Fill and Sign the Hippa Business Agreement Form

HIPAA Business Associate Agreement between Covered Entity and Business Associate (Compliance with Privacy and Security Rules) This HIPAA Business Associate Agreement ( Agreement ) is between _______________ ___________ (Name of Covered Entity) of _________________________________________ _____________________________________ (street address, city, county, state, zip code) , hereinafter referred to as the Covered Entity , and __________________________ (Name of Business Associate) , hereinafter referred to a Business Associate , located at ___________ ______________________________________________________________ (street address, city, county, state, zip code) , and includes all office locations and other business locations at which Business Associate data may be used or maintained. Covered Entity and Business Associate may be referred to herein individually as Party or collectively as Parties. 1. Covered Entity acknowledges that it is subject to the Privacy and Security Rules (45 CFR Parts 160 and 164) promulgated by the United States Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191. 2. If Business Associate provides services to Covered Entity pursuant to one or more contractual relationships, said Agreements are hereinafter referred to as Service Agreements . A list of said agreements affected by this HIPAA Business Associate Agreement is attached hereto as Exhibit A , and made a part hereto by reference. 3. In the course of executing Service requests, Business Associate may come into contact with, use, or disclose Protected Health Information (PHI) (defined in Section 5-M below). Said Service Agreements are hereby incorporated by reference and shall be taken and considered as a part of this document the same as if fully set out herein. 4. In accordance with the federal privacy and security regulations set forth at 45 C.F.R. Part 160 and Part 164, Subparts A, C, and E, which require Covered Entity to have a written memorandum with each of its internal Business Associate s, the Parties wish to establish satisfactory assurances that Business Associate will appropriately safeguard PHI and, therefore, execute this Agreement. 5. Definitions A. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR §§ 160.103, 164.304, 164.504 and 164.501. B. Breach of the Security of the Business Associate’s Information System shall mean the unauthorized acquisition, including, but not limited to, access to, use, disclosure, modification or destruction, of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by or on behalf of the Covered Entity under the terms of ________________________ (State Code provision, if applicable) and this Agreement. C. Commercial Use means obtaining protected health information with the intent to sell, transfer or use it for commercial, or personal gain, or malicious harm; sale to third party for consumption, resale, or processing for resale; and application or conversion of data to make a profit or obtain a benefit contrary to the spirit of this Agreement, including but not limited to presentation of data or examples of data in a conference or meeting setting where the ultimate goal is to obtain or gain new business. D. Confidential Information shall mean any non-public, confidential or proprietary information, whether written, graphic, oral, electronic, visual or fixed in any tangible medium or expression, which is supplied by Covered Entity to the Trading Partner under this Agreement. Any information, whether written, graphic, oral, electronic, visual or fixed in any tangible medium or expression, relating to individuals enrolled in the Covered Entity program ( Covered Entity Enrollees ), or relating to individuals who may be potentially enrolled in the Covered Entity program, which is provided to or obtained through the Trading Partner’s performance under this Agreement, shall also be treated as Confidential Information to the extent that confidential status is afforded such information under state and federal laws or regulations. All confidential information shall not be subject to disclosure under the ____________________ (Name of State) Public Records Act. E. Designated Record Set shall have the meaning set out in its definition at 45 C.F.R. § 164.501. F. Electronic Protected Health Information (EPHI) shall have the meaning set out in its definition at 45 C.F.R. § 160.103. G. Encryption means the process using publicly known algorithms to convert plain text and other data into a form intended to protect the data from being able to be converted back to the original plain text by known technological means. H. Health Care Operations shall have the meaning set out in its definition at 45 C.F.R. § 164.501. I. Individual shall have the same meaning as the term individual in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g). J. Marketing shall have the meaning under 45 CFR § 164.501 and the act or process of promoting, selling, leasing or licensing any Covered Entity information or data for profit without the express written permission of Covered Entity . K. Privacy Officer shall have the meaning as set out in its definition at 45 C.F.R. § 164.530(a)(1). The Privacy Officer is the official designated by a Covered Entity or Business Associate to be responsible for compliance with HIPAA regulations. L. Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, subparts A, and E. M. Protected Health Information shall have the same meaning as the term protected health information in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity . PHI includes information in any format, including but not limited to electronic or paper. N. Required By Law shall have the same meaning as the term required by law in 45 CFR § 164.103. O. Security Incident shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. P. Security Event shall mean an immediately reportable subset of security incidents which incident would include: 1. A suspected penetration of Business Associate ’s information system of which the Business Associate becomes aware but for which it is not able to verify within Forty-Eight (48) hours or no more than Two Business Days (of the time the Business Associate became aware of the suspected incident) that enrollee PHI or other confidential Covered Entity data was not accessed, stolen, used, disclosed, modified, or destroyed; 2. Any indication, evidence, or other security documentation that the Business Associate ’s network resources, including, but not limited to, software, network routers, firewalls, database and application servers, intrusion detection systems or other security appliances, may have been damaged, modified, taken over by proxy, or otherwise compromised, for which Business Associate cannot refute the indication within Forty-Eight (48) or no more than Two Business Days of the time the Business Associate became aware of such indication; 3. A breach of the security of the Business Associate ’s information system(s) (see Paragraph 5-B above), by unauthorized acquisition, including, but not limited to, access to or use, disclosure, modification or destruction, of unencrypted computerized data and which incident materially compromises the security, confidentiality, or integrity of Covered Entity enrollee PHI; and/or 4. The unauthorized acquisition, including but not limited to access to or use, disclosure, modification or destruction, of unencrypted Covered Entity enrollee PHI or other confidential information of the Covered Entity by an employee or authorized user of Business Associate ’s system(s) which materially compromises the security, confidentiality, or integrity of Covered Entity enrollee PHI or other confidential information of the Covered Entity . If data acquired (including but not limited to access to or use, disclosure, modification or destruction of such data) is in encrypted format but the decryption key which would allow the decoding of the data is also taken, the parties shall treat the acquisition as a breach for purposes of determining appropriate response. Q. Security Rule shall mean the Security Standards for the Protection of Electronic Protected Health Information” at 45 CFR Parts 160 and 164, Subparts A and C. 6. Obligations and Activities of BUSINESS ASSOCIATE (Privacy Rule) A. Compliance with the Privacy Rule . Business Associate agrees to fully comply with the requirements under the Privacy Rule applicable to Business Associate s, as that term is defined in the Privacy Rule and not use or further disclose PHI other than as permitted or required by this Agreement, the Service Agreements, or as Required By Law. In case of any conflict between this Agreement and the Service Agreements, this Agreement shall govern. B. Privacy Safeguards and Policies. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the Service Agreement(s), this Agreement or as Required By Law. This includes the implementation of administrative, physical, and technical safeguards to reasonably and appropriately protect the Covered Entity ’s PHI against any reasonably anticipated threats or hazards, utilizing the technology commercially available to the Business Associate (See also Section 7-B ). The Business Associate shall maintain appropriate documentation of its compliance with the Privacy Rule, including, but not limited to, its policies, procedures, records of training and sanctions of members of its workforce. C. Business Associate Contracts. Business Associate shall require any agent, including a subcontractor, to whom it provides PHI received from, maintained, created or received by Business Associate on behalf of Covered Entity , or that carries out any duties for the Business Associate involving the use, custody, disclosure, creation of, or access to PHI or other confidential Covered Entity information, to agree, by written contract with Business Associate , to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. D. Mitigation of Harmful Effect of Violations . Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement. E. Reporting of Violations in Use and Disclosure of PHI. Business Associate agrees to require its employees, agents, and subcontractors to promptly report to Business Associate any use or disclosure of PHI in violation of this Agreement and to report to Covered Entity any use or disclosure of the PHI not provided for by this Agreement. The Business Associate shall report such violation to Covered Entity within Forty-Eight (48) or no more than Two Business Days of event. F. Access of Individual to PHI and other Requests to Business Associate. If Business Associate receives PHI from Covered Entity in a Designated Record Set, Business Associate agrees to provide access to PHI in a Designated Record Set to Covered Entity in order to meet its requirements under 45 CFR § 164.524. If Business Associate receives a request from an Individual for a copy of the individual's PHI, and the PHI is in the sole possession of the Business Associate , Business Associate will provide the requested copies to the individual in a timely manner. If Business Associate receives a request for PHI not in its possession and in the possession of the Covered Entity , or receives a request to exercise other individual rights as set forth in the Privacy Rule, Business Associate shall promptly forward the request to Covered Entity . Business Associate shall then assist Covered Entity as necessary in responding to the request in a timely manner. If a Business Associate provides copies of PHI to the individual, it may charge a reasonable fee for the copies as the regulations shall permit. G. Requests to Covered Entity for Access to PHI. The Covered Entity shall forward to the Business Associate in a timely manner any Individual’s request for access to or a copy of their PHI that shall require Business Associate ’s participation, after which the Business Associate shall provide access to or deliver such information as follows: 1. The Parties understand that if either Party receives a request for access to or copies of PHI from an Individual which the Party may complete with only its own onsite information, the time for such response shall be thirty (30) days, with notification to the Covered Entity upon completion. 