Information about http://www.mthealth.org/pdf/broker_agreement.pdf

MONTANA COMPREHENSIVE HEALTH ASSOCIATION …

Pages: 7
Language: english
Created: Wed Jan 30 08:54:21 2008
                    MONTANA COMPREHENSIVE HEALTH ASSOCIATION
                          BUSINESS ASSOCIATE AGREEMENT

Montana Comprehensive Health Association, ("MCHA") and __________________________
_______________ ("Business Associate") hereby enter into this Business Associate Agreement
("Agreement") for purposes of compliance with federal law, as set forth below. This Agreement
is effective when fully executed by the parties.

                                             Recitals

MCHA may provide Business Associate with certain information or Business Associate may
collect certain information on behalf of MCHA that may include Protected Health Information
("PHI") so that Business Associate may perform its responsibilities under its agreement(s) with
and on behalf of MCHA.

MCHA and Business Associate intend to protect the privacy of and provide for the security of
any electronic PHI received from BCBSMT, or created or received by Business Associate on
behalf of BCBSMT in compliance with the Administrative Simplification portion of the Health
Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA") and
regulations promulgated pursuant to HIPAA at 45 CFR Part 160 and 164.

Federal regulations promulgated pursuant to HIPAA, at 45 CFR § 164.314, 45 CFR § 164.502(e)
and 45 CFR § 164.504(e) require MCHA, as a Covered Entity under HIPAA, to enter into
contractual agreements with all Business Associates.

Therefore, MCHA and Business Associate agree as follows:

1.       Definitions

         For purposes of this Agreement, the following definitions apply:

         a) Business Associate. "Business Associate" means ___________________________
            and includes all employees, contractors, subcontractors, and agents of Business
            Associate.

         b) Covered Entity. "Covered Entity" means Montana Comprehensive Health
            Association.

         c) Designated Record Set. "Designated Record Set" has the same meaning as provided
            in 45 CFR § 164.501.

         d) Electronic Protected Health Information. "Electronic Protected Health Information"
            (PHI) has the same meaning as provided in 45 CFR § 160.103, limited to the
            electronic information created, maintained or received by Business Associate from or
            on behalf of MCHA.



MCHA Business Associate Agreement 2008                                               1 of 7
         e) Individual. "Individual" has the meaning as provided in 45 CFR § 160.103 and
            includes a person who qualifies as a personal representative in accordance with
            45 CFR § 164.502(g).

         f) Privacy Rule. "Privacy Rule" means the Standards for Privacy of Individually
            Identifiable Health Information at 45 CFR § Part 160 and 164, Subparts A and E.

         g) Protected Health Information. "Protected Health Information" or "PHI" has
            the meaning as provided in 45 CFR § 164.103 limited to the information created,
            maintained or received by Business Associate from or on behalf of MCHA.

         h) Required By Law. "Required By Law" has the meaning as provided in 45 CFR §
            164.103 and as defined by any applicable Montana law or regulation that is not
            preempted by HIPAA.

         i) Secretary. "Secretary" means the Secretary of the U.S. Department of Health and
            Human Services or the Secretary's designee.

         j) Security Incident. "Security Incident" has the meaning as provided in 45 CFR §
            164.304.

         k) Security Rule. "Security Rule" means the Security Standards for the Protection of
            Electronic Protected Health Information at 45 CFR § Part 160 and 164, Subparts A
            and C.

2.       Obligations and Activities of Business Associate

         Business Associate agrees not to use or disclose PHI other than as permitted or required
         by this Agreement or as Required By Law.

         a) Business Associate agrees to use appropriate safeguards to prevent use or disclosure
            of PHI other than as provided for by this Agreement. Business Associate agrees to
            implement administrative, physical, and technical safeguards that reasonably and
            appropriately protect the confidentiality, integrity, and availability of Electronic PHI.

         b) Business Associate agrees to mitigate, to the extent practicable, any harmful effect
            that is known to Business Associate, of a use or disclosure of PHI by Business
            Associate in violation of the requirements of this Agreement.

         c) Business Associate agrees to promptly report to MCHA any use or disclosure of PHI
            that is not permitted by this Agreement of which the Business Associate becomes
            aware. Business Associate agrees to promptly report to MCHA any Security Incident
            of which Business Associate becomes aware.




