Business Associate Addendum
This is an addendum to the Purchasing Terms and Conditions. This Addendum is applicable only in those situations where the Vendor providing goods or services under a purchase order will receive or create Protected Health Information as defined in 45 C.F.R. § 164.501 (e.g., individually identifiable health information of patients of the University of Virginia Health System or employees covered by the University of Virginia Health Plan).
This Business Associate Addendum (“Addendum”) becomes effective when the Vendor accepts the Purchasing Terms and Conditions. It is entered into by the Vendor (the “Business Associate”) and The Rector and Visitors of the University of Virginia (the “Covered Entity”) (each a “Party” and collectively the “Parties”).
The Business Associate has agreed to provide goods or services which necessitate the disclosure of Protected Health Information (individually identifiable health information of patients, as defined in 45 C.F.R. § 160.103) by the Covered Entity to the Business Associate, or the Business Associate creates, receives, uses or discloses Protected Health Information. Both Parties are committed to complying with the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Regulation”) and the Security Standards for the Protection of Electronic Protected Health Information (the “Security Regulation”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This Addendum sets forth the terms and conditions pursuant to which Protected Health Information that is provided by, or created or received by, the Business Associate from or on behalf of the Covered Entity, will be handled between the Business Associate and the Covered Entity and with third parties during the term of their Agreement and after its termination. The Parties agree as follows:
I. PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
1.1 Services. Pursuant to the Agreement, the Business Associate provides services or goods for the Covered Entity that involve the use and disclosure of Protected Health Information. Except as otherwise specified herein, the Business Associate may make any and all uses of Protected Health Information necessary to perform its obligations under the Agreement, provided that such use or disclosure of Protected Health Information would not violate the Privacy Regulation if done by the Covered Entity or the minimum necessary policies and procedures of the Covered Entity. All other uses not authorized by this Addendum are prohibited. Moreover, the Business Associate may disclose Protected Health Information for the purposes authorized by this Addendum only (i) to its employees, subcontractors and agents, in accordance with Section 2.1(f), (ii) as directed by the Covered Entity, or (iii) as otherwise permitted by the terms of this Addendum including, but not limited to, Section 1.2(b) below.
1.2 Business Activities of the Business Associate. Unless otherwise limited herein, the Business Associate may:
a. use the Protected Health Information in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of the Business Associate provided that such uses are permitted under state and federal confidentiality laws.
b. disclose the Protected Health Information in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of the Business Associate, if (i) the disclosures are required by law; or (ii) the Business Associate has received from the third party reasonable assurances regarding its confidential handling of such Protected Health Information as required under 45 C.F.R. § 164.504(e)(4).
II. RESPONSIBILITIES WITH RESPECT TO PROTECTED HEALTH INFORMATION
2.1 Privacy Responsibilities of the Business Associate. With regard to its use and/or disclosure of Protected Health Information, the Business Associate hereby agrees to do the following:
a. request from the Covered Entity, access, and disclose to its subcontractors, agents or other third parties only the minimum amount of Protected Health Information necessary to perform or fulfill a specific function required or permitted hereunder.
b. use and/or disclose the Protected Health Information only as permitted or required by this Addendum or as otherwise required by law.
c. report to the designated Privacy Officer of the Covered Entity, in writing, within five days of the Business Associate’s discovery, any use and/or disclosure of the Protected Health Information that is not permitted or required by this Addendum of which the Business Associate becomes aware.
d. establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Protected Health Information that the Business Associate reports to the Covered Entity.
e. implement appropriate administrative, technical and physical safeguards to maintain the security of the Protected Health Information and to prevent its unauthorized use and/or disclosure.
f. ensure that all of its subcontractors and agents that receive or use, or have access to, Protected Health Information under this Agreement agree to the same restrictions and conditions on the use and/or disclosure of Protected Health Information that apply to the Business Associate pursuant to this Addendum.
g. make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity, or at the Covered Entity’s request, to the Secretary of HHS, in a time and manner designated by the Secretary, for purposes of determining the Covered Entity’s compliance with the Privacy Regulation, subject to attorney-client and other applicable legal privileges.
h. upon prior written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity within 15 days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Addendum.
i. within 30 days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's Protected Health Information in accordance with 45 C.F.R. §164.528.
j. document such disclosures of Protected Health Information and information related to such disclosures, as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of protected health information in accordance with 45 C.F.R. § 164.528.
