
SBAA
Sub-Business Associate Schedule
Effective: 10-01-2018
RECITALS
- To the extent that NextGen Healthcare (“Sub-Business Associate”), acting as a subcontractor of Partner (“Business Associate”), is providing through Partner NextGen® services to Client (“Business Associate”) that involve the use of Protected Health Information (“PHI”, as defined below), then Sub-Business Associate agrees to perform as set forth herein.
- Business Associate and Sub-Business Associate intend to protect the privacy and provide for the security of PHI disclosed to Business Associate pursuant to the Agreement in place between Business Associate and Business Associate in compliance with (i) the Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191 (“HIPAA”); (ii) Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), also known as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Public Law No. 111-005 (“ARRA”); and (iii) regulations promulgated thereunder by the U.S. Department of Health and Human Services, including the HIPAA Omnibus Final Rule, which amended the HIPAA Privacy and Security Rules (as those terms are defined below) and implemented a number of provisions of the HITECH Act (the “HIPAA Final Rule”) and caused Business Associates and their subcontractors to be directly regulated under HIPAA.
- The purpose of this BAA is to satisfy certain standards and requirements of HIPAA, the Privacy Rule and the Security Rule (as those terms are defined below), and the HITECH Act, including, but not limited to, Title 45, §§ 164.314(a)(2)(i), 164.502(e) and 164.504(e) of the Code of Federal Regulations (“C.F.R.”).
In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the Parties agree as follows:
1. DEFINITIONS. Capitalized terms used in this BAA and not otherwise defined herein shall have the meanings set forth in the Privacy Rule, the Security Rule, and the HITECH Act, which definitions are incorporated in this BAA by reference.

1.1 “Breach” shall have the same meaning given to such term in 45 C.F.R. § 164.402.

1.2 “Designated Record Set” shall have the same meaning given to such term in 45 C.F.R. § 164.501.

1.3 “Electronic Protected Health Information” or “Electronic PHI” shall have the same meaning given to such term under the Privacy Rule and the Security Rule, including, but not limited to, 45 C.F.R. § 160.103, as applied to the information that Sub-Business Associate creates, receives, maintains or transmits from or on behalf of Business Associate.

1.4 “Individual” shall have the same meaning given to such term in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

1.5 “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.

1.6 “Protected Health Information” or “PHI” shall have the same meaning given to such term in 45 C.F.R. § 160.103, as applied to the information created or received by Sub-Business Associate from or on behalf of Business Associate.

1.7 “Required by Law” shall have the same meaning given to such term in 45 C.F.R. § 164.103.

1.8 “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.

1.9 “Security Incident” shall have the same meaning given to such term in 45 C.F.R. § 164.304 but shall not include (i) unsuccessful attempts to penetrate computer networks or servers maintained by Sub-Business Associate; and (ii) immaterial incidents that occur on a routine basis, such as general “pinging” or “denial of service” attacks.

1.10 “Security Rule” shall mean the Security Standards at 45 C.F.R. Part 160 and Part 164, Subparts A and C.

1.11 “Unsecured PHI” shall have the same meaning given to such term in 45 C.F.R. § 164.402, and guidance promulgated thereunder.
2. PERMITTED USES AND DISCLOSURES OF PHI.

2.1 Uses and Disclosures of PHI Pursuant to Master Agreement. Except as otherwise limited in this BAA, Sub-Business Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of, Business Associate as specified in the Master Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Business Associate. To the extent Sub-Business Associate is carrying out one or more of Business Associate’s obligations under the Privacy Rule pursuant to the terms of the Master Agreement or this BAA, Sub-Business Associate shall comply with the requirements of the Privacy Rule that apply to Business Associate in the performance of such obligation(s).

2.2 Permitted Uses of PHI by Sub-Business Associate. Except as otherwise limited in this BAA, Sub-Business Associate may use PHI for the proper management and administration of Sub-Business Associate or to carry out the legal responsibilities of Sub-Business Associate.

2.3 Permitted Disclosures of PHI by Sub-Business Associate. Except as otherwise limited in this BAA, Sub-Business Associate may disclose PHI for the proper management and administration of Sub-Business Associate, provided that the disclosures are Required by Law, or Sub-Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person (which purpose must be consistent with the limitations imposed upon Sub-Business Associate pursuant to this BAA), and that the person agrees to notify Sub-Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Sub-Business Associate may use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).

2.4 Data Aggregation. Except as otherwise limited in this BAA, Sub-Business Associate may use PHI to provide Data Aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B), including use of PHI for statistical compilations, reports and all other purposes allowed under applicable law.

2.5 De-identified Data. Sub-Business Associate may create de-identified PHI in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and may use or disclose such de-identified data for any purpose.
3. OBLIGATIONS OF SUB-BUSINESS ASSOCIATE.

