Business Associate Agreement Template - Maine

This fillable "Business Associate Agreement Template" is a document issued by the Maine Department of Health and Human Services specifically for Maine residents.

Maine Department of Health and Human Services
Business Associate Agreement
This Business Associate Agreement (“Agreement”) is made this ___ day of _________, 20___
(the “Effective Date”) by and between the State of Maine, Department of Health and Human
Services (the Covered Entity, hereinafter, the “Department”) and ________________________
(“Business Associate”), together (the “Parties”); and
WHEREAS, Business Associate may use, disclose, create, receive, maintain or transmit
protected health information in a variety of forms or formats, including verbal, paper and
electronic (together, “PHI”) on behalf of the Department in connection with Business
Associate’s performance of its obligations under the following agreement between the parties:
____________________________________________________________________________
dated ___________, 20___ (the “Underlying Agreement”); and
WHEREAS, the Parties intend to ensure the confidentiality, privacy and security of
Department’s PHI as required by law, including the Health Insurance Portability and
Accountability Act of 1996, P.L. 104-191 (HIPAA), and its implementing regulations at 45 CFR
Parts 160 and 164 (the Privacy, Security, Breach Notification and Enforcement Rules or
“HIPAA Rules”) as updated by the Health Information Technology for Economic and Clinical
Care Act (HITECH) enacted under Title XII of the American Recovery and Reinvestment Act of
2009, and its implementing Regulations (together, the “HIPAA and HITECH Rules”); and
WHEREAS, the Parties agree that certain federal and state laws, rules, regulations and
accreditation standards also impose confidentiality restrictions that apply to this business
relationship, and may include, but are not limited to: 42 CFR 2 et seq.; 5 M.R.S.A. §19203-D;
22 M.R.S.A. §§42, 261, 815, 824, 833, 1494, 1596, 1711-C, 1828, 3173, 3292, 4008, 5328,
7250, 7703, 8754; 10 M.R.S.A. 1346 et seq.; 34-B M.R.S.A. §1207; 14-193 C.M.R., Ch. 1, Part
A, § IX; and applicable accreditation standards of The Joint Commission or other appropriate
accreditation body regarding confidentiality.
NOW THEREFORE, the parties agree as follows:
Specific Definitions for the Purpose of this Agreement:
Breach means the unauthorized acquisition, access, use or disclosure of PHI that compromises
the security or privacy of such PHI. A security or privacy incident that involves PHI is presumed
to be a breach requiring notification unless the Department proves, through specific risk analysis
steps, that there is a low probability that the PHI was compromised or a) the incident does not
involve unsecured PHI, or b) the incident falls into another exception or safe harbor as set forth
in the HIPAA and HITECH Rules.
Business Associate is a person or entity that creates, receives, maintains or transmits PHI on
behalf of, or provides services to, a covered entity, as set forth in the HIPAA Rules and other
than in the capacity of a workforce member.
Covered Entity is a (1) health plan, (2) health care clearinghouse, or (3) health care provider who
electronically transmits any health information in connection with transactions for which HHS
has adopted standards. Generally, these electronic transactions concern billing and payment for
services or insurance coverage.
Designated Record Set means the billing and medical records about individuals maintained by or
for a covered provider: the enrollment, claims adjudication, payment, case or medical
management record systems maintained by or for a health plan; or that are used in whole, or in
part, by the covered entity to make decisions about individuals.
Individual means the person who is the subject of the PHI.
Protected Health Information means information that is created or received by a health care
provider, health plan, public health authority, employer, life insurer, school or university, or
health care clearinghouse that relates to the past, present, or future physical or mental health or
condition of an individual; the provision of health care to an individual; or the past, present, or
future payment for the provision of health care to an individual and is transmitted or maintained
in electronic or any other form or medium.
Security Incident means the attempted or successful unauthorized access, use, disclosure,
modification or destruction of information [or PHI] or interference with system operation in an
information system.
Subcontractor means a natural person, trust or estate, partnership, corporation, professional
association or corporation, or other entity, public or private, to whom a business associate has
delegated a function, activity, or service, other than in the capacity of a member of the
workforce of such business associate.
Unsecured Protected Health Information means PHI that is not rendered unusable, unreadable,
or indecipherable to unauthorized individuals through the use of a technology or methodology
specified by the U.S. Department of Health and Human Services (“HHS”) in its guidance.
General Definitions. The following terms used in this Agreement shall have the same meaning
as those terms in the HIPAA and HITECH Rules: Data Aggregation, Disclosure, Health Care
Operations, Minimum Necessary, Notice of Privacy Practices, Required by Law, and Use.
1. Permitted Uses and Disclosures
a. Business Associate agrees to use or disclose the PHI authorized by this Agreement only
to perform the services of the Underlying Agreement between the Parties, or as required
by law.
b. Business Associate may use or disclose PHI for the proper management and
administration of Business Associate or to carry out the legal responsibilities of the
Business Associate, only where a) the use or disclosure does not violate any law
governing the protection of the PHI, including, but not limited to, prohibitions under 42
CFR Part 2 (Part 2 Regulations), and b) the disclosures are required by law or c) Business
Associate agrees only to disclose the minimum necessary PHI to accomplish the intended
purpose and i) obtains reasonable assurances from the person or entity to whom the
information is disclosed that the PHI will remain confidential and used or further
disclosed only as required by law or for the purposes for which it was disclosed to the
person or entity, and ii) the person or entity agrees to immediately notify Business
Associate of any instances of which it is aware that the confidentiality, privacy or
security of the information has been actually or potentially breached.
c. Business Associate may provide data aggregation services relating to the health care
operations of the Department, or de-identify the Department’s PHI, only when such
specific services are permissible under the Underlying Agreement or as otherwise
preapproved in writing by the Department.
