business associate aGREEMENT
This Business Associate Agreement, entered into as of the date signed below, is between _____________________, (“Covered Entity”), and Retail Solutions, Ltd., located at 6417 Cliffside Drive Ft. Worth, Texas 76180, (“Business Associate”).
Covered Entity acknowledges that it is subject to 45 CFR Parts 160 and 164 (“Privacy Rule”) issued by the United States Department of Health and Human Services (“HHS”) under the authority of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”).
Business Associate provides Internet switching services (“Services”) to Covered Entity, and in the course of providing Services to Covered Entity, Business Associate may be required to use or disclose Protected Health Information of individuals received from Covered Entity or created or received by Business Associate on behalf of Covered Entity (“PHI”).
1. Legal Effect and Term of this Agreement.
This Agreement shall become effective on April 14, 2003 (“Effective Date”), and shall remain in effect during the entire period Business Associate provides Services to Covered Entity. In addition, this Agreement may remain in effect subsequent to the termination of the provision of Services, as provided in this Agreement.
2. Obligations of Business Associate.
A. Business Associate agrees not to use or disclose PHI other than as permitted or required by this Agreement or as required by law.
B. Business Associate agrees to use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in this Agreement, and to have written documentation of such safeguards.
C. Business Associate agrees to report to Covered Entity within forty-eight (48) hours any use or disclosure, of which it becomes aware, that is in violation of this Agreement.
D. Business Associate agrees to mitigate, to the extent practical, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement, in accordance with 45 CFR 164.530(f).
E. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI, agrees in writing to the same restrictions and conditions that apply to Business Associate with respect to such information.
F. Business Associate agrees to provide access to PHI, make amendments to PHI, and provide an accounting of disclosures of PHI, contained in a designated record set, as reasonably requested by an individual, in accordance with 45 CFR 164.524, 164.526, and 164.528, respectively. Business Associate shall document and provide reports to Covered Entity, as reasonably requested by Covered Entity, of Business Associate’s receipt of and response to such requests.
G. Business Associate agrees to provide to Covered Entity in a time and manner reasonably designated by Covered Entity information collected in accordance with this Agreement to permit Covered Entity to respond to a request by an individual for access to PHI, amendment of PHI, or an accounting of disclosures of PHI, in accordance with 45 CFR 164.524, 164.526, and 164.528, respectively.
H. Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to Covered Entity and the Secretary of HHS, in the manner lawfully designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.
3. Permitted Uses and Disclosures by Business Associate.
A. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform Services for or on behalf of Covered Entity, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
B. Except as otherwise limited in this Agreement, Business Associate may use PHI to carry out the legal responsibilities of Business Associate.
C. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that such disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential, that the person will only use or further disclose the information as required by law or for the purpose for which it was disclosed, and that the person agrees to notify Business Associate of any instances, of which it becomes aware, where the confidentiality of the information has been breached.
D. Except as otherwise limited in this Agreement, Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B).
E. Business Associate may use or disclose PHI to report violations of law to appropriate federal and state authorities consistent with 45 CFR 164.502(j)(1).
4. Obligations of Covered Entity.
A. Covered Entity shall notify Business Associate of any limitations in its notice of privacy practices, if such limitation may affect Business Associate’s use or disclosure of PHI.
B. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses and disclosures of PHI.
C. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of an individual’s PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, if such restriction may affect Business Associate’s use or disclosure of PHI.
5. Permissible Requests by Covered Entity.
Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
6. Electronic Transactions.
If Business Associate conducts any electronic transactions on behalf of Covered Entity that are subject to 45 CFR Parts 160 and 162 (“Electronic Transactions Rule”) issued by HHS under the authority of HIPAA, Business Associate shall conduct all such transactions using the uniform formats and code sets, as required by the Electronic Transactions Rule.
Business Associate shall indemnify, defend and hold harmless Covered Entity and its directors, officers, agents, and employees from and against any and all losses, damages, costs, expenses, judgments and liabilities, including reasonable attorneys' fees, arising from or in connection with any claim, action, contest or dispute brought by a third party, including HHS, to the extent caused by or resulting from an act of gross negligence or willful misconduct by Business Associate or its directors, officers, agents, employees relating to the handling of PHI provided by Covered Entity.
A. Termination of the Services Agreement. This Agreement shall terminate upon the termination of the provision of Services by Business Associate to Covered Entity.
B. Termination for Cause. Upon Covered Entity's knowledge of a material breach or violation of this Agreement by Business Associate, Covered Entity shall provide ten (10) days notice to Business Associate to cure the breach or end the violation. If Business Associate does not cure the breach or end the violation within ten (10) days, Covered Entity may immediately terminate the Services Agreement and this Agreement.
C. Effect of Termination.
(1) Except as provided in paragraph (2) of this section, upon termination of the Services Agreement for any reason, Business Associate shall return originals and all copies of, or shall destroy, all PHI. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate.
(2) If Business Associate reasonably determines that returning or destroying PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. If Covered Entity and Business Associate agree that return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
A. Regulatory References. Terms used in this Agreement have the same meaning as those terms are used in the Privacy Rule in effect or as amended.
B. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and HIPAA.
C. Survival. The rights and obligations of Business Associate and Covered Entity under the termination provisions of this Agreement shall survive the termination of this Agreement.
D. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule.
E. No Third Party Beneficiaries. There are no third party beneficiaries of this Agreement, including those individuals who are the subject of PHI.
AGREED TO ON BEHALF OF
Retail Solutions Ltd. :
By: Retail Solutions Inc., General Partner
Stacy Scribner, President
AGREED TO ON BEHALF OF
Print Name: _____________________