3.1 Appropriate Safeguards.

3.1.1 Privacy of PHI. Sub-Business Associate will continue to develop, implement, maintain, and use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the Master Agreement and this BAA. The safeguards will reasonably protect PHI from any intentional or unintentional use or disclosure in violation of the Privacy Rule and this BAA, and limit incidental uses or disclosures made pursuant to a use or disclosure otherwise permitted by this BAA.

3.1.2 Security of PHI. Sub-Business Associate shall use appropriate safeguards and shall, after the compliance date of the HIPAA Final Rule, comply with the Security Rule with respect to Electronic PHI, to prevent use or disclosure of such information other than as provided for by the Master Agreement and this BAA.

3.2 Reporting of Improper Use or Disclosure, Security Incident or Breach. Sub-Business Associate shall report to Business Associate any use or disclosure of PHI not permitted under this BAA or any Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Sub-Business Associate to Business Associate of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Business Associate by Sub-Business Associate shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Sub-Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Sub-Business Associate’s notification to Business Associate of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Sub-Business Associate to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Business Associate would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.

3.3 Sub-Business Associate’s Agents. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), as applicable, Sub-Business Associate shall enter into a written agreement with any agent or subcontractor that creates, receives, maintains or transmits PHI on behalf of Sub-Business Associate for services provided to Business Associate, providing that the agent agrees to restrictions and conditions that are substantially similar to those that apply through this BAA to Sub-Business Associate with respect to such PHI.

3.4 Access to PHI. To the extent Sub-Business Associate has PHI contained in a Designated Record Set, it agrees to make such information available to Business Associate pursuant to 45 C.F.R. § 164.524, as applicable, within ten (10) business days of Sub-Business Associate’s receipt of a written request from Business Associate; provided, however, that Sub-Business Associate is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Business Associate. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Sub-Business Associate, or inquires about his or her right to access, Sub-Business Associate shall direct the Individual to Business Associate.

3.5 Amendment of PHI. To the extent Sub-Business Associate has PHI contained in a Designated Record Set, it agrees to make such information available to Business Associate for amendment pursuant to 45 C.F.R. § 164.526 within twenty (20) business days of Sub-Business Associate’s receipt of a written request from Business Associate. If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to Sub-Business Associate, or inquires about his or her right to amendment, Sub-Business Associate shall direct the Individual to Business Associate.

3.6 Documentation of Disclosures. Sub-Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Business Associate to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, as applicable. Sub-Business Associate shall document, at a minimum, the following information (“Disclosure Information”): (i) the date of the disclosure, (ii) the name and, if known, the address of the recipient of the PHI, (iii) a brief description of the PHI disclosed, (iv) the purpose of the disclosure that includes an explanation of the basis for such disclosure, and (v) any additional information required under the HITECH Act and any implementing regulations.

3.7 Accounting of Disclosures. Sub-Business Associate agrees to provide to Business Associate, within twenty (20) business days of Sub-Business Associate’s receipt of a written request from Business Associate, information collected in accordance with Section 3.6 of this BAA, to permit Business Associate to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528, as applicable. If an Individual submits a written request for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528 directly to Sub-Business Associate, or inquires about his or her right to an accounting of disclosures of PHI, Sub-Business Associate shall direct the Individual to Business Associate.

3.8 Governmental Access to Records. Sub-Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by, Sub-Business Associate on behalf of, Business Associate available to the Secretary for purposes of the Secretary determining compliance with the Privacy Rule and the Security Rule.

3.9 Mitigation. To the extent practicable, Sub-Business Associate will cooperate with Business Associate’s efforts to mitigate a harmful effect that is known to Sub-Business Associate of a use or disclosure of PHI not provided for in this BAA.

3.10 Minimum Necessary. Sub-Business Associate shall request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure, in accordance with 45 C.F.R. § 164.514(d), and any amendments thereto.

3.11 HITECH Act Applicability. Sub-Business Associate acknowledges that enactment of the HITECH Act, as implemented by the HIPAA Final Rule, amended certain provisions of HIPAA in ways that now directly regulate, or will on future dates directly regulate, Sub-Business Associate under the HIPAA Privacy and Security Rules. Sub-Business Associate agrees to comply with applicable requirements imposed under the HITECH Act, as of the effective date of each such requirement.
4. OBLIGATIONS OF BUSINESS ASSOCIATE.

4.1 Notice of Privacy Practices. Business Associate shall notify Sub-Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Sub-Business Associate’s use or disclosure of PHI. Business Associate shall provide such notice no later than fifteen (15) days prior to the effective date of the limitation.

