HITECH Omnibus Business Associate Agreement DU Hybrid CE ra FINAL


BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (the "Agreement") by and between Drexel University ("Hybrid Entity"), with a principal address at 3141 Chestnut Street, Philadelphia, PA 19104, and ("Business Associate"), with a principal address at, is made as of the day of, 20.

BACKGROUND

A. Hybrid Entity has components that are Covered Entities.

B. Business Associate provides (the "Services") to or on behalf of Hybrid Entity. In the course of furnishing the Services, Business Associate, from time to time, creates, receives, maintains or transmits Protected Health Information ("PHI"), as such term is subsequently defined herein;

C. The HIPAA Regulations, as defined herein, require Hybrid Entity to obtain certain satisfactory assurances from Business Associate and to ensure that Business Associate will appropriately safeguard PHI and use, and, if necessary, disclose PHI only as necessary to provide the Services for Hybrid Entity, consistent with its engagement by Hybrid Entity, applicable law, and ethical principles; and

D. Business Associate must comply with certain of the HIPAA Regulations and may use and disclose PHI only in compliance with the terms of this Agreement.

NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein, the worth and sufficiency of which as legal consideration are hereby acknowledged, the parties hereto, intending to be legally bound hereby, agree as follows:

1. Definitions.

a. For the purposes of this Agreement, all capitalized terms not defined herein shall have the meanings given them in the HIPAA Regulations, as amended from time to time.

b. Breach shall mean the same as it means at 45 C.F.R. 164.402.

c. Electronic Protected Health Information ("EPHI") shall mean the same as it means at 45 C.F.R. 160.103.

d. HIPAA Regulations shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.

e. Information System shall mean the same as it means at 45 C.F.R. 164.304.

f. Protected Health Information ("PHI") shall mean the same as it means at 45 C.F.R. 160.103.

g. Security Incident shall mean the same as it means at 45 C.F.R. 164.304.

h. Subcontractor shall mean the same as it means at 45 C.F.R. 160.103.

2. Term and Termination.

a. The Term of this Agreement shall be effective as of the date first set forth above and shall terminate when the agreement for Services between Hybrid Entity and Business Associate terminates or Business Associate ceases to perform Services for Hybrid Entity.

b. Upon Hybrid Entity's knowledge of a material breach of this Agreement by Business Associate, Hybrid Entity may either:

   1. Provide a fifteen (15) day opportunity for Business Associate to cure the breach or end the violation and, if Business Associate does not cure the breach or end the violation within the fifteen (15) day period, Hybrid Entity may terminate this Agreement and the agreement for Services between Hybrid Entity and Business Associate;

   2. If Business Associate has breached a material term of this Agreement and cure is not, in Hybrid Entity's reasonable determination, possible, Hybrid Entity may immediately terminate this Agreement and the agreement between Hybrid Entity and Business Associate pursuant to which Business Associate provides the Services to Hybrid Entity.

c. Except as provided in paragraph 2.c.1 of this Section, upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Hybrid Entity, or created, received, or maintained by Business Associate on behalf of Hybrid Entity. This provision shall also apply to PHI that is in the possession of Subcontractors of Business Associate. Neither Business Associate nor any Subcontractor of Business Associate shall retain copies of the PHI.

   1. If Business Associate reasonably determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Hybrid Entity notification of the conditions that make return or destruction infeasible. Upon Hybrid Entity's written consent, which shall not be unreasonably withheld, that return or destruction of PHI is infeasible, Business Associate may retain the PHI that is not feasible to return, for so long as it remains infeasible to return such PHI. In such event, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

   2. The provisions of this Section 2.c shall survive termination of this Agreement.

3. Obligations of Business Associate.

a. Business Associate shall not use or disclose PHI other than for the purposes of providing Services for or on behalf of Hybrid Entity or as required by law.

b. Business Associate shall implement and use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.

c. Business Associate shall, with respect to EPHI that it creates, receives, maintains, or transmits on behalf of Hybrid Entity, comply with Subpart C (Security Rule) of 45 C.F.R. Part 164 in performing Business Associate's obligations under this Agreement.

d. Business Associate shall secure PHI to make it unusable, unreadable, or indecipherable to unauthorized Individuals through the use of a technology or methodology specified by the Secretary in its annual guidance issued under Section 13402(h) of the HITECH Act, codified at 42 U.S.C. 17932(h).

e. Business Associate shall only request, use and disclose the minimum amount of PHI necessary to reasonably accomplish the purpose of the request, use or disclosure in accordance with 45 C.F.R. 164.502(b).

f. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.

g. Business Associate shall promptly, and not later than within three (3) business days, report to Hybrid Entity any use or disclosure of PHI not provided for by this Agreement of which it becomes aware, including, but not limited to, any Security Incident and any unauthorized acquisition, access, use, or disclosure of PHI.

h. Business Associate shall, following the discovery of a Breach of PHI, notify Hybrid Entity of such Breach.

   1. Business Associate shall provide notice of the Breach no later than three (3) business days after the discovery of the Breach. A Breach shall be treated as discovered as of the first day on which the Breach is known to the Business Associate or, should reasonably have been known to the Business Associate. Business Associate shall be deemed to have knowledge of a Breach if the Breach is known, or should reasonably have been known, to any person, other than the person committing the Breach, who is an employee, officer, or other agent of Business Associate.

   2. The notice shall include, to the extent possible, the identification of each Individual whose PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during such Breach.

i. Business Associate shall, following notification to Hybrid Entity of a Breach of PHI, cooperate with the Hybrid Entity in providing any and all information required for Hybrid Entity to comply with the breach notification provisions of Section 13402 of the HITECH Act and the implementing regulations set forth as Breach Notification Rule (45 C.F.R. 164.400 et seq.) and any other applicable breach notification laws and regulations.

j. To the extent Business Associate possesses PHI in a Designated Record Set, at the request of Hybrid Entity, Business Associate shall provide prompt access to such PHI to Hybrid Entity or, as directed by Hybrid Entity, to an Individual, in order to meet the Individual's right of access requirements under HIPAA.

k. Business Associate shall enter into legally binding agreements with each of its Subcontractors to ensure that any Subcontractor to whom Business Associate provides PHI transmitted or maintained for, received from, or created or received by, Business Associate on behalf of Hybrid Entity, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

l. To the extent Business Associate possesses PHI in a Designated Record Set, Business Associate shall make any amendment to such PHI that Hybrid Entity directs, or to which Hybrid Entity agrees, pursuant to an Individual's right to request amendment to his or her PHI under HIPAA.

m. For purposes of the Secretary determining Hybrid Entity's compliance with the HIPAA Regulations, Business Associate shall make available to the Secretary, in a time and manner designated by the Secretary, its internal practices, books, and records (including policies and procedures), relating to the use and disclosure of PHI transmitted or maintained for, received from, Hybrid Entity or created or received by, Business Associate on behalf of Hybrid Entity.

n. Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Hybrid Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the Individual's right to receive such accounting under HIPAA.

o. Business Associate shall provide to Hybrid Entity or an Individual, information collected in accordance with Section 3.n of this Agreement, to permit Hybrid Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with the Individual's right to receive such accounting under HIPAA.

p. To the extent that Business Associate is to carry out one or more of Hybrid Entity's obligation(s) under Subpart E of 45 C.F.R. Part 164 (the Privacy Rule), Business Associate shall comply with the requirements of Subpart E that apply to the Hybrid Entity in the performance of such obligation(s).