         d) Business Associate will ensure that any agent, including a vendor or subcontractor, to
            whom Business Associate provides PHI agrees to the same restrictions and conditions
            that apply through this Agreement to Business Associate with respect to such
            information. Business Associate will ensure that any agent, including a vendor or
            subcontractor, to whom it provides PHI agrees to implement reasonable and
            appropriate safeguards to ensure the confidentiality, integrity, and availability of
            the PHI.

         e) At the request of MCHA, Business Associate will provide MCHA, or as directed by
            MCHA, an Individual, access to PHI maintained in a Designated Record Set in a time
            and manner that is sufficient to meet the requirements of 45 CFR § 164.524.

         f) At the request of MCHA, or if so directed by MCHA, at the written request of an
            Individual, Business Associate agrees to make any amendment to PHI in a
            Designated Record Set in a time and manner that is sufficient to meet the
            requirements of 45 CFR § 164.526.

         g) Business Associate agrees to make its internal practices, books, and records,
            including policies and procedures, and any PHI, relating to the use and disclosure of
            PHI, available to MCHA or to the Secretary (including the Secretary's designee) for
            purposes of determining MCHA's compliance with this Agreement. Business
            Associate will provide such access in a time and manner that is sufficient to meet any
            applicable requirements of the Privacy Rule.

         h) Business Associate agrees to document and maintain an accounting of disclosures of
            PHI and information related to such disclosures in a manner that is sufficient for
            MCHA or Business Associate to respond to a request by MCHA or an Individual for
            an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Such
            documentation and record are referred to in this Agreement as an "Accounting."

         i) Business Associate agrees to provide to MCHA, upon request or as directed by
            MCHA, to an Individual, an accounting of disclosures in a time and manner that is
            sufficient to meet the requirements of 45 CFR § 164.528.

         j) When using or disclosing PHI or when requesting PHI from or on behalf of MCHA,
            Business Associate agrees to make reasonable efforts to limit the PHI to the minimum
            necessary to accomplish the intended purpose of the use, disclosure, or request in
            accordance with 45 CFR § 164.502.

3.       Permitted Uses and Disclosures by Business Associate

         Except as otherwise limited in this Agreement, Business Associate may use or disclose
         PHI as follows:




         a) Business Associate may use or disclose PHI or as necessary, perform functions,
            activities, or services to or on behalf of MCHA under any service agreement(s) with
            MCHA if Business Associate's use or disclosure of PHI would not violate the Privacy
            Rule if done by MCHA.

         b) Business Associate may use PHI for the proper management and administration of
            Business or to carry out the legal responsibilities of the Business Associate.

         c) Business Associate may disclose PHI for the proper management and administration
            of Business Associate if:

                 i. Disclosure is Required By Law; or

                ii. Business Associate obtains reasonable assurances from the person to whom the
                    PHI is disclosed that the PHI will remain confidential and will be used or
                    further disclosed only as Required By Law or for the purpose for which it was
                    disclosed, and the person agrees to notify the Business Associate of any known
                    breaches of the PHI's confidentiality.

         d) Business Associate may use PHI to provide data aggregation services to MCHA as
            permitted by 45 CFR § 164.504(e)(2)(i)(B).

         e) Business Associate may use PHI to report violations of law to appropriate Federal
            and State authorities consistent with 45 CFR § 164.502(j)(1).

4.       Obligations of Montana Comprehensive Health Association

         a) MCHA will notify Business Associate of any limitations on uses or disclosures
            described in its notice of privacy practices (NOPP) in accordance with 45 CFR §
            164.520(b)(2), to the extent that such limitation may affect Business Associate's use
            or disclosure of PHI.

         b) MCHA will notify Business Associate of any changes in, or revocation of, permission
            by an Individual to use or disclose PHI, to the extent that such changes or revocation
            affects Business Associate's use or disclosure of PHI.

         c) MCHA will notify Business Associate of any restriction of the use or disclosure of
            PHI that MCHA has agreed to in accordance with 45 CFR § 164.522, to the extent
            that such restriction may affect Business Associate's use or disclosure of PHI.

         d) MCHA will notify Business Associate of any alternative means or locations for
            receipt of confidential communications by an Individual which must be
            accommodated or permitted by MCHA pursuant to 45 CFR § 164.522, to the extent
            that such alternative means or locations may affect Business Associate's use or
            disclosure of PHI.




         e) Except as otherwise provided in this Agreement, MCHA will not ask Business
            Associate to use or disclose PHI in any manner that would not be permissible under
            HIPAA if done by MCHA.

5.       Term, Termination, and Breach

         a) This Agreement is effective when fully executed by the parties and will terminate
            when all of the PHI provided by MCHA to Business Associate, or created or received
            by Business Associate on behalf of MCHA, is destroyed or returned to MCHA, or, if
            it is infeasible to return or destroy all PHI, protections are extended to such
            information in accordance with Sections 5(c) and 5(d) below.

         b) Upon MCHA's knowledge of a violation or material breach of this Agreement by
            Business Associate, MCHA may take any one of the following steps:

              i. Provide an opportunity for Business Associate to cure the breach or end the
                 violation and if Business Associate does not cure the breach or end the violation
                 within the time specified by MCHA, terminate this Agreement and its other
                 agreement(s) with Business Associate;

              ii. Immediately terminate this Agreement and its other agreement(s) with Business
                  Associate if Business Associate has committed a material breach of this
                  Agreement and cure of the material breach is not possible; or

              iii. If neither termination nor cure are feasible, elect to continue this Agreement and
                   any other agreement(s) with Business Associate in effect and report the violation
                   or material breach to the Secretary.

         c) Except as provided in Section 5(d), upon termination of this Agreement for any
            reason, Business Associate will return or destroy, at the discretion of MCHA, all PHI
            received from MCHA or created or received by Business Associate on behalf of
            MCHA. This provision will also apply to PHI that is in the possession of
            subcontractors or agents of Business Associate. Neither Business Associate nor any
            subcontractor or agent of Business Associate will retain copies of the PHI.

         d) If Business Associate determines that returning or destroying the PHI is not feasible,
            Business Associate will notify MCHA of the circumstances making the return or
            destruction infeasible. If MCHA agrees that return or destruction is infeasible, then
            Business Associate will extend the protections of this Agreement to such PHI and
            limit further uses and disclosures of such PHI to those purposes that make the return
            or destruction infeasible, for so long as Business Associate maintains such PHI.




6.       Miscellaneous

         a) MCHA and Business Associate agree to take any reasonable action necessary to
            amend this Agreement from time to time as is necessary for MCHA to comply with
            the requirements of HIPAA.

         b) The respective rights and obligations of Business Associate under Sections 5(c) and
            5(d) related to Business Associate's responsibilities upon termination of this
            Agreement survive the termination of this Agreement.

         c) In the event the terms of this Agreement conflict with the terms of any other
            agreement between MCHA and Business Associate, the terms of this Agreement shall
            control.

         d) Notices and requests provided for under this Agreement will be made to Business
            Associate at:



                                               Name or Office


                                                     Title




                                           Address, City, State, Zip


              Notices and requests provided for under this Agreement will be made to MCHA at:

                                         Privacy Office
                                         Montana Comprehensive Health Association
                                         560 N. Park Ave.
                                         P.O. Box 4309
                                         Helena, MT 59604

         e) MCHA has the right to inspect the records of Business Associate or to audit Business
            Associate to determine whether Business Associate is in compliance with the terms of
            this Agreement, Privacy Rule. However, this provision does not create any obligation
            on the part of MCHA to conduct an inspection or audit.

         f) Nothing in this Agreement provides or is intended to provide any benefit to any third
            party.

         g) Each party will indemnify and hold harmless the other party, its subsidiaries and
            affiliates and any officer, director, employee or agent from and against any claim or
            liability, including attorney's fees and costs, arising out of or in connection with the
            party's or the party's agent's violation of the terms of this Agreement, HIPAA, or the
            regulations implementing HIPAA.

         h) Any ambiguity in this Agreement shall be resolved to permit MCHA to comply with
            the Privacy Rule.

         i) Business Associate expressly acknowledges that this Agreement is an agreement
            between Business Associate and MCHA, and that MCHA is a nonprofit legal entity
            with participating membership consisting of all insurers, insurance arrangements,
            societies, health maintenance organizations, and health service corporations licensed
            or authorized to do business in the State of Montana. Business Associate
            acknowledges that it has not entered into this Agreement based on representations by
            any person other than MCHA and that no person, entity, or organization other than
            MCHA will be held accountable or liable to Business Associate for any of MCHA's
            obligations under this Agreement. This paragraph will not create any additional
            obligations on the part of MCHA other than those obligations created under other
            provisions of this Agreement.


Montana Comprehensive Health
Association, Inc.
560 North Park Avenue                               Name of Business Associate
P.O. Box 4309
Helena, Montana 59604                               Address

                                                    City, State, ZIP
Linda Price
                                                    Name


Signature                                           Signature

MCHA Specialist
Title                                               Title


Date                                                Date



