THIS BUSINESS ASSOCIATE AGREEMENT (“BA Agreement”) is entered into by and between Cardiac Pacemakers, Inc. (“Boston Scientific”), with offices at 4100 Hamline Ave. North, St. Paul, MN 55112-5798 and the entity or individual identified in the associated LATITUDE PATIENT MANAGEMENT SYSTEM Licensee Enrollment Form (“Licensee”). Boston Scientific has entered into that certain LATITUDE License Agreement (“License Agreement”) with Licensee that requires the exchange of information about patients that is protected by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") as applicable to Business Associates, as well as any amendments or additions thereto, including amendments made by the HITECH Act and GINA (defined below). As a condition to Licensee having access to the LATITUDE PATIENT MANAGEMENT SYSTEM and by entering into the License Agreement, Licensee has agreed and agrees to the terms and conditions set forth in this BA Agreement. The Licensee is a "Covered Entity" as that term is defined in HIPAA, and the parties desire to establish the responsibilities of both parties regarding HIPAA-covered information and to meet their obligations under HIPAA.
Unless otherwise specified in this BA Agreement, all capitalized terms used in this BA Agreement not otherwise defined have the meaning set forth in HIPAA, as amended from time to time.
1.1. “Breach Notification Rule” means the breach notification regulations at 45 CFR Part 160 and 45 CFR Part 164, Subpart D, as they exist now or as they may be amended.
1.2. “Compliance Date” or “Compliance Dates” shall mean the date established by HHS or the United States Congress for effective date of applicability and enforceability of HIPAA and the HITECH Act.
1.3. “Data Aggregation” shall have the meaning assigned to such a term in 45 CFR § 164.501, and includes, but is not limited to, combining Phi created or received to permit data analysis services for Licensee as specified in a written agreement and consistent with this BAA.
1.4. “Designated Record Set” shall have the meaning assigned to such term in 45 CFR § 164.501, but shall be limited to any item, collection or grouping of Phi maintained, created, or received by or for Licensee.
1.5. “Destruction” means the use of a technology or methodology by which the media on which the PHI is stored or recorded has been shredded, destroyed, cleared, or purged, as appropriate, such that the PHI cannot be read, retrieved, or otherwise reconstructed. Redaction is inadequate for the purposes of destruction.
1.6. “Electronic PHI” or “EPHI” shall mean Electronic Protected Health Information, as defined in 45 CFR § 160.103, limited to the information received from or created or received on behalf of Licensee by Boston Scientific solely for the purposes of Boston Scientific’s provision of services under the License Agreement for Licensee in its capacity as a Business Associate.
1.7. “Encryption” shall mean a technology or methodology that utilizes an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, and such confidential process or key that might enable decryption has not been breached, and shall have the meaning given to such term under HIPAA, including 45 CFR § 164.304.
1.8. “GINA” shall mean the Genetic Information Nondiscrimination Act of 2008 and any implementing regulations or guidance thereunder.
1.9. “HIPAA” shall mean the Health Insurance Portability and Accountability Act, as modified and amended, and its implementing regulations, and incorporating any amendments thereto made by the HITECH Act, GINA, and other applicable laws or regulations.
1.10. “HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009, enacted February 17, 2009, and any implementing regulations or guidance thereunder.
1.11. “Individual” shall have the same meaning as the term "individual" in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
1.12. “Protected Health Information” or “PHI” shall have the meaning set forth in 45 CFR § 164.103, limited, however, to the information that Boston Scientific creates, accesses, or receives on behalf of Licensee. PHI includes EPHI.
1.13. “Privacy Rule” shall mean the privacy regulations at 45 CFR Part 160 and 45 CFR Part 164, Subparts A and E, as they exist now or as they may be amended.
1.14. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
1.15. “Security Rule” shall mean the security regulations at 45 CFR Part 160 and 45 CFR Part 164, Subparts A and C, as they exist now or as they may be amended.
1.16. “Unsecured PHI” shall have the meaning assigned to such term in 45 CFR § 164.402, limited however, to the information that Boston Scientific creates, accesses, or receives on behalf of Licensee.