2. If Covered Entity does not have the requested PHI onsite and directs Business Associate to provide access to or a copy of his/her PHI directly to the Individual, the Business Associate shall have sixty (60) days from the date of the Individual’s request to provide access to PHI or deliver a copy of such information to the Individual. The Business Associate shall notify the Covered Entity when it completes the response. 3. If the Covered Entity receives a request and requires information from the Business Associate in addition to the Covered Entity ’s onsite information to fulfill the request, the Business Associate shall have thirty (30) days from date of Covered Entity ’s notice to provide access or deliver such information to the Covered Entity so that the Covered Entity may timely respond to the Individual within the sixty (60) day requirement of 45 CFR § 164.524. 4. If the Party designated above responding to the Individual’s request is unable to complete the response to the request in the time provided, that Party shall provide the Individual with a written statement of the reasons for the delay and the date by which the Party will complete its action on the request. The Party may extend the response time once for no more than thirty (30) additional days. H. Individuals’ Request to Amend PHI. If Business Associate receives PHI from Covered Entity in a Designated Record Set, Business Associate agrees to make any amendments to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526, regarding an Individual’s request to amend PHI. The Business Associate shall make the amendment promptly in the time and manner designated by Covered Entity , but shall have thirty (30) days notice from Covered Entity to complete the amendment to the Individual’s PHI and to notify the Covered Entity upon completion. I. Recording of Designated Disclosures of PHI. Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. J. Accounting for Disclosures of PHI. The Business Associate agrees to provide to Covered Entity or to an Individual, in time and manner designated by Covered Entity , information collected in accordance with this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. The Covered Entity shall forward the Individual’s request requiring the participation of the Business Associate to the Business Associate in a timely manner, after which the Business Associate shall provide such information as follows: 1. If Covered Entity directs Business Associate to provide accounting of disclosures of the Individual’s PHI directly to the Individual, the Business Associate shall have sixty (60) days from the date of the Individual’s request to provide access to or deliver such information to the Individual. The Covered Entity shall provide notice to the Business Associate in time to allow the Business Associate a minimum of thirty (30) days to timely complete the Individual’s request. 2. If the Covered Entity elects to provide the accounting to the Individual, the Business Associate shall have thirty (30) days from date of Covered Entity ’s notice of request to provide information for the Accounting to the Covered Entity so that the Covered Entity may timely respond to the Individual within the sixty (60) day period. 3. If either of the Parties is unable to complete the response to the request in the times provided above, that Party shall notify the Individual with a written statement of the reasons for the delay and the date by which the Party will complete its action on the request. The Parties may extend the response time once for no more than thirty (30) additional days. 4. The accounting of disclosures shall include at least the following information: (i) date of the disclosure; (ii) name of the third party to whom the PHI was disclosed, (iii) if known, the address of the third party; (iv) brief description of the disclosed information; and (v) brief explanation of the purpose and basis for such disclosure. 5. The Parties shall provide one (1) accounting in any twelve (12) months to the Individual without charge. The Parties may charge a reasonable, cost-based fee, for each subsequent request for an accounting by the same Individual if he/she is provided notice and the opportunity to modify his/her request. Such charges shall not exceed any applicable State statutes or rules. K. Minimum Necessary. Business Associate agrees it must use reasonable efforts to limit any use, disclosure, or request for use or disclosure of PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request in accordance with the requirements of the Privacy Rule. 1. Business Associate represents to Covered Entity that all its uses and disclosures of, or requests for, PHI shall be the minimum necessary in accordance with the Privacy Rule requirements. 2. Covered Entity may, pursuant to the Privacy Rule, reasonably rely on any requested disclosure as the minimum necessary for the stated purpose when the information is requested by Business Associate . 3. Business Associate agrees to adequately and properly maintain all PHI received from, or created or received on behalf of, Covered Entity L. Privacy Compliance Review upon Request. Business Associate agrees to make its internal practices, books and records, including policies, procedures, and PHI, relating to the use and disclosure of PHI received from, created by or received by Business Associate on behalf of Covered Entity available to the Covered Entity or to the Secretary of the United States Department of Health in Human Services or the Secretary’s designee, in a time and manner designated by the requester, for purposes of determining Covered Entity ’s or Business Associate ’s compliance with the Privacy Rule. M. Cooperation in Privacy Compliance. Business Associate agrees to fully cooperate in good faith and to assist Covered Entity in complying with the requirements of the Privacy Rule. 7. Obligations and Activities of Business Associate (Security Rule) A. Compliance with Security Rule. Business Associate agrees to fully comply with the requirements under the Security Rule applicable to Business Associate s, as that term is defined in the Security Rule. In case of any conflict between this Agreement and Service Agreements, this Agreement shall govern. B. Security Safeguards and Policies. Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity as required by the Security Rule. This includes specifically, but is not limited to, the utilization of technology commercially available at the time to the Business Associate to protect the Covered Entity ’s PHI against any reasonably anticipated threats or hazards. The Business Associate understands that it has an affirmative duty to perform a regular review or assessment of security risks, conduct active risk management and supply best efforts to assure that only authorized persons and devices access its computing systems and information storage, and that only authorized transactions are allowed. The Business Associate will maintain appropriate documentation of its compliance with the Security Rule. C. Security Provisions in Business Associate Contracts. Business Associate shall ensure that any agent, including a subcontractor, to whom it provides electronic PHI received from, maintained, or created for Covered Entity or that carries out any duties for the Business Associate involving the use, custody, disclosure, creation of, or access to PHI supplied by Covered Entity , shall execute a bilateral contract (or the appropriate equivalent if the agent is a government entity) with Business Associate , incorporating the same restrictions and conditions in this Agreement with Business Associate regarding PHI. D. __________________ (Name of State, if applicable) Consumer Notice of System Breach. Business Associate understands that the Covered Entity is an information holder ( as may be Business Associate ) under the terms of ______________ (State Code Citation if applicable) , and that in the event of a breach of the Business Associate ’s security system as defined by that statute and Section 5-B of this Agreement, the Business Associate shall indemnify and hold the Covered Entity harmless for expenses and/or damages related to the breach. Such obligation shall include, but is not limited to, the mailed notification to any _________________ (Name of State) resident whose personal information is reasonably believed to have been acquired by an unauthorized individual. In the event that the Business Associate discovers circumstances requiring notification of more than one thousand (1,000) persons at one time, the person shall also notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. § 1681a, of the timing, distribution and content of the notices. Substitute notice, as defined by _________________ (State Code Citation if applicable) , shall not be permitted except as approved in writing in advance by the Covered Entity . The parties agree that PHI includes data elements in addition to those included by personal information under _______________ (State Code Citation if applicable) , and agree that Business Associate ’s responsibilities under this paragraph shall include all PHI. E. Reporting of Security Incidents. The Business Associate shall track all security incidents as defined by HIPAA and shall periodically report such security incidents in summary fashion as may be requested by the Covered Entity , but not less than annually within sixty (60) days of the anniversary of this Agreement. The Covered Entity shall not consider as security incidents, for the purpose of reporting, external activities (port enumeration, etc.) typically associated with the footprinting of a computing environment as long as such activities have only identified but not compromised the logical network perimeter, including but not limited to externally facing firewalls and web servers. The Business Associate shall reasonably use its own vulnerability assessment of damage potential and monitoring to define levels of Security Incidents and responses for Business Associate ’s operations. However, the Business Associate shall expediently notify the Covered Entity ’s Privacy Officer of any Security Incident which would constitute a Security Event as defined by this Agreement, including any breach of the security of the system under _________________ (State Code Citation if applicable) , within Forty-Eight (48) hours or no more than Two Business Days of any unauthorized acquisition including but not limited to use, disclosure, modification, or destruction of PHI by an employee or otherwise authorized user of its system of which it becomes aware. The Business Associate shall likewise notify the Covered Entity within Forty-Eight (48) hours or no more than Two Business Days of event. Business Associate shall identify in writing key contact persons for administration, data processing, Marketing, Information Systems and Audit Reporting within thirty (30) days of execution of this Agreement. Business Associate shall notify Covered Entity of any reduction of in-house staff persons during the term of this Agreement in writing within ten (10) business days. F. Contact for Security Event Notice. Notification for the purposes of Sections 6- E, 7-D and 7-E shall be in writing made by certified mail or overnight parcel within Forty- Eight (48) hours or no more than Two Business Days of the event, with supplemental notification by facsimile and/or telephone as soon as practicable, to: ____________________________ Privacy Officer ____________________________ Bureau of Covered Entity ____________________________ Street Address or P.O. Box No. ____________________________ City, State, Zip Code G. Security Compliance Review upon Request. Business Associate agrees to make its internal practices, books, and records, including policies and procedures relating to the security of electronic PHI received from, created by or received by Business Associate on behalf of Covered Entity , available to the Covered Entity or to the Secretary of the United States Department of Health in Human Services or the Secretary’s designee, in a time and manner designated by the requester, for purposes of determining Covered Entity ’s or Business Associate ’s compliance with the Security Rule. H. Cooperation in Security Compliance. Business Associate agrees to fully cooperate in good faith and to assist Covered Entity in complying with the requirements of the Security Rule. 8. Permitted Uses and Disclosures by Business Associate A. Use of PHI for Operations on Behalf of Covered Entity. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services (i.e., treatment, payment or health care operations) for, or on behalf of, Covered Entity as specified in Service Agreements, provided that such use or disclosure would not violate the Privacy and Security Rule, if done by Covered Entity . B. Other Uses of PHI. Except as otherwise limited in this Agreement, Business Associate may use PHI within its workforce as required for Business Associate 's proper management and administration, not to include Marketing or Commercial Use, or to carry out the legal responsibilities of the Business Associate . C. Third Party Disclosure Confidentiality. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate , provided that disclosures are Required By Law, or, if permitted by law, this Agreement, and the Service Agreement, provided that, if Business Associate discloses any PHI to a third party for such a purpose, Business Associate shall enter into a written agreement with such third party requiring the third party to: (i) maintain the confidentiality, integrity, and availability of PHI and not to use or further disclose such information except as Required By Law or for the purpose for which it was disclosed, and (ii) notify Business Associate of any instances in which it becomes aware in which the confidentiality, integrity, and/or availability of the PHI is breached within Forty-Eight (48) hours or no more than Two Business Days of event. D. Data Aggregation Services. Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation Services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B). E. Other Uses Strictly Limited . Nothing in this Agreement shall permit the Business Associate to share PHI with Business Associate ’s affiliates or contractors except for the purposes of the Service Agreement(s) between the Covered Entity and Business Associate (s) identified in the L ist of Agreements Affected by this HIPAA Business Associate Agreement in Exhibit A attached hereto. F. Covered Entity Authorization for Additional Uses . Any use of PHI or other confidential Covered Entity information by Business Associate , its affiliate or Contractor, other than those purposes of this Agreement, shall require express written authorization by the Covered Entity , and a Business Associate agreement or amendment as necessary. Activities which are prohibited include, but not are not limited to, Marketing, as defined by 45 CFR § 164.503 or the sharing for Commercial Use or any purpose construed by Covered Entity as Marketing or Commercial use of Covered Entity enrollee personal or financial information with affiliates, even if such sharing would be permitted by federal or state laws. G. Prohibition of Offshore Disclosure. Nothing in this Agreement shall permit the Business Associate to share, use or disclose PHI in any form via any medium with any third party beyond the boundaries and jurisdiction of the United States without express written authorization from the Covered Entity . H. Data Use Agreement - Use and Disclosure of Limited Data Set. Business Associate may use and disclose a Limited Data Set that Business Associate creates for Research, public health activity, or Health Care Operations, provided that Business Associate complies with the obligations below. Business Associate may not make such use and disclosure of the Limited Data Set after any cancellation, termination, expiration, or other conclusion of this Agreement. I. Limitation on Permitted Uses and Disclosures. Business Associate will limit the uses and disclosures it makes of the Limited Data Set to the following: Research, public health activity, or Health Care Operations, to the extent such activities are related to covered functions , including business planning and development such as conducting cost-management and planning-related analysis related to managing and operating Business Associate s functions, formulary development and administration, development and improvement of methods of payment or coverage policies, customer service, including the provision of data analysis for policy holders, plan sponsors, or other customers, to the extent such activities are related to covered functions, provided that PHI is not disclosed and disclosure is not prohibited pursuant to any other provisions in this Agreement related to Marketing or Commercial use. 9. Obligations of Covered Entity A. Notice of Privacy Practices. Covered Entity shall provide Business Associate with the notice of Privacy Practices produced by Covered Entity in accordance with 45 CFR § 164.520, as well as any changes to such notice. B. Notice of Changes in Individual’s Access or PHI. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate ’s permitted or required uses. C. Notice of Restriction in Individual’s Access or PHI. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate 's use of PHI. D. Reciprocity for Requests Received by Business Associate. The Parties agree that this Section 9 is reciprocal to the extent Business Associate is notified or receives an inquiry from any individual within Covered Entity ’s covered population. 10. Permissible Requests by Covered Entity Requests Permissible under HIPAA. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy or Security Rule. 11. Term and Termination A. This Agreement shall be effective as of the date on which it has been signed by both parties and shall terminate when all PHI which has been provided, regardless of form, by Covered Entity to Business Associate , or created or received by Business Associate on behalf of Covered Entity , is destroyed or returned to Covered Entity , or, if the Parties agree that it is unfeasible to return or destroy PHI, Subsection C-5 below shall apply. B. Termination for Cause. This Agreement authorizes and Business Associate acknowledges and agrees Covered Entity shall have the right to immediately terminate this Agreement and Service Agreement in the event Business Associate fails to comply with, or violates a material provision of this Agreement and any provision of the Privacy and Security Rules. 1. Upon Covered Entity ’s knowledge of a material breach by Business Associate , Covered Entity shall either: a. Provide notice of breach and an opportunity for Business Associate to reasonably and promptly cure the breach or end the violation, and terminate this BAA if Business Associate does not cure the breach or end the violation within the reasonable time specified by Covered Entity ; or b. Immediately terminate this BAA if Business Associate has breached a material term of this BAA and cure is not possible; or c. If termination, cure, or end of violation is not feasible, Covered Entity shall report the violation to the Secretary. C. Effect of Termination. Upon termination of this Agreement for any reason, except as provided in Subsections C-2 and C-5 below, Business Associate shall at its own expense either return and/or destroy all PHI and other confidential information received, from Covered Entity or created or received by Business Associate on behalf of Covered Entity . This provision applies to all confidential information regardless of form, including but not limited to electronic or paper format. This provision shall also apply to PHI and other confidential information in the possession of sub-contractors or agents of Business Associate . 1. The Business Associate shall consult with the Covered Entity as necessary to assure an appropriate means of return and/or destruction and shall notify the Covered Entity in writing when such destruction is complete. If information is to be returned, the Parties shall document when all information has been received by the Covered Entity . 2. This provision ( Section 11-C and its subsections) shall not prohibit the retention of a single separate, archived file of the PHI and other confidential Covered Entity information by the Business Associate if the method of such archiving reasonably protects the continued privacy and security of such information and the Business Associate obtains written approval at such time from the Covered Entity . Otherwise, neither the Business Associate nor its subcontractors and agents shall retain copies of Covered Entity confidential information, including enrollee PHI, except as provided herein in Subsection C-5 . 3. The Parties agree to anticipate the return and/or the destruction of PHI and other Covered Entity confidential information, and understand that removal of the confidential information from Business Associate ’s information system(s) and premises will be expected in almost all circumstances. The Business Associate shall notify the Covered Entity whether it intends to return and/or destroy the confidential with such additional detail as requested. In the event Business Associate determines that returning or destroying the PHI and other confidential information received by or created for the Covered Entity at the end or other termination of the Service Agreement is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction unfeasible. 4. Except for Business Associate Agreements in effect prior to April 21, 2005 when the Security Rule became effective, for the renewal or amendment of those same Agreements, or for other unavoidable circumstances, the Parties contemplate that PHI and other confidential information of the Covered Entity shall not be merged or aggregated with data from sources unrelated to that Agreement, or Business Associate ’s other business data, including for purposes of data backup and disaster recovery, until the parties identify the means of return or destruction of the Covered Entity data or other confidential information of the Covered Entity at the conclusion of the Service Agreement, or otherwise make an express alternate agreement consistent with the provisions of Section 11-C and its subsections. 5. Upon written mutual agreement of the Parties that return or destruction of PHI is unfeasible and upon express agreement as to the means of continued protection of the data, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction unfeasible, for so long as Business Associate maintains such PHI. 12. Miscellaneous A. Regulatory Reference. A reference in this Agreement to a section in the Privacy and/or Security Rule means the section as in effect or as amended. B. Amendment. The Parties agree to take such action to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy and Security Rules and the Health Insurance Portability and Accountability Act, Public Law 104-191. Business Associate and Covered Entity shall comply with any amendment to the Privacy and Security Rules, the Health Insurance Portability and Accountability Act, Public Law 104-191, and related regulations upon the effective date of such amendment, regardless of whether this Agreement has been formally amended. C. Survival. The respective rights and obligations of Business Associate under Section 11-C of this Agreement shall survive the termination of this Agreement. D. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity and the Business Associate to comply with the Privacy and Security Rules. E. Notices and Communications. All instructions, notices, consents, demands, or other communications required or contemplated by this Agreement shall be in writing and shall be delivered by hand, by facsimile transmission, by overnight courier service, or by first class mail, postage prepaid, addressed to the respective party at the facsimile number, or address as may be hereafter specified by written notice. (For purposes of this section, effective notice to Respective Party is not dependent on whether the person named below remains employed by such Party.) The Parties agree to use their best efforts to immediately notify the other Party of changes in address, telephone number, fax numbers and to promptly supplement this Agreement as necessary with corrected information . Notifications relative to Sections 6-E, 7-D and 7-E of this Agreement must be reported to the Privacy Officer pursuant to Section 7-F. F. Covered Entity ______________________ (Name of Contact Person) Department of __________________ (Name of Department) Bureau of __________________ (Covered Entity) ________________________________ (Street Address or Post Office Box No.) ________________________________ (City, State, Zip Code) ______________________ (Phone Number) ______________________ (Fax Number) Business Associate : ______________________ (Name of Contact Person) Department of ___________________ (Name of Department) ______________________________ (Street Address or Post Office Box No.) __________________________ (City, State, Zip Code) _____________________ (Phone Number) _____________________ (Fax Number) All instructions, notices, consents, demands, or other communications shall be considered effectively given as of the date of hand delivery; as of the date specified for overnight courier service delivery; as of three (3) business days after the date of mailing; or on the day the facsimile transmission is received mechanically by the facsimile machine at the receiving location and receipt is verbally confirmed by the sender. G. Strict Compliance. No failure by any Party to insist upon strict compliance with any term or provision of this Agreement, to exercise any option, to enforce any right, or to seek any remedy upon any default of any other Party shall affect, or constitute a waiver of, any Party's right to insist upon such strict compliance, exercise that option, enforce that right, or seek that remedy with respect to that default or any prior, contemporaneous, or subsequent default. No custom or practice of the Parties at variance with any provision of this Agreement shall affect, or constitute a waiver of, any Party's right to demand strict compliance with all provisions of this Agreement. H. Severability . With respect to any provision of this Agreement finally determined by a court of competent jurisdiction to be unenforceable, such court shall have jurisdiction to reform such provision so that it is enforceable to the maximum extent permitted by applicable law, and the Parties shall abide by such court's determination. In the event that any provision of this Agreement cannot be reformed, such provision shall be deemed to be severed from this Agreement, but every other provision of this Agreement shall remain in full force and effect. I. Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of ________________ (Name of State) except to the extent that _________________ (Name of State) law has been pre-empted by HIPAA and without giving effect to principles of conflicts of law. Jurisdiction shall be ______________________________ (Name of County, City, State) , for purposes of any litigation resulting from disagreements of the parties for purpose of this Agreement and the Service Agreement(s). J. Compensation. There shall be no remuneration for performance under this Agreement except as specifically provided by, in, and through, existing administrative requirements of ___________________ (Name of State) State government and Services Agreement(s) referenced herein. Witness our signatures this ________________ (date) . __________________________ ____________________________ (Name of Covered Entity) (Name of Business Associate) By: _____________________________ ________________________________ ________________________ ___________________________ (Printed Name & Signature) (Printed Name & Signature) ________________________ ___________________________ (Office or Department) (Name of Corporate Office)