HIPAA BUSINESS ASSOCIATE AGREEMENT
This Business Associate Addendum (“HIPAA Addendum”) is an addendum to the InfoSmart Web™ Terms and Conditions (“Terms and Conditions”) pursuant to which Business Associate provides services to you as a Covered Entity that involves the use and/or disclosure of Protected Health Information (“PHI”). This HIPAA Addendum shall be applicable only in the event and to the extent Fisher & Paykel Healthcare, Inc. meets, with respect to you, the definition of a Business Associate set forth at 45 C.F.R. § 160.103, or applicable successor provisions. NOW, THEREFORE, for good and valuable consideration, the sufficiency of which is hereby acknowledged, the parties agree as follows:
- Terms used but not otherwise defined in this HIPAA Addendum shall have the same meaning as the meaning ascribed to those terms in the Health Insurance Portability and Accountability Act of 1996, as codified at 42 U.S.C. Parts 160 and 164 (“HIPAA”), the Health Information Technology Act of 2009, as codified at 42 U.S.C § 17901 et seq. (“HITECH Act”), and any current and future regulations promulgated under HIPAA or the HITECH Act (HIPAA, HITECH Act and any current and future regulations promulgated under either are together referred to as the “Regulations”).
- Business Associate means Fisher & Paykel Healthcare, Inc.
- Protected Health Information or PHI shall have the same meaning as the term “Protected Health Information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from you or on your behalf, including, but not limited to, electronic PHI.
OBLIGATIONS OF BUSINESS ASSOCIATE
In order that each party may achieve and maintain compliance with the requirements of HIPAA, Business Associate agrees:
To only use and disclose PHI as permitted by this HIPAA Addendum or as Required By Law. Business Associate may:
- use and disclose PHI to perform its obligations as set forth in the Terms and Conditions;
- use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities;
- disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, if such disclosure is required by law or if Business Associate obtains reasonable assurances from the recipient that the recipient will keep the PHI confidential, use or further disclose the PHI only as required by law or for the purpose for which it was disclosed to the recipient, and notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached;
- use PHI to provide data aggregation services relating to your health care operations;
- use or disclose PHI to report violations of the law to law enforcement, consistent with 45 C.F.R. § 164.502(j)(1); and
- use PHI to create de-identified information consistent with the standards set forth at 45 C.F.R. § 164.514. Business Associate will not sell PHI or use or disclose PHI for purposes of marketing, as defined and proscribed in the Regulations.
- To limit its uses and disclosures of, and requests for, PHI (a) when practical, to the information making up a Limited Data Set; and (b) in all other cases subject to the requirements of 45 C.F.R. § 164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.
- To use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of the PHI in compliance with the Regulations.
- To ensure that all of Business Associate’s employees, subsidiaries and affiliates that receive, use or have access to PHI will adhere to the same restrictions and conditions on the use or disclosure of PHI that apply to Business Associate pursuant to this HIPAA Addendum.
- To require all of its subcontractors and agents that receive, use or have access to PHI to agree, in writing, to adhere to the same restrictions and conditions on the use or disclosure of PHI that apply to Business Associate pursuant to this HIPAA Addendum.
- Upon reasonable notice and prior written request, to make available during normal business hours at Business Associate’s offices all records, books, agreements, internal practices, policies and procedures relating to the use or disclosure of PHI to the Secretary, in a time and manner designated by the Secretary, for purposes of determining your compliance with the Regulations, subject to attorney-client and other applicable legal privileges.
- To make available information regarding any disclosures by Business Associate that would be required to provide an accounting of disclosures to an individual in accordance with 45 C.F.R. § 164.528 and 42 U.S.C. § 17935(c), within five (5) business days of receipt of a request from you.
- If, and to the extent that Business Associate possesses an applicable Designated Record Set, within five (5) business days of receipt of a request from you for the amendment of an individual's PHI contained in the Designated Record Set, Business Associate shall make available such information to you for amendment and shall also incorporate any such amendments in the PHI maintained by Business Associate as required by 45 C.F.R. § 164.526.
- To make available an individual’s PHI upon that individual’s request no later than thirty (30) days after receipt of the request, in accordance with 45 C.F.R. § 164.524.
- Subject to Section 3.4 of this HIPAA Addendum, to return to you or destroy, within thirty (30) days of the termination of this HIPAA Addendum, any and all PHI in its possession and retain no copies (which for purposes of this HIPAA Addendum shall include without limitation destroying all backup tapes and permanently deleting all electronic PHI).
