BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (this “BA Agreement”) is by and between National Processing Alliance, Inc. (“NPA”) and Customer, each individually a “Party” and together the “Parties.” This BA Agreement shall apply and become effective only to the extent, and as of the date that, NPA acts as a Business Associate, as defined by HIPAA, to Customer (“Effective Date”). This BA Agreement forms part of the commercial agreement (the “Agreement”) between NPA and Customer.
A). Purpose. The purpose of this BA Agreement is to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 and the associated regulations, 45
C.F.R. parts 160-164, as may be amended (including the “Privacy Rule” and the “Security Rule”) (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act and the associated regulations, as may be amended (“HITECH”). “HIPAA” and “HITECH” are hereafter collectively referred to in this BA Agreement as “HIPAA.” Unless otherwise defined in this BA Agreement, capitalized terms have the meanings given in HIPAA. HIPAA requires NPA to provide reasonable assurances to Customer that NPA will appropriately safeguard Protected Health Information (“PHI”).
B). Relationship. Customer and NPA have entered into the Agreement under which NPA may receive, use, obtain, access, maintain, transmit, or create PHI from or on behalf of Customer in the course of performing services for Customer (the “Services”).
The Parties agree as follows:
Permitted Uses and Disclosures.
NPA may use and/or disclose PHI only as permitted or required by this BA Agreement or as otherwise Required by Law. NPA may disclose PHI to, and permit the use of PHI by, its employees, contractors, agents, or other representatives to the extent directly related to and necessary for the performance of the Services. Customer will upload no more than the minimum PHI necessary for NPA to perform the Services. As applicable, NPA will request, use and disclose only PHI that constitutes a Limited Data Set, if practicable, and will otherwise limit its use, request or disclosure (if any), of PHI to the minimum necessary for the intended purpose of the request, use or disclosure. NPA will not use or disclose PHI in a manner that would violate HIPAA if disclosed or used in such a manner by Customer. NPA will comply with the Privacy Rule requirements applicable to Customer if and to the extent NPA’s performance of the Services involves carrying out Customer’s Privacy Rule obligations.
Safeguards for the Protection of PHI.
NPA will implement and maintain appropriate administrative, physical and technical security safeguards to ensure that PHI obtained by or on behalf of Customer is not used or disclosed by NPA in violation of this BA Agreement. Such safeguards will be designed to protect the confidentiality and integrity of such PHI obtained, accessed, created, maintained, or transmitted from or on behalf of Customer. NPA will comply with the applicable requirements of the Security Rule.
Reporting and Mitigating the Effect of Unauthorized Uses and Disclosures.
NPA will promptly report to Customer, upon discovery, any Security Incident or Breach (as defined below) by it or any of its employees, directors, officers, agents, subcontractors or representatives concerning the use or disclosure of PHI. For purposes of this BA Agreement, “Breach” means any acquisition, access, use or disclosure of PHI under this BA Agreement that is (a) in violation of the Privacy Rule or (b) not permitted under this BA Agreement. NPA will be deemed to have discovered a Breach as of the first day on which the Breach is, or should reasonably have been, known to (a) NPA or (b) any employee, officer, or other agent of NPA other than the individual committing the Breach. NPA further will investigate the Breach and promptly provide to Customer information Customer may require to make notifications of the Breach to Individuals and/or other persons or entities (“Notifications”). NPA will cooperate with Customer in addressing the Breach.
Notice is hereby deemed given for attempted but Unsuccessful Security Incidents and no further notice of such Unsuccessful Security Incidents will be given. “Unsuccessful Security Incidents” include but are not limited to firewall pings and other broadcast attacks, port scans, unsuccessful log-on attempts, denial-of-service attacks, and any combination of the foregoing that do not result in unauthorized access, acquisition, use, or disclosure of PHI.
NPA will establish and implement procedures and other reasonable efforts for mitigating any harmful effects arising from any improper use and/or disclosure of PHI.
Use and Disclosure of PHI by Subcontractors, Agents, and Representatives.
NPA will require any subcontractor, agent, or other representative that is authorized to receive, use, maintain, transmit, or have access to PHI obtained or created under the BA Agreement, to agree, in writing, to: (1) adhere to the same restrictions, conditions and requirements regarding the use and/or disclosure of PHI and safeguarding of PHI that apply to NPA under this BA Agreement; and (2) comply with the applicable requirements of the Security Rule.
NPA will comply with the following individual rights requirements as applicable to PHI used or maintained by NPA:
- Right of Access. NPA agrees to provide access to PHI, at the request of Customer, as necessary to satisfy Customer’s obligations with regard to the individual access requirements under HIPPA.
- Right of Amendment. NPA agrees to make any amendment(s) to PHI as directed by Customer to meet the amendment requirements under HIPPA.
- Right to Accounting of Disclosures. NPA agrees to document any disclosures of PHI as would be required for Customer to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with HIPAA, and to provide all such documentation to Customer or to an Individual, as necessary to satisfy Customer’s obligations with regard to an Individual’s right to an accounting of disclosures. NPA will otherwise comply with its obligations regarding an Individual’s right to an accounting of disclosures under HIPPA.
Use and Disclosure for NPA’s Purposes.
