1. Applicability. This Addendum applies if and to the extent that Business Associate creates, receives, maintains or transmits, directly or indirectly, any PHI in the course of providing Products or Services to Covered Entity.
2. Compliance and Agents. Business Associate agrees that, to the extent it has access to PHI, Business Associate will fully comply with the requirements of this Addendum with respect to such PHI. Business Associate will ensure that every agent, including a subcontractor, of Business Associate to whom it provides PHI received from, or created or received by Business Associate on behalf of, Covered Entity will comply with the same restrictions and conditions as set forth in this Addendum.
3. Use and Disclosure; Rights. Business Associate agrees that it shall not use or disclose PHI except as permitted under this Addendum, including Section 16 hereof, and in compliance with each applicable requirement of 45 CFR Section 164.504(e). Business Associate may use or disclose the PHI received or created by it, (a) to perform its obligations under this Addendum, (b) to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement, or (c) to provide data aggregation functions to Covered Entity as permitted by HIPAA. Further, Business Associate may use the PHI received by it in its capacity as Business Associate, if necessary, to properly manage and administer its business or to carry out its legal responsibilities. Business Associate may disclose the PHI received by it in its capacity as Business Associate to properly manage and administer its business or to carry out its legal responsibilities if: (a) the disclosure is required by law, or (b) the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it is disclosed to the person and the person notifies Business Associate of any instances of which it is aware that the confidentiality of the information has been breached. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity.
4. Safeguards. Business Associate agrees to develop, document, use, and keep current appropriate procedural, physical, and electronic safeguards, as required in 45 C.F.R. §§164.308 - 164.312, sufficient to prevent any use or disclosure of electronic PHI other than as permitted or required by this Addendum.
5. Minimum Necessary. Business Associate will limit any use, disclosure, or request for use or disclosure to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.
6. Report of Improper Use or Disclosure. Business Associate shall report to Covered Entity any information of which it becomes aware concerning any use or disclosure of PHI that is not permitted by this Addendum and any security incident of which it becomes aware. Business Associate will, following the discovery of a breach of “unsecured protected health information,” as defined in 45 C.F.R. § 164.402, notify Covered Entity of such breach within 15 days. The notice shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such breach. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Addendum.
7. Individual Access. In accordance with an individual’s right of access to his or her own PHI in a designated record set under 45 CFR §164.524 and the individual’s right to copy or amend such records under 45 CFR §164.524 and §164.526, Business Associate shall make available all PHI in a designated record set to Covered Entity to enable the Covered Entity to provide access to the individual to whom that information pertains or such individual’s representative.
8. Amendment of and Access to PHI. Business Associate shall make available for amendment PHI in a designated record set and shall incorporate any amendments to PHI in a designated record set in accordance with 45 CFR §164.526 and in accordance with any process mutually agreed to by the parties.
9. Accounting. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to an individual’s request for an accounting of disclosures of their PHI in accordance with 45 CFR §164.528. Business Associate agrees to make available to Covered Entity the information needed to enable Covered Entity to provide the individual with an accounting of disclosures as set forth in 45 CFR §164.528.
10. DHHS Access to Books, Records, and Other Information. Business Associate shall make available to the U.S. Department of Health and Human Services (“DHHS”) its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity for purposes of determining the Covered Entity’s compliance with HIPAA.
11. Individual Authorizations; Restrictions. Covered Entity will notify Business Associate of any limitation in its notice of privacy practices, any restriction to the use or disclosure of PHI that Covered Entity has agreed to with an individual and of any changes in or revocation of an authorization or other permission by an individual, to the extent that such limitation, restriction, change, or revocation may affect Business Associate’s use or disclosure of PHI.
12. HITECH Act Compliance. Covered Entity and Business Associate agree to comply with the amendments to HIPAA included in the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), including all privacy and security regulations issued under the HITECH Act that apply to Business Associate.
13. Term. This Addendum shall take effect on the effective date of the Agreement, and shall continue in effect unless and until either party terminates this Addendum or the Agreement.
14. Breach; Termination; Mitigation. If Covered Entity knows of a pattern of activity or practice of Business Associate that constitutes a material breach or violation of Business Associate’s obligations under this Addendum, Covered Entity and Business Associate shall take any steps reasonably necessary to cure such breach and make Business Associate comply, and, if such steps are unsuccessful, Covered Entity may terminate this Addendum. Business Associate shall take reasonable actions available to it to mitigate any detrimental effects of such violation or failure to comply.
15. Return of PHI. Business Associate agrees that upon termination of this Addendum, and if feasible, Business Associate shall (a) return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate has continued to maintain in any form or manner and retain no copies of such information, or (b) if such return or destruction is not feasible, immediately notify Covered Entity of the reasons return or destruction are not feasible, and extend indefinitely the protection of this Addendum to such PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI not feasible.
16. De-identified Health Information. Business Associate may de-identify any and all PHI and may create a “Limited Data Set” in accordance with 45 C.F.R. § 164.514(b) & (e). Covered Entity acknowledges and agrees that de-identified information is not PHI and that Business Associate may use such de-identified information for any lawful purpose. Use or disclosure of a Limited Data Set must comply with 45 CFR 164.514(e).
17. Survival. All representations, covenants, and agreements in or under this Addendum shall survive the execution, delivery, and performance of this Addendum.
18. Further Assurances; Conflicts. Each party shall in good faith execute, acknowledge or verify, and deliver any and all documents which may from time to time be reasonably requested by the other party to carry out the purpose and intent of this Addendum. The terms and conditions of this Addendum will override and control any expressly conflicting term or condition of the Agreement. All non-conflicting terms and conditions of the Agreement shall remain in full force and effect. Any ambiguity in this Addendum with respect to the Agreement shall be resolved in a manner that will permit Covered Entity to comply with HIPAA. For the avoidance of doubt, a limitation on liability in the Agreement does not conflict with this Addendum.
19. Applicable Law. The parties acknowledge and agree that HIPAA may be amended and additional guidance or regulations implementing HIPAA may be issued after the date of the execution of this Addendum and may affect the parties’ obligations under this Addendum. The parties agree to take such action as is necessary to amend this Addendum from time to time as is necessary for Covered Entity to comply with HIPAA.