This
Business Associate Contract ("Contract"), effective ______________, 200__
("Effective Date"), is entered into by and between Dictation Store.com, Inc. (the "Contractor"),
with an address at 315-C West Busch Blvd.Tampa, FL 33612 and ________________________________ (the "Organization"), with an address at _______________________________________________________________(each a "Party" and collectively
the "Parties").
WITNESSETH:
WHEREAS, the U.S. Department of
Health and Human Services ("HHS") has issued final regulations, pursuant to the
Health Insurance Portability and Accountability Act of 1996 ("HIPAA"),
governing the privacy and security of individually identifiable health
information obtained, created or maintained by certain entities, including
healthcare providers (the "HIPAA Privacy Rule" and the HIPAA Security Rule");
and
WHEREAS, the HIPAA Privacy and
Security Rules require that the Organization enter into this Agreement with
Contractor in order to protect the privacy and security of individually
identifiable health information maintained by the Organization ("Protected
Health Information", or "PHI", as defined in the HIPAA Privacy and Security
Rules); and
WHEREAS, Contractor provides
software products that enable the organizationto create files that may include "protected health information" ("PHI"),
as defined in 45 C.F.R �160-103. The Contractor,
its employees, affiliates, agents or representatives may access this ("PHI") in carrying out their obligations to the
Organization pursuant to either an existing or contemporaneously executed
agreement for services ("Services Agreement"); and
WHEREAS, the American Recovery and
Reinvestment Act of 2009 requires that the Contractor comply with certain
sections of the HIPAA Privacy and Security Rules in order to protect the use
and disclosure of PHI and EPH; and
WHEREAS, the Parties desire to enter
into this Agreement to protect PHI, and to amend any agreements between them,
whether oral or written, with the execution of this Agreement;
NOW,
THEREFORE, for and in consideration of the premises and mutual covenants and
agreements contained herein the parties agree as follows:
1.Services Agreements
1.1.Existing Services Agreements.Organization and Contractor are parties to the following Services
Agreements executed prior to the Effective Date and currently in effect (if
any):
Agreement:Services:Date of Agreement:
All
existing Services Agreements between the Parties are incorporated into this
Agreement.In the event of conflict
between the terms of any Services Agreement and this Agreement, the terms and
conditions of this Agreement shall govern.
1.2.Contemporaneous Services Agreement.In the event that Organization and Contractor are not parties to a
Services Agreement existing prior to the Effective Date, but instead enter into
a Services Agreement at the same time as executing this Agreement, such
agreement shall be attached as Exhibit A,
and incorporated here by reference.In
the event of conflict between the terms of the Services Agreement and this
Agreement, the terms and conditions of this Agreement shall govern.
1.3.Use and Disclosure of PHI to Provide
Services.The Contractor will not use or further
disclose PHI or EPHI(as such term are defined in the HIPAA Privacy and Security
Rules) other than as permitted or required by the terms of the Service
Agreement or as required by law.Except
as otherwise provided in this document, the Contractor may make any and all
uses of PHI necessary to perform its obligations under the applicable Services
Agreement.All other uses not authorized
by this Agreement are prohibited.
2.Additional Contractor Activities.Except as otherwise provided in this Agreement, the Contractor may also:
2.1.Use
the PHI in its possession for its proper management and administration and/or
to fulfill any present or future legal responsibilities of the Contractor,
provided that such uses are permitted under state and federal privacy and
security laws.
2.2.Disclose
the PHI in its possession for the purpose of its proper management and
administration and/or to fulfill any present or future legal responsibilities
of the Contractor.Contractor represents
to Organization that (i) any disclosure it makes will be permitted under
applicable laws, and (ii) the Contractor will obtain reasonable written
assurances from any person to whom the PHI will be disclosed that the PHI will
be held confidentially and used or further disclosed only as required and
permitted under the HIPAA Privacy and Security Rules and other applicable laws,
that any such person agrees to be governed by the same restrictions and
conditions contained in this Agreement, and that such person will notify the
Contractor of any instances of which it is aware in which the confidentiality
of the PHI has been breached.
2.3.Bring
together the Organization�s PHI in Contractor�s possession with the PHI of
other covered entities that the Contractor has in its possession through its
capacity as a contractor to such other covered entities, provided that the
purpose of bringing the PHI information together is to provide the Organization
with data analyses relating to its Healthcare Operations, as such term is
defined in the HIPAA Privacy Rule.The
Contractor will not disclose the PHI obtained from Organization to another
covered entity without written authorization from Organization.
2.4.De-identify
any and all PHI provided that the de-identification conforms to the requirements
of applicable law as provided for in 42 C.F.R. � 164.514(b) and that Contractor
maintains such documentation as required by applicable law, as provided for in
42 C.F.R. � 164.514(b).The Parties
understand that properly de-identified information is not PHI under the terms
of this Agreement.
3.Contractor Covenants.Contractor agrees to:
3.1.use
or further disclose the minimum necessary PHI in performing the activities
called for under the Services Agreement;
3.2.not
to use or further disclose PHI except as permitted under this Agreement, the
HIPAA Privacy Rule and Security Rule, and applicable State law, each as amended
from time to time;
3.3.use
appropriate safeguards to prevent the use or disclosure of PHI other than as
provided for in this Agreement. Implement administrative, physical , and technical safeguards that reasonably and appropriately
protect the confidentiality, integrity and availability of the PHI that it
creates, receives, maintains, or transmits on Business Associate�s behalf;
3.4.report
to Organization any use or disclosure of the PHI not permitted by this
Agreement within five (5) days of the Contractor becoming aware of such use or
disclosure;
3.5.in
conjunction with the requirements of Section
2.2, ensure that any subcontractors or agents to whom it provides PHI
received from, or created or received by the Contractor on behalf of the
Organization, agree to the same restrictions and conditions that apply to the
Contractorwith respect to the PHI;
3.6.within
ten (10) days of a request by Organization, report to Organization all
disclosures of PHI to a third party.The
report to the Organization shall identify: (i) the subject of the PHI (i.e., individual
name or identifier), (ii) the PHI disclosed, and (iii) the purpose of the
disclosure in accordance with the accounting requirements of 45 C.F.R. �
164.528;
3.7.maintain
the integrity of any PHI transmitted by or received from Organization;
3.8.comply
with Organization policies and procedures with respect to the privacy and
security of PHI and other Organization records, as well as policies and
procedures with respect to access and use of Organization�s equipment and
facilities;
3.9.provide the rights of access,
amendment, and accounting as set forth in Sections 5,
6 and 7.
4.Organization Covenants.Organization agrees to notify Contractor of material limitations to the
consents or authorizations that have been obtained by Organization on an
individual�s PHI and any other restrictions on the use or disclosure of PHI as
agreed to by Organization.
5.Access to PHI.Within five (5) days of a request by Organization for access to PHI
about a individual contained in a Designated Record Set, as such term is
defined in the HIPAA Privacy Rule, the Contractor shall make available to
Organization, or the individual to whom such PHI relates or his or her
authorized representative, such PHI for so long as such information is
maintained in the Designated Record Set as defined in 45 C.F.R.
� 164.524.In the event any individual
requests access to PHI directly from the Contractor, the Contractor shall,
within five (5) days, forward such request to Organization.Any denials of access to the PHI requested
shall be the responsibility of Organization.
6.Amendment of PHI.Within ten (10) days of receipt of a request from Organization for the
amendment of individual�s PHI or a record regarding an individual contained in
a Designated Record Set the Contractor shall, as required by 45 C.F.R.
� 164.526, incorporate any such amendments in the PHI; provided, however,
that Organization has made the determination that the amendment(s) is/are
necessary because the PHI that is the subject of the amendment(s) has been, or
foreseeably could be, relied upon by the Contractor or others to the loss of
the individual who is the subject of the PHI to be amended. The obligation in this Section 6 shall apply only for so long as the PHI is maintained by
Contractor in a Designated Record Set.
7.Accounting for Disclosures of PHI.Within thirty (30) days of notice by Organization to the Contractor that
it has received a request for an accounting of disclosures of PHI regarding an
individual, the Contractor shall make available to Organization such
information as is in the Contractor�s possession and is required for
Organization to make the accounting required by 45 C.F.R. � 164.528.In the event the request for an accounting is
delivered directly to the Contractor, the Contractor shall, within five (5)
days, forward the request to Organization.It shall be Organization�s responsibility to prepare and deliver any
such accounting requested.
8.Access to Books and Records Regarding
PHI.The Contractor will make its internal
practices, books, and records relating to the use and disclosure of PHI
received from, or created or received by the Contractor on behalf of,
Organization available to the Secretary of the U.S. Department of Health and
Human Services for purposes of determining Organization compliance with the
HIPAA Privacy Rule.
9.Disposition of PHI Upon Termination.The Contractor will, at termination or expiration of the Services
Agreement, if feasible, return or destroy all PHI received from, or created or
received by the Contractoron behalf
of, Organization which the Contractorand/or
its subcontractors or agents still maintain in any form, and will not retain
any copies of such information.If such
return or destruction is not feasible, the Contractorwillnotify
Organization of such event in writing, and will therefore extend the
protections of this Agreement to the PHI and limit further uses and disclosures
to those purposes that make the return or destruction of the PHI not feasible.
10.Representations and Warranties
10.1.Mutual Representations and Warranties
of the Parties.
Each Party represents and warrants to the
other Party:
(a)that
it is duly organized, validly existing, and in good standing under the laws of
the jurisdiction in which it is organized or licensed, it has the full power to
enter into this Agreement and to perform its obligations described in this
Agreement, and that the performance by it of its obligations under this
Agreement have been duly authorized by all necessary corporate or other actions
and that such performance will not violate any provision of any organizational
charter or bylaws.
(b)that
neither the execution of this Agreement, nor its performance, will directly or
indirectly violate or interfere with the terms of another agreement to which it
is a party, or give any governmental entity the right to suspend, terminate, or
modify any of its governmental authorizations or assets required for its performance.
(c)that
all of its employees, agents, representatives and members of its workforce,
whose services may be used to fulfill obligations under this Agreement are or
shall be appropriately informed of the terms of this Agreement and are under
legal obligation to each Party, respectively, by contract or otherwise,
sufficient to enable each Party to fully comply with all provisions of this
Agreement.
(d)that
it will reasonably cooperate with the other Party in the performance of the
mutual obligations under this Agreement.
11.Term.Unless otherwise terminated as provided in Section 12, this Agreement shall become
effective on the Effective Date and shall have a term that shall run
concurrently with that of all relevant Services Agreement(s).
12.Termination
12.1.Generally.This Agreement will automatically terminate without any further action
of the Parties upon the termination or expiration of all relevant Services
Agreement(s); provided, however, certain provisions and requirements of this
Agreement shall survive such expiration or termination in accordance with Section 13.
12.2.Termination by the Organization.As provided for under 45 C.F.R. � 164.504(e)(2)(iii), the
Organization may immediately terminate this Agreement, all relevant Services
Agreement(s) and any related agreements if the Organization makes the
determination that Contractor has breached a material term of this
Agreement.Alternatively, and in the
sole discretion of Organization, Organization may choose to provide Contractor
with written notice of the existence of the breach and provide Contractor with
thirty (30) calendar days to cure said breach upon mutually agreeable
terms.Failure by Contractor to cure
said breach or violation in the manner set forth above shall be grounds for
immediate termination of the Services Agreement by the Organization.If termination is not feasible, Organization
shall report the problem to the Secretary of the U.S. Department of Health and
Human Services.
12.3.Termination by the Contractor.If Contractor determines that Organization has breached a material term
of this Agreement, then the Contractor shall provide Organization with written
notice of the existence of the breach and shall provide Organization with
thirty (30) calendar days to cure said breach upon mutually agreeable terms or
end the violation within this thirty (30) day period.Failure by Organization to cure said breach
or violation in the manner set forth above shall be grounds for immediate
termination of the Services Agreement by the Contractor, if feasible.If termination is not feasible, Contractor
shall report the problem to the Secretary of the U.S. Department of Health and
Human Services.
13.Effect of Termination.Upon termination pursuant to Section 12, Contractor agrees to return or
destroy all PHI pursuant to 45 C.F.R. � 164.504(e)(2)(I), if it is feasible to
do so.Prior to doing so, the Contractor
further agrees to recover any PHI in the possession of its subcontractors or
agents.If it is not feasible for the
Contractor to return or destroy all PHI, the Contractor will notify the
Organization in writing.Such
notification shall include:(i) a
statement that the Contractor has determined that it is infeasible to return or
destroy the PHI in its possession, and (ii) the specific reasons for such
determination.Contractor further agrees
to extend any and all protections, limitations and restrictions contained in
this Agreement to the Contractor�s use and/or disclosure of any PHI retained
after the termination of this Agreement, and to limit any further uses and/or
disclosures to the purposes that make the return or destruction of the PHI not
feasible.If it is not feasible for the
Contractor to obtain from a subcontractor or agent any PHI in the possession of
the subcontractor or agent, the Contractor must provide a written explanation
to the Organization and require the subcontractors and agents to agree to
extend any and all protections, limitations and restrictions contained in this
Agreement to the subcontractors� and/or agents� use and/or disclosure of any
PHI retained after the termination of this Agreement, and to limit any further
uses and/or disclosures to the purposes that make the return or destruction of
the PHI not feasible.
14.Third Party Beneficiaries.Nothing in this Agreement shall be construed to create any third party
beneficiary rights in any person.
15.Amendments; Waiver.Except as set forth herein, this Agreement may not be modified, nor
shall any provision be waived or amended, except in a writing duly signed by
authorized representatives of the Parties.Upon enactment of any law, regulation, court decision or relevant
government publication and/or interpretive policy affecting the use or
disclosure of PHI, the Organization, by written notice to Contractor may amend
this Agreement in such manner as the Organization deems necessary to comply
with same.The failure of either Party
to enforce at any time any provision of this Agreement shall not be construed
to be a waiver of such provision, nor in any way to affect the validity of this
Agreement or the right of either Party thereafter to enforce each and every
such provision.
16.No Third Party Beneficiaries.Nothing expressed or implied in this Agreement is intended to give, nor
shall anything herein give any person other than the Parties and the respective
successors or assigns of the Parties, any rights, remedies, obligations, or
liabilities whatsoever.
17.Notices.Any notice required or permitted under this Agreement shall be given in
writing and delivered by hand, via a nationally recognized overnight delivery
services (e.g., Federal Express), or via registered mail or certified mail,
postage pre-paid and return receipt requested, to the following:
Organization:_________________________
_________________________
_________________________
Attn:____________________
Contractor:Dictation Store.com, Inc.
315-C
West Busch Blvd.
Tampa,
FL 33612
Attn:
Deborah Bromley
Notice of a change in address of one
of the parties shall be given in writing to the other party as provided above.
18.Counterparts; Facsimiles.This Agreement may be executed in any number of counterparts, each of
which shall be deemed an original.Facsimile copies hereof shall be deemed to be originals.
19.Disputes.If any controversy, dispute or claim arises between the Parties with
respect to this Agreement, the Parties shall make good faith efforts to resolve
such matters informally.
20.LIMITATION OF LIABILITY.NEITHER PARTY SHALL BE LIABLE TO THE OTHER
PARTY FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL OR PUNITIVE DAMAGES OF ANY
KIND OR NATURE, WHETHER SUCH LIABILITY IS ASSETED ON THE BASIS OF CONTRACT,
TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, EVEN IF THE
OTHER PARTY HAS BEEN ADVISED OF SUCH LESS OR DAMAGES.
INTENDING
TO BE LEGALLY BOUND,the Parties hereto have duly executed
this Agreement as of the Effective Date.
