HIPAA
ADDENDUM TO [SATVA MEMBER’S] GENERAL AGREEMENT
HIPAA Business Associate Agreement
THIS ADDENDUM supplements and is made a part of the [SATVA MEMBER’S] General Agreement. This Business Associate Agreement establishes specific legal obligations regarding the terms of the relationship between [SATVA MEMBER’S] and ___________________________________ ("Licensee"), as it relates to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and 45 C.F.R. Part 160 and Part 164, Subparts A and E, the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule");
WHEREAS, [SATVA MEMBER] and the Licensee are parties to the Underlying Agreement pursuant to which [SATVA MEMBER] provides certain computer software and related support services to the Licensee and, in connection with the provision of those support services, the Licensee discloses to [SATVA MEMBER] certain Protected Health Information ("PHI") (as defined in 45 C.F.R. §164.501), that is subject to protection under HIPAA and the Privacy Rule;
WHEREAS, the Licensee is a "Covered Entity" as that term is defined in the Privacy Rule;
WHEREAS, [SATVA MEMBER], as a recipient of PHI from the Licensee, is a "Business Associate" as that term is defined in the Privacy Rule;
WHEREAS, pursuant to the Privacy Rule, all Business Associates of Covered Entities must agree in writing to certain mandatory provisions regarding the use and disclosure of PHI; and
WHEREAS, the purpose of this Addendum is to comply with the requirements of the Privacy Rule, including, but not limited to, the Business Associate contract requirements at 45 C.F.R. §164.504(e).
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the parties agree as follows:
- Definitions. Unless otherwise provided in this Addendum, capitalized terms have the same meanings as set forth in the Privacy Rule.
- Services. The services to be provided by Business Associate are identified in a separate agreement between the parties entitled ___________________________ (the "Underlying Agreement") and dated __________________________, to which this agreement serves as an Addendum.
- Scope of Use and Disclosure by [SATVA MEMBER] of Protected Health Information.
- Contractual Obligations. [SATVA MEMBER] shall be permitted to use and disclose PHI that is disclosed to it by the Licensee as necessary to perform its obligations under the Underlying Agreement. [May need to append an exhibit listing your underlying obligations. Make sure list is accurate and consistent with Underlying Agreement.]
- Proper Management and Administration. Unless otherwise limited herein, in addition to any other uses and/or disclosures permitted or authorized by this Addendum or required by law, [SATVA MEMBER] may:
- [SATVA MEMBER’S] Use. Use the PHI in its possession for its proper management and administration and to fulfill any legal responsibilities of [SATVA MEMBER];
- Disclosure to Third Party. Disclose the PHI in its possession to a third party for the purpose of [SATVA MEMBER]’s proper management and administration or to fulfill any legal responsibilities of [SATVA MEMBER]; provided, however, that the disclosures are required by law or [SATVA MEMBER] has received from the third party written assurances that
- the information will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the third party; and
- the third party will notify the [SATVA MEMBER] of any instances of which it becomes aware in which the confidentiality of the information has been breached.
- Data Aggregation Services. Provide Data Aggregation Services to Licensee relating to the Health Care Operations of Licensee if so requested. [Optional: for use only if asked to provide data aggregation services as defined in 45 C.F.R. Section 164.501]
- Obligations of [SATVA MEMBER]. In connection with its use and disclosure of PHI, [SATVA MEMBER] agrees to comply with the following standards:
- Limited Disclosure. Use or further disclose PHI only as permitted or required by this Addendum or as required by law.
- Safeguards. Use reasonable and appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Addendum;
- Mitigation. To the extent practicable, mitigate any harmful effect that is known to [SATVA MEMBER] of a use or disclosure of PHI by [SATVA MEMBER] in violation of this Addendum.
- Report Unauthorized Disclosures. Report to the Licensee any use or disclosure of PHI not provided for by this Addendum of which [SATVA MEMBER] becomes aware.
- Agreements With Contractors. Require contractors or agents to whom [SATVA MEMBER] provides PHI to agree to the same restrictions and conditions that apply to [SATVA MEMBER] pursuant to this Addendum.
- HHS Access. Make available to the Secretary of Health and Human Services [SATVA MEMBER]’s internal practices, books and records relating to the use and disclosure of PHI for purposes of determining the Licensee’s compliance with the Privacy Rule, subject to any applicable legal privileges.
- Accounting of Unauthorized Disclosures. Upon notice by Licensee that it has received a request for an accounting of disclosures of PHI regarding an individual during the six (6) years prior to the date on which the accounting was requested, but not for information created prior to April 14, 2003, [SATVA MEMBER] shall make available to Licensee such information then currently in [SATVA MEMBER’S] possession, custody or control (including such information, if any, in the possession, custody or control of [SATVA MEMBER’S] subcontractors) that is required for Licensee to make the accounting required by 45 C.F.R. Section 164.528. Licensee shall reimburse [SATVA MEMBER] for all time and costs incurred to comply with any such requests made under this section.
