Business Associate Agreement


BUSINESS ASSOCIATE AGREEMENT

I. PREAMBLE

Pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and any amendments thereto (hereinafter “HIPAA”); and the HIPAA Security and Privacy rule, 45 CFR Parts 160 and 164, and any amendments thereto (hereinafter the “HIPAA Security and Privacy Rule”) as well as other applicable federal and state privacy and confidentiality rules, the following parties (referred to jointly as “the parties”) wish to enter into this agreement (“Agreement”) to  address the requirements of the HIPAA Security and Privacy Rule with respect to “business associates,” as that term is defined in the HIPAA Security and Privacy Rule.

 

Tom Lutz & Associates / Lutz Therapy

“Covered Entity”

“Business Associate”

 

WHEREAS, Business Associate acknowledges that it is required to establish and implement appropriate safeguards (including certain administrative requirements) for “Protected Health Information” (“PHI”) as defined by HIPAA in any form or medium, including electronic, the Business Associate may create, receive, maintain, transmit, use, or disclose in connection with certain functions, activities, or services (collectively “services”) to be provided by Business Associate to or on behalf of Covered Entity;

WHEREAS, the services to be provided by Business Associate are identified in a separate agreement (“Service Agreement”) between Employer or Plan Sponsor and Business Associate and include, but are not limited to:

 

WHEREAS, The Parties acknowledge and agree that Business Associate may create, receive, maintain, transmit, use or disclose PHI if within the scope of, and necessary to achieve, the obligations and responsibilities of the Business Associate in performing on behalf of, or providing services to, the Covered Entity pursuant to the Services Agreement;

NOW, THEREFORE, in connection with Business Associate’s creation, receipt, maintenance, transmission, use or disclosure of PHI as a Business Associate of the Covered Entity, Business Associate and Covered Entity agree as follows:

II.   GENERAL TERMS AND CONDITIONS

  1. Definitions: All terms used in this Agreement shall have the meanings set forth in the HIPAA Security and Privacy Rule, unless otherwise defined herein.
  2. Existing Service Agreements: All existing Service Agreements and amendments thereto, between the Employer or Plan Sponsor and Business Associate are subject to this Agreement and are hereby amended by this Agreement. In the event of conflict between the terms of any Service Agreement and this Agreement, the terms and conditions of this Agreement shall govern.
  3. Where provisions of this Agreement are different from those mandated by the HIPAA Security and Privacy Rule, but are nonetheless permitted by the Rule, the provisions of this Agreement shall control.
  4. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Business Associate and the respective successors or assigns of the Business Associate, any rights, remedies, obligations, or liabilities.

III.   USE AND DISCLOSURE OF PHI 

  1. Treatment, Payment and Operations (“TPO”): Business Associate agrees to create, receive, maintain, transmit, use, or disclose PHI only in a manner that is consistent with this Agreement and the HIPAA Security and Privacy Rule and only in connection with providing the services to or on behalf of Covered Entity identified in any existing Service Agreement and amendments thereto. Accordingly, in providing services to or on behalf of the Covered Entity, the Business Associate, for example, will be permitted to use and disclose PHI for Treatment, Payment and Healthcare Operations consistent with the HIPAA Security and Privacy Rule, without obtaining authorization. PHI does not include summary health information or information that has been de-identified in accordance with the standards for de-identification provided for in the HIPAA Security and Privacy
  2. Other Permissible Uses and Disclosures: As permitted by 42 CFR §164.504(e)(4) Business Associate also may use or disclose PHI it receives in its capacity as a Business Associate to the Covered Entity if:
    1. The use relates to: (1) the proper management and administration of the Business Associate or to carry out legal responsibilities of the Business Associate, or (2) data aggregation services relating to the health care operations of the Covered Entity; or
    2. The disclosure of PHI received in such capacity may be made in connection with a function, responsibility, or service identified above in (i)(1), and such disclosure is (1) required by law, or (2) the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidential, and the person agrees to notify the Business Associate of any breaches of confidentiality; or
    3. The disclosure of PHI is made, if applicable, pursuant to 42 CFR §423.884(b), not withstanding any provisions to the contrary, Covered Entity agrees that the Business Associate (on behalf of the Covered Entity) may disclose PHI to the Center for Medicare and Medicaid Services (“CMS”) to the extent necessary to comply with Subpart R of 42 CFR §423 relating to applications for drug subsidy payment to the Plan Sponsor in connection with the prescription drug benefit under the Covered Entity.

IV.   OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

  1. Business Associate acknowledges that Business Associate is required by law to comply with sections 164.308, 164.310, 164.312 and 164.316 of the HIPAA Security Rule, and all additional security requirements of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA), that are applicable to Covered Entities. Business Associate further acknowledges that Business Associate is required by law to comply with the use and disclosure requirements of section 162.504(e) of the HIPAA Privacy Rule and all other privacy requirements of Subtitle D of the HITECH Act that are applicable to Covered Entities. HIPAA compliance requirements include, but are not limited to:
    1. Subcontractors: Business Associate represents to Covered Entity that [i] any disclosure it makes will be permitted or required under applicable laws, and [ii] that Business Associate will obtain reasonable written assurances from any person or entity to whom Business Associate discloses the PHI that the PHI will be held confidentially and used or further disclosed only as required and permitted under the HIPAA Security and Privacy Rule and other applicable laws, and [iii] any such person or entity agrees to be governed by the same restrictions and conditions contained in this Agreement, and will notify Business Associate of any breaches of confidentiality of the PHI.
    2. Permissible Disclosures: Except as otherwise limited in this Agreement, Business Associate may disclose PHI to other Business Associates of the Covered Entity [i] as directed by the plan sponsor, or [ii] to perform its duties under the Service Agreement. Notwithstanding any provision hereof, or any other prior agreement by the Parties, it shall be the Covered Entity’s sole responsibility (and not the responsibility of Business Associate) to ensure that the Covered Entity has entered into the appropriate Business Associate agreements with its Business Associate’s.
    3. Safeguards: [i] Business Associate shall maintain safeguards as necessary to ensure that PHI is not used or disclosed except as provided for by this Agreement. [ii] Business Associate shall implement administrative, physical and technical safeguards that reasonably protect the confidentiality, integrity and availability of PHI that it creates, receives, maintains or transmits on behalf of Covered Entity as required by the HIPAA Security and Privacy Rule.
    4. Impermissible Use and Disclosure: Business Associate shall report to Authorized Representative of Covered Entity within ten calendar days of knowledge of any use or disclosure of PHI that is in violation of this Agreement and not permitted under the HIPAA Security and Privacy Rule.
    5. Accounting of Disclosures: Business Associate shall respond to Authorized Representative of Covered Entity’s request for the information it has which would be appropriate for an accounting of disclosures of PHI as provided for in CFR §164.528 of the HIPAA Security and Privacy Rule within ten calendar days of receipt of request. Business Associate shall not be required to maintain a record of disclosures of PHI: (a) made for the purpose of Treatment, Payment or Healthcare Operations, (b) made to an individual who is the subject of the PHI, or (c) made pursuant to an authorization that is valid under HIPAA.
    6. Access to PHI: Business Associate shall report to Covered Entity a request from an individual for access to PHI provided for in 45 CFR § 164.524 within ten calendar days of receipt of a request for access to PHI. Business Associate shall not respond to the individual requesting access to PHI without written authorization of Covered Entity.
    7. Amendment of PHI: Business Associate shall report to Covered Entity within ten calendar days of receipt of a request for amendment to PHI. Business Associate shall not alter or amend PHI it receives from Covered Entity without specific written authorization of Covered Entity as provided for in CFR §164.526 of the HIPAA Privacy Rule.
    8. Requests for Restrictions. If an individual submits a request for restriction or request for confidential communications as provided for in 45 CFR § 164.522 to Business Associate, then Business Associate shall report such request to Covered Entity within five business days of receipt. Business Associate shall not respond to such requests without written authorization of Covered Entity.
    9. Disclosures Required by Law: Business Associate may disclose PHI to report violations of law to appropriate Federal or State authorities, consistent with CFR 164.502.
    10. Access to Secretary of Health and Human Services (“HHS”): Business Associate shall make available to the Covered Entity, HHS, or its agents, the Business Associate’s internal practices, books, and records relating to the use and disclosure of PHI as required in CFR §164.504 of the HIPAA Security and Privacy Rule.
    11. Business Associate shall cooperate with Covered Entity to comply with the HIPAA Security and Privacy Rule.
    12. Business Associate, it’s agents, and subcontractors shall comply with applicable requirements of Standards for Electronic Transactions (45 CFR §§160 and 162).
    13. Of the transactions that Business Associate performs in its role as Business Associate of Covered Entity, Business Associate, its agents, and subcontractors shall do the following:
      1. be prepared to transmit and accept transactions electronically in the Standard Formats identified in 45 CFR §§162.1101 through 162.1802;
      2. adapt implementation plans and standards pursuant to applicable Implementation Guides;
      3. implement contingencies for non-compliant transactions as necessary to facilitate timely acceptance and payment of claims, particularly in light of state claim payment laws; and
      4. to the extent practicable, communicate with those providers, agents, or subcontractors who are submitting or receiving transactions electronically in order to facilitate compliant transactions.
    14. Business Associate understands and agrees that from time-to time the Department of Health and Human Services might modify the standard transactions now identified in 45 CFR §§162.1101 through 162.1802. Business Associate, its agents, and subcontractors agree to abide by any changes to such standard transactions that are applicable to services supplied by Business Associate in connection with the referenced Services Agreement.
    15. Business Associate shall implement administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of electronic PHI (“ePHI”) that it creates, maintains, or transmits on behalf of Covered Entity as required by 45 CFR 164.314.
    16. Business Associate shall insure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it.
    17. Security Incidents. Business Associate shall report to Covered Entity any security incident, as defined in 45 CFR § 164.304,of which it becomes aware within ten calendar days of knowledge of such incident.
    18. Pursuant to 45 CFR § 164.410, in the event of a breach by Business Associate of unsecured PHI, as the terms “breach” and “unsecured PHI” are defined in 45 CFR § 164.402, Business Associate shall report such breach to Covered Entity within ten calendar days of knowledge of such breach. Business Associate’s report shall include all information available to allow Covered Entity to provide a notification of breach consistent with 45 CFR § 164.404.

V.   OBLIGATIONS OF COVERED ENTITY

  1. If Covered Entity wishes to receive PHI, it shall provide Business Associate with name or identity/job title of the individual(s) authorized to represent Covered Entity who can receive and disclose PHI for purposes of TPO below, and shall further notify Business Associate of any changes with respect to the persons so identified:

Name / Title:   

  1. Covered Entity shall provide Business Associate with the Notice of Privacy Practices produced in accordance with 45 CFR §164.520, as well as any changes to such
  2. Covered Entity shall provide Business Associate with the plan amendment produced in accordance with 45 CFR 164.504.
  3. Covered Entity shall provide Business Associate with any changes in, or revocation of, or authorization by Individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
  4. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522.
  5. Covered Entity shall cooperate with Business Associate to provide Accounting of Disclosures when requested.

VI.   TERMINATION

  1. Term: The term of this Agreement shall be effective . Unless otherwise terminated, this Agreement shall end when all of the PHI provided by Covered Entity or the Health Plan to Business Associate is destroyed, returned to the Covered Entity or Health Plan, or protected as described in (C) below.
  2. Termination for Cause: Upon Covered Entity’s knowledge of a material breach of Business Associate’s obligation under this Agreement or of HIPAA, or upon Business Associate’s knowledge of a material breach of Covered Entity’s obligation under this Agreement or of HIPAA, and subject to (c) below, Covered Entity or Business Associate may commence termination of this Agreement by providing 60 days prior written Notice of Termination to the other Party.
  3. Termination not feasible: If termination would cause irreparable business interruption or harm to Individuals covered under the Covered Entity’s Health Plan, or is otherwise not feasible, Parties shall make all efforts reasonable to cure breach or mitigate harm to Individuals caused by such breach. If this occurs and this Agreement is not terminated, Covered Entity or Business Associate shall report the situation to the Secretary of Health and Human Services.
  4. Return or Destruction of PHI: Upon the termination or expiration of this Agreement, Business Associate agrees to return the PHI to Covered Entity, destroy the PHI (and retain no copies), or further protect the PHI if Business Associate determines that return or destruction is not feasible. If return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

VII.   LEGAL PROVISIONS

  1. Each Party shall, to the fullest extent permitted by law, protect, defend, indemnify and hold harmless the other Party and that Party’s respective employees, directors, and agents (“Indemnitees”) from and against any and all losses, costs, claims, penalties, fines, demands, liabilities, legal actions, judgments, and expenses of every kind (including reasonable attorneys fees, including at trial and on appeal) asserted or imposed against any Indemnitees arising out of the acts or omissions of the Party or any subcontractor of or consultant of the Party or any of the Party’s employees, directors, or agents related to material breach of this Agreement or willful or grossly negligent failure to comply with HIPAA.
  2. If any provision of this Agreement is held invalid or unenforceable, such invalidity or non- enforceability shall not invalidate or render unenforceable any other portion of this Agreement. The entire Agreement will be construed as if it did not contain the particular invalid or unenforceable provision(s), and the rights and obligations of Business Associate and Covered Entity will be construed and enforced accordingly.
  3. The failure by one Party to require performance of any provision of this Agreement shall not affect that Party’s right to require performance at any time thereafter, nor shall a waiver of any breach or default of this Agreement constitute a waiver of any subsequent breach or default or a waiver of the provision itself.
  4. Covered Entity and Business Associate may amend this Agreement by mutual written consent.
  5. Entire Agreement. This Agreement supersedes and replaces any and all prior Business Associate Agreements between the Parties. To the extent that the Service Agreement addresses the rights and obligations contained in this Agreement, this Agreement supersedes and replaces all provisions in the Service Agreement related to the subject matter of this Agreement.
Covered Entity: Tom Lutz & Associates/Lutz Therapy
Authorized Agent: Anne Hewitt, Owner
Business Associate: 
Representative:  

Leave this empty:

Signed by Anne Hewitt
Signed On: April 24, 2020

Tom Lutz and Associates https://lutztherapy.com
Signature Certificate
Document name: Business Associate Agreement
Unique Document ID: 326d83d751a4196c7ddcb53b338f6448d28f23ae
Timestamp Audit
April 21, 2020 7:00 pm CDTBusiness Associate Agreement Uploaded by Anne Hewitt - admin@lutztherapy.com IP 174.53.135.153
April 21, 2020 7:41 pm CDTAnne Hewitt - anne.s.hewitt@gmail.com added by Anne Hewitt - admin@lutztherapy.com as a CC'd Recipient Ip: 75.72.214.61
April 21, 2020 7:44 pm CDTAnne Hewitt - anne.s.hewitt@gmail.com added by Anne Hewitt - admin@lutztherapy.com as a CC'd Recipient Ip: 75.72.214.61
April 21, 2020 7:56 pm CDTAnne Hewitt - anne.s.hewitt@gmail.com added by Anne Hewitt - admin@lutztherapy.com as a CC'd Recipient Ip: 75.72.214.61
April 24, 2020 2:32 pm CDTAnne Hewitt - anne.s.hewitt@gmail.com added by Anne Hewitt - admin@lutztherapy.com as a CC'd Recipient Ip: 174.53.135.153