BUSINESS ASSOCIATE ADDENDUM

1. General.

 

A. Effective Date.

 

The effective date of this addendum is April 14,2003

 

B. Parties.

 

The parties to this addendum are CBY Systems, Inc. DBA The Credit Bureau of York, a Collection Agency, with its principle location at 33 South Duke St. York, PA 17401 and_____________________________,a Medical Practices firm with its principal office at ____________________________________________

 

C. Purpose of Addendum.

 

Covered Entity is subject to the following rules promulgated by the Department of Health and Human Services ('DHHS") under the Health Insurance Portability and Accountability Act ("HIPAA"):

 

Privacy Rule (a/k/a Standards for Privacy of Individually-Identifiable Health Information) - This rule is published at 45 C.F.R. Part 164. It establishes standards for the privacy of personal health information. Covered Entity is required under the rule to obtain privacy assurances from certain entities to which it discloses health information protected by the rule ("Protected Health Information") and/or which it allows to create or receive Protected Health Information on its behalf.

 

On April 14, 2003 the parties entered into an agreement ("Core Services Agreement") providing for Business Associate to provide Collection services to Covered Entity. Business Associate will regularly receive and/or create Protected Health Information in the course of performing these services and other duties and responsibilities under the Core Services Agreement. The Core Services Agreement also provides for Business Associate to conduct Transactions on behalf of Covered Entity. The purpose of this Addendum is to incorporate those terms and conditions required by the Privacy Rule and the Transactions and Code Sets Rule.

 

Page 1 of 9

 

 

 

D. Legally bound.

 

The Parties agree to be legally bound to the terms and conditions set forth in this Addendum. The Addendum is incorporated into and shall be deemed to be part of the Core Services Agreement.

 

II. Definitions.

 

A. Defined terms.

 

"Core Services Agreement" shall mean the agreement entered into by the parties on April 14, 2003 for Business Associate to deliver Collection services to Covered Entity.

 

"Individual" shall have the same meaning as the term "individual" in 45 C.F.R. §164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. §164.502(g).

 

"Other state and federal privacy laws" include, but are not limited to professional licensing regulations for physicians (49 Pa. Code §16.61, §25.213), the Confidentiality of HIV-Related Information Act (35 P.S. §§7601-7612), the Mental Health Procedures Act and regulations (50 P.S. §7111; 55 Pa. Code §5100.31-5100.39), and the federal protections for drug and alcohol abuse treatment records (42 U.S.C. 290dd-2; 42 C.F.R. §§2.1-2.67).

 

"Privacy Rule" shall mean the Standards for Privacy of Individually-Identifiable Health Information promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act at 45 C.F.R. Part 164.

 

"Protected Health Information" shall have the same meaning as the term "protected health information" in 45 C.F.R. § 164.50 1, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

 

"Required By Law" shall have the same meaning as the term "required by law" in 45 C.F.R. §164.501.

 

"Secretary" shall mean the Secretary of the Department of Health and Human Services or his or her designee.

 

"Transaction" means a transaction subject to the Transaction and Code Set Rule.

 

"Transactions and Code Set Rule" shall mean the Transactions and Code Set rule promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act at 45 C.F.R. Part 162.

 

Page 2 of 9

 

 

B. Other definitions.

 

Any other term used, but not otherwise defined, in this Addendum shall have the same meaning as given the term in 45 C.F.R. §§ 160.103 & 164.501.

 

III. Permitted uses and disclosures by Business Associate.

 

A. General uses and disclosures.

 

Except as otherwise limited in this Addendum, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Core Services Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.

 

B. Specific uses and disclosures.

 

1. Management and Administration Uses

 

Except as otherwise limited in this Addendum, Business Associate may use Protected Health Information in accordance with 45 C.F.R. §164.504(e)(4)(i) for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

 

2. Management and Administration Disclosures.

 

Except as otherwise limited in this Addendum, Business Associate may disclose Protected Health Information to third parties in accordance with 45 C.F.R. § 164.504(e)(4)(ii) for the proper management and administration of the Business Associate, provided that (i) the disclosures are Required By Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

 

3. Data Aggregation Services

 

Except as otherwise limited in this Addendum, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 42 C.F.R. §164.504(e)(2)(i)(B).

 

 

Page 3 of 9

 

 

 

 

 

IV. Obligations and Activities of Business Associate.

 

A. Prohibited uses and disclosures.

 

Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by the Addendum or as Required By Law.

 

B. Safeguards.

 

Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Addendum.

 

C. Mitigation.

 

Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Addendum.

 

D. Self-reporting.

 

Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Addendum. The report shall be in writing and made within 30 days of Business Associate's discovery of the unauthorized use and/or disclosure.

 

E. Agents and Subcontractors.

 

Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees in writing to the same restrictions and conditions that apply through this Addendum to Business Associate with respect to such information.

 

F. Access to Protected Health Information.

 

Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set (as defined by Covered Entity), to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.

 

 

Page 4 of 9

 

G. Amendments to Protected Health Information.

 

Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. §164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.

 

H. Cooperation with Audits and Investigations.

 

Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.

 

I. Other Compliance Cooperation

 

Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, in a time and manner designated by the Covered Entity, for purposes of Covered Entity determining Business Associate's compliance with this Addendum.

 

J. Documentation of Disclosures.

 

Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.

 

K. Accounting of Disclosures.

 

Business Associate agrees to provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information collected in accordance with Section IV.J. of this Addendum, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. §164.528.

 

L. Other state and federal privacy laws

 

Notwithstanding any other provision in this Addendum, Business Associate shall comply with other state and federal privacy laws (except to the extent that they are preempted by the Privacy Rule) and shall not engage in any activity that would result in Covered Entity being in violation of any other state or federal privacy law.

Page 5 of 9

M. Compliance with Transactions and Code Set Rule

 

If Business Associate conducts a Transaction in whole or part for or on behalf of Covered Entity, Business Associate shall comply with all applicable requirements of the Transactions and Code Sets Rule and require any agent or subcontractor to comply with all applicable requirements of the Transactions and Code Set Rule.

 

V. Obligations of Covered Entity

 

A. Notice of Privacy Practices

 

Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520, as well as any changes to such notice.

 

B. Status of Individual Permissions

 

Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, if such changes affect Business Associate's permitted or required uses and disclosures.

 

C. Restrictions on Use and Disclosure

 

Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, if the restriction affects Business Associate's permitted or required uses and disclosures.

 

D. Permissible Requests by Covered Entity

 

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except for data aggregation or management and administrative activities of the Business Associate that are authorized under

Section III.B of this Addendum.

 

VI. Term and Termination

 

 A. Term.

 

The Term of this Addendum shall be effective as of April 14, 2003                           and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section VI.

Page 6 of 9

B. Automatic termination

 

This Addendum shall automatically terminate without any further action of the Parties upon the termination or expiration of the Core Services Agreement. In the event of such a termination, the provisions of Section VI.D shall apply.

 

C. Termination for Cause.

 

1. Material Breach.

 

In the event that Covered Entity determines that Business Associate has materially breached this Addendum, Covered Entity may either (i) immediately terminate this Addendum, the Core Service Agreement and any other related agreements or (ii) provide Business Associate with an opportunity to cure the breach in accordance with Section VI.C.2. In the event of a termination pursuant to this section, the provisions of Section VI.D shall apply.

 

2. Opportunity to cure option.

 

Covered Entity may elect to notify Business Associate of a material breach and provide Business Associate with the opportunity to cure the breach upon mutually satisfactory terms. Provided however, in the event that the Parties do not agree to mutually satisfactory terms within 60 days, Business Associate shall cure the breach to the satisfaction of the Covered Entity within 90 days. Business Associate's failure to cure a breach as set forth in this subsection is grounds for the immediate termination of this Addendum, the Core Services Agreement, and any other related agreements. In the event of a termination pursuant to this section, the provisions of Section VI.D shall apply.

 

D. Effect of Termination.

 

1. Return or Destruction of Protected Health Information.

 

Except as provided in Section VI.D.2, upon termination of this Addendum, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.

 

2. Return or Destruction Infeasible.

 

In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Addendum to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that makes the return or destruction infeasible, for so long as Business Associates maintains such Protected Health Information.

 

 

Page 7 of 9

 

 

VII. Notices.

 

Any notices or reports required under this Addendum shall be provided to the notice contact and the copy recipient both via the U.S. Mail or express courier and via facsimile, as provided below.

 

Designated Contact:  Michael S. Euculano

                     CBY Systems, Inc.

                     33 South Duke St.

                     York, PA 17401

                     fax: 717-845-1886

 

 

VIII. Miscellaneous.

 

A. Regulatory References.

 

A reference in this Addendum to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required.

 

B. Interpretation.

 

Any ambiguity in this Addendum shall be resolved in a favor of a meaning that permits Covered Entity to comply with the Privacy Rule.

 

 

C. Amendment.

 

The Parties agree to take such action as is necessary to amend this Addendum from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act, Public Law 104-191.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Page 8 of 9

D. Conflict with Core Services Agreement.

 

In the event that there is any conflict or inconsistency between the Core Services Agreement and this Addendum, this Addendum controls and arnends the Core Services Agreement.

 

E. Survival.

 

The respective rights and obligations of Business Associate under Section VI.D of this Addendum shall survive the termination of this Addendum.

 

F. Disputes.

 

The Parties agree to make a good faith effort to resolve any controversy, claim or dispute between the Parties with respect to this Addendum.

 

G. No third party beneficiaries.

 

This Addendum is not intended to confer any rights on any person other than the Parties.

 

 

 

 

 

 

COVERED ENTITY                  BUSINESS ASSOCIATE

 

By: ___________________________ By: ________________________________

 

Print Name: ___________________ Print Name: ________________________

 

Print Title: __________________ Print Title: _______________________

 

Date: __________________________ Date: ______________________________

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Page 9 of 9