BUSINESS ASSOCIATE ADDENDUM

This Business Associate Addendum (“Addendum”) sets forth the obligations of ______ (“Business Associate”) regarding its use of individually identifiable health information (“Protected Health Information”) in connection with the services it provides to The University of Toledo (the “University”). All terms used but not otherwise defined will have the same meaning as set forth in the privacy and security rules found at 45 C.F.R. Parts 160 and 164.

1. Use of Protected Health Information. Business Associate is permitted to use Protected Health Information as necessary to enable it to perform the services specified under its [insert exact title of agreement] ______ effective as of ______ (the “Agreement”) between Business Associate and the University. These uses are set forth in the Agreement. Business Associate will not use Protected Health Information for any purpose except those expressly permitted by the Agreement or this Addendum or required by law. Any use or disclosure other than as permitted herein or otherwise required by law will be considered an “Unauthorized Use or Disclosure”. All uses and disclosures of Protected Health Information will comply with the minimum necessary requirement as defined under the privacy rule.

2. Disclosure of Protected Health Information. Business Associate will not disclose Protected Health Information in any manner that would constitute a violation of the privacy rule or law if disclosed by the University. Use of Protected Health Information by the Business Associate to perform its internal business functions or its duties under the Agreement is expressly permitted. Business Associate will not disclose or use Protected Health Information, or any information received from the University without the written consent of the University even if de-identified, to any third party unless it enters a written agreement with the third party to abide by this Addendum as if such third party were the Business Associate hereunder and requires such third party to notify Business Associate of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached. If such third party receives or transmits electronic Protected Health Information on behalf of the University, such third party will implement the same measures required by this Addendum.

Business Associate will not disclose Protected Health Information to a health plan for payment or health care operations purposes if the patient has requested this special restriction and has paid out of pocket in full for the health care item or service to which the Protected Health Information relates. Business Associate will not receive any remuneration, direct or indirect, in exchange for Protected Health Information, except with prior written consent of the University and as permitted under applicable law. Nothing in this provision will be construed to prohibit payment to the Business Associate by the University for services provided pursuant to the Agreement. Business Associate will not use or disclose Protected Health Information for fundraising or marketing purposes.

3. Appropriate Safeguards. Business Associate will adopt reasonable safeguards to prevent any unauthorized use or disclosure of Protected Health Information. Business Associate will notify all employees of their obligations regarding Protected Health Information, and ensure that all employees adhere to the terms of this Addendum. Business Associate agrees to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Protected Health Information it creates, receives, transmits, or maintains on behalf of the University, to include, but not be limited to those safeguards as set forth in Exhibit 1 attached. Business Associate will develop policies and procedures and implement the requirements of the privacy and security rules as applicable to Business Associate.

4. Accounting. Business Associate will maintain an accounting of all disclosures of Protected Health Information to the extent required by the privacy and security regulations and law. A summary of these requirements is set forth in Exhibit 2. Such accounting will include, at a minimum, the date of disclosure, a description of the information disclosed, the identity and address of recipient of the information, and the purpose of the disclosure, or a copy of the request or authorization. Such accounting will be available to the University upon request.

5. Access. Business Associate will make available to the University any information that Business Associate or its agents or subcontractors maintain in designated record sets on behalf of the University for inspection and copying within ten (10) days of request by the University, which request will be made by the University when necessary to allow the University to respond to a request for same. If such information is maintained electronically, it will be provided in an electronic format.

6. Amendment. Business Associate will make available to the University any information Business Associate or its agents or subcontractors maintain on behalf of the University for amendment and incorporate any such amendment upon request of the University, which request will be made to enable the University to comply with its obligations under law.

7. Inspection. Business Associate will make its internal practices, books, and records relating to its use of Protected Health Information and its compliance with this Addendum available to the University upon request. Such request will only be made by the University if the University is required to obtain such information by the Department of Health and Human Services or its agents.

8. Reporting. Business Associate will report to the University any Unauthorized Use or Disclosure of Protected Health Information, any security incident involving electronic Protected Health Information, or of any breach of unsecured Protected Health Information on behalf of Business Associate or any subcontractor of Business Associate of which it becomes aware as soon as reasonably practical and in any event, within ten (10) days of discovery. Such notification will include the identity of the individual patient who is the subject of the breach, together with any other information the University determines necessary.

9. Breach; Termination. The University will, if feasible, immediately terminate the Agreement to which this Addendum is made a part upon a determination by the University in its sole discretion that Business Associate has breached the terms of this Addendum. If termination is not feasible, the University will report the breach to the Secretary of Health and Human Services. This right will be in addition to such other rights of termination as may exist under the Agreement to which this Addendum is made a part or under applicable law. If Business Associate knows of any pattern of activity or practice that constitutes a material breach by the Business Associate’s subcontractor of this Addendum or the Agreement, Business Associate will take reasonable steps to cure or have subcontractor cure the breach or end the violation. If such efforts are unsuccessful, Business Associate will terminate the agreement with subcontractor if feasible, or report the problem to the Secretary of Health and Human Services as required. Business Associate will first notify the University of a suspected pattern or practice in writing and provide a reasonable period of time, not less than thirty (30) days, to cure the alleged problem. Business Associate will indemnify and hold the University harmless for any costs, fees, expenses, attorney fees, court costs or fines as a result of Business Associate’s Unauthorized Use or Disclosure, security incident or breach of unsecured Protected Health Information under applicable law. The obligations of Business Associate under this Section 9 survive termination of the Agreement.

