", | |
"name": "", | |
"content": "", | |
"outline": "1. Definitions.\n Definitions and Interpretations for Capitalized Terms in the BAA.\n A. Definition of \"Affiliate\" Under HIPAA.\n B. Definition of \"Breach\" under HIPAA Privacy Rule and 45 CFR \u00a7164.402.\n C. Definition of \"Breach Notification Rule\" under HIPAA.\n D. Definition of \"Data Aggregation\" Under HIPAA and Privacy Rule.\n E. Definition of \"Designated Record Set\" Under the Privacy Rule Including 45 CFR \u00a7164.501.B.\n F. Definition of \"De-Identify\" Under 45 CFR \u00a7\u00a7164.514(a) and (b).\n G. Definition of \"Electronic PHI\" According to 45 CFR \u00a7160.103.\n H. Definition of \"Health Care Operations\" per 45 CFR \u00a7164.501.\n I. Definition of \"HHS\" as the U.S. Department of Health and Human Services.\n J. Definition of \"HITECH Act\".\n K. Definition of \"Individual\" Including Personal Representative as per HIPAA Regulations.\n L. Definition of \"Privacy Rule\" Under HIPAA Regulations.\n M. Definition of \u201cProtected Health Information\u201d (PHI) under 45 CFR \u00a7\u00a7164.501 and 160.103.\n N. Definition of \"Security Incident\".\n O. Definition of \"Security Rule\" \u2013 Security Standards for the Protection of Electronic Health Information (45 CFR Part 160 & Part 164, Subparts A and C).\n P. Definition of \"Unsecured Protected Health Information\" or \"Unsecured PHI\".", | |
"path": "000:002", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 2, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"content": "For purposes of this BAA, the Parties give the following meaning to each of the terms in this Section 1 below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law.", | |
"outline": "Definitions and Interpretations for Capitalized Terms in the BAA.\n A. Definition of \"Affiliate\" Under HIPAA.\n B. Definition of \"Breach\" under HIPAA Privacy Rule and 45 CFR \u00a7164.402.\n C. Definition of \"Breach Notification Rule\" under HIPAA.\n D. Definition of \"Data Aggregation\" Under HIPAA and Privacy Rule.\n E. Definition of \"Designated Record Set\" Under the Privacy Rule Including 45 CFR \u00a7164.501.B.\n F. Definition of \"De-Identify\" Under 45 CFR \u00a7\u00a7164.514(a) and (b).\n G. Definition of \"Electronic PHI\" According to 45 CFR \u00a7160.103.\n H. Definition of \"Health Care Operations\" per 45 CFR \u00a7164.501.\n I. Definition of \"HHS\" as the U.S. Department of Health and Human Services.\n J. Definition of \"HITECH Act\".\n K. Definition of \"Individual\" Including Personal Representative as per HIPAA Regulations.\n L. Definition of \"Privacy Rule\" Under HIPAA Regulations.\n M. Definition of \u201cProtected Health Information\u201d (PHI) under 45 CFR \u00a7\u00a7164.501 and 160.103.\n N. Definition of \"Security Incident\".\n O. Definition of \"Security Rule\" \u2013 Security Standards for the Protection of Electronic Health Information (45 CFR Part 160 & Part 164, Subparts A and C).\n P. Definition of \"Unsecured Protected Health Information\" or \"Unsecured PHI\".", | |
"path": "000:002:000", | |
"parentPath": "000:002", | |
"parentName": "1. Definitions.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Definition of \"Affiliate\" Under HIPAA", | |
"content": "A. \u201cAffiliate\u201d means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.", | |
"outline": "", | |
"path": "000:002:000:000", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "B. Definition of \"Breach\" under HIPAA Privacy Rule and 45 CFR \u00a7164.402", | |
"content": "B. \u201cBreach\u201d means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR \u00a7164.402.", | |
"outline": "", | |
"path": "000:002:000:001", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Definition of \"Breach Notification Rule\" under HIPAA", | |
"content": "C. \u201cBreach Notification Rule\u201d means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.", | |
"outline": "", | |
"path": "000:002:000:002", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 2, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Definition of \"Data Aggregation\" Under HIPAA and Privacy Rule", | |
"content": "D. \u201cData Aggregation\u201d means, with respect to PHI created or received by Business Associate in its capacity as the \u201cbusiness associate\u201d under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other \u201ccovered entity\u201d under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of \u201cdata aggregation\u201d in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.", | |
"outline": "", | |
"path": "000:002:000:003", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 3, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "E. Definition of \"Designated Record Set\" Under the Privacy Rule Including 45 CFR \u00a7164.501.B", | |
"content": "E. \u201cDesignated Record Set\u201d has the meaning given to such term under the Privacy Rule, including 45 CFR \u00a7164.501.B.", | |
"outline": "", | |
"path": "000:002:000:004", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 4, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Definition of \"De-Identify\" Under 45 CFR \u00a7\u00a7164.514(a) and (b)", | |
"content": "F. \u201cDe-Identify\u201d means to alter the PHI such that the resulting information meets the requirements described in 45 CFR \u00a7\u00a7164.514(a) and (b).", | |
"outline": "", | |
"path": "000:002:000:005", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 5, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Definition of \"Electronic PHI\" According to 45 CFR \u00a7160.103", | |
"content": "G. \u201cElectronic PHI\u201d means any PHI maintained in or transmitted by electronic media as defined in 45 CFR \u00a7160.103.", | |
"outline": "", | |
"path": "000:002:000:006", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 6, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "H. Definition of \"Health Care Operations\" per 45 CFR \u00a7164.501", | |
"content": "H. \u201cHealth Care Operations\u201d has the meaning given to that term in 45 CFR \u00a7164.501.", | |
"outline": "", | |
"path": "000:002:000:007", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 7, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "I. Definition of \"HHS\" as the U.S. Department of Health and Human Services", | |
"content": "I. \u201cHHS\u201d means the U.S. Department of Health and Human Services.", | |
"outline": "", | |
"path": "000:002:000:008", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 8, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Definition of \"HITECH Act\"", | |
"content": "J. \u201cHITECH Act\u201d means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.", | |
"outline": "", | |
"path": "000:002:000:009", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 9, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Definition of \"Individual\" Including Personal Representative as per HIPAA Regulations", | |
"content": "K. \u201cIndividual\u201d has the same meaning given to that term i in 45 CFR \u00a7\u00a7164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR \u00a7164.502(g).", | |
"outline": "", | |
"path": "000:002:000:010", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 10, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Definition of \"Privacy Rule\" Under HIPAA Regulations", | |
"content": "L. \u201cPrivacy Rule\u201d means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.", | |
"outline": "", | |
"path": "000:002:000:011", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 11, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "M. Definition of \u201cProtected Health Information\u201d (PHI) under 45 CFR \u00a7\u00a7164.501 and 160.103", | |
"content": "M. \u201cProtected Health Information\u201d or \u201cPHI\u201d has the meaning given to the term \u201cprotected health information\u201d in 45 CFR \u00a7\u00a7164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.", | |
"outline": "", | |
"path": "000:002:000:012", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 12, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Definition of \"Security Incident\"", | |
"content": "N. \u201cSecurity Incident\u201d means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.", | |
"outline": "", | |
"path": "000:002:000:013", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 13, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Definition of \"Security Rule\" \u2013 Security Standards for the Protection of Electronic Health Information (45 CFR Part 160 & Part 164, Subparts A and C)", | |
"content": "O. \u201cSecurity Rule\u201d means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.", | |
"outline": "", | |
"path": "000:002:000:014", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 14, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Definition of \"Unsecured Protected Health Information\" or \"Unsecured PHI\"", | |
"content": "P. \u201cUnsecured Protected Health Information\u201d or \u201cUnsecured PHI\u201d means any \u201cprotected health information\u201d as defined in 45 CFR \u00a7\u00a7164.501 and 160.103 that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC \u00a717932(h).", | |
"outline": "", | |
"path": "000:002:000:015", | |
"parentPath": "000:002:000", | |
"parentName": "Definitions and Interpretations for Capitalized Terms in the BAA", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 15, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "2. Use and Disclosure of PHI.", | |
"name": "", | |
"content": "", | |
"outline": "2. Use and Disclosure of PHI.\n A. Permitted Uses and Disclosures of PHI by Business Associate.\n B. Authorization for Business Associate's Use of PHI for Management, Administration, and Legal Responsibilities.\n Conditions for Business Associate's Disclosure of PHI for Management and Administration.\n C. Restrictions on Use and Disclosure of PHI by Business Associate in Compliance with Privacy Rule and HITECH Act.\n D. Access to PHI by Covered Entity Upon Request.\n E. Use of PHI for Reporting Legal Violations Consistent with 45 CFR \u00a7164.502(j)(1).", | |
"path": "000:003", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 3, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Permitted Uses and Disclosures of PHI by Business Associate", | |
"content": "A. Except as otherwise provided in this BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the Agreement to Covered Entity, and to undertake other activities of Business Associate permitted or required of Business Associate by this BAA or as required by law.", | |
"outline": "", | |
"path": "000:003:000", | |
"parentPath": "000:003", | |
"parentName": "2. Use and Disclosure of PHI.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Authorization for Business Associate's Use of PHI for Management, Administration, and Legal Responsibilities", | |
"content": "B. Except as otherwise limited by this BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate\u2019s business and to carry out its legal responsibilities.", | |
"outline": "", | |
"path": "000:003:001", | |
"parentPath": "000:003", | |
"parentName": "2. Use and Disclosure of PHI.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Conditions for Business Associate's Disclosure of PHI for Management and Administration", | |
"content": "Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI will be held confidential as provided under this BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from this third party to notify Business Associate immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of the breach.", | |
"outline": "", | |
"path": "000:003:002", | |
"parentPath": "000:003", | |
"parentName": "2. Use and Disclosure of PHI.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 2, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Restrictions on Use and Disclosure of PHI by Business Associate in Compliance with Privacy Rule and HITECH Act", | |
"content": "C. Business Associate will not use or disclose PHI in a manner other than as provided in this BAA, as permitted under the Privacy Rule, or as required by law. Business Associate will use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC \u00a717935(b)) and any of the act\u2019s implementing regulations adopted by HHS, for each use or disclosure of PHI.", | |