2.2 HITECH Act and Security Responsibilities of the Business Associate. Notwithstanding any other provision in the Agreement or this Addendum, no later than February 17, 2010, unless a separate effective date is specified by law or the Agreement or this Addendum for a particular requirement (in which case the separate effective date will be the effective date for that particular requirement), the Business Associate will comply with the HITECH Standards. “HITECH Standards” means the privacy, security and security breach notification provisions applicable to a Business Associate under Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), and any regulations promulgated thereunder. The Parties recognize that additional regulations and guidance documents may be issued implementing and interpreting the HITECH Act during the term of the Agreement. The Business Associate agrees to comply with all applicable requirements of such additional regulations and guidance as they become effective, and agrees that to the extent such regulations or guidance require the Covered Entity to impose such requirements on the Business Associate, they are deemed imposed as and when they become effective.
The Business Associate further agrees:
a. To implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity, and more specifically to secure all electronic Protected Health Information with technologies and methodologies, including encryption, that render such information “secured” as defined in the guidance issued in 74 FR 19006 (April 27, 2009), pursuant to the HITECH Act;
b. To ensure that any agent, including a subcontractor, to whom it provides Protected Health Information agrees to implement reasonable and appropriate safeguards to protect it, including but not limited to encryption that renders such information “secured” as defined above. To notify the Covered Entity on the first day on which a security breach is known by the Business Associate or an employee, officer or agent of the Business Associate other than the person committing the breach, or as soon as possible following the first day on which the Business Associate or an employee, officer or agent of the Business Associate other than the person committing the breach should have known of such breach by exercising reasonable diligence. “Security Breach” as used herein is defined as an acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted under the HIPAA Privacy Rule. Notification will be made to UVA Information Security, Policy and Records Office at (434) 924-4165. It will include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used or disclosed during the breach. The Business Associate will also provide any other available information at the time of notification or promptly thereafter as information becomes available. Such additional information will include (i) a brief description of what happened, including the date of the breach; (ii) a description of the types of unsecured PHI that were involved in the breach; (iii) the originals, or if not applicable, complete copies, of all documents containing exposed Protected Health Information and any related correspondence that come into the Business Associate’s possession; (iv) any steps the Business Associate believes individuals should take to protect themselves from potential harm resulting from the breach; and (v) a brief description of what the Business Associate is doing to investigate the breach, mitigate harm to individuals, and protect against any future breaches.
c. To cooperate with the Covered Entity as needed to further investigate and evaluate any Security Breach involving the Business Associate or of which the Business Associate has become aware.
d. In the event of impermissible use or disclosure by the Business Associate of unsecured Protected Health Information that constitutes, in the reasonable judgment of the Covered Entity, a breach requiring notification under applicable provisions of the HITECH Act and implementing regulations, at the discretion of the Covered Entity either the Business Associate or the Covered Entity will notify in writing all affected individuals as required by Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Business Associate will be responsible for all costs associated with such notification, including any costs of credit monitoring services that the Covered Entity determines should be offered to affected individuals. For purposes of this paragraph, unsecured PHI means PHI which is not encrypted or destroyed. Breach means the acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule or this contract which compromises the security or privacy of the PHI by posing a significant risk of financial, reputational, or other harm to the individual, as reasonably determined by the Covered Entity.
