Business Associate Agreement

HIPAA Privacy, Security & Breach Notification Rules

RxGranted | ASKARX LLC | Ewing, New Jersey

Pursuant to 45 C.F.R. § 164.504(e) and the HITECH Act

This Business Associate Agreement (“BAA” or “Agreement”) is entered into by and between the healthcare practice identified below (“Covered Entity”) and ASKARX LLC, d/b/a RxGranted (“Business Associate”), collectively referred to as the “Parties.” This Agreement is effective as of the date of last signature below (“Effective Date”).

Recitals

WHEREAS, Covered Entity is a healthcare provider subject to the Privacy, Security, and Breach Notification Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), codified at 42 U.S.C. §§ 17921–17954, and the regulations at 45 C.F.R. Parts 160 and 164 (collectively, the “HIPAA Rules”);

WHEREAS, Business Associate provides prior authorization clinical documentation services to Covered Entity, which may involve the use, disclosure, creation, receipt, maintenance, or transmission of Protected Health Information (“PHI”) on behalf of Covered Entity;

WHEREAS, the Parties desire to comply with the HIPAA Rules and to establish the permitted and required uses and disclosures of PHI by Business Associate;

NOW, THEREFORE, in consideration of the mutual promises set forth herein, the Parties agree as follows:

Article I — Definitions

Capitalized terms used but not otherwise defined in this Agreement shall have the meanings given to them in the HIPAA Rules. The following terms are defined for purposes of this Agreement:

  • 1.1 “Breach” shall have the meaning given under 45 C.F.R. § 164.402.
  • 1.2 “Designated Record Set” shall have the meaning given under 45 C.F.R. § 164.501.
  • 1.3 “Electronic Protected Health Information” or “ePHI” shall have the meaning given under 45 C.F.R. § 160.103.
  • 1.4 “Individual” shall have the meaning given under 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative under 45 C.F.R. § 164.502(g).
  • 1.5 “Minimum Necessary” shall have the meaning given under 45 C.F.R. § 164.502(b).
  • 1.6 “Protected Health Information” or “PHI” shall have the meaning given under 45 C.F.R. § 160.103, limited to PHI created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
  • 1.7 “Required by Law” shall have the meaning given under 45 C.F.R. § 164.103.
  • 1.8 “Secretary” shall mean the Secretary of the U.S. Department of Health and Human Services or designee.
  • 1.9 “Security Incident” shall have the meaning given under 45 C.F.R. § 164.304.
  • 1.10 “Subcontractor” shall have the meaning given under 45 C.F.R. § 160.103.
  • 1.11 “Unsecured Protected Health Information” shall have the meaning given under 45 C.F.R. § 164.402.
  • 1.12 “Services” shall mean the prior authorization clinical documentation services, including: preparation of prior authorization letters, clinical justification documentation, appeal letters, and direct submission of prior authorization requests to payers on behalf of Covered Entity.

Article II — Obligations of Business Associate

2.1 Permitted Uses and Disclosures

Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law. Permitted purposes include:

(a) Performing the Services described in Section 1.12;

(b) Proper management and administration of Business Associate, or carrying out its legal responsibilities, provided that any disclosure for such purposes is either Required by Law or made only after Business Associate obtains reasonable written assurances from the recipient that the PHI will be held confidentially, used or further disclosed only as Required by Law or for the purpose for which it was disclosed, and that the recipient will notify Business Associate of any instance of which it becomes aware in which the confidentiality of the PHI has been breached, per 45 C.F.R. § 164.504(e)(4);

(c) Data Aggregation services, as defined in 45 C.F.R. § 164.501, relating to the health care operations of Covered Entity, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B);

(d) De-identification of PHI in accordance with 45 C.F.R. § 164.514(a)–(c).

2.2 Minimum Necessary Standard

Business Associate shall limit its use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, per 45 C.F.R. § 164.502(b).

2.3 Safeguards

Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. Part 164, Subpart C. Without limitation, Business Associate shall:

(a) Encrypt all ePHI at rest using AES-256 or an equivalent algorithm and in transit using TLS 1.2 or higher, consistent with Section 6.1, such that the ePHI is rendered unusable, unreadable, or indecipherable to unauthorized persons under the guidance issued by the Secretary pursuant to 45 C.F.R. § 164.402, with decryption keys stored separately from the encrypted ePHI;

(b) Implement role-based access controls limiting PHI access to authorized personnel only;

(c) Maintain audit logs recording all access to and modifications of ePHI, and protect such logs from unauthorized alteration or deletion, per 45 C.F.R. § 164.312(b);

(d) Conduct an accurate and thorough risk analysis per 45 C.F.R. § 164.308(a)(1)(ii)(A) at least annually and upon any material change to systems that store, process, or transmit ePHI, and implement security measures sufficient to reduce identified risks to a reasonable and appropriate level per 45 C.F.R. § 164.308(a)(1)(ii)(B);

(e) Ensure all workforce members who access PHI complete HIPAA training prior to access and annually thereafter;

(f) Transmit PHI only over channels that encrypt it in transit as specified in Section 6.1, such as the intake portal described in Section 6.3; unencrypted e-mail and SMS text messaging shall not be used to transmit PHI.

2.4 Reporting

Business Associate shall report to Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any Breach of Unsecured PHI or Security Incident, per Article IV.

2.5 Subcontractors

Business Associate shall ensure that any Subcontractor that creates, receives, maintains, or transmits PHI agrees to the same restrictions and requirements under this Agreement, by entering into a written agreement per 45 C.F.R. § 164.504(e).

2.6 Access to PHI

Business Associate shall make PHI in a Designated Record Set available to Covered Entity or an Individual within fifteen (15) business days of a request, per 45 C.F.R. § 164.524.

2.7 Amendment of PHI

Business Associate shall make amendments to PHI in a Designated Record Set as directed by Covered Entity within fifteen (15) business days, per 45 C.F.R. § 164.526.

2.8 Accounting of Disclosures

Business Associate shall document disclosures of PHI and make such information available to Covered Entity within thirty (30) days of request, per 45 C.F.R. § 164.528.

2.9 Government Access

Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s and Business Associate’s compliance with the HIPAA Rules, per 45 C.F.R. § 164.504(e)(2)(ii)(I).

2.10 Prohibition on Sale of PHI

Business Associate shall not sell PHI per 45 C.F.R. § 164.502(a)(5)(ii) without prior written authorization of the Individual and Covered Entity.

2.11 Prohibition on Marketing

Business Associate shall not use or disclose PHI for marketing, as defined in 45 C.F.R. § 164.501, without an authorization from the Individual that satisfies 45 C.F.R. § 164.508(a)(3).

Article III — Obligations of Covered Entity

3.1

Covered Entity shall provide Business Associate with its Notice of Privacy Practices and any changes thereto.

3.2

Covered Entity shall notify Business Associate of any changes in or revocation of Individual permissions affecting Business Associate’s use of PHI.

3.3

Covered Entity shall notify Business Associate of any restrictions on PHI use or disclosure agreed to under 45 C.F.R. § 164.522.

3.4

Covered Entity shall provide only the minimum necessary PHI for Business Associate to perform Services.

Article IV — Breach Notification

4.1 Discovery and Notification

Business Associate shall report any Breach of Unsecured PHI to Covered Entity without unreasonable delay, and in no case later than thirty (30) calendar days after discovery. A Breach is treated as discovered on the first day on which it is known, or by exercising reasonable diligence would have been known, to Business Associate or to any workforce member or agent of Business Associate other than the person committing the Breach, per 45 C.F.R. § 164.410(a)(2). Business Associate shall make an initial report even if the information described in Section 4.2 is not yet fully available, and shall supplement the report as that information becomes available.

4.2 Content of Notification

Notification shall include, to the extent available at the time of notification and promptly thereafter as it becomes available, per 45 C.F.R. § 164.410(c):

(a) Identification of affected Individuals;

(b) Description of what happened;

(c) Types of PHI involved;

(d) Recommended protective steps;

(e) Business Associate’s investigation and mitigation actions.

4.3 Security Incidents

Business Associate shall report Security Incidents to Covered Entity within five (5) business days of discovery. The Parties acknowledge that this Section constitutes notice of the ongoing occurrence of unsuccessful Security Incidents (such as pings, port scans, and failed login attempts) that do not result in unauthorized access to, use, disclosure, modification, or destruction of ePHI or interference with system operations, and that such unsuccessful incidents need not be reported individually.

4.4 Cooperation

Business Associate shall cooperate with Covered Entity in investigation and meeting obligations under 45 C.F.R. Part 164, Subpart D.

4.5 Mitigation

Business Associate shall take prompt corrective action to mitigate harmful effects and prevent recurrence.

Article V — Term and Termination

5.1 Term

Effective as of the Effective Date, continuing for the duration of the service relationship unless earlier terminated.

5.2 Termination for Cause

Either Party may terminate if the other materially breaches and fails to cure within thirty (30) days of written notice. If cure is not possible, immediate termination upon written notice.

5.3 Return or Destruction of PHI

Upon termination of this Agreement for any reason, Business Associate shall within thirty (30) days:

(a) Return or destroy all PHI including all copies;

(b) Certify destruction in writing;

(c) If return or destruction is infeasible, extend the protections of this Agreement to the retained PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as Business Associate maintains such PHI, per 45 C.F.R. § 164.504(e)(2)(ii)(J).

5.4 Survival

Articles IV and V survive termination.

Article VI — Data Security Specifications

Business Associate represents and warrants that the following security measures are implemented and maintained:

6.1

All ePHI is encrypted using TLS 1.2 or higher in transit and AES-256 at rest, with encryption keys managed and stored separately from the encrypted ePHI.

6.2

Role-based access controls, a unique user identifier for each user (no shared accounts), and multi-factor authentication for all remote and administrative access to systems containing ePHI, and for all other access to ePHI where feasible.

6.3

Intake portal served exclusively over HTTPS (TLS 1.2 or higher), with automatic session timeout after a period of inactivity, server-side input validation, and logging of all access to PHI.

6.4

PHI stored only on systems with appropriate physical and technical safeguards.

6.5

All personnel complete HIPAA training before PHI access and annually thereafter. Records maintained six (6) years.

6.6

All devices accessing PHI employ encryption, password/biometric protection, auto-lock, and remote wipe capability.

6.7

PHI is disposed of in accordance with NIST SP 800-88 (Guidelines for Media Sanitization) for electronic media, and by shredding for paper records.

6.8

Business continuity plan maintained including backup, disaster recovery, and emergency mode operation.

Article VII — Indemnification and Liability

7.1

Business Associate shall indemnify and hold harmless Covered Entity from claims arising from Business Associate’s breach of this Agreement or negligent/willful handling of PHI.

7.2

Covered Entity shall indemnify and hold harmless Business Associate from claims arising from Covered Entity’s breach of this Agreement or failure to perform obligations under Article III.

7.3

Except for willful misconduct, gross negligence, or a Breach of Unsecured PHI attributable to that Party, neither Party’s aggregate liability under this Agreement shall exceed the fees paid under the service relationship in the twelve (12) months preceding the event giving rise to the claim.

7.4

Business Associate shall maintain professional liability (E&O) insurance with reasonably sufficient coverage.

Article VIII — General Provisions

8.1

A reference in this Agreement to a section of the HIPAA Rules means that section as in effect or as subsequently amended.

8.2

Amendment requires writing signed by both Parties.

8.3

Ambiguity shall be interpreted to permit HIPAA compliance.

8.4

No third-party beneficiaries.

8.5

Governed by New Jersey law, except as preempted by federal law.

8.6

Entire agreement as to HIPAA compliance; supersedes prior agreements on this subject.

8.7

Severability — invalid provisions do not affect remaining provisions.

8.8

Waiver of one provision does not waive others.