"outline": "", | |
"path": "000:003:003", | |
"parentPath": "000:003", | |
"parentName": "2. Use and Disclosure of PHI.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 3, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Access to PHI by Covered Entity Upon Request", | |
"content": "D. Upon request, Business Associate will make available to Covered Entity any of Covered Entity\u2019s PHI that Business Associate or any of its agents or subcontractors have in their possession.", | |
"outline": "", | |
"path": "000:003:004", | |
"parentPath": "000:003", | |
"parentName": "2. Use and Disclosure of PHI.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 4, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Use of PHI for Reporting Legal Violations Consistent with 45 CFR \u00a7164.502(j)(1)", | |
"content": "E. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR \u00a7164.502(j)(1).", | |
"outline": "", | |
"path": "000:003:005", | |
"parentPath": "000:003", | |
"parentName": "2. Use and Disclosure of PHI.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 5, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "3. Safeguards Against Misuse of PHI.", | |
"name": "", | |
"content": "", | |
"outline": "3. Safeguards Against Misuse of PHI.\n Implementation of Safeguards to Protect PHI and Electronic PHI.\n Employee Training and Compliance Measures to Prevent Breach of BAA.", | |
"path": "000:004", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 4, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Implementation of Safeguards to Protect PHI and Electronic PHI", | |
"content": "Business Associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BAA and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity.", | |
"outline": "", | |
"path": "000:004:000", | |
"parentPath": "000:004", | |
"parentName": "3. Safeguards Against Misuse of PHI.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Employee Training and Compliance Measures to Prevent Breach of BAA", | |
"content": "Business Associate agrees to take reasonable steps, including providing adequate training to its employees to ensure compliance with this BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of this BAA.", | |
"outline": "", | |
"path": "000:004:001", | |
"parentPath": "000:004", | |
"parentName": "3. Safeguards Against Misuse of PHI.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "4. Reporting Disclosures of PHI and Security Incidents.", | |
"name": "", | |
"content": "", | |
"outline": "4. Reporting Disclosures of PHI and Security Incidents.\n Reporting Unauthorized Use or Disclosure of PHI and Security Incidents.\n Reporting Timeline for Unauthorized PHI Use or Disclosure and Security Incidents.", | |
"path": "000:005", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 5, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Reporting Unauthorized Use or Disclosure of PHI and Security Incidents", | |
"content": "Business Associate will report to Covered Entity in writing any use or disclosure of PHI not provided for by this BAA of which it becomes aware and Business Associate agrees to report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware.", | |
"outline": "Reporting Unauthorized Use or Disclosure of PHI and Security Incidents.\n Reporting Timeline for Unauthorized PHI Use or Disclosure and Security Incidents.", | |
"path": "000:005:000", | |
"parentPath": "000:005", | |
"parentName": "4. Reporting Disclosures of PHI and Security Incidents.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Reporting Timeline for Unauthorized PHI Use or Disclosure and Security Incidents", | |
"content": "Business Associate agrees to report any such event within five business days of becoming aware of the event.", | |
"outline": "", | |
"path": "000:005:000:000", | |
"parentPath": "000:005:000", | |
"parentName": "Reporting Unauthorized Use or Disclosure of PHI and Security Incidents", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "5. Reporting Breaches of Unsecured PHI.", | |
"name": "", | |
"content": "", | |
"outline": "5. Reporting Breaches of Unsecured PHI.\n Breach Notification Requirement for Business Associate.\n Reimbursement Obligation for Costs Incurred Due to Breach by Business Associate.", | |
"path": "000:006", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 6, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Breach Notification Requirement for Business Associate", | |
"content": "Business Associate will notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR \u00a7164.410, but in no case later than 30 calendar days after discovery of a Breach.", | |
"outline": "", | |
"path": "000:006:000", | |
"parentPath": "000:006", | |
"parentName": "5. Reporting Breaches of Unsecured PHI.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Reimbursement Obligation for Costs Incurred Due to Breach by Business Associate", | |
"content": "Business Associate will reimburse Covered Entity for any costs incurred by it in complying with the requirements of Subpart D of 45 CFR \u00a7164 that are imposed on Covered Entity as a result of a Breach committed by Business Associate.", | |
"outline": "", | |
"path": "000:006:001", | |
"parentPath": "000:006", | |
"parentName": "5. Reporting Breaches of Unsecured PHI.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "6. Mitigation of Disclosures of PHI.", | |
"name": "", | |
"content": "", | |
"outline": "6. Mitigation of Disclosures of PHI.\n Mitigation of Harmful Effects from Unauthorized PHI Use or Disclosure.", | |
"path": "000:007", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 7, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Mitigation of Harmful Effects from Unauthorized PHI Use or Disclosure", | |
"content": "Business Associate will take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this BAA.", | |
"outline": "", | |
"path": "000:007:000", | |
"parentPath": "000:007", | |
"parentName": "6. Mitigation of Disclosures of PHI.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "7. Agreements with Agents or Subcontractors.", | |
"name": "", | |
"content": "", | |
