Access Business Associate Agreement
This Business Associate Agreement (“BAA”) is made between the Access company set forth in the client’s agreement (“ACCESS”) and the client (“CLIENT”), and supplements the existing services agreement entered into between ACCESS and CLIENT and/or Access Service Terms and Conditions found at https://www.accesscorp.com/access-service-terms-and-conditions/ (the applicable agreement hereinafter referred to as the “Agreement”) pursuant to which ACCESS is providing records storage, destruction, and information management services (“Services”). Capitalized terms used but not otherwise defined in this BAA shall have the same meaning as ascribed to those terms in the HIPAA Rules and the HITECH Act (as those terms are defined in Section 1 below).
ACCESS and CLIENT are entering into this BAA in order for both parties to meet the relevant statutory and regulatory requirements of HIPAA, as well as the provisions of the HITECH Act. If and to the extent that CLIENT is not, or subsequently ceases to continue to be, a Covered Entity under HIPAA, or ACCESS is not, or ceases to continue to be, a Business Associate under HIPAA, this BAA shall be of no effect.
1. Definitions.
“Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this BAA, shall mean ACCESS.
“Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this BAA, shall mean CLIENT.
“HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, and accompanying regulations, as may be amended from time to time.
“HIPAA Rules” shall mean the HIPAA Privacy, Security, Breach Notification and Enforcement Rules at 45 CFR Part 160 and Part 164. Any reference in this BAA to a section in the HIPAA Rules means the section in effect or as amended.
“HITECH Act” shall mean the applicable provisions of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 and any accompanying regulations.
“Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR, Parts 160 and 164.
“Security Rule” shall mean the HIPAA Security Standards codified at 45 CFR Parts 160, 162, and 164.
2. Obligations and Activities of Business Associate under the HIPAA Rules to the Extent Applicable to the Services Provided Under the Agreement.
(a) Business Associate may only Use or Disclose PHI as necessary to perform the services set forth in the Agreement, as permitted or required by this BAA, the Agreement or as Required By Law. Additionally, Business Associate may Use or Disclose PHI for the purposes authorized by this BAA only (i) to its employees, Subcontractors, and agents, in accordance with this BAA, or (ii) as directed by Covered Entity, if such Use or Disclosure of PHI would not violate the HIPAA Rules. Except as otherwise limited in this BAA, Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
(b) Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation services relating to the health care operations of the Covered Entity.
(c) Business Associate’s Use, Disclosure or request of PHI shall utilize a limited data set if practicable or otherwise the Minimum Necessary PHI to accomplish the intended results of the Use, Disclosure or request.
(d) Business Associate agrees to implement appropriate safeguards to prevent Use or Disclosure of the PHI other than as permitted by this BAA or the Agreement or as Required By Law. Such safeguards shall include implementing requirements of the Security Rule with regard to electronic PHI.
(e) Business Associate agrees to mitigate, to the extent practicable and within the limits of liability established in the Agreement, or in the absence of a limitation of liability in the Agreement, a maximum of six (6) months of charges paid by CLIENT to ACCESS, any harmful effect that is known to Business Associate of a Breach of Unsecured PHI or Use or Disclosure of PHI by Business Associate as a result of Business Associate’s Breach of this BAA. This is ACCESS’ maximum liability for any and all claims, causes of action, fines, penalties, damages, costs, or expenses arising hereunder.
(f) Business Associate agrees to report to Covered Entity (i) any Use or Disclosure of PHI not provided for by this BAA or the Agreement of which it becomes aware, (ii) any Breach of Unsecured Protected Health Information, and/or (iii) any Security Incident. Such notice shall be given promptly and in any event within the timeframe required by 45 CFR § 164.410. Any such report shall include (i) the identification (if known) of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used or disclosed during such Breach, and (ii) any other available information (to the extent known) Covered Entity is required to include in notification to the Individual under 45 CFR § 164.404(c) such as a brief description of the incident and the nature of the information disclosed. Covered Entity shall report any Breach of Unsecured PHI to Individuals, the Secretary, the HHS Office for Civil Rights and/or the media as Required by Law.
(g) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any agent, including a Subcontractor, to whom it provides Covered Entity’s PHI, or whom it allows to create, receive, maintain or transmit Covered Entity’s PHI (including electronic PHI) on its behalf, agrees, in writing, to the same restrictions that apply to Business Associate with respect to such PHI.