- Designated Record Set. To the extent that Licensee does not already have in its possession the patient’s PHI in a Designated Record Set, [SATVA MEMBER] shall provide copies to Licensee of all or a portion of the PHI in the Designated Record Set then currently in [SATVA MEMBER’S] possession within a reasonable time after Licensee’s request in order for Licensee to:
- make the PHI in the Designated Record Set available in accordance with 45 C.F.R. Part 164.524; and
- amend the PHI in the Designated Record Set in accordance with 45 C.F.R. Part 164.526. In the event an individual requests access to, or an amendment of, the PHI in a Designated Record Set, such request shall be the responsibility of Licensee. Licensee shall reimburse [SATVA MEMBER] for all time and costs incurred to comply with any request made under this section.
- Compliance With Security Regulations. No later than April 21, 2005, [SATVA MEMBER] shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains or transmits on behalf of Licensee as required to comply with the HIPAA Security Regulation.
- Obligations of the Licensee. The Licensee agrees that it will comply with the following standards:
- Notice of Privacy Practices. Has included, and will include, in the Licensee’s Notice of Privacy Practices required by the Privacy Rule that the Licensee may disclose PHI for Health Care Operations purposes.
- Patient Permission. Has obtained, and will obtain, from Individuals, Authorizations and other permissions necessary or required by laws applicable to the Licensee, for [SATVA MEMBER] and the Licensee to fulfill their obligations under the Underlying Agreement and this Addendum.
- Restrictions on PHI. Will promptly notify [SATVA MEMBER] in writing of any restrictions on the use and disclosure of PHI about Individuals that the Licensee has agreed to that may affect [SATVA MEMBER]’s ability to perform its obligations under the Underlying Agreement or this Addendum.
- Notice of Revocation. Will promptly notify [SATVA MEMBER] in writing of any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes or revocation may affect [SATVA MEMBER]’s ability to perform its obligations under the Underlying Agreement or this Addendum.
- Termination.
- Termination for Breach. In the event that the [SATVA MEMBER] materially breaches a material term of this Addendum, the Licensee must provide [SATVA MEMBER] with notice of the existence of the alleged material breach and afford [SATVA MEMBER] an opportunity to cure the alleged material breach. In the event [SATVA MEMBER] fails to cure the breach in a reasonable period of time to the satisfaction of the Licensee, the Licensee may terminate this Addendum.
- Automatic Termination. This Addendum will automatically terminate upon the termination or expiration of the Underlying Agreement, except where otherwise agreed.
- Effect of Termination.
- Termination of this Addendum will result in termination of the Underlying Agreement.
- Upon termination of this Addendum or the Underlying Agreement, [SATVA MEMBER] will return or destroy all PHI received from the Licensee or created or received by [SATVA MEMBER] on behalf of the Licensee that [SATVA MEMBER] still maintains and retain no copies of such PHI; provided that if such return or destruction is not feasible as determined solely by [SATVA MEMBER], [SATVA MEMBER] will continue to protect the PHI pursuant to the terms of this Addendum and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
- Licensee shall reimburse [SATVA MEMBER] for all time and costs incurred as a result of identifying and destroying PHI as may be required under this section. Such reimbursement shall include, but not be limited to, the time and cost incurred in the erasure of any PHI embedded in [SATVA MEMBER’S] computer system or computer backup system. [Optional language based on Mike Morris example]
- Amendment. [SATVA MEMBER] and the Licensee agree to amend this Addendum from time to time as is necessary for the Licensee to comply with the requirements of the Privacy Rule.
- Survival. The obligations of [SATVA MEMBER] under section 6.C.(2) of this Addendum shall survive any termination of this Addendum.
- No Third Party Beneficiaries. Nothing express or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
- Indemnification Provision. Each party will indemnify and hold harmless the other party to this Business Associate Agreement from and against any and all losses, liabilities, costs and other expenses incurred as a result, or arising directly or indirectly out of, or in connection with, any breach of any obligation on the part of the responsible party under this Business Associate Agreement.
- Entire Agreement. This Agreement contains the entire agreement between the parties with respect to the subject matter hereof and supersedes any previous or contemporaneous proposals, understandings, commitments or representations whatsoever oral or written. The parties may only modify or change the terms of this Agreement by a written document signed by duly authorized representatives of both parties.
- Governing Law; Jurisdiction. This Agreement shall be governed by and construed in accordance with the laws of the state of [THE SATVA MEMBER] without regard to [THE STATE’S] conflict of law principles. The parties agree that [THE SATVA MEMBER’S STATE] shall be the sole proper venue regarding any dispute relating to or arising out of this Agreement.
- Effective Date. This Addendum shall be effective on ______________.
Licensee [SATVA MEMBER]
By:____________________________ By:_______________________________
Name: _________________________ Name: ____________________________
Title: __________________________ Title: _____________________________
Date: __________________________ Date: _____________________________
© Copyright 2007 Software and Technology Vendors Association