Regarding the HIPAA
Business Associate Agreement
You may be aware that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires Business Associate Agreements with any service providers or vendors with whom protected health information is shared.
Basically, this agreement allows an agent to assist groups and members with any possible issues regarding their account or claims information.
Individual claim information will still require a release of personal health information forms from the individual.
Please sign the following Agreement, make a copy for your records, and return the signed original to the following address:
Group Benefits, Inc.
21 Nob Hill Drive, Lower Level
St. Louis, MO 63138
HIPAA BUSINESS ASSOCIATE
AGREEMENT
This HIPAA Business
Associate Agreement (“Agreement”) is entered into on the last date of signature
below by and between ______________________________________________ and
Business Associate named below (“Business Associate”).
RECITALS
In
consideration of the mutual promises below and the exchange of information
pursuant to this Agreement, the parties agree as follows:
1.
Definitions.
a.
“Designated
Record Set” shall have the same meaning as the term “designated record set”
in 45 CFR Section 164.501.
b.
“Individual”
shall have the same meaning as the term “individual” in 45 CFR Section 164.501
and shall include a person who qualifies as a personal representative in
accordance with 45 CFR Section 164.502(g).
c.
“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable
Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
d.
“Protected
Health Information” or “PHI” shall have the same meaning as the term
“protected health information” in 45 CFR Section 164.501, limited to the
information created or received by Business Associate from or on behalf of
__________________________________________.
e.
“Required
by Law” shall have the same meaning as the term “required by law” in 45 CFR
Section 164.501.
f.
“Secretary”
shall mean the Secretary of the Department of Health and Human Services or his
designee.
2.
Permitted Uses and Disclosures of PHI by Business Associate.
a.
General Use and Disclosure Provisions. Except as otherwise limited in this
Agreement, Business Associate may use or disclose PHI to perform functions,
activities or services for, or on behalf of, _________________________________________
provided that such use or disclosure would not violate the Privacy Rule.
b.
Specific Use and Disclosure Provisions.
i.
Except
as otherwise limited in this Agreement or by law, Business Associate may use
PHI for the proper management and administration of Business Associate or to
carry out the legal responsibilities of Business Associate for those functions,
activities, or services performed for, or on behalf of,
________________________________________.
ii.
Except
as otherwise limited in this Agreement or by law, Business Associate may
disclose PHI for the proper management and administration of Business
Associate, provided that the information is disclosed will remain confidential
and be used or further disclosed only for the purpose for which it was
disclosed to the person, and the person notifies Business Associate of any
instances of which it is aware in which the confidentiality of the information
has been breached.
3.
Obligations of Business Associate.
a.
Use and Disclosure. Business Associate agrees to not use or further disclose PHI other
than as permitted or required by this Agreement or as Required by Law.
b.
Appropriate Safeguards. Business Associate shall use appropriate
safeguards to prevent use or disclosure of PHI other than as provided for by
this Agreement.
c.
Reporting of Improper Use or Disclosure. Business Associate shall report to
_______________________________________ any use or disclosure of PHI not
provided for by this Agreement.
d.
Mitigation. Business Associate shall mitigate, to the extent practicable, any
harmful effect that is known to Business Associate of a use or disclosure of
PHI by Business Associate in violation of the requirements of this Agreement.
e.
Business Associate’s Agents . Business Associate shall ensure that any agent, including
a subcontractor, to whom it provides PHI received from, or created or received
by Business Associate on behalf of ___________________________________________,
agrees to the same restrictions and conditions that apply through this
Agreement to Business Associate with respect to such PHI.
f.
Access to PHI. Business Associate shall provide access, at the request of
_______________________________________________, and in the time and manner
designated by __________________________, to PHI in a Designated Record Set, to
_________________________ or, as directed by _____________________, to an
Individual in order to meet the requirements under 45 CFR Section 164.524, if
applicable.
g.
Amendment of PHI. Business Associate shall make any amendment(s) to PHI in a Designated
Record Set that the _______________________________ directs or agrees to
pursuant to 45 CFR Section 164.526 at the request of
_______________________________________________ or an Individual, and in the
time and manner designated by the _______________________________________________,
if applicable.
h.
Documentation of Disclosures. Business Associate agrees to document such
disclosures of PHI and information related to such disclosures as would be
required for _______________________________________________ to respond to a
request by an Individual for an accounting of disclosures of PHI in accordance
with 45 CFR Section 164.528.
i.