10. Return or Destruction of Protected Health Information. Upon termination or expiration of the Agreement, Business Associate will return or erase, destroy, and render unrecoverable all Protected Health Information. If Protected Health Information is to be destroyed, such destruction will, at a minimum, be performed according to the standards enumerated by the National Institute of Standards, Guidelines for Media Sanitization - see http://csrc.nist.gov/. Business Associate will provide the University with certification of such rendering within seven (7) days of the University’s request. If the University requests the return of Protected Health Information, Business Associate will return the Protected Health Information to the University securely and in a form useable to the University as an extract of the Protected Health Information hosted data including data provided by the University in a mutually agreed upon non-proprietary machine readable format within seven (7) days of the University’s request. If the University determines that such destruction or return is not feasible, Business Associate will continue to maintain the confidentiality of the Protected Health Information in the manner set forth in this Addendum and will limit further uses or disclosures of the Protected Health Information to those uses or disclosures that render destruction infeasible and extend the protections of this Addendum to the Protected Health Information. The obligations of Business Associate under this Section will survive termination of the Agreement.

11. Legal Developments. The University reserves the right to amend this Addendum in the event of any change in the law regarding its use or Business Associate’s use of Protected Health Information, to the extent necessary to enable it to comply with such law. The University will provide written notice of any proposed amendment to Business Associate. If Business Associate does not object in writing to such amendment within ten (10) days of receipt of same, the amendment will be adopted. If Business Associate objects to such amendment, and the parties are unable to agree to the terms of an amendment, the University may terminate the Agreement to which this Addendum is made a part if doing so is necessary to enable it to comply with such change in law.

12. Conflicts. In the event of any disagreement between the terms of the Business Associate Addendum and the Agreement, the terms of this Addendum will govern.

13. Subcontractors. Business Associate will, in accordance with §164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information including but not limited to reporting requirements set forth in §164.410 and Section 8 of this Addendum. Business Associate will ensure that the Security Standards Requirements set forth in §164.314 apply to the Agreement or other arrangement between Business Associate and a subcontractor of Business Associate in the same manner as such requirements apply to this Addendum between the University and Business Associate. Business Associate will ensure that the business associate agreement Privacy Standard Requirements set forth in §164.504 apply to the agreement between the Business Associate and a subcontractor of Business Associate in the same manner as between University and Business Associate.

IN WITNESS WHEREOF, the parties have executed this Addendum effective as of the date set forth above.

The University of Toledo / [insert BUSINESS ASSOCIATE legal name]
By: ______ / By: ______
Name: ______ / Name: ______
Title: ______ / Title: ______
Date: ______ / Date: ______

2-10-2014 UTCE


Exhibit 1

Safeguards to be implemented by Business Associate:

1.  Network Security. Business Associate will at all times maintain its network security in conformance with generally recognized industry standards and best practices which include, but are not limited to: network firewall provisioning, intrusion detection, and regular (three or more times annually) third-party vulnerability assessments.

2.  Application Security. Business Associate will at all times provide, maintain, and support its software, subsequent updates, upgrades, and bug fixes to keep its software secure from identified vulnerabilities.

3.  Data Security. Business Associate will secure Protected Health Information in conformance to generally recognized industry standards and best practices that Business Associate then applies to its own processing environment. Maintenance of a secure processing environment includes, but is not limited to, the timely application of patches, fixes and updates to operating systems and applications of purchased or open software support.

4.  Data Storage. Business Associate will store, process, and maintain all Protected Health Information under the Agreement solely on designated target servers. Business Associate will not, at any time, process Protected Health Information under the Agreement on, or transfer Protected Health Information to, any portable or laptop computing device or any portable storage medium, unless that device or storage medium is in use as part of Business Associate’s designated backup and recovery processes and is encrypted in accordance with the data encryption requirements identified in Section 5 below.

5.  Data Encryption. Business Associate will store all Protected Health Information, including all Protected Health Information stored on any portable or laptop computing device or any portable storage medium as part of Business Associate’s designated backup and recovery processes, in encrypted form using a commercially supported encryption solution. Business Associate will encrypt all Protected Health Information stored on any portable or laptop computing device or any portable storage medium with no less than a 128-bit key for symmetric encryption or a 1024 (or larger) bit key length for asymmetric encryption.

6.  Data Transmission. Business Associate will only transmit or exchange Protected Health Information using secure HTTPS or SFTP or equivalent.

7.  Right to Audit. The University or its appointee (“Auditor”) has the right to audit Business Associate and Business Associate’s sub-vendors or affiliates that provide service for the processing, transport or storage of Protected Health Information under the Agreement. The University will announce its intent to audit Business Associate by providing at a minimum five (5) days’ notice to Business Associate. A scope document along with a request for deliverables will be provided at the time of notification of an audit. If the documentation requested cannot be removed from Business Associate’s premises, Business Associate will allow the Auditor access to its site. Where necessary, Business Associate will provide a personal site guide for the Auditor while on site. Business Associate will provide a private accommodation on site for data analysis and meetings; the accommodation will allow for a reasonable workspace, with appropriate lighting, electrical power, a printer and internet connectivity. Business Associate will make necessary employees or contractors available for interviews in person or on the phone during the time frame of the audit. If Business Associate has an external audit firm that performs a certified Type II SAS 70 review, the University has the right to review the controls tested, as well as the results, and has the right to request additional controls to be added to the certified Type II SAS 70 review for testing the controls that have an impact on Protected Health Information under the Agreement. Audit expenses revealing Business Associate’s material non-compliance with the Agreement or this Addendum will be at Business Associate’s sole expense.