"outline": "7. Agreements with Agents or Subcontractors.\n Obligations of Business Associate to Ensure Compliance of Agents and Subcontractors with PHI Safeguards and Restrictions.\n Notification of Subcontracts Involving PHI Within 30 Days on Business Associate\u2019s Website.\n Requirement for Subcontracts to Maintain Equivalent Privacy and Security Standards.", | |
"path": "000:008", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 8, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Obligations of Business Associate to Ensure Compliance of Agents and Subcontractors with PHI Safeguards and Restrictions", | |
"content": "Business Associate will ensure that any of its agents or subcontractors that have access to, or to which Business Associate provides, PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in this BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity.", | |
"outline": "", | |
"path": "000:008:000", | |
"parentPath": "000:008", | |
"parentName": "7. Agreements with Agents or Subcontractors.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Notification of Subcontracts Involving PHI Within 30 Days on Business Associate\u2019s Website", | |
"content": "Business Associate shall notify Covered Entity, or upstream Business Associate, of all subcontracts and agreements relating to the Agreement, where the subcontractor or agent receives PHI as described in section 1.M. of this BAA. Such notification shall occur within 30 (thirty) calendar days of the execution of the subcontract by placement of such notice on the Business Associate\u2019s primary website.", | |
"outline": "", | |
"path": "000:008:001", | |
"parentPath": "000:008", | |
"parentName": "7. Agreements with Agents or Subcontractors.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Requirement for Subcontracts to Maintain Equivalent Privacy and Security Standards", | |
"content": "Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as this BAA.", | |
"outline": "", | |
"path": "000:008:002", | |
"parentPath": "000:008", | |
"parentName": "7. Agreements with Agents or Subcontractors.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 2, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "8. Audit Report.", | |
"name": "", | |
"content": "", | |
"outline": "8. Audit Report.\n Provision of Independent HIPAA Compliance Report and HITRUST Certification Upon Request.\n Confidentiality of Business Associate\u2019s Audit Report.", | |
"path": "000:009", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 9, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Provision of Independent HIPAA Compliance Report and HITRUST Certification Upon Request", | |
"content": "Upon request, Business Associate will provide Covered Entity, or upstream Business Associate, with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification or other mutually agreed upon independent standards based third party audit report.", | |
"outline": "", | |
"path": "000:009:000", | |
"parentPath": "000:009", | |
"parentName": "8. Audit Report.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Confidentiality of Business Associate\u2019s Audit Report", | |
"content": "Covered entity agrees not to re-disclose Business Associate\u2019s audit report.", | |
"outline": "", | |
"path": "000:009:001", | |
"parentPath": "000:009", | |
"parentName": "8. Audit Report.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "9. Access to PHI by Individuals.", | |
"name": "", | |
"content": "", | |
"outline": "9. Access to PHI by Individuals.\n A. Business Associate's Obligation to Provide PHI Copies to Covered Entity\n B. Individual's PHI Access Request Handling by Business Associate and Covered Entity's Disclosure Responsibility.", | |
"path": "000:010", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 10, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Business Associate's Obligation to Provide PHI Copies to Covered Entity", | |
"content": "A. Upon request, Business Associate agrees to furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner", | |
"outline": "", | |
"path": "000:010:000", | |
"parentPath": "000:010", | |
"parentName": "9. Access to PHI by Individuals.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Individual's PHI Access Request Handling by Business Associate and Covered Entity's Disclosure Responsibility", | |
"content": "B. In the event any Individual or personal representative requests access to the Individual\u2019s PHI directly from Business Associate, Business Associate within ten business days, will forward that request to Covered Entity. Any disclosure of, or decision not to disclose, the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual\u2019s right to obtain access to PHI shall be the sole responsibility of Covered Entity.", | |
"outline": "", | |
"path": "000:010:001", | |
"parentPath": "000:010", | |
"parentName": "9. Access to PHI by Individuals.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "10. Amendment of PHI.", | |
"name": "", | |
"content": "", | |
"outline": "10. Amendment of PHI.\n A. Amendment of PHI by Business Associate at Covered Entity's Request.\n B. Procedure for Forwarding Individual's PHI Amendment Requests to Covered Entity.", | |
"path": "000:011", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 11, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Amendment of PHI by Business Associate at Covered Entity's Request", | |
"content": "A. Upon request and instruction from Covered Entity, Business Associate will amend PHI or a record about an Individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Business Associate as directed by Covered Entity in accordance with procedures established by 45 CFR \u00a7164.526. Any request by Covered Entity to amend such information will be completed by Business Associate within 15 business days of Covered Entity\u2019s request.", | |
"outline": "", | |
"path": "000:011:000", | |
"parentPath": "000:011", | |
"parentName": "10. Amendment of PHI.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Procedure for Forwarding Individual's PHI Amendment Requests to Covered Entity", | |
