Medical Advantage (“MAG”)
GENERAL CONTRACT TERMS AND CONDITIONS
This Business Associate Agreement (the “Agreement”) shall be effective by and between Client and Michigan Medical Advantage, Inc., a Michigan corporation doing business as Medical Advantage TDC Group or TDCMA or Medical Advantage, a downstream business associate (herein “BUSINESS ASSOCIATE”).
WHEREAS, Client is either a “Business Associate” of one or more Covered Entities or is a “Covered Entity” and is required to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its privacy and security standards, as amended by the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009) and its implementing regulations (“HITECH”) including modifications to the HIPAA privacy, security, enforcement and breach notification rules under HITECH. To the extent that Client is a Business Associate of one or more Covered Entities, TDCMA acknowledges that it is a subcontractor of Client and pursuant to HITECH is also considered to be a Business Associate to those Covered Entities, and to the extent that Client is a Covered Entity TDCMA acknowledges that as subcontractor exposed to Protected Healthcare Information on behalf of Client, TDCMA is a Business Associate of Client.
WHEREAS, this Agreement is entered into pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”), (hereinafter globally “HIPAA”), and is intended to bind the parties hereto with respect to the HIPAA requirements for Business Associates as defined under the privacy, security, breach notification and enforcement rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”).
NOW THEREFORE, the parties hereby agree as follows:
- Purpose. This Agreement is intended to ensure that BUSINESS ASSOCIATE will establish and implement appropriate safeguards for the Protected Health Information (“PHI”) (as defined under the HIPAA Rules) that BUSINESS ASSOCIATE may receive, create, maintain, use or disclose in connection with the functions, activities and services that BUSINESS ASSOCIATE performs for Client or its affiliates. This Agreement also reflects BUSINESS ASSOCIATE’S intent to comply with federal breach notification requirements imposed on BUSINESS ASSOCIATE when “Unsecured PHI” (as defined under the HIPAA Rules) is acquired by an unauthorized party and the expanded privacy and security provisions imposed on BUSINESS ASSOCIATE.
- Definitions. Unless the context clearly indicates otherwise, the following terms in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI and Use.
- General Obligations of Business Associate.
- BUSINESS ASSOCIATE agrees not to use or disclose PHI, other than as permitted or required by this Agreement or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI and then only to the Minimum Necessary to accomplish the intended purpose.
- BUSINESS ASSOCIATE agrees to use appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
- BUSINESS ASSOCIATE agrees to mitigate, to the extent practicable, any harmful effect that is known to the BUSINESS ASSOCIATE as a result of a use or disclosure of PHI by BUSINESS ASSOCIATE in violation of the Agreement’s requirements or that would otherwise cause a Breach of Unsecured PHI.
- The BUSINESS ASSOCIATE agrees to the following breach notification requirements: BUSINESS ASSOCIATE agrees to report to Client any Breach of Unsecured PHI not provided for by the Agreement of which it becomes aware, as soon as is possible and in any event within no more than twenty (20) calendar days of “discovery” within the meaning of the HITECH Act. Such notice shall include the identification of each involved Covered Entity and the individual(s) whose PHI has been, or is reasonably believed by the BUSINESS ASSOCIATE to have been, accessed, acquired, or disclosed in connection with such Breach. In addition, BUSINESS ASSOCIATE shall provide any additional information reasonably requested by Client on behalf of the Covered Entity/ies, or by the Covered Entity/ies directly, for purposes of investigating the Breach and any other available information that Covered Entity is required to include to the individual under 45 C.F.R. 164.404(c) at the time of notification or promptly thereafter as information becomes available.
- BUSINESS ASSOCIATE agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any Subcontractors that create, receive, maintain or transmit PHI on behalf of the BUSINESS ASSOCIATE agree to the same restrictions, conditions and requirements that apply to the BUSINESS ASSOCIATE with respect to such information. BUSINESS ASSOCIATE agrees to maintain records of its dissemination of any PHI it receives and to produce an accounting of same on request.
- BUSINESS ASSOCIATE agrees to make its internal practices, books and records, including policies and procedures regarding PHI, relating to the use and disclosure of PHI and Breach of any Unsecured PHI received from Client on behalf of the Covered Entity/ies available to Client on behalf of the Covered Entity (or the Secretary) for the purpose of determining compliance with the Privacy Rule.
- BUSINESS ASSOCIATE agrees to account for the following disclosures: BUSINESS ASSOCIATE agrees to document disclosures of PHI and Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Covered Entity to respond to a request from the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
- BUSINESS ASSOCIATE agrees to provide to Client, on behalf of the Covered Entity, information collected and maintained to permit Covered Entity to respond to a request by an individual, if permissible under the circumstances presented, or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
- BUSINESS ASSOCIATE agrees to comply with the “Prohibition on Sale of Electronic Health Records or Protected Health Information,” as provided in section 13405(d) of HITECH, and the “Conditions on Certain Contacts as Part of Health Care Operations,” as provided in section 13406 of HITECH.
- BUSINESS ASSOCIATE acknowledges that, effective on the Effective Date of this Agreement, it may be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended, for failure to comply with any of the use and disclosure requirements of this Agreement and any guidance issued by the Secretary from time to time with respect to such use and disclosure requirements.
- 4. Permitted Uses and Disclosures by BUSINESS ASSOCIATE.
- BUSINESS ASSOCIATE agrees to receive, create, use or disclose PHI only in a manner that is consistent with this Agreement, the Privacy Rule or Security Rule and only in connection with providing services to Client on behalf of the Covered Entity; provided that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. 164.504(e), if the use or disclosure would be done by Covered Entity.
- BUSINESS ASSOCIATE may use or disclose PHI as required by law.
- BUSINESS ASSOCIATE agrees to make uses and disclosures and requests for PHI consistent with the overarching minimum necessary standard.
- 5. Compliance with Security Rule.
- BUSINESS ASSOCIATE shall comply with the HIPAA Security Rule, which shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act. The term “Electronic Health Record” or “EHR” as used in this Agreement shall mean an electronic record of health-related information on an individual that is created, gathered, managed and consulted by authorized health care clinicians and staff.
- In accordance with the Security Rule, BUSINESS ASSOCIATE agrees to implement the administrative safeguards set forth at 45 C.F.R. 164.308, the physical safeguards set forth at 45 C.F.R. 164.310, the technical safeguards set forth at 45 C.F.R. 164.312, and the policies and procedures set forth at 45 C.F.R. 164.316 to reasonably and appropriately protect the confidentiality, integrity and availability of the ePHI that it creates, receives, maintains or transmits on behalf of Client or on behalf of any Covered Entity as required by the Security Rule. BUSINESS ASSOCIATE acknowledges that, effective on the Effective Date of this Agreement, (i) the foregoing safeguards, policies and procedures requirements shall apply to BUSINESS ASSOCIATE in the same manner that such requirements apply to a Covered Entity, and (ii) BUSINESS ASSOCIATE may be liable under the civil and criminal enforcement provisions set forth at 42 U.S.C. 1320d-5 and 1320d-6, as amended from time to time, for failure to comply with the safeguards, policies and procedures requirements and any guidance issued by the Secretary from time to time with respect to such requirements.
- BUSINESS ASSOCIATE further agrees to secure the agreement of any agent, including a Subcontractor, to whom it provides PHI, to implement reasonable and appropriate safeguards to protect PHI and to report to Client any Security Incident of which it becomes aware.
- Indemnification. BUSINESS ASSOCIATE shall indemnify, defend and hold harmless all applicable Covered Entities, and Client, and their employees, agents and affiliates (“Indemnified Parties”), from and against any and all losses, expense, damage or injury (including, without limitation, all costs and reasonable attorneys’ fees) that the Indemnified Parties may sustain as a result of, or arising out of: (i) a breach of this Agreement by BUSINESS ASSOCIATE or its agents or Subcontractors, including but not limited to any unauthorized use, disclosure or breach of PHI; (ii) BUSINESS ASSOCIATE’S failure to notify any and all parties required to receive notification of any Breach of Unsecured PHI pursuant to this Agreement; or (iii) any negligence or wrongful acts or omissions by BUSINESS ASSOCIATE or its agents or Subcontractors, including without limitation, failure to perform BUSINESS ASSOCIATE’S obligations under this Agreement, the Privacy Rule or the Security Rule. Notwithstanding the foregoing, nothing in this Section shall limit any rights any of the Indemnified Parties may have to additional remedies under the Underlying Agreement, any other agreement between the parties, or under applicable law for any acts or omissions of BUSINESS ASSOCIATE or its agents or Subcontractors.
- Term and Termination. This Agreement shall be in effect as of the Effective Date stated herein, and shall terminate on the earlier of the date that:
- Either party terminates for cause as authorized below.
- All of the PHI received from Client, on behalf of the Covered Entity/ies, is destroyed or returned to Client on behalf of the Covered Entity/ies.
- Upon either party’s knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach, end the violation, or terminate the Agreement. If the breaching party does not cure the breach or end the violation within a reasonable period of time not to exceed twenty (20) days from the notification of the breach, or if a material term of the Agreement has been breached and a cure is not possible, the non-breaching party may terminate the Agreement and the Underlying Agreement, upon written notice to the other party.
Upon termination of this Agreement for any reason, BUSINESS ASSOCIATE, with respect to PHI received from Client, on behalf of the Covered Entity/ies, or created, maintained, or received by BUSINESS ASSOCIATE on behalf of Covered Entity/ies, shall retain only that PHI that is necessary for BUSINESS ASSOCIATE to continue its proper management and administration or to carry out its legal responsibilities.
The obligations of BUSINESS ASSOCIATE under this Section 7 shall survive the termination of this Agreement.
- The parties agree to take such action as is necessary to amend this Agreement to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the HIPAA Rules and any other applicable law.
- The respective rights and obligations of BUSINESS ASSOCIATE under Section 3 and Section 4 of this Agreement shall survive the termination of this Agreement.
- This Agreement shall be interpreted in the following manner: Any ambiguity shall be resolved in favor of a meaning that permits Client and the Covered Entity to comply with the HIPAA Rules; Any inconsistency between the Agreement’s provisions and the HIPAA Rules, including all amendments, as interpreted by the HHS, court or another regulatory agency with authority over the Parties, shall be interpreted according to the interpretation of the HHS, the court or the regulatory agency; Any provision of this Agreement that differs from those mandated by the HIPAA Rules, but is nonetheless permitted by the HIPAA Rules, shall be adhered to as stated in this Agreement.
- This Agreement constitutes the entire agreement between the parties related to the subject matter of this Agreement, except to the extent that the Underlying Agreement imposes more stringent requirements related to the use and protection of PHI upon the BUSINESS ASSOCIATE. This Agreement supersedes all prior negotiations, discussions, representations or proposals, whether oral or written. This Agreement may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this Agreement, or part thereof, is found to be invalid, the remaining provisions shall remain in effect.
- This Agreement will be binding on the successors and assigns of Client, the Covered Entity/ies and the BUSINESS ASSOCIATE. However, this Agreement may not be assigned, in whole or in part, without the written consent of the other party to this agreement. Any attempted assignment in violation of this provision shall be null and void.
- A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
- This Agreement may be executed in two or more counterparts, each of which shall be deemed an original.
- Except to the extent preempted by federal law, this Agreement shall be governed by and construed in accordance with the laws of the state of Michigan.