4. Notice.

Whenever, under the terms of this Agreement, written notice is required or permitted to be given by one party to the other party, such notice shall be deemed to have been sufficiently given if when delivered (personally, by carrier service such as Federal Express, or by other messenger) or upon actual receipt of registered or certified mail, postage prepaid, return receipt requested, addressed to the last known address of the intended recipient. Notice under this Agreement shall be provided to the following for Hybrid Entity:

Robert Asante, MBA, CISSP, CISA, HCISPP
Executive Director Interim Chief Privacy Officer
Drexel University
Bellet Building
1505 Race Street, 13th Floor
Mail Stop 666
Philadelphia, Pa. 19102
267-359-5799 (voice)
267-359-5500 (fax)
Robert.Asante@Drexel.edu

5. Indemnification.

The Parties ("Indemnifying Party") shall indemnify, hold harmless and defend each other and each other's respective employees, other members of its workforce, directors, trustees, officers, subcontractors or agents ("Indemnified Party") from and against any and all claims, losses, liabilities, costs, penalties, fines and other expenses resulting from, or relating to, the acts or omissions of Indemnifying Party or its respective employees, other members of its workforce, directors, trustees, officers, subcontractors or agents, in connection with the duties and obligations under this Agreement, including, without limitation, any expenses Hybrid Entity as Indemnified Party incurs in notifying Individuals of a Breach caused by Business Associate as Indemnifying Party. Section 5 shall survive termination of the Agreement.

6. Miscellaneous.

a. This Agreement sets forth the entire understanding and agreement between the parties relating to the use and disclosure of PHI and shall be binding upon the parties and their respective successors, heirs and assigns. For clarification and not limitation, this Agreement shall not be incorporated into, or limited by, any other agreement. All prior negotiations, agreements, and understandings regarding the use and disclosure of PHI, including without limitation prior Business Associate Agreements, are superseded hereby.

b. This Agreement may not be amended or revised except with the written consent of the parties. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Hybrid Entity and Business Associate to comply with the requirements of HIPAA, including without limitation implementing regulations under amendments to HIPAA.

c. This Agreement shall be automatically assigned to and assumed by any legal successor or affiliate of the assignor who or which assumes responsibility for assignor's obligations under any agreement between the parties concerning the services provided by Business Associate for or on behalf of Hybrid Entity.

d. This Agreement shall be construed and enforced pursuant to the laws of the Commonwealth of Pennsylvania.

e. The invalidity or unenforceability of any particular provision or part thereof of this Agreement shall not affect the remainder of this Agreement, and this Agreement shall be construed in all respects as if such invalid or unenforceable provision or part thereof had been omitted.

f. This Agreement shall not create nor be deemed to create any relationship between Hybrid Entity and Business Associate other than that of independent contractors contracting with each other solely for the purpose of performing the agreement pursuant to which Business Associate provides the Services to Hybrid Entity.

g. Any failure or delay by either party in exercising any right under this Agreement shall not operate as a waiver of such party's rights, nor shall any single or partial exercise of any right serve to preclude a subsequent exercise of such right.

h. Any ambiguity in this Agreement shall be resolved to permit Hybrid Entity and Business Associate to comply with the HIPAA Regulations, as amended from time to time.

i. This Agreement may be executed in one or more counterparts and each of such counterparts shall, for all purposes, be deemed to be an original, but all of such counterparts shall constitute one and the same instrument. In addition, for purposes of executing this Agreement, a document signed and transmitted by facsimile transmission or as an attachment (in fixed medium, such as, without limitation, Portable Document Format [pdf]) to electronic mail shall be treated as an original document. The signature of any party on such document shall be considered as an original signature, and the document transmitted shall have the same binding effect as an original signature on an original document. At the request of any party, any facsimile document or document sent as an attachment to electronic mail shall be re-executed in original form by the party who executed the facsimile or electronic mail document. No party may raise the use of a facsimile machine or electronic mail attachment as a defense to the enforcement of this Agreement.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date first set forth above.

HYBRID ENTITY
Drexel University
By:
Robert Asante, MBA, CISSP, CISA, HCISPP
Executive Director Interim Chief Privacy Officer
Date:

BUSINESS ASSOCIATE
By:
Authorized Officer
Name:
Print Name
Title:
Date: