(2 of 4) CA 0125B 10/2013
Obligations upon Termination. Upon termination, cancellation, expiration or other conclusion of this Agreement or any other agreements for any reason, Broker shall
comply with applicable Privacy Rule requirements regarding the return or destruction of Health Information or Personal and Health Information.
Continuing Privacy Obligation. Broker’s obligation to protect the privacy of the Health Information or Personal and Health Information shall be continuous and survive
termination, cancellation, expiration or other conclusion of this Agreement.
Prohibition on Unauthorized Use or Disclosure. Broker shall neither use nor disclose Health Information or Personal and Health Information it collects, creates for or
receives from the Company, except as permitted or required by this Agreement, or as permitted or required by law.
Compliance with the Company’s Confidentiality/Privacy Policies. Broker shall comply with the Company’s Privacy Statement included at the end of this document and
other Confidentiality, Privacy, and Security Policies the company may make available to the broker over the term of this agreement to meet applicable legal requirements.
De-Identification of Information/Creation of Limited Data Set. Broker shall not De-Identify Health Information it creates or receives for or from the Company, and shall not
use or disclose such de-identified information, unless such de-identification is expressly permitted under the terms and conditions of this Agreement for services to be provided
by Broker to the Company related to the Company’s activities for purposes of “treatment,” “payment” or “health care operations,” as those terms are defined under the HIPAA
Privacy Regulations. Broker further agrees that it will not create a Limited Data Set using Health Information it creates or receives for or from the Company, nor use or
disclose such Limited Data Set unless: (i) such creation, use or disclosure is expressly permitted under the terms and conditions of this Agreement; and (ii) such creation,
use or disclosure is for services provided by Broker that relate to the Company’s activities for purposes of “payment” or “health care operations,” as those terms are defined
under the HIPAA Privacy Regulations.
Information Safeguards. Broker shall develop, implement, maintain and use appropriate administrative, technical and physical safeguards, in compliance with applicable state
and federal laws, to preserve the confidentiality of and to prevent unauthorized disclosures of Health Information or Personal and Health Information collected, created or
received for or from the Company. Broker shall document and keep such safeguards current and, upon the Company’s reasonable request, shall provide the Company with a
copy of policies and procedures related to such safeguards.
C. Personal and Health Information Access, Amendment and Disclosures
Access. Broker shall, upon the Company’s reasonable request permit, within ten (10) business days of receipt of request, an individual (or the individual’s personal
representative) to inspect and obtain copies of any Health Information or Personal and Health Information about the individual which Broker collected, created or received
for or from the Company and that is in Broker’s custody or control.
Amendment. Broker shall, upon receipt of notice from the Company, promptly amend or permit the Company access to amend any portion of an individual’s Health
Information or Personal and Health Information which Broker collected, created or received for or from the Company and that is in Broker’s custody or control.
Disclosures. Broker shall document each disclosure it makes of an individual’s Health Information or Personal and Health Information to a third party. Moreover, for
purposes of this Section, “disclosure” includes: 1) any legal disclosure; 2) any illegal, inadvertent, wrongful, or negligent disclosure; and 3) any instance in which access was
provided to an unauthorized third party to an individual’s Health Information or Personal and Health Information. For the purposes of this Agreement, “legal disclosure”
includes, but is not limited, any disclosures to law enforcement or other governmental authority pursuant to law and in response to a facially valid administrative or judicial
order, such as a search warrant or subpoena.
Legal. In a timely manner but not later than 30 days from the date of the disclosure, Brokers shall forward to the Company a report of such disclosures, as required by 45
CFR § 164.528; however, this requirement shall not apply if Broker has not made any such disclosures. Such report shall include the applicable individual’s name, the
person to whom the Health Information or Personal and Health Information was disclosed, what was disclosed, why the information was disclosed, and the date of such
Illegal, Inadvertent or Wrongful Disclosure. Broker shall report to the Company any use or disclosure of Health Information or Personal and Health Information not
permitted by this Agreement or that would be in violation of the Privacy Rule if made by Company. Business Associate shall make the report to the Company not more
than twenty-four (24) hours after Broker learns of such non-permitted use or disclosure. Broker shall report such disclosure in accordance with Section D of this
Termination of Agreement. Upon termination of this Agreement, Broker shall provide to the Company one final report of any and all disclosures made of all
individuals’ Health Information or Personal and Health Information.
Inspection of Books and Records. Broker shall make its internal practices, books and records, relating to its use and disclosure of the Personal and Health Information it
collects, creates or receives for or from the Company, available to the U.S. Department of Health and Human Services or to the California Insurance Commission to determine
the Company’s compliance, as a Business Associate, with the provisions of the HIPAA Privacy Regulations or the IIPPA Privacy Regulations, whichever is applicable.
Designated Record Set. Broker agrees that all Health Information or Personal and Health Information received by or created for the Company shall be included in an
individual’s Designated Record Set. Broker shall maintain such Designated Record Set with respect to services provided to an individual under this Agreement, and shall allow
such individual to access the Designated Record Set as provided in the HIPAA Privacy Regulations.
Generally In furtherance of Broker’s obligation under Sections C.3. and C.4 above, Broker Business Associate shall, within five (5) days of becoming aware of a Breach of
Unsecured PHI or any other disclosure of protected health information in violation of this Agreement by Broker Business Associate, its officers, directors, employees,
contractors or agents or by a third party to which Broker Business Associate disclosed protected health information pursuant to Broker Business Associate Agreement, report
any such Breach or disclosure to the Company. Such notification shall include, to the extent possible, the identification of each individual whose protected health information
has been, or is reasonably believed by Broker Business Associate to have been, accessed, acquired, used, or disclosed during the Breach. In addition, Broker Business
Associate shall provide Company with the following information, to the extent available at the time initial notice to Company is provided, or promptly thereafter as such
information becomes available:
A brief description of what happened, including the date of the Breach or wrongful disclosure and the date of discovery
A description of the type of protected health information that was involved (e.g., name, Social Security Number, procedure, diagnosis, treatment, etc.)
The steps that BROKER BUSINESS ASSOCIATE recommends that the individual should take to protect himself or herself
A brief description of the steps that BROKER BUSINESS ASSOCIATE is taking to investigate, mitigate harm, and protect against future similar breaches
• Any such other information, including a written report, as the Company may reasonably r
of Agreement. This Agreement shall terminate automatically in the event that Broker ceases performing services for or on behalf of Company or in the event
that Broker otherwise ceases to be a Business Associate of either the Company or a Covered Entity with respect to whom the Company is a Business Associate. The
Company may also, in addition to other available remedies, terminate this Agreement if Business Associate has materially breached any provision(s) of this Agreement and
has failed to cure or take any actions to cure such material breach within five (5) calendar days of the Company informing Broker of such material breach. The Company shall
exercise this right to terminate by providing Broker written notice of termination, which termination shall include the reason for the termination. Any such termination shall be
effective immediately (following any applicable cure period) or at such other date specified in the Company’s notice of termination.
BUSINESS ASSOCIATE PRIVACY AGREEMENT