Version Date: 09-11-2013
BUSINESS ASSOCIATE ADDENDUM
This addendum (“Addendum”) amends and is made part of the Trading Partner Agreement: Provider (“Agreement”) by and between
_________________________________________________________________[THE NAME OF THE TRADING
PARTNER/PROVIDER] (“Covered Entity”) and BLUE CROSS OF IDAHO EDI+CLEARINGHOUSE (“Business Associate”). This
Addendum shall become part of any modification or renewal of Agreement.
Covered Entity and Business Associate mutually agree to modify the Agreement to incorporate the terms of this Addendum to comply
with the requirements of the implementing regulations at 45 Code of Federal Regulations (“C.F.R.”) Parts 160-64 for the Administrative
Simplification provisions of Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the
requirements of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and
Reinvestment Act of 2009 (the “HITECH Act”), that are applicable to business associates, along with any future guidance and/or
regulations issued by the Department of Health and Human Services (DHHS). Covered Entity and Business Associate agree to
incorporate into this Addendum any regulations issued with respect to the HITECH Act that relate to the obligations of business
associates. Business Associate recognizes and agrees that it is obligated by law to meet the applicable provisions of the HITECH Act.
A. Privacy of Protected Health Information.
1. Permitted Uses and Disclosures. Business Associate is permitted to use and disclose Protected Health Information
(PHI) that it creates or receives on Covered Entity’s behalf or receives from Covered Entity (or another business associate of
Covered Entity) and to request PHI on Covered Entity’s behalf (collectively, “Covered Entity’s PHI”) only as follows:
a) Functions and Activities on Covered Entity’s Behalf. To perform functions, activities, services, and
operations on behalf of Covered Entity, consistent with the Privacy Rule and the HITECH Act, as specified in the
b) Business Associate’s Operations. Business Associate may use the minimum necessary PHI it creates or
receives for or from Covered Entity for Business Associate’s proper management and administration or to carry out
Business Associate’s legal responsibilities. Business Associate may disclose the minimum necessary of PHI for Business
Associate’s proper management and administration or to carry out Business Associate’s legal responsibilities only if the
disclosure is required by law, or Business Associate obtains reasonable assurances from the person or organization to
whom the information is disclosed that it will remain confidential and be used or further disclosed only as required by law
or for the purpose for which it was disclosed to the person or organization, and the person or organization notifies the
Business Associate (who will in turn promptly notify Covered Entity) of any instances of which it is aware in which the
confidentiality of the information has been breached.
2. Minimum Necessary and Limited Data Set. Business Associate’s use, disclosure or request of PHI shall utilize a
Limited Data Set if practicable. Otherwise, Business Associate will, in its performance of the functions, activities, services, and
operations, make reasonable efforts to use, to disclose, and to request of a Covered Entity only the minimum amount of Covered
Entity’s PHI reasonably necessary to accomplish the intended purpose of the use, disclosure or request.
3. Prohibition on Unauthorized Use or Disclosure. Business Associate will neither use nor disclose Covered Entity’s
PHI, except as permitted or required by this Addendum or in writing by Covered Entity or as required by law. This Addendum
does not authorize Business Associate to use or disclose Covered Entity’s PHI in a manner that will violate 45 C.F.R. Part
164, Subpart E “Privacy of Individually Identifiable Health Information” (“Privacy Rule”).
4. Information Safeguards.
a) Privacy of Covered Entity’s Protected Health Information. Business Associate will develop, implement,
maintain, and use appropriate administrative, technical, and physical safeguards to protect the privacy of Covered
Entity’s PHI. The safeguards must reasonably protect Covered Entity’s PHI from any intentional or unintentional use
or disclosure in violation of the Privacy Rule, 45 C.F.R. Part 164, Subpart E and this Addendum, and limit incidental
uses or disclosures made pursuant to a use or disclosure otherwise permitted by this Addendum.
b) Security of Covered Entity’s Electronic Protected Health Information (ePHI). Business Associate will
develop, implement, maintain, and use administrative, technical, and physical safeguards that reasonably and
appropriately protect the confidentiality, integrity, and availability of ePHI that Business Associate creates, receives,
maintains, or transmits on Covered Entity’s behalf as required by the Security Rule, 45 C.F.R. Part 164, Subpart C and as
required by the HITECH Act. Business Associate also shall develop and implement policies and procedures and meet
the Security Rule documentation requirements as required by the HITECH Act.
5. Subcontractors and Agents. Business Associate will require any of its subcontractors and agents, to which Business
Associate is permitted by this Addendum or in writing by Covered Entity to disclose Covered Entity’s PHI, to provide reasonable