(h) To the extent (if any) that Business Associate maintains a Designated Record Set for Covered Entity, Business Associate agrees to provide access, to the Covered Entity at its request, to PHI in a Designated Record Set, so that Covered Entity may respond to an Individual in order to meet the requirements under 45 CFR 164.524. Any request from an Individual directly to Business Associate shall promptly be forwarded to Covered Entity for a response.
(i) To the extent (if any) that Business Associate maintains a Designated Record Set for Covered Entity, and is notified by Covered Entity that an amendment to PHI in a Designated Record Set is required, then Covered Entity shall instruct Business Associate to retrieve the record or any other such document identified by Covered Entity in a Designated Record Set so that Covered Entity may make any such amendment to the PHI as may be required by either the Covered Entity or an Individual.
(j) Business Associate agrees to make its internal practices, books and records relating to the Use and Disclosure of PHI, available to the Secretary, upon request of the Secretary or Covered Entity, upon receiving not less than five (5) days’ advance written notification by Covered Entity, for the purpose of determining compliance with HIPAA Rules.
(k) Business Associate shall document Disclosures of PHI made directly by Business Associate to an Individual and information related to such Disclosures as would be required for Covered Entity to respond to a request by an Individual for an account of Disclosures of PHI in accordance with 45 CFR § 164.528.
(l) Business Associate agrees to provide to Covered Entity, upon receiving not less than five (5) business days’ advance written notification by Covered Entity, information or a record about an Individual contained in a Designated Record Set that Covered Entity identifies in Business Associate’s inventory management program, to permit Covered Entity to respond to a specific request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR § 164.528.
(m) Covered Entity shall pay Business Associate’s reasonable charges for performing its obligations under this Section 2, provided such fees shall comply with HIPAA Rules.
3. Obligations of Covered Entity.
Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity (except to the extent Business Associate performs Data Aggregation or for the management and administration and legal responsibilities of the Business Associate). Notwithstanding anything to the contrary herein, Covered Entity acknowledges that any Use or Disclosure of PHI made by Business Associate at the request of Covered Entity is made in reliance that such request is permissible and Covered Entity is requesting the Minimum Necessary to accomplish the intended purpose of the Use or Disclosure or request. Covered Entity shall indemnify Business Associate for any damages, costs, fines or penalties incurred by reason of actions taken by Business Associate pursuant to Covered Entity instructions or requests that are in breach of this provision or applicable law.
(a) Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
(c) Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
4. Term and Termination.
(a) Term. The obligations of Business Associate shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created, received, or maintained by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity; provided, however, that if it is infeasible to return or destroy PHI, the terms of this BAA shall extend to the PHI in the Business Associate’s care, custody, and control.
(b) Termination for Cause. Upon Covered Entity’s knowledge of a material breach of this BAA by Business Associate, Covered Entity shall provide at least sixty (60) days’ notice and opportunity for Business Associate to cure the breach or provide reasonable measures to prevent another like breach. If Business Associate does not cure the breach, provide reasonable measures to prevent another like breach, or end the violation within the time specified by this Section, Covered Entity may immediately terminate this BAA. If Business Associate has breached a material term of this BAA and cure is not possible, or if neither cure nor termination is feasible, Covered Entity shall report the violation to the Secretary.
(c) Effect of Termination.
- Upon termination of this BAA, Business Associate shall return or destroy all PHI received from Covered Entity, or created, maintained or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of Subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
- In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon the Covered Entity’s acceptance that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. Business Associate shall be entitled to compensation for continued maintenance of PHI as provided for in the Agreement.
(d) Covered Entity shall pay the charges of Business Associate for the return and/or destruction of PHI as set forth in the Agreement. The obligations of Business Associate under this Section 4 shall survive termination of this BAA.
5. Miscellaneous.
(a) Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.
(b) No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
(c) ACCESS may amend this BAA from time to time. Material changes to this BAA will be notated under any revision date listed hereof.
Where any of the terms and conditions in this BAA are in conflict with the Agreement and cannot be read in any way to be compatible, those in the Agreement shall prevail, except to the extent said interpretation would violate the HIPAA Rules.
Revised December 1, 2022
Material Revisions:
- Section 2(k) revised to clarify Business Associate’s documentation of Disclosures of PHI to Covered Entity in accordance with 45 CFR § 164.528.
- Section 2(l) revised to update notice period from five (5) days to five (5) business days.
Revised August 31, 2016
No material changes from original version
Revised December 1, 2016
Material changes from August 31, 2016 version:
- Update paragraph 1 to clarify and confirm that this BAA applies to Access Service Terms and Conditions located on Access’ website.
- Update Section 5 to describe amendment process of BAA.