LAW FIRM BUSINESS ASSOCIATE TERMS AND CONDITIONS

Law Firm:
Client:
Law Firm Engagement:

North Carolina Society of Healthcare Attorneys

Law Firm and Client desire that Client achieve compliance with the Health Insurance Portability and Accountability Act of 1996 with respect to Client's engagement of Law Firm and disclosure of "protected health information" to Law Firm, as more fully described below. Client is or may be a "Covered Entity" within the meaning of the HIPAA "Privacy Rule," or the Standards for the Privacy of Individually Identifiable Health Information, which is codified at 45 C.F.R. Parts 160 and 164. To the extent that Client is a Covered Entity and discloses protected health information to Law Firm in connection with the legal services provided to Client, Law Firm is or may be a business associate of Client under the Privacy Rule.

Law Firm and Client agree to the following terms and conditions ("Terms and Conditions"). The Terms and Conditions are intended to comply with the requirements for business associate agreements under the HIPAA Privacy Rule, and are to be construed to achieve compliance with those requirements. References in brackets, for example, "[45 C.F.R. 164.504(e)(1)]," are references to the specific Privacy Rule provision that the specific provision below is intended to address (the text of these Privacy Rule provisions is attached hereto as Exhibit B to these Terms and Conditions). As used in these Terms and Conditions, "this Agreement" means the agreement(s) between Law Firm and Client regarding the Law Firm Engagement described above.

1. As used in this Agreement, "Protected Health Information" or "PHI" means, subject to the definition provided at 45 C.F.R. 164.501, individually identifiable health information that Law Firm receives from Client or that it creates or receives on behalf of Client for the purposes of performing the services under this Agreement as described in Exhibit A attached hereto and incorporated herein by reference, except that Law Firm may use and disclose PHI for the proper management and administration of Law Firm or to carry out the legal responsibilities of Law Firm consistent with the provisions of 45 C.F.R. 164.504(e)(4)(i) and (ii). [45 C.F.R. 164.504(e)(2)(i)]

2. Law Firm will not use or further disclose PHI other than as permitted or required by this Agreement or as required by law. [45 C.F.R. 164.504(e)(2)(ii)(A)]

3. Law Firm will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by this Agreement. [45 C.F.R. 164.504(e)(2)(ii)(B)]

4. Law Firm will report to Client any use or disclosure of PHI not provided for by this Agreement of which it becomes aware. [45 C.F.R. 164.504(e)(2)(ii)(C)]

5. Law Firm will ensure that any agent of Law Firm, including a subcontractor of Law Firm, to whom it provides PHI received from or created or received by Law Firm on behalf of Client, agrees to the same restrictions and conditions that apply to Law Firm with respect to such information. [45 C.F.R. 164.504(e)(2)(ii)(D)]

6. Law Firm will make available PHI to the extent required under 45 C.F.R. 164.524, which describes the requirements applicable to an individual's request for access to the PHI relating to the individual. To the extent permitted by the Privacy Rule, the obligations of Law Firm in this Paragraph apply only to "designated record sets" in Law Firm's possession or control as such term is defined at 45 C.F.R. 164.501. [45 C.F.R. 164.504(e)(2)(ii)(E)]

7. Law Firm will make available PHI to the extent required for amendment and incorporate any amendments to PHI in accordance with 45 C.F.R. 164.526, which describes the requirements applicable to an individual's request for an amendment to the PHI relating to the individual. To the extent permitted by the Privacy Rule, the obligations of Law Firm in this Paragraph apply only to "designated record sets" in Law Firm's possession or control as such term is defined at 45 C.F.R. 164.501. [45 C.F.R. 164.504(e)(2)(ii)(F)]

8. Law Firm will make available PHI to the extent required to provide an accounting of disclosures in accordance with 45 C.F.R. 164.528, which describes the requirements applicable to an individual's request for an accounting of disclosures of PHI relating to the individual. [45 C.F.R. 164.504(e)(2)(ii)(G)]

9. If Law Firm receives a request, made on behalf of the Secretary of the Department of Health and Human Services, that Law Firm make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for purposes of determining Client's compliance with the HIPAA Privacy Rule, then Law Firm will promptly notify Client that Law Firm has received such a request. Upon Law Firm's receipt of a written Directive to do so from Client in the form attached as Exhibit C, Law Firm will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for purposes of determining Client's compliance with the HIPAA Privacy Rule [note 1] [45 C.F.R. 164.504(e)(2)(ii)(H)], provided, however, that this provision shall not apply in the event a court of competent jurisdiction determines, in response to a challenge raised by Client, that the Privacy Rule provision requiring the inclusion of this provision in the Terms and Conditions is unenforceable, invalid, or otherwise inapplicable to: (i) the relationship between Law Firm and Client; or (ii) the action that the Secretary may request of Law Firm or Client regarding Law Firm's internal practices, books, and records relating to the use and disclosure of PHI; provided further that this Agreement shall not be construed to require Law Firm to engage in any conduct which would be deemed unprofessional conduct under the laws or ethical requirements applicable to lawyers in any State in which Law Firm's lawyers working on the Engagement are licensed to practice. Law Firm disclaims, and Client accepts such disclaimer, that Law Firm is not providing and has not provided legal advice to Client as to whether this Paragraph satisfies Client's obligations under the Privacy Rule provisions at 45 C.F.R. 164.504(e)(2)(ii)(H). Law Firm may delay complying with a request of the Secretary as to this provision while Law Firm makes reasonable efforts to ascertain its applicable professional responsibilities with respect to this Paragraph. Client hereby waives any applicable attorney-client or other privilege in which Client has an interest with respect to Law Firm's performance of the obligations required under this Paragraph. [note 2]