4.2 Notification of Changes Regarding Individual Permission. Business Associate shall notify Sub-Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Sub-Business Associate’s use or disclosure of PHI. Business Associate shall provide such notice no later than fifteen (15) days prior to the effective date of the change. Business Associate shall obtain any consent or authorization that may be required by the HIPAA Privacy Rule, or applicable state law, prior to furnishing Sub-Business Associate with PHI.

4.3 Notification of Restrictions to Use or Disclosure of PHI. Business Associate shall notify Sub-Business Associate of any restriction to the use or disclosure of PHI that Business Associate has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Sub-Business Associate’s use or disclosure of PHI. Business Associate shall provide such notice no later than fifteen (15) days prior to the effective date of the restriction. If Sub-Business Associate reasonably believes that any restriction agreed to by Business Associate pursuant to this Section may materially impair Sub-Business Associate’s ability to perform its obligations under the Master Agreement or this BAA, the Parties shall mutually agree upon any necessary modification of Sub-Business Associate’s obligations under such agreements.

4.4 Permissible Requests by Business Associate. Business Associate shall not request Sub-Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule, the Security Rule or the HITECH Act if done by Business Associate, except as permitted pursuant to the provisions of Section 2 of this BAA.
5. TERM AND TERMINATION.

5.1 Term. The term of this BAA shall commence as of the Effective Date and shall terminate when all of the PHI provided by Business Associate to Sub-Business Associate, or created or received by, Sub-Business Associate on behalf of Business Associate, is destroyed or returned to Business Associate or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with Section 5.3.

5.2 Termination for Cause. Upon either Party’s knowledge of a material breach by the other Party of this BAA, such Party shall provide written notice to the breaching Party stating the nature of the breach and providing an opportunity to cure the breach within thirty (30) business days. Upon the expiration of such 30-day cure period, the non-breaching Party may terminate this BAA and, at its election, the Master Agreement, if cure is not possible.

5.3 Effect of Termination.

(i) Except as provided in paragraph (ii) of this Section 5.3, upon termination of the Master Agreement or this BAA for any reason, Sub-Business Associate shall return or destroy all PHI received from Business Associate, or created or received by, Sub-Business Associate on behalf of Business Associate, and shall retain no copies of the PHI.

(ii) If it is infeasible for Sub-Business Associate to return or destroy the PHI upon termination of the Master Agreement or this BAA, Sub-Business Associate shall: (i) extend the protections of this BAA to such PHI; (ii) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Sub-Business Associate maintains such PHI; and (iii) never disclose such PHI to another Sub-Business Associate, Business Associate or third party unless such information has been de-identified in accordance with the standards set forth in 45 C.F.R. § 164.514(b).

5.4 Cooperation in Investigations. The Parties acknowledge that certain breaches or violations of this BAA may result in litigation or investigations pursued by federal or state governmental authorities of the United States resulting in civil liability or criminal penalties. Each Party shall cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.

5.5 Survival. The respective rights and obligations of Sub-Business Associate under Section 5.3 of this BAA shall survive the termination of this BAA and the Master Agreement.

5.6 Effect of BAA. In the event of any inconsistency between the provisions of this BAA and the Master Agreement, the provisions of this BAA shall control. In the event of inconsistency between the provisions of this BAA and mandatory provisions of the Privacy Rule, the Security Rule or the HITECH Act, as amended, or their interpretation by any court or regulatory agency with authority over Sub-Business Associate or Business Associate, such interpretation shall control; provided, however, that if any relevant provision of the Privacy Rule, the Security Rule or the HITECH Act is amended in a manner that changes the obligations of Sub-Business Associate or Business Associate that are embodied in terms of this BAA, then the Parties agree to negotiate in good faith appropriate non-financial terms or amendments to this BAA to give effect to such revised obligations. Where provisions of this BAA are different from those mandated in the Privacy Rule, the Security Rule, or the HITECH Act, but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this BAA shall control.

5.7 General. This BAA is governed by, and shall be construed in accordance with, the laws of the State that govern the Master Agreement. Any action relating to this BAA must be commenced within one (1) year after the date upon which the cause of action accrued. Business Associate shall not assign this BAA without the prior written consent of Sub-Business Associate, which shall not be unreasonably withheld. If any part of a provision of this BAA is found illegal or unenforceable, it shall be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this BAA shall not be affected. All notices relating to the Parties’ legal rights and remedies under this BAA shall be provided in writing to a Party, shall be sent to its address set forth in the signature block below, or to such other address as may be designated by that Party by notice to the sending Party, and shall reference this BAA. This BAA may be modified, or any rights under it waived, only by a written document executed by the authorized representatives of both Parties. Nothing in this BAA shall confer any right, remedy, or obligation upon anyone other than Business Associate and Sub-Business Associate. This BAA is the complete and exclusive agreement between the Parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications, and understandings (written and oral) regarding its subject matter.