- Use. Except as otherwise limited in this BA Agreement, NPA may use PHI for the proper management and administration of NPA or to carry out the legal responsibilities of NPA
- Disclosure. Except as otherwise limited in this BA Agreement, NPA may disclose PHI for the proper management and administration of NPA or to carry out the legal responsibilities of NPA, provided the disclosures are Required by Law, or NPA obtains reasonable assurances from the person to whom the PHI is disclosed that the PHI will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies NPA immediately upon discovery of any instances in which the confidentiality of the PHI has been Breached, as defined and described in Section 3 of this BA Agreement.
Access to Records.
NPA will make its internal practices, books, records, and policies and procedures relating to the use and disclosure of PHI received from, or created or received by NPA on behalf of Customer available to the federal Department of Health and Human Services (“HHS”), the Office for Civil Rights (“OCR”), or their agents for purposes of monitoring compliance with HIPAA.
Term and Termination.
- This BA Agreement will become effective on the Effective Date. Unless terminated sooner pursuant to Section 8.2, this BA Agreement will remain in effect for the duration of all Services provided by NPA and for so long as NPA will remain in possession of any PHI received from Customer, or created or received by NPA on behalf of Customer.
- Termination. In the event of a material breach of this BA Agreement, the non-breaching Party may immediately terminate this BA Agreement. Alternatively, in the non- breaching Party’s sole discretion, the non-breaching Party may provide the breaching Party with written notice of the existence of the material breach and afford the breaching party thirty (30) days to cure the material breach. In the event the breaching Party fails to cure the material breach within such time period, the non-breaching Party may immediately terminate this BA Agreement.
- Effect of Termination. Upon termination of this BA Agreement, NPA will recover any PHI relating to this BA Agreement in the possession of its subcontractors, agents or representatives. NPA will return to Customer or destroy all such PHI plus all other PHI relating to this BA Agreement in its possession, and will retain no copies. If NPA cannot feasibly return or destroy the PHI, NPA will ensure that any and all protections, requirements and restrictions contained in this BA Agreement will be extended to any PHI retained after the termination of this BA Agreement, and that any further uses and/or disclosures will be limited to the purposes that make the return or destruction of the PHI infeasible. Customer understands and agrees that NPA’s operations generally make it infeasible to return or destroy PHI upon termination of this BA Agreement, unless Customer specifically directs NPA to return or destroy the PHI.
Each Party will create an escalation process and provide a written copy to the other Party within five (5) business days of any dispute arising out of or relating to this BA Agreement. The escalation process will be used to address disputed issues related to the performance of this BA Agreement. The Parties agree to communicate regularly about any open issues or process problems that require prompt and accurate resolution as set forth in their respective escalation process documentation. The Parties will attempt in good faith to resolve any dispute arising out of or relating to this BA Agreement, before and as a prior condition for commencing legal proceedings of any kind, first as set forth above in the escalation process and next by negotiation between executives who have authority to settle the controversy and who at a higher level of management than the persons with direct responsibility for administration of this BA Agreement. Any Party may give the other Party written notice of any dispute not resolved in the normal course of business. Within five (5) business days after delivery of the notice, the receiving Party shall submit to the other a written response. The notice and the response will include (a) a statement of each Party’s position and a summary of arguments supporting that position and (b) the name and title of the executive who will represent that Party and of any other person who will accompany the executive. Within fifteen (15) business days after delivery of the disputing Party’s notice, the executives of both Parties shall meet at a mutually acceptable time and place, including telephonically, and thereafter as often as they reasonably deem necessary, to attempt to resolve the dispute. All reasonable requests for information made by one Party to the other will be honored. All negotiations pursuant to this section are confidential and compromise and settlement negotiations for purposes of applicable rules of evidence.
- Indemnity and Limitation of Liability. The indemnity and limitation of liability provisions in the Agreement apply to liability arising under this BA Agreement.
- Survival. The respective rights and obligations of the Parties under Sections 7 (Access to Records), 8.3 (Effect of Termination), 9 (Dispute Resolution) and 10 (Miscellaneous) will survive termination of this BA Agreement.
- Amendments. This BA Agreement constitutes the entire agreement between the Parties with respect to its subject matter. It may not be modified, nor will any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The Parties agree to amend this BA Agreement from time to time as necessary for the Parties to comply with their respective obligations under HIPAA.
- Waiver. A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent
- Compliance with HIPAA. Any ambiguity in this BA Agreement will be resolved in favor of a meaning that permits the Parties to comply with their respective obligations under HIPAA.
- No Third Party Beneficiaries. Nothing express or implied in this BA Agreement is intended to confer, nor will anything herein confer, upon any person other than the Parties and their respective successors and permitted assigns, any rights, remedies, obligations or liabilities whatsoever.
- Notices. All required reports or notices to Customer under this Agreement will be made by NPA via either a general notice on NPA’s website or web application, an individualized notice to Customer on the NPA web application, or electronic mail to Customer’s e-mail address on record in Customer’s account. Such notice will be deemed to have been given upon the expiration of forty-eight (48) hours after posting or twelve (12) hours after sending by email. Customer will send required notices to NPA via email addressed to [email protected].
- Inconsistencies. If any of the terms of this BA Agreement conflict with or are inconsistent with the terms of the Agreement, the terms of this BA Agreement will prevail.