- To mitigate, to the extent practicable, any harmful effects from any use or disclosure of PHI by Business Associate not permitted by this HIPAA Addendum.
- Business Associate agrees to notify your designated Privacy Official of any use or disclosure of PHI by Business Associate not permitted by this HIPAA Addendum, any Security Incident involving electronic PHI, and any breach of unsecured Protected Health Information, of which the Business Associate is aware.
- To the extent, if any, that Business Associate will carry out one or more of your obligation(s) under 45 C.F.R. Part 164, Subpart E, then Business Associate shall comply with the requirements of Subpart E that apply to you in the performance of such obligation(s).
- Business Associate agrees to promptly report to you any use or disclosure of Protected Health Information not permitted by this HIPAA Addendum, as well as any Security Incident, of which Business Associate becomes aware.
Business Associate shall provide the following information to you within five (5) business days of discovery of a breach, except when, despite all reasonable efforts by Business Associate to obtain the information required, circumstances beyond the control of Business Associate necessitate additional time. Under such circumstances Business Associate shall provide to you the following information as soon as possible and without unreasonable delay, but in no event later than thirty (30) calendar days from the date of discovery of a breach:
- the date of the breach;
- the date of the discovery of the breach;
- a description of the types of unsecured PHI that were involved;
- identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed; and
- any other details necessary to complete an assessment of the risk of harm to the individual.
- You will be responsible to provide notification to individuals whose unsecured PHI has been disclosed, as well as the Secretary and the media, as required by 42 U.S.C. § 17932.
- Business Associate agrees to establish procedures to investigate the breach, mitigate losses, and protect against any future breaches, and to provide a description of these procedures and the specific findings of the investigation to you in the time and manner reasonably requested by you.
TERM AND TERMINATION
- This HIPAA Addendum shall become effective on the date of execution of the Terms and Conditions, and shall terminate upon the termination or expiration of the Terms and Conditions. Notwithstanding the foregoing, obligations imposed on either party pursuant to the HITECH Act must be complied with only when the particular provisions referenced become effective or compliance becomes required, whichever is later.
- Either party may immediately terminate this HIPAA Addendum and the Terms and Conditions if the other party has breached or violated a material term of this HIPAA Addendum and has not cured such breach or violation within thirty (30) days of receiving written notice of the material breach.
- Upon termination or expiration of this HIPAA Addendum, Business Associate agrees to return to you or destroy all PHI in the possession of Business Associate and/or in the possession of any subcontractor or agent of Business Associate and to retain no copies of the PHI.
- In the event that returning or destroying the PHI is infeasible, Business Associate shall provide to you a written statement that it is infeasible to return or destroy the PHI and describe the conditions that make return or destruction of the PHI infeasible. Business Associate shall extend the protections of this HIPAA Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains the PHI.
- This HIPAA Addendum may not be modified, nor shall any provision hereof be waived or amended, except in writing duly signed by authorized representatives of the parties. The parties agree to take such action as is necessary to amend this HIPAA Addendum from time to time in order to achieve and maintain compliance with the requirements of the Regulations.
- Any reference herein to a federal regulatory section within the Code of Federal Regulations shall be a reference to such section as it may be subsequently updated, amended or modified.
- Any ambiguity in this HIPAA Addendum shall be resolved to permit Covered Entities to comply with HIPAA.
- The parties acknowledge and agree that this HIPAA Addendum shall be governed by the laws of the state of California as to all matters, including matters of validity, construction, interpretation, effect, performance and liability, without giving effect to the provisions, policies or principles thereof respecting conflict or choice of law.
- The parties hereby irrevocably and unconditionally submit to the exclusive jurisdiction of any California State or Federal court sitting in Los Angeles County, California in any action or proceeding arising out of or relating to this HIPAA Addendum, any related agreement or any transaction contemplated in this HIPAA Addendum. The parties hereby irrevocably waive, to the fullest extent they may effectively do so, the defense of an improper venue or inconvenient forum to the maintenance of such action or proceeding.
Any notices required to be given to you under this HIPAA Addendum shall be in writing and addressed to the contact details provided on registration for InfoSmart Web™. Any notices required to be given to Business Associate under this HIPAA Addendum shall be in writing and addressed as follows: Fisher & Paykel Healthcare, Inc.
15365 Barranca Parkway
Irvine, CA 92618
Attention: Privacy Officer