Business Associate Agreement
SMART HOUSE CALLS, LLC d/b/a SmartHouseCalls.com (“SHC”) provides connective services that permit physicians and other health care providers to interact with their patients via the Internet. SHC does not retain any of the information generated during these interactions and basically functions as a “conduit” for the transmission of health information. However, to the extent that SHC is deemed to have access to or to use or possess any of this information for any period of time in such a way that it is required to comply with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA Privacy and Security Rules”) (45 C.F.R. Parts 160 and 164), SHC will enter into a “business associate agreement” (or “BAA”) with all of its provider customers prior to the provision of access to its system. This document summarizes and briefly describes SHC’s obligations to its Customers under the BAA. To the extent that the terms and conditions of this Notice are different from those contained in the BAA between SHC and its customer, the terms of the BAA shall control.
I. DEFINITIONS
Except as otherwise defined herein, any and all capitalized terms in this Notice shall have the definitions set forth in the HIPAA Privacy and Security Rules.
The term “Breach” means the unauthorized acquisition, access, use, or disclosure of Protected Health Information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. The term “Breach” does not include: (1) any unintentional acquisition, access, or use of Protected Health Information by any employee or individual acting under the authority of a covered entity or SHC if (a) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or SHC, and (b) such information is not further acquired, accessed, used, or disclosed by any person; or (2) any inadvertent disclosure from an individual who is otherwise authorized to access Protected Health Information at a facility operated by a covered entity or SHC to another similarly situated individual at same facility; and (3) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.
The term “Customer” means a provider of health care services that is a “Covered Entity” as that term is defined in the HIPAA Privacy and Security Rules and that has signed an agreement with SHC to purchase its products and services.
The term “Electronic Health Record” means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by a Customer.
The term “Protected Health Information” means individually identifiable health information including, without limitation, all information, data, documentation, and materials, including without limitation, demographic, medical and financial information, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is reasonable basis to believe the information can be used to identify the individual. “Protected Health Information” includes, without limitation, “Electronic Protected Health Information,” as defined below.
The term “Electronic Protected Health Information” means Protected Health Information which is transmitted by or maintained in Electronic Media (as now or hereafter defined in the HIPAA Privacy and Security Rules).
The term “Secretary” means the Secretary of the Department of Health and Human Services.
The term “Unsecured Protected Health Information” means Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance published in the Federal Register at 74 Fed. Reg. 19006 on April 27, 2009 and in annual guidance published thereafter.
II. PERMITTED USES AND DISCLOSURES
a. SHC may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, our Customers, provided that such use or disclosure would not violate the HIPAA Privacy and Security Rules if done by our Customers.
b. SHC may use Protected Health Information in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of SHC, provided that such uses are permitted under state and federal confidentiality laws.
c. SHC may disclose Protected Health Information in its possession to third parties for the purposes of its proper management and administration or to fulfill any present or future legal responsibilities of SHC, provided that:
1. the disclosures are required by law; or
2. SHC obtains reasonable assurances from the third parties to whom the Protected Health Information is disclosed that the information will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the third party, and that such third parties will notify SHC of any instances of which they are aware in which the confidentiality of the information has been breached.
III. OBLIGATIONS AND ACTIVITIES OF SHC
a. SHC will not use or further disclose Protected Health Information other than as permitted or required by our agreements with our Customers or as required by law.
b. SHC will use appropriate safeguards to prevent use or disclosure of Protected Health Information other than as provided for by this Notice. Specifically, SHC will:
1. implement the administrative, physical, and technical safeguards set forth in Sections 164.308, 164.310, and 164.312 of the HIPAA Privacy and Security Rules that reasonably and appropriately protect the confidentiality, integrity, and availability of any Protected Health Information that it creates, receives, maintains, or transmits on behalf of its Customers, and, in accordance with Section 164.316 of the HIPAA Privacy and Security Rules, implement and maintain reasonable and appropriate policies and procedures to enable it to comply with the requirements outlined in Sections 164.308, 164.310, and 164.312; and
2. report to the affected Customer any use or disclosure of Protected Health Information not provided for by this Notice of which SHC becomes aware. SHC shall report to the affected Customer any Security Incident of which it becomes aware. For purposes of this Notice, “Security Incident” means the successful unauthorized access, use, disclosure, modification, or destruction of Protected Health Information or interference with system operations in an information system, of which SHC has knowledge or should, with the exercise of reasonable diligence, have knowledge, excluding (i) “pings” on an information system firewall; (ii) port scans; (iii) attempts to log on to an information system or enter a database with an invalid password or user name; (iv) denial-of-service attacks that do not result in a server being taken offline; or (v) malware (e.g., a worm or a virus) that does not result in unauthorized access, use, disclosure, modification or destruction of Protected Health Information. The report shall be made as soon as practical, and in any event within ten (10) days of the impermissible use or disclosure.
c. SHC agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by SHC on behalf of any of our customers, agrees to the same restrictions and conditions that apply through this Notice to SHC with respect to such information.
d. SHC agrees that it will make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by SHC on behalf of, Covered Entity, available to the Secretary for the purpose of determining Covered Entity’s compliance with the HIPAA Privacy and Security Rules, in a time and manner designated by the Secretary.
e. SHC agrees that, while present at any Customer facility and/or when accessing a customer’s computer network(s), it and all of its employees, agents, representatives and subcontractors will at all times comply with any network access and other security practices, procedures and/or policies established by the Customer including, without limitation, those established pursuant to the HIPAA Privacy and Security Rules.
f. SHC agrees that it will not directly or indirectly receive remuneration for any written communication that uses Protected Health Information to encourage an individual to purchase or use a product or service without first obtaining the written authorization of the individual or the individual’s representative, unless:
1. such payment is for a communication regarding a drug or biologic currently prescribed for the individual and is reasonable in amount (as defined by the Secretary); or
2. the communication is made on behalf of our Customer and is consistent with the terms of the BAA.
IV. SHC’S MITIGATION AND BREACH NOTIFICATION OBLIGATIONS
a. SHC agrees to mitigate, to the extent practicable, any harmful effect that is known to SHC of a use or disclosure of Protected Health Information by SHC in violation of the requirements of the BAA.
b. Following the discovery of a Breach of Unsecured Protected Health Information, SHC shall notify the affected Customer of such Breach without unreasonable delay and in no case later than thirty (30) calendar days after discovery of the Breach. A Breach shall be treated as discovered by SHC as of the first day on which such Breach is known to SHC or, through the exercise of reasonable diligence, would have been known to SHC.
c. Notwithstanding the provisions of Section IV.b., above, if a law enforcement official states to SHC that notification of a Breach would impede a criminal investigation or cause damage to national security, then:
1. if the statement is in writing and specifies the time for which a delay is required, SHC shall delay such notification for the time period specified by the official; or
2. if the statement is made orally, SHC shall document the statement, including the identity of the official making it, and delay such notification for no longer than thirty (30) days from the date of the oral statement unless the official submits a written statement during that time.
Following the period of time specified by the official, SHC shall promptly deliver a copy of the official’s statement to the affected Customer.
d. The Breach notification provided shall include, to the extent possible:
1. the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by SHC to have been, accessed, acquired, used, or disclosed during the Breach;
2. a brief description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
3. a description of the types of Unsecured Protected Health Information that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
4. any steps individuals should take to protect themselves from potential harm resulting from the Breach;
5. a brief description of what SHC is doing to investigate the Breach, to mitigate harm to individuals, and to protect against any further Breaches and when such steps were taken; and
6. contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
e. SHC shall provide the information specified in Section IV.d., above, to the affected Customer at the time of the Breach notification if possible or promptly thereafter as information becomes available. SHC shall not delay notification to a customer that a Breach has occurred in order to collect the information described in Section IV.d. and shall provide such information to the Customer even if the information becomes available after the thirty (30)-day period provided for initial Breach notification.
V. MISCELLANEOUS
a. No Rights in Third Parties. Except as expressly stated in the BAA or in the HIPAA Privacy and Security Rules, SHC does not intend to create any rights in any third parties, including the patients of Customers.
b. Amendment. The BAA may be amended or modified by SHC at any time. Customers not agreeing to modifications of the BAA may be required to discontinue receiving services from SHC.
c. Independent Contractor. None of the provisions of the BAA are intended to create, nor will they be deemed to create, any relationship between SHC and its Customers other than that of independent parties contracting with each other.
d. Governing Law. To the extent the BAA is not governed exclusively by the HIPAA Privacy and Security Rules or other provisions of federal statutory or regulatory law, it will be governed by and construed in accordance with the substantive laws of the State of Georgia.