"content": "B. In the event that any Individual requests that Business Associate amend such Individual\u2019s PHI or record in a Designated Record Set, Business Associate within ten business days will forward this request to Covered Entity. Any amendment of, or decision not to amend, the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual\u2019s right to request an amendment of PHI will be the sole responsibility of Covered Entity.", | |
"outline": "", | |
"path": "000:011:001", | |
"parentPath": "000:011", | |
"parentName": "10. Amendment of PHI.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "11. Accounting of Disclosures.", | |
"name": "", | |
"content": "", | |
"outline": "11. Accounting of Disclosures.\n A. Documentation and Reporting of PHI Disclosures by Business Associate in Compliance with 45 CFR \u00a7164.528 :\n B. Provision of Disclosure Information to Covered Entity and Individuals Upon Request.\n C. Handling of Direct Requests for Accounting by Business Associate.", | |
"path": "000:012", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 12, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Documentation and Reporting of PHI Disclosures by Business Associate in Compliance with 45 CFR \u00a7164.528", | |
"content": "A. Business Associate will document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR \u00a7164.528(a). Business Associate also will make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR \u00a7164.528. At a minimum, Business Associate will furnish Covered Entity the following with respect to any covered disclosures by Business Associate:\n(i) the date of disclosure of PHI;\n(ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person;\n(iii) a brief description of the PHI disclosed; and\n(iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.", | |
"outline": "", | |
"path": "000:012:000", | |
"parentPath": "000:012", | |
"parentName": "11. Accounting of Disclosures.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Provision of Disclosure Information to Covered Entity and Individuals Upon Request", | |
"content": "B. Business Associate will furnish to Covered Entity information collected in accordance with this Section 10, within ten business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR \u00a7164.528, or in the event that Covered Entity elects to provide an Individual with a list of its business associates, Business Associate will provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.", | |
"outline": "", | |
"path": "000:012:001", | |
"parentPath": "000:012", | |
"parentName": "11. Accounting of Disclosures.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Handling of Direct Requests for Accounting by Business Associate", | |
"content": "C. In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will within ten business days forward such request to Covered Entity.", | |
"outline": "", | |
"path": "000:012:002", | |
"parentPath": "000:012", | |
"parentName": "11. Accounting of Disclosures.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 2, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "12. Availability of Books and Records.", | |
"name": "", | |
"content": "", | |
"outline": "12. Availability of Books and Records.\n Disclosure of Internal Practices and Records to HHS for HIPAA Compliance Verification.", | |
"path": "000:013", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 13, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Disclosure of Internal Practices and Records to HHS for HIPAA Compliance Verification", | |
"content": "Business Associate will make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity\u2019s and Business Associate\u2019s compliance with HIPAA, and this BAA.", | |
"outline": "", | |
"path": "000:013:000", | |
"parentPath": "000:013", | |
"parentName": "12. Availability of Books and Records.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "13. Responsibilities of Covered Entity.", | |
"name": "", | |
"content": "", | |
"outline": "13. Responsibilities of Covered Entity.\n Introduction to Covered Entity's Obligations on Use and Disclosure of Protected Health Information :\n A. Notification of Privacy Practice Limitations Affecting PHI Use by Business Associate.\n B. Notification of Changes or Revocation of Permission to Use or Disclose PHI.\n C. Notification of Agreed Restrictions on PHI Use or Disclosure per 45 CFR \u00a7164.522.\n D. Prohibition on Impermissible Requests for PHI Use or Disclosure by Business Associate.", | |
"path": "000:014", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 14, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Introduction to Covered Entity's Obligations on Use and Disclosure of Protected Health Information", | |
"content": "With regard to the use and\/or disclosure of Protected Health Information by Business Associate, Covered Entity agrees to:", | |
"outline": "Introduction to Covered Entity's Obligations on Use and Disclosure of Protected Health Information :\n A. Notification of Privacy Practice Limitations Affecting PHI Use by Business Associate.\n B. Notification of Changes or Revocation of Permission to Use or Disclose PHI.\n C. Notification of Agreed Restrictions on PHI Use or Disclosure per 45 CFR \u00a7164.522.\n D. Prohibition on Impermissible Requests for PHI Use or Disclosure by Business Associate.", | |
"path": "000:014:000", | |
"parentPath": "000:014", | |
"parentName": "13. Responsibilities of Covered Entity.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Notification of Privacy Practice Limitations Affecting PHI Use by Business Associate", | |
"content": "A. Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR \u00a7164.520, to the extent that such limitation may affect Business Associate\u2019s use or disclosure of PHI.", | |
"outline": "", | |
"path": "000:014:000:000", | |
"parentPath": "000:014:000", | |
"parentName": "Introduction to Covered Entity's Obligations on Use and Disclosure of Protected Health Information", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Notification of Changes or Revocation of Permission to Use or Disclose PHI", | |
"content": "B. Notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate\u2019s use or disclosure of PHI.", | |