10. Upon termination of this Agreement, if feasible, Law Firm will return or destroy all PHI received from Client or created or received by Law Firm on behalf of Client that Law Firm still maintains in any form and retain no copies of such information, or, if such return or destruction is not feasible, Law Firm will extend the protections of this Agreement to the information retained and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. [45 C.F.R. 164.504(e)(2)(ii)(I)] [note 3]

11. Client may terminate this Agreement if Client determines that Law Firm has violated a material term of this Agreement. [45 C.F.R. 164.504(e)(2)(iii)]

12. These Terms and Conditions are intended for the sole benefit of Law Firm and Client and do not create any third party beneficiary rights, except to the extent that the Privacy Rule validly requires the Secretary of the Department of Health and Human Services or any other person to be a third party beneficiary to this Agreement.

13. These Terms and Conditions cannot be amended except by the mutual written agreement of Law Firm and Client.

14. Client will not disclose PHI to Law Firm except to the extent permitted under the Privacy Rule. Law Firm does not undertake in these Terms and Conditions to provide legal advice to Client regarding whether the Privacy Rule permits any particular disclosure of PHI to Law Firm. Any such undertaking by Law Firm must be acknowledged by Law Firm and will be addressed separately from these Terms and Conditions. Although Law Firm may discuss with Client various requirements of the HIPAA Privacy Rule, Law Firm is not providing any legal advice to Client in these Terms and Conditions, including whether these Terms and Conditions meet all requirements under HIPAA.

15. In the event that any provision of the Terms and Conditions is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. In addition, in the event a party (Law Firm or Client) believes in good faith that any provision of the Terms and Conditions fails to comply with the then-current requirements of the HIPAA Privacy Rule, such party shall so notify the other party in writing. For a period of up to thirty days, the parties shall address such concern in good faith and shall amend the terms of this Agreement, if necessary, to bring it into compliance. If after such thirty day period these Terms and Conditions fail to comply with the HIPAA Privacy Rule with respect to the concern(s) raised pursuant to this Paragraph, then either party has the right to terminate this Agreement upon written notice to the other party.

16. [It may be advisable to address other issues, including any State law issues. Also, it may be advisable to consider prospective-looking provisions regarding engagements that may extend through the compliance deadline under the HIPAA "Security Rule;" see generally the Notice of Proposed Rule-Making, 63 Fed. Reg. 43242 (8/12/98).]
EXHIBIT A
Permitted Uses and Disclosure of Protected Health Information by Law Firm

Law Firm may use and disclose Protected Health Information only for purposes of providing services to Client. Such permitted uses and disclosures include the following: [note 4]

EXHIBIT B
Text of Cited Privacy Rule Provisions

[to be inserted]

EXHIBIT C
Directive

In response to a request from the Secretary of the Department of Health and Human Services that [Law Firm] make available to the Secretary [Law Firm's] internal practices, books, and records relating to protected health information that [Law Firm] receives from [Client] or that it creates or receives on behalf of [Client], a copy of such request being attached to this Directive, [Client] hereby directs [Law Firm] to comply with the Secretary's request.

[CLIENT]

By:
Title:
Date:
Footnotes

1. The HIPAA Privacy Rule does not expressly contemplate that Client may reserve to itself this "trigger" or condition to Law Firm's obligation to make this information available to the Secretary. Since Client and not Law Firm controls the condition, it would arguably seem that the requirement of the HIPAA Privacy Rule is met, but the issue is noted for Counsel's consideration.

2. [State Bar issue: valid prospective waiver?]

3. [Address professional responsibility issues.]

4. [Describe here the permitted uses and disclosures of PHI that may be made by Law Firm in connection with the engagement. Review the following statement in the Preamble to the Privacy Rule for direction regarding the degree of specificity that the Privacy Rule requires in describing permitted uses and disclosures:

"We retain the requirement that the business associate contract must provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law. We do not mean by this requirement that the business associate contract must specify each and every use and disclosure of protected health information permitted to the business associate. Rather, the contract must state the purposes for which the business associate may use and disclose protected health information, and must indicate generally the reasons and types of person to whom the business associate may make further disclosures. For example, attorneys often need to provide information to potential witnesses, opposing counsel, and others in the course of their representation of a client. The business associate contract pursuant to which protected health information is provided to its attorney may include a general statement permitting the attorney to disclose protected health information to these types of people, within the scope of its representation of the covered entity." 65 Fed. Reg. 82505.]

[Another issue: In a medical malpractice case, can Law Firm look at PHI in Case A to evaluate issues in Case B (e.g., to compare expert testimony in similar cases), and provide advice back to Client in Case A? Consider whether Law Firm needs permission to provide data aggregation services, or whether Law Firm needs to get permission to de-identify all PHI, so that the cross-file review will not involve PHI (if that can be practically done).]
1. Health care clearinghouse means a public or private entity that does either of the following (entities, including but not limited to, billing services, repricing companies, community health management information systems or community health information systems, and value-added networks and switches are health care clearinghouses for purposes of this subchapter if they perform these functions):

a) Processes or facilitates the processing of information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or

b) Receives a standard transaction from another entity and processes or facilitates the processing of information into nonstandard format or nonstandard data content for a receiving entity.