Accounting of Disclosures. Business Associate agrees to provide to
_______________________________________________ or an Individual, in time and
manner designated by _______________________________________________,
information collected in accordance with Section 3(e) of this Agreement, to
permit _______________________________________________ to respond to a request
by an Individual for an accounting of disclosures of PHI in accordance with 45
CFR Section 164.528.
j.
Governmental Access to Records. Business Associate shall make its internal
practices, books and records relating to the use and disclosure of PHI received
from, or created or received by Business Associate on behalf of,
_______________________________________________ available to
_______________________________________________ or, at the request of
_______________________________________________, to the Secretary for purposes
of the Secretary determining _______________________________________________’
compliance with the Privacy Rule.
k.
Minimum Necessary Standard. In the performance of functions and activities on
_______________________________________________’ behalf, Business Associate
agrees to use, disclose or request only the minimum amount of PHI necessary to
accomplish the purpose of the use, disclosure or request.
l.
Chain of Trust. To the extent PHI is electronically exchanged between
_______________________________________________ and Business Associate,
Business Associate shall provide and maintain the equipment, software, services
and testing necessary to effectively, reliably and confidentially transmit,
process, convert, receive and interchange PHI in accordance with this Agreement
and HIPAA Regulations. Further, Business Associate shall ensure that all
electronic transmissions of PHI shall be protected from improper disclosure. In
the event that such transmissions travel across lines of communication where both
ends are not under the control of
_______________________________________________, Business Associate agrees to
use appropriate authentication and encryption systems designed to protect PHI
from improper disclosures.
4.
Obligations
of _______________________________________________.
a.
Notice of Privacy Practices. _______________________________________________
shall provide Business Associate, upon request, with the notice of privacy
practices that _______________________________________________ produces in accordance
with 45 CFR Section 164.520.
b.
Notification of Changes Regarding Individual Permission.
_______________________________________________ shall provide Business
Associate with any changes in, or revocation of, permission by an Individual to
use or disclose PHI, if such changes affect Business Associate’s permitted or
required uses and disclosures.
c.
Notification of Restrictions to Use or Disclosure of PHI.
_______________________________________________ shall notify Business Associate
of any restriction to the use or disclosure of PHI that
_______________________________________________ has agreed to in accordance
with 45 CFR Section 164.522.
5.
Permissible Requests by_______________________________________________.
_______________________________________________ shall not request Business
Associate to use or disclose PHI in any manner that would not be permissible
under the Privacy Rule if done by
______________________________________________, except as permitted pursuant
to the provisions of Sections 2(a) and 2(b) of this Agreement.
6.
Term and Termination.
a.
Term.
The term of this Agreement shall commence as of the last date of signature
below.
b.
Termination for Cause. Upon
_______________________________________________ knowledge of a material breach
by Business Associate of this Agreement,
_______________________________________________ shall provide an opportunity
for Business Associate to cure the breach or end the violation within the time
specified by _______________________________________________, or immediately
terminate this Agreement.
c.
Effect of Termination.
(i)
Business
Associate shall extend the protections of this Agreement to such PHI and limit
further
uses and disclosures of such, for so
long as Business Associate maintains such PHI.
7. Regulatory References. A reference in this
Agreement to a section in the Privacy Rule means the section as in effect or as
amended, and for which compliance is required.
8. Amendment. The parties agree to take such
action as is necessary to amend this Agreement from time to time as is
necessary for
______________________________________________ to comply with the
requirements of the Privacy Rule and HIPAA.
9. Survival. The respective rights and
obligations of Business Associate under Section 6(c) of this Agreement shall
survive the termination of this Agreement.
10. No Third Party Beneficiaries. Nothing
express or implied in this Agreement is intended to confer, nor shall anything
herein confer, upon any person other than
_______________________________________________, Business Associate and their
respective successors or assigns, any rights, remedies, obligations or
liabilities whatsoever.
11. Effect on Agreement. Except as
specifically required to implement the purposes of this Agreement, or to the
extent inconsistent with this Agreement, all other terms of any other agreement
by and between _______________________________________________ and Business
Associate shall remain in force and effect.
IN WITNESS WHEREOF, the parties hereto have duly
executed this Agreement effective as of the last date signed below.
___________________________________ Business Associate
By:
_______________________________ By: ____________________________
Print Name:
________________________ Print
Name: _____________________
Title:
_____________________________ Title: ___________________________
Date:
_____________________________ Date: ___________________________
Address:
________________________
City, State, Zip:
___________________
Phone Number:
___________________
Agent Number:
___________________