III. TERMS AND TERMINATION
3.1 Term. This Addendum will become effective on the Effective Date and will continue in effect until all obligations of the Parties have been met unless terminated as provided in this Section. In addition, certain provisions and requirements of this Addendum will survive its expiration or other termination in accordance with Section 4.1 herein.
3.2 Termination by the Covered Entity. As provided for under 45 C.F.R. § 164.504(e)(2)(iii), the Covered Entity may immediately terminate the Agreement and this Addendum if the Covered Entity makes the determination that the Business Associate has breached a material term of this Addendum. Alternatively, the Covered Entity may choose to: (i) provide the Business Associate with ten days’ written notice of the existence of an alleged material breach; and (ii) afford the Business Associate an opportunity to cure said alleged material breach upon mutually agreeable terms. Nonetheless, in the event that mutually agreeable terms cannot be achieved within ten days, the Business Associate must cure said breach to the satisfaction of the Covered Entity within ten days. Failure to cure in the manner set forth in this paragraph is grounds for the immediate termination of the Agreement and this Addendum.
If neither termination nor cure is feasible, Covered Entity will report the violation to the Secretary.
3.3 Automatic Termination. This Addendum will automatically terminate without any further action of the Parties upon the termination or expiration of the Agreement between the Parties.
3.4 Effect of Termination. Upon the event of termination pursuant to this Section, the Business Associate agrees to return or destroy all Protected Health Information pursuant to 45 C.F.R. § 164.504(e)(2)(I), if it is feasible to do so. Prior to doing so, the Business Associate further agrees to recover any Protected Health Information in the possession of its subcontractors or agents. If it is not feasible for the Business Associate to return or destroy said Protected Health Information, the Business Associate will notify the Covered Entity in writing. Said notification will include: (i) a statement that the Business Associate has determined that it is infeasible to return or destroy the Protected Health Information in its possession, and (ii) the specific reasons for such determination. The Business Associate further agrees to extend any and all protections, limitations and restrictions contained in this Addendum to the Business Associate’s use and/or disclosure of any Protected Health Information retained after the termination of this Addendum or the Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the Protected Health Information infeasible. If it is infeasible for the Business Associate to obtain, from a subcontractor or agent, any Protected Health Information in the possession of the subcontractor or agent, the Business Associate must provide a written explanation to the Covered Entity and require the subcontractors and agents to agree to extend any and all protections, limitations and restrictions contained in this Addendum or the Agreement to the subcontractors’ and/or agents’ use and/or disclosure of any Protected Health Information retained after the termination of this Addendum, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the Protected Health Information infeasible.
4.1 Survival. The respective rights and obligations of the Business Associate and Covered Entity under the provisions of Sections 2.1, 2.2, and 3.4, solely with respect to Protected Health Information that the Business Associate retains in accordance with Section 3.4 because it is not feasible to return or destroy such Protected Health Information, will survive termination of this Addendum indefinitely.
4.2 A waiver with respect to one event will not be construed as continuing or as a bar to or waiver of any right or remedy as to subsequent events.
4.3 No Third-Party Beneficiaries. Nothing express or implied in this Addendum is intended to confer, nor will anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
4.4 Notices. Any notices to be given will be made via U.S. Mail or express courier to the address given below:
If to the Business Associate, to the address provided by the Business Associate to Procurement Services
If to Covered Entity, to:
1052 McKim Hall, 1st Floor
University of Virginia
P.O. Box 800594
with a copy (which will not constitute notice) to:
Office of the General Counsel
University of Virginia
P.O. Box 400225
4.5 Interpretation. Any ambiguity in this Addendum and the Agreement will be resolved to permit the Covered Entity to comply with the Privacy Rule.
4.6 Counterparts; Facsimiles. This Addendum may be executed in any number of counterparts, each of which will be deemed an original. Facsimile copies hereof will be deemed to be originals.
Terms used but not otherwise defined in this Addendum will have the same meaning as those terms in 45 C.F.R. §§ 160.103 and 164.501.