I. INTRODUCTION
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is intended, among other things, to protect the privacy of individual health information. The rule implementing HIPAA applies to all “covered entities,” such as health care providers, health plans and health care clearinghouses. In addition, financial institutions may be classified as “business associates” under HIPAA, which means that healthcare customers could request that you modify your contracts to become “HIPAA compliant.”
II. PRIVACY AND SECURITY ISSUES
HIPAA privacy standards outline specific rights for individuals regarding protected health information and obligations of healthcare providers, health plans and health care clearinghouses. The privacy regulations grant healthcare consumers a greater level of control over the use and disclosure of personally identifiable health information. In general, healthcare providers, health plans and health care clearinghouses are prohibited from using or disclosing health information except as authorized by the patient or specifically permitted by the regulation. The final rules include all personally identifiable health information, irrespective of form.
The HIPAA privacy rule requires health plans and providers to enter into “business associate contracts” with their vendors and service providers who use, disclose, or store personally identifiable protected health information (PHI), regardless of whether those third parties are “healthcare clearinghouses.” The regulation provides that “A covered entity may disclose protected health information to a business associate and may allow [it] to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.” The assurances must be in a written contract or arrangement.
Financial institutions whose customers are HIPAA “covered entities” (such as health plans and providers) become “business associates” if they have access to PHI in the normal course of business. Accordingly, health plan and provider customers will, as required by HIPAA, incorporate the applicable HIPAA privacy and security requirements into financial institution contracts.
III. IMPACT ON FINANCIAL INSTITUTIONS
HIPAA may impact financial institutions in one of two ways. First, HIPAA sets transaction standards for the “electronic processing” of healthcare claims and payments. At this juncture, it is unclear whether payment processing activities related to healthcare that use these standards would make financial institutions “covered entities” and therefore subject to HIPAA.
HIPAA sets requirements for processing financial EDI transactions using uniform electronic standards. The critical issue for the banking industry is what payment processing activities do – or do not – constitute actions of a “covered entity” under HIPAA. Those who literally interpret HIPAA’s definition of a “healthcare clearinghouse” have suggested that it covers financial institutions that, in the normal course of business: (1) receive a payment instruction from a HIPAA-covered entity (e.g., healthcare provider or insurance company), and send an ACH transaction with addenda in a HIPAA-compliant format; or (2) receive an ACH transaction with addenda in a HIPAA-compliant format and pass this information on to a covered entity in a human-readable or other useable format.
According to the United States Department of Health and Human Services (“DHHS”), financial institutions could be considered “health care clearinghouses” if they process payments (e.g., provide lockbox services) or other transactions for doctors, pharmacies, hospitals, etc. that include personally identifiable “protected health information” (PHI). PHI is patient medical data and may be included in payment remittance data. Demographic data about patients such as name and address or patient IDs will be considered “protected” if it can be linked to a healthcare provider’s name, treatment, product description or other data from which medical facts about the patient may be inferred.
A health care clearinghouse is defined as a public or private entity that (a) processes or facilitates the processing of information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction or (b) receives a standard transaction from another entity and processes or facilitates the processing of information into nonstandard format or nonstandard data content for a receiving entity.
DHHS has not yet determined – and may not determine any time soon – whether certain financial institution payment processing activities make financial institutions subject to the HIPAA Electronic Transactions Rule.
Second, HIPAA establishes requirements for the privacy of personally identifiable “protected health information” (PHI) and security policies for the storage and transmission of that information. Financial institutions that process PHI for their customers that are covered entities may be classified as “business associates” and therefore subject to the privacy and security provisions of HIPAA.
IV. BUSINESS ASSOCIATE CONTRACTS
The HIPAA privacy rule requires health plans and providers to enter into “business associate contracts” with their vendors and service providers who use, disclose, or store PHI, regardless of whether those third parties are “healthcare clearinghouses.” The regulation provides that “A covered entity may disclose protected health information to a business associate and may allow [it] to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.” The assurances must be in a written contract or arrangement.
It is clear that financial institutions whose customers are HIPAA “covered entities” (such as health plans and providers) will become “business associates” if they have access to PHI in the normal course of business. Accordingly, those health plan and provider customers will, as required by HIPAA, seek to revise existing financial institution contracts to incorporate applicable HIPAA privacy and security requirements. An ABA/NACHA Banking Industry HIPAA Task Force has drafted a banking industry version of the HIPAA model business associate contract to supplement the model contract the Department of Health and Human Services developed to protect the privacy and security of customer health information. ABA representatives say the bank model business associate contract was developed because some provisions in the HHS model conflict with banking law.