"outline": "", | |
"path": "000:014:000:001", | |
"parentPath": "000:014:000", | |
"parentName": "Introduction to Covered Entity's Obligations on Use and Disclosure of Protected Health Information", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Notification of Agreed Restrictions on PHI Use or Disclosure per 45 CFR \u00a7164.522", | |
"content": "C. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR \u00a7164.522, to the extent that such restriction may affect Business Associate\u2019s use or disclosure of PHI.", | |
"outline": "", | |
"path": "000:014:000:002", | |
"parentPath": "000:014:000", | |
"parentName": "Introduction to Covered Entity's Obligations on Use and Disclosure of Protected Health Information", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 2, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Prohibition on Impermissible Requests for PHI Use or Disclosure by Business Associate", | |
"content": "D. Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.", | |
"outline": "", | |
"path": "000:014:000:003", | |
"parentPath": "000:014:000", | |
"parentName": "Introduction to Covered Entity's Obligations on Use and Disclosure of Protected Health Information", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 3, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "14. Data Ownership.", | |
"name": "", | |
"content": "", | |
"outline": "14. Data Ownership.\n Data Stewardship and Ownership Rights of Business Associate.", | |
"path": "000:015", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 15, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Data Stewardship and Ownership Rights of Business Associate", | |
"content": "Business Associate\u2019s data stewardship does not confer data ownership rights on Business Associate with respect to any data shared with it under the Agreement, including any and all forms thereof.", | |
"outline": "", | |
"path": "000:015:000", | |
"parentPath": "000:015", | |
"parentName": "14. Data Ownership.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "15. Term and Termination.", | |
"name": "", | |
"content": "", | |
"outline": "15. Term and Termination.\n A. Effective Date and Duration of BAA.\n B. Immediate Termination Rights for Material Breach by Business Associate.\n C. Business Associate's Right to Notify and Cure Period for Covered Entity's Breach.\n Grounds for Immediate Termination and Potential Breach Reporting to HHS.\n D. Return or Destruction of PHI Upon Termination of Agreement.\n Notification of Infeasibility of PHI Return or Destruction.\n Mutual Agreement on Infeasibility of Return or Destruction of PHI and Extended Protections.\n Survival of Section 14.D. Post-Termination.", | |
"path": "000:016", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 16, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Effective Date and Duration of BAA", | |
"content": "A. This BAA will become effective on the date first written above, and will continue in effect until all obligations of the Parties have been met under the Agreement and under this BAA.", | |
"outline": "", | |
"path": "000:016:000", | |
"parentPath": "000:016", | |
"parentName": "15. Term and Termination.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Immediate Termination Rights for Material Breach by Business Associate", | |
"content": "B. Covered Entity may terminate immediately this BAA, the Agreement, and any other related agreements if Covered Entity makes a determination that Business Associate has breached a material term of this BAA and Business Associate has failed to cure that material breach, to Covered Entity\u2019s reasonable satisfaction, within 30 days after written notice from Covered Entity. Covered Entity may report the problem to the Secretary of HHS if termination is not feasible.", | |
"outline": "", | |
"path": "000:016:001", | |
"parentPath": "000:016", | |
"parentName": "15. Term and Termination.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Business Associate's Right to Notify and Cure Period for Covered Entity's Breach", | |
"content": "C. If Business Associate determines that Covered Entity has breached a material term of this BAA, then Business Associate will provide Covered Entity with written notice of the existence of the breach and shall provide Covered Entity with 30 days to cure the breach.", | |
"outline": "C. Business Associate's Right to Notify and Cure Period for Covered Entity's Breach.\n Grounds for Immediate Termination and Potential Breach Reporting to HHS.", | |
"path": "000:016:002", | |
"parentPath": "000:016", | |
"parentName": "15. Term and Termination.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 2, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Grounds for Immediate Termination and Potential Breach Reporting to HHS", | |
"content": "Covered Entity\u2019s failure to cure the breach within the 30-day period will be grounds for immediate termination of the Agreement and this BAA by Business Associate. Business Associate may report the breach to HHS.", | |
"outline": "", | |
"path": "000:016:002:000", | |
"parentPath": "000:016:002", | |
"parentName": "Business Associate's Right to Notify and Cure Period for Covered Entity's Breach", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Return or Destruction of PHI Upon Termination of Agreement", | |
"content": "D. Upon termination of the Agreement or this BAA for any reason, all PHI maintained by Business Associate will be returned to Covered Entity or destroyed by Business Associate. Business Associate will not retain any copies of such information. This provision will apply to PHI in the possession of Business Associate\u2019s agents and subcontractors.", | |
"outline": "D. Return or Destruction of PHI Upon Termination of Agreement.\n Notification of Infeasibility of PHI Return or Destruction.\n Mutual Agreement on Infeasibility of Return or Destruction of PHI and Extended Protections.\n Survival of Section 14.D. Post-Termination.", | |
"path": "000:016:003", | |
"parentPath": "000:016", | |
"parentName": "15. Term and Termination.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 3, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Notification of Infeasibility of PHI Return or Destruction", | |
"content": "If return or destruction of the PHI is not feasible, in Business Associate\u2019s reasonable judgment, Business Associate will furnish Covered Entity with notification, in writing, of the conditions that make return or destruction infeasible.", | |
"outline": "", | |
"path": "000:016:003:000", | |
"parentPath": "000:016:003", | |
"parentName": "Return or Destruction of PHI Upon Termination of Agreement", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Mutual Agreement on Infeasibility of Return or Destruction of PHI and Extended Protections", | |
"content": "Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Business Associate will extend the protections of this BAA to such information for as long as Business Associate retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible.", | |
"outline": "", | |
"path": "000:016:003:001", | |
"parentPath": "000:016:003", | |
"parentName": "Return or Destruction of PHI Upon Termination of Agreement", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Survival of Section 14.D. Post-Termination", | |
"content": "The Parties understand that this Section 14.D. will survive any termination of this BAA.", | |
"outline": "", | |
"path": "000:016:003:002", | |
"parentPath": "000:016:003", | |
"parentName": "Return or Destruction of PHI Upon Termination of Agreement", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 2, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "16. Effect of BAA.", | |
"name": "", | |
"content": "", | |
"outline": "16. Effect of BAA.\n A. BAA Supremacy Clause in Case of Conflict with Agreement.\n B. Third-Party Rights Limitation in BAA.", | |
"path": "000:017", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 17, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "BAA Supremacy Clause in Case of Conflict with Agreement", | |
"content": "A. This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any term of the Agreement, the terms of this BAA will govern.", | |
"outline": "", | |
"path": "000:017:000", | |
"parentPath": "000:017", | |
"parentName": "16. Effect of BAA.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Third-Party Rights Limitation in BAA", | |
"content": "B. Except as expressly stated in this BAA or as provided by law, this BAA will not create any rights in favor of any third party.", | |
"outline": "", | |
"path": "000:017:001", | |
"parentPath": "000:017", | |
"parentName": "16. Effect of BAA.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "17. Regulatory References.", | |
"name": "", | |
"content": "", | |
"outline": "17. Regulatory References.\n Reference to HIPAA Sections as Currently Effective or Amended.", | |
"path": "000:018", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 18, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Reference to HIPAA Sections as Currently Effective or Amended", | |
"content": "A reference in this BAA to a section in HIPAA means the section as in effect or as amended at the time.", | |
"outline": "", | |
"path": "000:018:000", | |
"parentPath": "000:018", | |
"parentName": "17. Regulatory References.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "18. Notices.", | |
"name": "", | |
"content": "", | |
"outline": "18. Notices.\n Notice and Communication Methods and Addresses :\n A. Contact Information for Covered Entity :\n B. Business Associate Contact Information :", | |
"path": "000:019", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 19, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Notice and Communication Methods and Addresses", | |
"content": "All notices, requests and demands or other communications to be given under this BAA to a Party will be made via either first class mail, registered or certified or express courier, or electronic mail to the Party\u2019s address given below:", | |
"outline": "Notice and Communication Methods and Addresses :\n A. Contact Information for Covered Entity :\n B. Business Associate Contact Information :", | |
"path": "000:019:000", | |
"parentPath": "000:019", | |
"parentName": "18. Notices.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "A. Contact Information for Covered Entity", | |
"content": "A. If to Covered Entity, to:\nAttn: John M. Rogers, Chief Compliance Officer\nT: (213) 555-1234\nE: john.rogers@healthfirst.com", | |
"outline": "", | |
"path": "000:019:000:000", | |
"parentPath": "000:019:000", | |
"parentName": "Notice and Communication Methods and Addresses", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Business Associate Contact Information", | |
"content": "B. If to Business Associate, to:\nAttn: Sarah J. Miller, Director of Operations\nT: (302) 555-6789\nE: sarah.miller@medsecure.com", | |
"outline": "", | |
"path": "000:019:000:001", | |
"parentPath": "000:019:000", | |
"parentName": "Notice and Communication Methods and Addresses", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "19. Amendments and Waiver.", | |
"name": "", | |
"content": "", | |
"outline": "19. Amendments and Waiver.\n Modification and Waiver Requirements.\n Non-Continuing Waiver Clause for Subsequent Events.", | |
"path": "000:020", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 20, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Modification and Waiver Requirements", | |
"content": "This BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties.", | |
"outline": "Modification and Waiver Requirements.\n Non-Continuing Waiver Clause for Subsequent Events.", | |
"path": "000:020:000", | |
"parentPath": "000:020", | |
"parentName": "19. Amendments and Waiver.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Non-Continuing Waiver Clause for Subsequent Events", | |
"content": "A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.", | |
"outline": "", | |
"path": "000:020:000:000", | |
"parentPath": "000:020:000", | |
"parentName": "Modification and Waiver Requirements", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "20. HITECH Act Compliance.", | |
"name": "", | |
"content": "", | |
"outline": "20. HITECH Act Compliance.\n Acknowledgment of Significant Changes to Privacy and Security Rules Under HITECH Act.\n Changes to Business Associate Requirements and Agreements Under HITECH Act.\n Compliance with HITECH Act and HHS Regulations.\n Good Faith Negotiation and Termination Rights for HITECH Act Compliance Modifications.\n Execution of Agreement Based on Mutual Understanding and Agreement.\n Execution Signature of John M. Rogers, Chief Compliance Officer, HealthFirst Medical Services, Inc ...\n Signature Line for Sarah J. Miller, Director of Operations, MedSecure Solutions LLC ...", | |
"path": "000:021", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 21, | |
"type": "container" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Acknowledgment of Significant Changes to Privacy and Security Rules Under HITECH Act", | |
"content": "The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule.", | |
"outline": "", | |
"path": "000:021:000", | |
"parentPath": "000:021", | |
"parentName": "20. HITECH Act Compliance.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Changes to Business Associate Requirements and Agreements Under HITECH Act", | |
"content": "The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance.", | |
"outline": "", | |
"path": "000:021:001", | |
"parentPath": "000:021", | |
"parentName": "20. HITECH Act Compliance.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Compliance with HITECH Act and HHS Regulations", | |
"content": "Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act.", | |
"outline": "", | |
"path": "000:021:002", | |
"parentPath": "000:021", | |
"parentName": "20. HITECH Act Compliance.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 2, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Good Faith Negotiation and Termination Rights for HITECH Act Compliance Modifications", | |
"content": "The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach agreement on such a modification, either Party will have the right to terminate this BAA upon 30-days\u2019 prior written notice to the other Party.", | |
"outline": "", | |
"path": "000:021:003", | |
"parentPath": "000:021", | |
"parentName": "20. HITECH Act Compliance.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 3, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Execution of Agreement Based on Mutual Understanding and Agreement", | |
"content": "In light of the mutual agreement and understanding described above, the Parties execute this BAA as of the date first written above.", | |
"outline": "", | |
"path": "000:021:004", | |
"parentPath": "000:021", | |
"parentName": "20. HITECH Act Compliance.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 4, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Execution Signature of John M. Rogers, Chief Compliance Officer, HealthFirst Medical Services, Inc.", | |
"content": "By: ...\nName: John M. Rogers\nTitle: Chief Compliance Officer, HealthFirst Medical Services, Inc.", | |
"outline": "", | |
"path": "000:021:005", | |
"parentPath": "000:021", | |
"parentName": "20. HITECH Act Compliance.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 5, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "Signature Line for Sarah J. Miller, Director of Operations, MedSecure Solutions LLC", | |
"content": "By: ...\nName: Sarah J. Miller\nTitle: Director of Operations, MedSecure Solutions LLC", | |
"outline": "", | |
"path": "000:021:006", | |
"parentPath": "000:021", | |
"parentName": "20. HITECH Act Compliance.", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 6, | |
"type": "body" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "", | |
"content": "", | |
"outline": "", | |
"path": "000:022", | |
"parentPath": "000", | |
"parentName": "MODEL BUSINESS ASSOCIATE AGREEMENT", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 22, | |
"type": "other" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "", | |
"content": "Page 2 of 9", | |
"outline": "", | |
"path": "000:022:000", | |
"parentPath": "000:022", | |
"parentName": "", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 0, | |
"type": "other" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "", | |
"content": "Page 3 of 9", | |
"outline": "", | |
"path": "000:022:001", | |
"parentPath": "000:022", | |
"parentName": "", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 1, | |
"type": "other" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "", | |
"content": "Page 4 of 9", | |
"outline": "", | |
"path": "000:022:002", | |
"parentPath": "000:022", | |
"parentName": "", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 2, | |
"type": "other" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "", | |
"content": "designated by Covered Entity to enable Covered Entity to respond to an Individual\u2019s request for access to PHI under 45 CFR \u00a7164.524.", | |
"outline": "", | |
"path": "000:022:003", | |
"parentPath": "000:022", | |
"parentName": "", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 3, | |
"type": "other" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "", | |
"content": "Page 6 of 9", | |
"outline": "", | |
"path": "000:022:004", | |
"parentPath": "000:022", | |
"parentName": "", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 4, | |
"type": "other" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "", | |
"content": "Page 7 of 9", | |
"outline": "", | |
"path": "000:022:005", | |
"parentPath": "000:022", | |
"parentName": "", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 5, | |
"type": "other" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "", | |
"content": "Page 8 of 9", | |
"outline": "", | |
"path": "000:022:006", | |
"parentPath": "000:022", | |
"parentName": "", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 6, | |
"type": "other" | |
} | |
}, | |
{ | |
"class": "Element", | |
"properties": { | |
"title": "", | |
"name": "", | |
"content": "Page 9 of 9", | |
"outline": "", | |
"path": "000:022:007", | |
"parentPath": "000:022", | |
"parentName": "", | |
"document": "12345678-1234-1234-1234-123456789012", | |
"order": 7, | |
"type": "other" | |
} | |
} | |
] |
See more examples here: SIMANTIKS API Examples