2. Obligations and Activities of the Business Associate
a. Compliance. Business Associate agrees to comply with the HIPAA and HITECH Rules,
and other applicable state or federal law, to ensure the protection of the Department’s
PHI, and only use and disclose PHI consistent with the Department’s minimum necessary
policy and the legal requirements of this Agreement. Business Associate may not use or
disclose PHI in a manner that would violate the HIPAA or HITECH Rules or other state
or federal law if performed by the Department.
b. Safeguards. In complying with the HIPAA and HITECH Rules, Business Associate
agrees to use appropriate administrative, technical and physical safeguards, and comply
with any required security or privacy obligations, to protect the confidentiality, integrity
and availability of the Department’s PHI.
c. Reporting. Business Associate agrees to report to the Department any inappropriate use
or disclosure of the Department’s PHI of which it becomes aware, i.e. any use or
disclosure not permitted in this Agreement or in violation of any legal requirement,
including actual and suspected breaches of unsecured PHI, and any actual or potential
security incident of which it becomes aware. Such report will be made to the
Department’s Director of Healthcare Privacy or her designee within twenty-four (24)
hours of when the Business Associate becomes aware of an actual or suspected incident
or breach. In the event that a breach is determined to have occurred under the authority
of the Business Associate, Business Associate will cooperate promptly with the
Department to provide all specific information required by the Department for mandatory
notification purposes.
d. Subcontractors and Agents. In accordance with 45 CFR 164.502(e)(1)(ii) and
164.308(b)(2), if applicable, Business Associate shall ensure that any third parties, agents
or subcontractors (together, “Subcontractors”) that use, disclose, create, acquire, receive,
maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions,
conditions, and requirements that apply to Business Associate with respect to such PHI.
Business Associate shall obtain and maintain a written agreement with each
Subcontractor that has or will have access, through Business Associate, to the
Department’s PHI, ensuring that the Subcontractor agrees to be bound to the same
restrictions, terms and conditions that apply to Business Associate under this
Agreement.
e. Mitigation. The Business Associate shall exhaust, at its sole expense, all reasonable
efforts to mitigate any harmful effect known to the Business Associate arising from the
use or disclosure of PHI by Business Associate in violation of the terms of this
Agreement.
f. Accounting of Disclosures. To the extent required by the terms of this Agreement,
Business Associate will maintain and make available the information and/or
documentation required to provide an accounting of disclosures as necessary to satisfy
the Department’s obligations under 45 CFR 164.528.
g. Access. In the event that Business Associate creates or maintains PHI in a designated
record set, Business Associate will use commercially reasonable efforts to make PHI
available in the format requested, and as necessary to satisfy the Department’s obligation
under 45 C.F.R. 164.524, within 30 days from the time of request. Business Associate
will inform the Department of the individual’s request within 5 (five) business days of the
request.
h. Amendment. In the event that Business Associate creates or maintains PHI in a
designated record set, Business Associate agrees to make any amendment(s) to the PHI as
directed or agreed to by the Department, or take other measures as necessary to satisfy
the Department’s obligations under 45 CFR 164.526, in such time period and in such
manner as the Department may direct.
i. Restrictions. Upon notification from the Department, Business Associate shall adhere to
any restrictions on the use or disclosure of PHI agreed to by or required of the
Department pursuant to 45 CFR 164.522.
j. Audit by the Department or the HHS Secretary. The Business Associate will make its
internal practices, books and records relating to the use or disclosure of PHI received
from the Department or used, acquired, maintained, created or received by the Business
Associate on behalf of the Department, available to either the Department or the HHS
Secretary for the purposes of determining the compliance of either the Department or the
Business Associate with the Medicaid Act, and the HIPAA and HITECH Rules, or any
other federal, state or accreditation requirement. 45 C.F.R. 164.504.
k. Other Obligations: To the extent that Business Associate is to carry out one or more of
the Department’s obligations under the HIPAA and HITECH Rules or other federal or
state law, Business Associate agrees to comply with the legal requirements that apply to
the Department in performing that obligation.
3. Obligations of the Department
a. The Department shall notify Business Associate of a) any limitation in any applicable
Notice of Privacy Practices that would affect the use or disclosure of PHI by the Business
Associate and b) any changes, revocations, restrictions or permissions by an individual to
the use and disclosure of his/her PHI to which the Department has agreed, to the extent
such restrictions or limitations may affect the performance of Business Associate’s
services on behalf of the Department.
b. The Department shall not request that Business Associate use or disclose PHI in any
format, and in any manner, that would be prohibited if performed by the Department.
4. Hold Harmless
Business Associate agrees to indemnify and hold harmless the Department, its directors, officers,
agents, shareholders, and employees against any and all claims, demands, expenses, liabilities or
causes of action that arise from any use or disclosure of PHI not specifically permitted by this
Agreement, applicable state or federal laws, licensing, accreditation or other requirements.
5. Term of Agreement
a. Term. This Agreement shall be effective as of the Effective Date and shall terminate at
the end of the term of the Underlying Agreement. To the extent that the Underlying
Agreement automatically renews, this Agreement shall also automatically renew itself for
the same renewal period unless the Department terminates this Agreement for cause as
set forth in Section 5(c). Either party may terminate the Agreement consistent with the
written notice provision regarding termination in the Underlying Agreement.
b. Auto-renewal. In the event that this Agreement is automatically renewed, the Business
Associate agrees to be bound by the terms of this Agreement and laws referenced in this
Agreement that are current and in effect at the time of renewal.
c. Termination for Cause. Notwithstanding the foregoing, Business Associate authorizes
termination of this Agreement by the Department if the Department determines that
Business Associate has violated a material term of the Agreement. The Department shall
either, at its sole discretion: