THIS BUSINESS ASSOCIATE AGREEMENT (“BA Agreement”) is entered into by and between Cardiac Pacemakers, Inc. (“Boston Scientific”), with offices at 4100 Hamline Ave. North, St. Paul, MN 55112-5798 and the entity or individual identified in the associated LATITUDE PATIENT MANAGEMENT SYSTEM Licensee Enrollment Form (“Licensee”). Boston Scientific has entered into that certain LATITUDE License Agreement (“License Agreement”) with Licensee that requires the exchange of information about patients that is protected by the Health Insurance Portability and Accountability Act of 1996, as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. No. 111-5) (the “HITECH Act”) and the federal regulations published at 45 C.F.R. parts 160 and 164 (collectively “HIPAA”). The Licensee is a “Covered Entity” as that term is defined in HIPAA, and the parties desire to establish the responsibilities of both parties regarding HIPAA-covered information and to meet their obligations under HIPAA.
1. Definitions
Unless otherwise specified in this BA Agreement, all capitalized terms used in this BA Agreement not otherwise defined have the meaning set forth in HIPAA, as amended from time to time.
1.1. “Breach” shall mean the unauthorized acquisition, access, use, or disclosure of Protected Health Information that compromises the security or privacy of such information to the extent such compromise poses a significant risk of financial, reputational, or other harm to the individual. “Breach” shall not include:
1.1.1. any use or disclosure of PHI that does not include the individual’s date of birth, the individual’s zip code, and the identifiers listed at 45 CFR § 164.514(e)(2);
1.1.2. any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of Licensee or Boston Scientific, as long as such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual with Licensee or Boston Scientific and such information is not further acquired, accessed, used, or disclosed by any person;
1.1.3. an inadvertent disclosure from an individual who is otherwise authorized to access PHI at the Licensee to another individual authorized to access PHI at the Licensee, or from an individual who is otherwise authorized to access PHI at Boston Scientific to another individual authorized to access PHI at Boston Scientific, provided that any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed by any person; or
1.1.4. a disclosure of protected health information where Licensee or Boston Scientific has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
1.2. “Compliance Date” or “Compliance Dates” shall mean the date established by HHS or the United States Congress for the effective date of applicability and enforceability of the HIPAA Rules and HITECH Standards.
1.3. “Designated Record Set” shall mean a group of records maintained by or for Licensee that is (i) the medical records and billing records about individuals maintained by or for Licensee, (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for Licensee to make decisions about individuals.
1.4. “Destruction” means the use of a technology or methodology by which the media on which the PHI is stored or recorded has been shredded, destroyed, cleared, or purged, as appropriate, such that the PHI cannot be read, retrieved, or otherwise reconstructed. Redaction is inadequate for the purposes of destruction.
1.5. “Electronic PHI” shall mean Electronic Protected Health Information, as defined in 45 CFR § 160.103, limited to the information received from or created or received on behalf of Licensee by Boston Scientific solely for the purposes of Boston Scientific’s provision of services under the License Agreement for Licensee in its capacity as a Business Associate.
1.6. “Encryption” means a technology or methodology that utilizes an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, and such confidential process or key that might enable decryption has not been breached, and shall have the meaning given to such term under HIPAA, including 45 CFR § 164.304.
1.7. “HIPAA Rules” means the collective privacy, transaction and code sets, and security regulations promulgated pursuant to the Health Insurance Portability and Accountability Act, as codified at 45 CFR Parts 160, 162 & 164.
1.8. “HITECH Standards” means the privacy, security and security Breach notification provisions applicable to a Business Associate under the HITECH Act and any regulations promulgated thereunder.
1.9. “Individual” shall have the same meaning as the term "individual" in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
1.10. “PHI” means Protected Health Information, as defined in 45 CFR § 160.103, limited to the information received from or created or received on behalf of Licensee by Boston Scientific solely for the purposes of Boston Scientific’s provision of services in its capacity as a Business Associate under the License Agreement.
1.11. “Privacy Rule” means the privacy regulations at 45 CFR Part 160 and 45 CFR Part 164, Subparts A and E, as they exist now or as they may be amended.
1.12. “Required by Law” shall have the same meaning as the term "required by law" in 45 CFR § 164.103.
1.13. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
1.14. “Security Incident” shall have the same meaning as “security incident” in 45 CFR § 164.304.
1.15. “Security Rule” means the security regulations at 45 CFR Part 160 and 45 CFR Part 164, Subparts A and C, as they exist now or as they may be amended.
1.16. “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of an Encryption or Destruction technology or methodology specified by the Secretary in guidance issued under section 13402(h)(2) of the HITECH Act, as such guidance may be revised from time to time, and shall have the meaning given to such term under HIPAA, including 45 CFR § 164.402.
2. Use and Disclosure Obligations
2.1. Use or Disclosure. Boston Scientific agrees to use and/or disclose PHI only as permitted or required by this BA Agreement or as Required by Law applicable to Boston Scientific;
2.2. Minimum Necessary. Boston Scientific will take reasonable efforts to limit requests for, use and disclosure of PHI to the minimum necessary to accomplish the intended request, use or disclosure.
2.3. Safeguards. Boston Scientific agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as permitted or required by this BA Agreement and will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that Boston Scientific creates, receives, maintains, or transmits on behalf of Licensee.
2.4. Reporting. Boston Scientific agrees to promptly notify Licensee if Boston Scientific has knowledge that PHI has been used or disclosed by Boston Scientific in a manner that violates this BA Agreement. To the extent that Boston Scientific creates, receives, maintains, or transmits Electronic PHI, Boston Scientific agrees to report promptly to Licensee any Security Incident, as determined by Boston Scientific, involving PHI of which Boston Scientific becomes aware. Boston Scientific shall, following the discovery of a Breach of Unsecured PHI, notify Licensee of such Breach without unreasonable delay and in no event later than sixty (60) calendar days after the discovery, including the identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or disclosed during the Breach. A Breach shall be treated as discovered as of the first day on which such Breach is known or reasonably should have been known by Boston Scientific.
2.5. Subcontractors and Agents. Boston Scientific agrees to require all its subcontractors and agents that create, receive, use, disclose, or have access to PHI to perform services under the License Agreement for Licensee to agree, in writing, to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Boston Scientific, including that all of its subcontractors and agents to whom Boston Scientific provides Electronic PHI agree to implement reasonable and appropriate safeguards to protect such Electronic PHI.
2.6. Accountability. Boston Scientific agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Boston Scientific on behalf of the Licensee, available to Licensee within ten (10) business days, or at the request of the Licensee or the Secretary, to the Secretary in a time and manner directed by the Secretary, for purposes of the Secretary determining the Licensee’s compliance with HIPAA. Any release of information regarding Boston Scientific’s practices, books and records is proprietary to Boston Scientific and both parties shall treat such information as confidential and shall not disclose further without the written permission of Boston Scientific, except as necessary to comply with HIPAA.
2.7. Access and Correction. Within fifteen (15) business days of a request by the Licensee, Boston Scientific shall provide access to Licensee to PHI in a Designated Record Set in order to meet the requirements under 45 CFR § 164.524. If Boston Scientific receives a request directly from an Individual, or if requested by the Licensee that access be provided to the Individual, Boston Scientific shall provide access to the Individual to PHI in a Designated Record Set within thirty (30) days in order to meet the requirements under 45 CFR § 164.524. Within sixty (60) days of a request by the Licensee or subject Individual, Boston Scientific agrees to make any appropriate amendment(s) to PHI in a Designated Record Set that Licensee directs or agrees to pursuant to 45 CFR § 164.526.
2.8. Accounting. Within thirty (30) days of a proper request by the Licensee, Boston Scientific agrees to document and make available to Licensee, for a reasonable cost-based fee (under conditions permitted by HIPAA if an Individual requests an accounting more than once during a twelve month period), such disclosures of PHI and information related to such disclosures necessary to respond to such request for an accounting of disclosures of PHI, in accordance with 45 CFR § 164.528. Within sixty (60) days of proper request by subject Individual, Boston Scientific agrees to make available to the Individual the information described above. Boston Scientific shall retain copies of any accountings for a period of six (6) years from the date the accounting was created.
2.9. Mitigation. Boston Scientific agrees to mitigate, to the extent practicable, any harmful effect that is known to Boston Scientific of a use or disclosure of PHI by Boston Scientific in violation of this BA Agreement.
2.10. Specific Use or Disclosure. If and only to the extent that Boston Scientific retains PHI in its possession and such PHI constitutes a Designated Record Set, Boston Scientific agrees as follows with regard to such PHI:
2.10.1. within thirty (30) days of receiving a written request from Licensee, to make available the PHI necessary for Licensee to respond to individuals’ requests for access to PHI about them; and
2.10.2. within thirty (30) days of receiving a written request from Licensee, incorporate any amendments or corrections to the PHI in accordance with the Privacy Rule.
2.11. Restrictions on Use or Disclosure. Within fifteen (15) business days of a request of the Licensee, Boston Scientific agrees to implement restrictions on the use or disclosure of PHI agreed to by the Licensee at the request of an Individual in accordance with 45 CFR § 164.522.
2.12. HITECH Compliance. Notwithstanding any other provision in this BA Agreement, no later than February 17, 2010, unless a separate effective date is specified by law or this BA Agreement for a particular requirement (in which case the separate effective date shall be the effective date for that particular requirement) Boston Scientific agrees to comply with the HITECH Standards to the extent applicable to Business Associates including, but not limited to: (i) compliance with the requirements regarding minimum necessary under HITECH Act § 13405(b); (ii) requests for restrictions on use or disclosure to health plans for payment or health care operations purposes when the provider has been paid out of pocket in full consistent with HITECH Act § 13405(a); (iii) the prohibition of sale of PHI without authorization unless an exception under HITECH Act § 13405(d) applies; (iv) the prohibition on receiving remuneration for certain communications that fall within the exceptions to the definition of marketing under 45 CFR § 164.501 unless permitted by this Agreement and HITECH Act § 13406; (v) the requirements relating to the provision of access to certain information in electronic access under HITECH Act § 13405(e); (vi) compliance with each of the Standards and Implementation Specifications of 45 CFR § 164.308 (Administrative Safeguards), 45 CFR § 164.310 (Physical Safeguards), 45 CFR § 164.312 (Technical Safeguards), and 45 CFR § 164.316 (Policies and Procedures and Documentation Requirements); and (vii) as of the separate compliance date set forth in regulations promulgated under the HITECH Act on this topic, the requirements regarding accounting of certain disclosures of PHI maintained in an Electronic Health Record under HITECH Act § 13405(c) to the extent that Boston Scientific discloses any PHI maintained in an Electronic Health Record on behalf of the Licensee pursuant to this BA Agreement.
3. Permitted Uses and Disclosures of PHI.
Unless otherwise limited herein, in addition to any other uses and/or disclosures permitted or required by this BA Agreement or required by law, Boston Scientific may:
3.1. make any and all uses and disclosures of PHI necessary to provide the services in connection with the LATITUDE PATIENT MANAGEMENT SYSTEM;
3.2. use the PHI in its possession for its proper management and administration and to fulfill any legal responsibilities of Boston Scientific;
3.3. disclose the PHI in its possession to a third party for the purpose of Boston Scientific’s proper management and administration or to fulfill any legal responsibilities of Boston Scientific; provided, however, that the disclosures are Required by Law or Boston Scientific has received from the third party written assurances that (i) the information will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the third party; and (ii) the third party will notify Boston Scientific of any instances of which it becomes aware in which the confidentiality of the information has been breached;
3.4. perform Data Aggregation for the Health Care Operations of Licensee;
3.5. de-identify any and all PHI created or received by Boston Scientific under this BA Agreement; provided, however, that the de-identification conforms to the requirements of the Privacy Rule. Such resulting de-identified information would not be subject to the terms of this BA Agreement; and
3.6. may use the PHI to create Limited Data Sets consistent with the requirements of 45 CFR § 164.514(e)(2) of the Privacy Rule (“LDS”). Boston Scientific may use or disclose the LDS only for the limited purposes of Research, Public Health, or Health Care Operations, and the LDS will include only the minimum data fields necessary to accomplish these limited purposes. Boston Scientific will comply with this BA Agreement with respect to the use and disclosure of the LDS.
4. Responsibilities of Licensee.
Licensee agrees:
4.1. to obtain any consent, authorization or permission that may be required by the Privacy Rule or any other applicable federal, state or local laws and/or regulations prior to furnishing PHI to Boston Scientific and will notify Boston Scientific of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Boston Scientific’s use or disclosure of PHI.
4.2. to inform Boston Scientific of any PHI that is subject to any arrangements permitted or required of Licensee under the Privacy Rule that may materially impact in any manner the use and/or disclosure of PHI by Boston Scientific under this BA Agreement, including, but not limited to, restrictions on the use and/or disclosure of PHI as provided for in 45 CFR § 164.522 and agreed to by Licensee;
4.3. to notify Boston Scientific of any limitation(s) in the notice of privacy practices of the Licensee in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Boston Scientific’s use or disclosure of PHI.
4.4. to not request that Boston Scientific use or disclose PHI in any manner that would exceed that which is minimally necessary under HIPAA or that would not be permitted by a Covered Entity;
4.5. to have entered into "Business Associate Agreements" with any third parties (e.g., case managers, brokers or third party administrators) to which Licensee directs and authorizes Boston Scientific to disclose PHI; and
4.6. prior to using the name or any trademark or tradename of Boston Scientific in any written or oral communication to the public, including any notices provided under HIPAA, to first give Boston Scientific the opportunity to review and comment on the proposed communication.
5. Term and Termination.
This BA Agreement will be effective as of the Effective Date and will continue in effect until terminated in accordance with the provisions herein.
5.1. Termination by Licensee. Upon Licensee’s determination of a breach of a material term of this BA Agreement by Boston Scientific, Licensee will provide Boston Scientific written notice of that breach in sufficient detail to enable Boston Scientific to understand the specific nature of that breach and afford Boston Scientific an opportunity to cure the breach; provided, however, that if Boston Scientific fails to cure the breach within a reasonable time specified by Licensee, which shall not be less than thirty (30) days, Licensee may terminate this BA Agreement and the associated License Agreement to the extent that the provision of services under the License Agreement requires Boston Scientific to create or receive PHI. If Licensee terminates this BA Agreement, Boston Scientific will have no continuing obligation to provide any services under the License Agreement to the Licensee.
5.2. Termination by Boston Scientific. Without limiting any other termination rights of the parties, upon Boston Scientific’s knowledge of a material breach by the Licensee of this BA Agreement, Boston Scientific shall notify Licensee of such breach and the Licensee shall have thirty (30) days to cure such breach. In the event the Licensee does not cure the breach, or cure is infeasible, Boston Scientific shall have the right to immediately terminate this BA Agreement and the underlying services. If cure of the material breach is infeasible, consistent with HIPAA, Boston Scientific shall report the violation to the Secretary.
5.3. Return of PHI. Except as provided in the section below, upon termination of this BA Agreement for any reason, Boston Scientific will return or destroy all PHI received from Licensee, or created or received by Boston Scientific on behalf of Licensee. This provision will apply to PHI that is in the possession of subcontractors or agents of Boston Scientific.
5.4. Protection of PHI. In the event that Boston Scientific determines that returning or destroying the PHI is infeasible, Boston Scientific will notify Licensee of the conditions that make return or destruction infeasible. In that event: (i) Boston Scientific will extend the protections of this BA Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Boston Scientific maintains such PHI; and (ii) Licensee will comply with its obligations under this BA Agreement with respect to any PHI retained by Boston Scientific after the termination or expiration of this BA Agreement. This section will survive any termination or expiration of this BA Agreement.
6. Indemnification.
Each party (the “Indemnifying Party”) shall indemnify and hold the other party and its officers, directors, employees and agents (each an “Indemnified Party”) harmless from and against any claim, cause of action, liability, damage, cost or expense (“Liabilities”) to which the Indemnified Party becomes subject to as a result of third party claims (including reasonable attorneys' fees and court or proceeding costs) brought against the Indemnified Party, which arise as a result of: (i) the material breach of this BA Agreement by the Indemnifying Party; or (ii) the gross negligence or willful misconduct of the Indemnifying Party, except to the extent such Liabilities were caused by the Indemnified Party. A party entitled to indemnification under this Section 6 shall give prompt written notification to the Indemnifying Party of the commencement of any action, suit or proceeding relating to a third party claim for which indemnification is sought, subject to applicable confidentiality constraints. The Indemnifying Party shall be entitled to assume control of the defense of such action, suit, proceeding or claim with competent counsel of its choosing. Indemnification shall not be required if any claim is settled without the Indemnifying Party’s consent, which such consent shall not be unreasonably withheld. NOTWITHSTANDING THE FOREGOING PROVISIONS OF THIS SECTION, IN NO EVENT WILL AN INDEMNIFYING PARTY BE LIABLE TO AN INDEMNIFIED PARTY UNDER CONTRACT, TORT, OR ANY OTHER LEGAL THEORY FOR INCIDENTAL, CONSEQUENTIAL, INDIRECT, PUNITIVE, OR SPECIAL LOSSES OR DAMAGES OF ANY KIND.
7. Miscellaneous.
7.1. Amendment. The parties acknowledge that the foregoing provisions are designed to comply with the mandates of HIPAA and HITECH Standards. Boston Scientific may amend this BA Agreement from time to time to the extent that any final regulation or amendment to final regulations promulgated by the Secretary or changes and amendments to HIPAA require changes to this BA Agreement by providing electronic notice of the amended BA Agreement and by posting an updated version of the BA Agreement on the Boston Scientific website. The notice shall include any additional amendment required by any such final regulation and the BA Agreement shall be automatically amended to incorporate the changes set forth in such amendment provided by Boston Scientific to Licensee, unless Licensee objects to such amendment in writing within fifteen (15) days of the transmission of such electronic notice. In the event that Licensee objects timely to such amendment, the parties shall work in good faith to reach agreement on an amendment to the BA Agreement that complies with the final regulations. If the parties are unable to reach agreement regarding an amendment to the BA Agreement within thirty (30) days of the date that Boston Scientific receives any written objection from the Licensee, either Boston Scientific or Licensee may terminate this BA Agreement upon ninety (90) days written notice to the other party. Any other amendment to this BA Agreement unrelated to compliance with applicable law and regulations shall be effective only upon execution of a written agreement between the parties.
7.2. No Third-Party Beneficiaries. Nothing express or implied in this BA Agreement or any associated agreement between the parties is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations or liabilities whatsoever.
7.3. Severability. If any provision of this BA Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remaining portions will remain in full force and effect.
7.4. Waiver. No failure or delay by either party in exercising any right hereunder will operate as a waiver thereof.
7.5. Assignment. If a party wishes to assign or otherwise transfer this BA Agreement, or any of its rights or obligations hereunder, to anyone, such party must obtain the other’s prior written consent, which will not be unreasonably withheld provided that it will be reasonable to withhold consent if the assignee is a competitor of the non-assigning party. Boston Scientific may assign this BA Agreement, or any of its rights or obligations hereunder, to any of its affiliates without any notice to or consent of Licensee. Any attempted assignment or transfer not expressly permitted by the foregoing will be void. This BA Agreement will be binding on the parties, their successors and permitted assigns.
7.6. Interpretation. Any ambiguity in this BA Agreement shall be resolved in favor of a meaning that permits the Licensee and Boston Scientific to comply with HIPAA and the HITECH Standards and be construed in light of any applicable interpretation or guidance on HIPAA, the Privacy Rule, and/or the Security Rule issued by HHS or the Office for Civil Rights.
7.7. Contradictory Terms. The parties agree that any provision of any other agreement between the parties, including any other business associate agreement, regardless of when executed, which concerns the parties’ exchange of PHI and which contradicts one or more terms of this BA Agreement, or which would have the effect of diminishing a right, increasing a duty, or shortening a deadline applicable to Boston Scientific under this BA Agreement (collectively, a “Contradictory Term”), shall be superseded by the terms of this BA Agreement unless Boston Scientific expressly waives such superseding effect in a separately written agreement referencing this section.
7.8. Notices. All notices pursuant to this BA Agreement must be given in accordance with the following. If to Boston Scientific, by first class mail to 4100 Hamline Ave. North, St. Paul, MN 55112-5798, Attention: Legal/HIPAA. If to Licensee, by postal address, email address, or facsimile number on record with Boston Scientific in association with the License Agreement.
7.9. Effective Date. This BA Agreement shall be effective as of the Effective Date of the License Agreement; provided, however, that any term or condition that relates to obligations of either party only will be effective on the later of the Effective Date of this BA Agreement or the Compliance Date applicable to such obligations under HIPAA.
7.10. Acceptance by Licensee. Execution of this BA Agreement by Licensee is not required. Licensee shall be deemed to have accepted this BA Agreement in all respects by acceptance of the License Agreement by the Licensee and any use or access to the LATITUDE PATIENT MANAGEMENT SYSTEM after the Effective Date.
| CARDIAC PACEMAKERS, INC. | LICENSEE |
| --- | --- |
| | |
| SIGNATURE | SIGNATURE |
| Kenneth P. Mortensen, Esq. | |
| PRINTED NAME | PRINTED NAME |
| Chief Privacy Officer | |
| TITLE | TITLE |
| 2/10/2010 | |
| DATE | DATE |