Financial institutions can use the ABA-developed model contract language as a freestanding document, or as part of a larger services agreement with HIPAA-covered customers. The provisions are not intended as legal advice, and financial institutions should have attorneys or contract managers review and revise them as needed. For additional information on HIPAA, the following website is suggested: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
V. REQUIREMENTS FOR BUSINESS ASSOCIATES
Title XIII of the American Recovery and Reinvestment Act (ARRA) of 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), imposes significant new obligations on “business associates” (as defined by HIPAA). Not only are the potential fines and penalties for violations far higher, but compliance with the new rules requires business associates to implement precise procedures, provide specific notices, conduct staff training, and draft additional documentation.
A. New Requirements for Business Associates
1. Federal Breach Notification Requirements
With the passage of HITECH, health care providers are now obligated to notify patients of breaches of protected health information (PHI). Specifically, no later than 60 days after discovering a breach of unsecured PHI, a health care provider covered by HIPAA is required to notify each affected patient that their information has been, or is reasonably believed to have been, accessed, acquired, or disclosed. Under HITECH, a breach occurs when there is an unauthorized acquisition, access, use or disclosure which compromises the security or privacy of PHI. “Unsecured PHI” is defined by HITECH as PHI that is not secured through the use of technology or methods to be specified in guidance issued by the HHS Secretary.
HITECH permits breach notices to be made by written or electronic mail, or by a posting on the covered entity’s web site or in a media outlet if there is insufficient contact information for 10 or more individuals. If 500 or more individuals’ information is involved, media notice must be provided and the covered entity must also immediately notify the Secretary of Health and Human Services.
HITECH specifies that the content of breach notices must include a description of what happened, the dates of both the breach and the discovery of the breach, a description of the information involved in the breach, the steps that individuals should take to protect themselves from potential harm from the breach and a description of what the covered entity is doing to investigate, mitigate losses and protect against further breaches.
HITECH also establishes a statutory breach notification requirement directly applicable to HIPAA business associates. Under HITECH, a HIPAA business associate is obligated to notify the covered entity of a breach of unsecured PHI. The notice from the business associate to the covered entity must be provided no later than 60 days from the discovery of the breach and must include the identification of each individual impacted by the breach.
a. Definition of Breach
Under an interim final rule currently in effect, a breach is defined as “the acquisition, access, use, or disclosure of PHI in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the PHI.” For purposes of the definition of breach, the interim final rule defined “compromises the security or privacy of PHI” to mean “poses a significant risk of financial, reputational, or other harm to the individual” (i.e., the harm standard). It was intended to align the HIPAA/HITECH Act breach notification requirement with other federal and state breach notification laws. DHHS indicated in the preamble to the interim final rule that, in order for a covered entity or business associate to determine whether an impermissible use or disclosure of PHI constituted a breach, it must perform a risk assessment to determine if there was a significant risk of harm to the individual resulting from the impermissible use or disclosure.
In the final rule, DHHS removed the harm standard and modified the risk assessment requirement to focus more objectively and uniformly, rather than subjectively, on the probability that PHI has been compromised. Under the new language in the final rule, breach notification is not required if a covered entity or business associate can demonstrate through a risk assessment that a low probability exists that the PHI has been compromised, rather than demonstrating that there is no significant risk of harm to the individual (as under the interim final rule).
The following factors must be considered by business associates when they assess the probability of whether PHI was compromised:
b. Notification of Breach by a Business Associate
The HITECH Act requires a business associate of a covered entity that accesses, maintains, retains, modifies, records, destroys, or otherwise holds, uses, or discloses unsecured protected health information to notify the covered entity when it discovers a breach of such information. The Act requires business associates to provide such notification to covered entities without unreasonable delay and in no case later than 60 days from discovery of the breach. Additionally, the Act requires business associates to provide covered entities with the identity of each individual whose unsecured protected health information has, or is reasonably believed to have been, affected by the breach.
A business associate is required to notify the covered entity of the breach of unsecured protected health information so that the covered entity can notify affected individuals.
A breach is treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate.
Section 164.410(c)(1) requires business associates, to the extent possible, to provide covered entities with the identity of each individual whose unsecured protected health information has been, or is reasonably believed to have been, breached. Depending on the circumstances, business associates could provide the covered entity with immediate notification of the breach and then follow up with the required information when available but without unreasonable delay and within 60 days.
In addition to the identification of affected individuals, a business associate is required to provide the covered entity with any other available information that the covered entity is required to include in the notification to the individual under § 164.404(c), either at the time it provides notice to the covered entity of the breach or promptly thereafter as information becomes available.
2. Direct Regulation of HIPAA Business Associates
Currently, HIPAA business associates (those who perform services on behalf of HIPAA covered entities and in so doing access PHI, such as billing companies or TPAs) are bound to certain HIPAA privacy and security requirements through the terms of business associate agreements with covered entity customers. However, under HITECH, in addition to the new breach notification requirements discussed above, HIPAA business associates have other new and direct statutory obligations regarding information security and privacy. HITECH mandates that HIPAA’s obligations to implement administrative, physical and technical safeguards for electronic PHI and to implement security policies and procedures apply to HIPAA business associates in the same manner as covered entities. Additionally, the privacy and security requirements under HITECH will also apply to business associates, and HITECH directs that such privacy and security requirements be incorporated into business associate agreements with covered entities. It is significant to note that HITECH also mandates that HIPAA’s penalty provisions related to these privacy and security requirements apply to business associates. These new requirements for HIPAA business associates are effective one year from enactment of ARRA.
3. Restrictions on Selling PHI and Marketing Communications
HITECH prohibits HIPAA business associates from receiving direct or indirect remuneration in exchange for any PHI, unless a HIPAA-compliant authorization is obtained that includes whether the PHI may be further sold by the receiving entity. Exceptions to the sale of PHI include public health, research or treatment purposes, merger or sale of the covered entity, and service payments to business associates. Compliance with the prohibition on selling PHI is required 6 months from the issuance of implementing regulations.
4. Subcontractors of Business Associates are Business Associates
For banks that provide services to HIPAA-covered entities such as hospitals, insurance companies, doctors, etc., the final rule implements the HITECH Act requirement that business associates be covered directly by HIPAA, not just through contractual arrangements with covered entities. Importantly, the final rule expands the definition of business associate to include subcontractors of business associates. Subcontractors of a business associate who use or disclose protected health information (PHI) on behalf of the business associate are now directly subject to HIPAA. In the final rule, DHHS noted that it included subcontractors in the definition of business associate “to avoid having privacy and security protections for PHI lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity.”
For purposes of the final rule, subcontractor means: “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” Thus, a subcontractor is a person to whom a business associate has delegated a function, activity, or service the business associate has agreed to perform for a covered entity or business associate. A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information.
Where a covered entity or business associate has delegated out an obligation under the HIPAA Rules, the covered entity or business associate remains liable for penalties for the failure of its business associate agent to perform the obligation on the covered entity or business associate’s behalf.
The HITECH Act creates direct liability for impermissible uses and disclosures of protected health information by a business associate of a covered entity “that obtains or creates” protected health information “pursuant to a written contract or other arrangement” and for compliance with the other privacy provisions in the HITECH Act.
Under the final rule, a business associate is directly liable under the Privacy Rule for uses and disclosures of protected health information that are not in accord with its business associate agreement or the Privacy Rule. In addition, a business associate is directly liable for failing to disclose protected health information when required by the Secretary to do so for the Secretary to investigate and determine the business associate’s compliance with the HIPAA Rules, and for failing to disclose protected health information to the covered entity, individual, or individual’s designee, as necessary to satisfy a covered entity’s obligations with respect to an individual’s request for an electronic copy of protected health information. Further, a business associate is directly liable for failing to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Finally, business associates are directly liable for failing to enter into business associate agreements with subcontractors that create or receive protected health information on their behalf. As was the case under the Privacy Rule before the HITECH Act, business associates remain contractually liable for all other Privacy Rule obligations that are included in their contracts or other arrangements with covered entities (see below for a discussion of the business associate agreement provisions).
With respect to a business associate’s direct liability for a failure to provide access to a copy of electronic protected health information, business associates are liable for providing electronic access in accordance with their business associate agreements. Therefore, business associates may provide electronic access directly to individuals or their designees, or may provide the electronic protected health information to the covered entity (which then provides the electronic access to individuals or their designees). As with many other provisions in the HIPAA Rules, the Department leaves the details to the contracting parties, and is concerned only that access is provided to the individual, not with which party provides the access.
The final rule modifies the minimum necessary standard to require that when business associates use, disclose, or request protected health information from another covered entity, they limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Applying the minimum necessary standard is a condition of the permissibility of many uses and disclosures of protected health information. Thus, a business associate is not making a permitted use or disclosure under the Privacy Rule if it does not apply the minimum necessary standard, where appropriate.
How a business associate will apply the minimum necessary standard will vary based on the circumstances. As is the case today, a business associate agreement must limit the business associate’s uses and disclosures of protected health information to be consistent with the covered entity’s minimum necessary policies and procedures. We leave it to the discretion of the parties to determine to what extent the business associate agreement will include specific minimum necessary provisions to ensure a business associate’s uses and disclosures and requests for protected health information are consistent with the covered entity’s minimum necessary policies and procedures.
A business associate may disclose protected health information to a business associate that is a subcontractor and allow the subcontractor to create or receive protected health information on its behalf, if the business associate obtains satisfactory assurances that the subcontractor will appropriately safeguard the information. The business associate is required to obtain such assurances from a subcontractor.
With respect to the satisfactory assurances to be provided by subcontractors, the agreement between a business associate and a business associate that is a subcontractor may not permit the subcontractor to use or disclose protected health information in a manner that would not be permissible if done by the business associate. For example, if a business associate agreement between a covered entity and a contractor does not permit the contractor to de-identify protected health information, then the business associate agreement between the contractor and a subcontractor (and the agreement between the subcontractor and another subcontractor) cannot permit the de-identification of protected health information. Such a use may be permissible if done by the covered entity, but is not permitted by the contractor or any subcontractors if it is not permitted by the covered entity’s business associate agreement with the contractor. In short, each agreement in the business associate chain must be at least as stringent as the agreement above it with respect to the permissible uses and disclosures.
A business associate who discloses PHI to a subcontractor must enter into a business associate agreement with the subcontractor that provides assurances that the subcontractor will appropriately safeguard the information.
The effective date of the final rule was March 26, 2013, and covered entities and business associates must be in compliance with the requirements by September 23, 2013. However, an existing business associate agreement may continue to operate beyond the compliance deadline if (i) the agreement is HIPAA-compliant prior to January 25, 2013, and (ii) the agreement will not be modified or renewed from March 26, 2013, until September 23, 2013. An existing business associate agreement that meets such specifications will be deemed compliant until the earlier of the date the agreement is modified or renewed on or after September 23, 2013, or September 22, 2014.
VI. CIVIL MONEY PENALTY AMOUNTS
The final rule revises the range of potential civil money penalty amounts a covered entity (or business associate) will be subject to for violations occurring on or after February 18, 2009.
The pre-HITECH maximum penalty amounts of not more than $100 per violation and $25,000 for identical violations during a calendar year, for violations occurring before February 18, 2009, are retained.
In determining the amount of any civil money penalty, the Secretary will consider the following factors, which may be mitigating or aggravating as appropriate:
(a) The nature and extent of the violation, consideration of which may include but is not limited to:
(1) The number of individuals affected; and
(2) The time period during which the violation occurred;
(b) The nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to:
(1) Whether the violation caused physical harm;
(2) Whether the violation resulted in financial harm;
(3) Whether the violation resulted in harm to an individual’s reputation; and
(4) Whether the violation hindered an individual’s ability to obtain health care;
(c) The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity or business associate, consideration of which may include but is not limited to:
(1) Whether the current violation is the same or similar to previous indications of noncompliance;
(2) Whether and to what extent the covered entity or business associate has attempted to correct previous indications of noncompliance;
(3) How the covered entity or business associate has responded to technical assistance from the Secretary provided in the context of a compliance effort; and
(4) How the covered entity or business associate has responded to prior complaints;
(d) The financial condition of the covered entity or business associate, consideration of which may include but is not limited to:
(1) Whether the covered entity or business associate had financial difficulties that affected its ability to comply;
(2) Whether the imposition of a civil money penalty would jeopardize the ability of the covered entity or business associate to continue to provide, or to pay for, health care; and
(3) The size of the covered entity or business associate; and
(e) Such other matters as justice may require.
(a) The Secretary may not:
(1) Prior to February 18, 2011, impose a civil money penalty on a covered entity or business associate for an act that violates an administrative simplification provision if the covered entity or business associate establishes that the violation is punishable under 42 U.S.C. 1320d–6.
(2) On or after February 18, 2011, impose a civil money penalty on a covered entity or business associate for an act that violates an administrative simplification provision if the covered entity or business associate establishes that a penalty has been imposed under 42 U.S.C. 1320d–6 with respect to such act.
(b) For violations occurring prior to February 18, 2009, the Secretary may not impose a civil money penalty on a covered entity for a violation if the covered entity establishes that an affirmative defense exists with respect to the violation, including the following:
(1) The covered entity establishes, to the satisfaction of the Secretary, that it did not have knowledge of the violation, determined in accordance with the Federal common law of agency, and by exercising reasonable diligence, would not have known that the violation occurred; or
(2) The violation is—
(i) Due to circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated and is not due to willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the first date the covered entity liable for the penalty knew, or by exercising reasonable diligence would have known, that the violation occurred; or
(B) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.
(c) For violations occurring on or after February 18, 2009, the Secretary may not impose a civil money penalty on a covered entity or business associate for a violation if the covered entity or business associate establishes to the satisfaction of the Secretary that the violation is—
(1) Not due to willful neglect; and
(2) Corrected during either:
(i) The 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred; or
(ii) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.
APPENDIX A
MODEL BUSINESS ASSOCIATE CONTRACT LANGUAGE
DISCLAIMER: This Agreement is for informational purposes only. Should you require legal or accounting advice, the services of a competent professional should be sought.
I. DEFINITIONS
A. Business Associate. “Business Associate” shall mean [Insert Name of Business Associate].
B. Covered Entity. “Covered Entity” shall mean [Insert Name of Covered Entity].
C. Individual. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
D. Law. “Law” shall mean all applicable Federal and State Statutes and all relevant regulations thereunder.
E. Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. pt. 160 and pt. 164, subparts A and E.
F. Protected Health Information. “Protected Health Information” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R. § 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
G. Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services, or his designee.
II. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
A. Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by this Agreement or by Law.
B. Business Associate agrees to use reasonable safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.
C. Business Associate agrees to report to Covered Entity any use or disclosure of Protected Health Information not provided for by this Agreement after Business Associate has actual knowledge of such use or disclosure.
D. Business Associate agrees to include in any written agreement with any agent, including a subcontractor, to whom it provides Protected Health Information, a requirement that such agent agrees to restrictions and conditions with respect to such information that are at least as restrictive as those that apply through this Agreement to Business Associate.
E. Upon reasonable notice, Business Associate agrees to make Protected Health Information and books and records relating to the use and disclosure of Protected Health Information available to the Secretary at Covered Entity’s expense in a reasonable time and manner, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
III. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
A. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information (i) as is reasonably necessary to perform functions, activities, or services for, or on behalf of Covered Entity as specified in [Insert name of services agreement OR this Agreement]; (ii) for the proper management and administration of the Business Associate; (iii) as may otherwise be required by Law; and, (iv) except as provided otherwise in this Agreement, as may be permitted by Law, provided that Business Associate obtains reasonable assurances from any person to whom the information is disclosed that (A) such information will remain confidential and used or further disclosed only as required by Law or for the purpose for which it was disclosed to the person, and (B) that the person will notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
B. Business Associate shall refer to Covered Entity all requests by Individuals for information about or accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.
C. Business Associate agrees to document disclosures of Protected Health Information, other than for treatment, payment or healthcare operations or disclosures that are incidental to another permissible disclosure, to the extent required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.
D. (i) Business Associate agrees to provide to Covered Entity, in time and manner [insert negotiated terms about time and manner], information collected in accordance with Section C to the extent required to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528; (ii) Covered Entity shall provide to Business Associate within [___] days of the effective date of this Agreement, a written explanation of Covered Entity’s requirements under this Section III.D in sufficient detail to enable Business Associate to comply with such requirements; (iii) Covered Entity agrees to respond promptly to requests from Business Associate for clarification of such requirements, and Business Associate may rely on such responses; (iv) The parties agree to work together in good faith to resolve any disagreement over the requirements of 45 C.F.R. § 164.528.
E. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
IV. OBLIGATIONS OF COVERED ENTITY
A. Covered Entity agrees not to use or disclose Protected Health Information other than as permitted or required by this Agreement or by applicable Law.
B. Covered Entity agrees to use reasonable safeguards to prevent use or disclosure of Protected Health Information other than as provided for by this Agreement.
C. Covered Entity shall notify Business Associate of any changes in Covered Entity’s notice of privacy practices that may affect Business Associate’s use or disclosure of Protected Health Information. Business Associate shall have a reasonable period of time to act on such notices.
D. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, if such changes affect Business Associate’s permitted or required uses and disclosures thereof. Business Associate shall have a reasonable period of time to act on such notice.
E. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information prior to acceptance of such restriction by Covered Entity in accordance with 45 C.F.R. § 164.522 so that Business Associate can determine whether it is infeasible to comply with such restriction. Once agreed to, Business Associate shall have a reasonable period of time to act on such notice.
F. Covered Entity represents and warrants to Business Associate that Covered Entity will not disclose any Protected Health Information to Business Associate unless Covered Entity has obtained any consents and authorizations that may be required by Law or otherwise necessary for such disclosure.
G. Covered Entity shall have access to Business Associate’s information pursuant to the terms and conditions of this Agreement. The information shall remain confidential and proprietary information. The information shall not be disclosed to any third person, business, or corporation, including any person who serves as Covered Entity’s agent, except as otherwise agreed to in writing by Business Associate. Nothing in this Agreement shall be construed as granting Covered Entity any rights by license or any other intellectual property rights to the information.
V. PERMISSIBLE REQUESTS BY COVERED ENTITY
Covered Entity warrants that it shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under applicable Law if done by Covered Entity.
VI. TERM AND TERMINATION
A. Term. This Agreement shall be in effect beginning on [Insert Date] and shall continue for as long as Protected Health Information is being exchanged by Covered Entity and Business Associate.
B. Termination for Cause. Either party may terminate this Agreement for a material breach by the other party if such breach is not cured within thirty (30) days of receipt of written notice thereof.
C. Effect of Termination. It is infeasible for a financial institution to return or destroy Protected Health Information upon termination of [Insert name of services agreement OR this Agreement]. Business Associate will maintain the protection required under this [Insert name of services agreement OR this Agreement] of that Protected Health Information for the period of time required under applicable Law, or in accordance with Business Associate’s internal record retention schedule as in effect from time to time, whichever is longer, at which time Business Associate shall destroy the Protected Health Information in accordance with procedures accepted in the financial services industry for destruction of financial records.
[THE FOLLOWING GENERAL PROVISIONS SHOULD BE ADDRESSED IN THE UNDERLYING SERVICES CONTRACT OR THIS ONE.]
VII. GENERAL PROVISIONS
A. A specific waiver by either party of any provision of this Agreement on any particular occasion and for any reason will not be deemed to be a basis for any automatic waiver of the same or any other provision in the future.
B. Any approvals required by either party to this Agreement, shall not be unreasonably withheld.
C. It is mutually agreed that neither party shall be responsible for damage caused by delay or failure to perform hereunder, when such delay or failure is due to government regulation, war, terrorism, Act of God, fire, flood, disaster, civil disorder, strike, or labor disruption or other cause that is beyond the control of [the party that has failed to perform OR either of the parties to this Agreement], that makes it illegal or impossible to perform this Agreement or any of its terms.
D. All modifications to this Agreement shall be in writing and signed by both parties.
E. This Agreement is intended to bind only the parties hereto and their corporate successors, and may not be otherwise assigned by either party without the express written consent of the other.
F. This Agreement constitutes the entire Agreement between the parties concerning the subject herein, and supersedes all prior oral or written agreements between the parties on same.
G. The Law of the [Business Associate’s Principal Place of Business] shall govern this Agreement.
H. Neither party shall be responsible for consequential, incidental or special damages even if advised of the possibility of same.
I. The parties agree that there shall be no incidental or intended third-party beneficiaries under this agreement. Nor shall any other person or entity have rights arising from the same.
J. Confidentiality provisions.