2.1. Use or Disclosure. Boston Scientific agrees to use and/or disclose PHI only as permitted or required by this BA Agreement or as Required by Law applicable to Boston Scientific;
2.2. Minimum Necessary. Boston Scientific will take reasonable efforts to limit requests for, use and disclosure of PHI to the minimum necessary to accomplish the intended request, use or disclosure.
2.3. Safeguards. Boston Scientific agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as permitted or required by this BA Agreement and will comply with the Security Rule with respect to Electronic PHI that Boston Scientific creates, receives, maintains, or transmits on behalf of Licensee.
2.4. Reporting. Boston Scientific agrees to promptly notify Licensee if Boston Scientific has knowledge that PHI has been used or disclosed by Boston Scientific in a manner that violates this BA Agreement. To the extent that Boston Scientific creates, receives, maintains, or transmits Electronic PHI, Boston Scientific agrees to report promptly to Licensee any Security Incident, as determined by Boston Scientific, involving PHI of which Boston Scientific becomes aware, in accordance with the Breach Notification Rule. Boston Scientific shall, following the discovery of a Breach of Unsecured PHI, notify Licensee of such Breach without unreasonable delay and in no event later than sixty (60) calendar days after the discovery, including the identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or disclosed during the Breach. A Breach shall be treated as discovered as of the first day on which such Breach is known or reasonably should have been known by Boston Scientific.
2.5. Subcontractors and Agents. Boston Scientific agrees to require all its subcontractors and agents that create, receive, maintain, transmit, use, disclose, or have access to PHI to perform services under the License Agreement for Licensee to agree, in writing, to the same restrictions and conditions on the use and/or disclosure of PHI that apply to Boston Scientific, including that all of its subcontractors and agents to whom Boston Scientific provides Electronic PHI agree to comply with the applicable standards of the Security Rule and implement reasonable and appropriate safeguards to protect such Electronic PHI. If Boston Scientific becomes aware of a pattern of activity or practice of a subcontractor that constitutes a material violation of the subcontractor’s obligations under the written agreement described above, Boston Scientific agrees to take reasonable steps to cure or end the violation, and if such steps are unsuccessful, to terminate the agreement, if feasible.
2.6. Accountability. Boston Scientific agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Boston Scientific on behalf of the Licensee, available to Licensee within ten (10) business days, or at the request of the Licensee or the Secretary, to the Secretary in a time and manner directed by the Secretary, for purposes of the Secretary determining the Licensee’s compliance with HIPAA. Any release of information regarding Boston Scientific’s practices, books and records is proprietary to Boston Scientific and both parties shall treat such information as confidential and shall not disclose further without the written permission of Boston Scientific, except as necessary to comply with HIPAA.
2.7. Access and Correction. Within fifteen (15) business days of a request by the Licensee, Boston Scientific shall provide access to Licensee to PHI in a Designated Record Set in order to meet the requirements under 45 CFR § 164.524. If Boston Scientific receives a request directly from an Individual, or if requested by the Licensee that access be provided to the Individual, Boston Scientific shall provide access to the Individual to PHI in a Designated Record Set within thirty (30) days in order to meet the requirements under 45 CFR § 164.524. Within sixty (60) days of a request by the Licensee or subject Individual, Boston Scientific agrees to make any appropriate amendment(s) to PHI in a Designated Record Set that Licensee directs or agrees to pursuant to 45 CFR § 164.526.
2.8. Accounting. Within thirty (30) days of a proper request by the Licensee, Boston Scientific agrees to document and make available to Licensee, for a reasonable cost-based fee (under conditions permitted by HIPAA if an Individual requests an accounting more than once during a twelve month period), such disclosures of PHI and information related to such disclosures necessary to respond to such request for an accounting of disclosures of PHI, in accordance with 45 CFR § 164.528. Within sixty (60) days of proper request by subject Individual, Boston Scientific agrees to make available to the Individual the information described above. Boston Scientific shall retain copies of any accountings for a period of six (6) years from the date the accounting was created.
2.9. Mitigation. Boston Scientific agrees to mitigate, to the extent practicable, any harmful effect that is known to Boston Scientific of a use or disclosure of PHI by Boston Scientific in violation of this BA Agreement.
2.10. Specific Use or Disclosure. If and only to the extent that Boston Scientific retains PHI in its possession and such PHI constitutes a Designated Record Set, Boston Scientific agrees as follows with regard to such PHI:
2.10.1. within thirty (30) days of receiving a written request from Licensee, to make available the PHI necessary for Licensee to respond to individuals’ requests for access to PHI about them; and
2.10.2. within thirty (30) days of receiving a written request from Licensee, incorporate any amendments or corrections to the PHI in accordance with the Privacy Rule.
2.11. Restrictions on Use or Disclosure. Within fifteen (15) business days of a request of the Licensee, Boston Scientific agrees to implement restrictions on the use or disclosure of PHI agreed to by the Licensee at the request of an Individual in accordance with 45 CFR § 164.522.
2.12. Remuneration in Exchange for PHI. Except as permitted under 45 CFR § 164.502(a)(5)(ii), Boston Scientific agrees that it shall not directly or indirectly receive remuneration in exchange for PHI from or on behalf of the recipient of such PHI. 3. Responsibilities of Covered Entity.
Unless otherwise limited herein, in addition to any other uses and/or disclosures permitted or required by this BA Agreement or required by law, Boston Scientific may:
3.1. make any and all uses and disclosures of PHI necessary to provide the services in connection with the LATITUDE PATIENT MANAGEMENT SYSTEM;
3.2. use the PHI in its possession for its proper management and administration and to fulfill any legal responsibilities of Boston Scientific;
3.3. disclose the PHI in its possession to a third party for the purpose of Boston Scientific’s proper management and administration or to fulfill any legal responsibilities of Boston Scientific; provided, however, that the disclosures are Required by Law or Boston Scientific has received from the third party written assurances that (i) the information will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the third party; and (ii) the third party will notify Boston Scientific of any instances of which it becomes aware in which the confidentiality of the information has been breached;
3.4. perform Data Aggregation for the Health Care Operations of Licensee;
3.5. de-identify any and all PHI created or received by Boston Scientific under this BA Agreement; provided, however, that the de-identification conforms to the requirements of the Privacy Rule. Such resulting de-identified information would not be subject to the terms of this BA Agreement; and
3.6. may use the PHI to create Limited Data Sets consistent with the requirements of 45 CFR § 164.514(e)(2) of the Privacy Rule (“LDS”). Boston Scientific may use or disclose the LDS only for the limited purposes of Research, Public Health, or Health Care Operations, and the LDS will include only the minimum data fields necessary to accomplish these limited purposes. Boston Scientific will comply with this BA Agreement with respect to the use and disclosure of the LDS.
4.1. to obtain any consent, authorization or permission that may be required by the Privacy Rule or any other applicable federal, state or local laws and/or regulations prior to furnishing PHI to Boston Scientific and will notify Boston Scientific of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Boston Scientific’s use or disclosure of PHI.
4.2. to inform Boston Scientific of any PHI that is subject to any arrangements permitted or required of Licensee under the Privacy Rule that may materially impact in any manner the use and/or disclosure of PHI by Boston Scientific under this BA Agreement, including, but not limited to, restrictions on the use and/or disclosure of PHI as provided for in 45 CFR § 164.522 and agreed to by Licensee;
4.3. to notify Boston Scientific of any limitation(s) in the notice of privacy practices of the Licensee in accordance with 45 CFR. § 164.520, to the extent that such limitation may affect Boston Scientific’s use or disclosure of PHI.
4.4. to not request that Boston Scientific use or disclose PHI in any manner that would exceed that which is minimally necessary under HIPAA or that would not be permitted by a Covered Entity;
4.5. to have entered into "Business Associate Agreements" with any third parties (e.g., case managers, brokers or third party administrators) to which Licensee directs and authorizes Boston Scientific to disclose PHI; and
4.6. prior to using the name or any trademark or tradename of Boston Scientific in any written or oral communication to the public, including any notices provided under HIPAA, to first give Boston Scientific the opportunity to review and comment on the proposed communication.
This BA Agreement will be effective as of the Effective Date and will continue in effect until terminated in accordance with the provisions herein.
5.1. Termination by Licensee. Upon Licensee’s determination of a breach of a material term of this BA Agreement by Boston Scientific, Licensee will provide Boston Scientific written notice of that breach in sufficient detail to enable Boston Scientific to understand the specific nature of that breach and afford Boston Scientific an opportunity to cure the breach; provided, however, that if Boston Scientific fails to cure the breach within a reasonable time specified by Licensee, which shall not be less than thirty (30) days, Licensee may terminate this BA Agreement and the associated License Agreement to the extent that the provision of services under the License Agreement requires Boston Scientific to create or receive PHI. If Licensee terminates this BA Agreement, Boston Scientific will have no continuing obligation to provide any services under the License Agreement to the Licensee.
5.2. Termination by Boston Scientific. Without limiting any other termination rights of the parties, upon Boston Scientific’s knowledge of a material breach by the Licensee of this BA Agreement, Boston Scientific shall notify Licensee of such breach and the Licensee shall have thirty (30) days to cure such breach. In the event the Licensee does not cure the breach, or cure is infeasible, Boston Scientific shall have the right to immediately terminate this BA Agreement and the underlying services.
5.3. Return of PHI. Except as provided in the section below, upon termination of this BA Agreement for any reason, Boston Scientific will return or destroy all PHI received from Licensee, or created or received by Boston Scientific on behalf of Licensee. This provision will apply to PHI that is in the possession of subcontractors or agents of Boston Scientific.
5.4. Protection of PHI. In the event that Boston Scientific determines that returning or destroying the PHI is infeasible, Boston Scientific will notify Licensee of the conditions that make return or destruction infeasible. In that event: (i) Boston Scientific will extend the protections of this BA Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Boston Scientific maintains such PHI; and (ii) Licensee will comply with its obligations under this BA Agreement with respect to any PHI retained by Boston Scientific after the termination or expiration of this BA Agreement. This section will survive any termination or expiration of this BA Agreement.
Each party (the “Indemnifying Party”) shall indemnify and hold the other party and its officers, directors, employees and agents (each an “Indemnified Party”) harmless from and against any claim, cause of action, liability, damage, cost or expense (“Liabilities”) to which the Indemnified Party becomes subject to as a result of third party claims (including reasonable attorneys' fees and court or proceeding costs) brought against the Indemnified Party, which arise as a result of: (i) the material breach of this BA Agreement by the Indemnifying Party; or (ii) the gross negligence or willful misconduct of the Indemnifying Party, except to the extent such Liabilities were caused by the Indemnified Party. A party entitled to indemnification under this Section 6 shall give prompt written notification to the Indemnifying Party of the commencement of any action, suit or proceeding relating to a third party claim for which indemnification is sought, subject to applicable confidentiality constraints. The Indemnifying Party shall be entitled to assume control of the defense of such action, suit, proceeding or claim with competent counsel of its choosing. Indemnification shall not be required if any claim is settled without the Indemnifying Party’s consent, which such consent shall not be unreasonably withheld. NOTWITHSTANDING THE FOREGOING PROVISIONS OF THIS SECTION, IN NO EVENT WILL AN INDEMNIFYING PARTY BE LIABLE TO AN INDEMNIFIED PARTY UNDER CONTRACT, TORT, OR ANY OTHER LEGAL THEORY FOR INCIDENTAL, CONSEQUENTIAL, INDIRECT, PUNITIVE, OR SPECIAL LOSSES OR DAMAGES OF ANY KIND.
7.1. Amendment. The parties acknowledge that the foregoing provisions are designed to comply with the mandates of HIPAA. Boston Scientific may amend this BA Agreement from time to time to the extent that any changes or amendments to HIPAA require changes to this BA Agreement by providing electronic notice of the amended BA Agreement and by posting an updated version of the BA Agreement on the Boston Scientific website. The BA Agreement shall be automatically amended to incorporate the changes set forth in such amendment provided by Boston Scientific to Licensee, unless Licensee objects to such amendment in writing within fifteen (15) days of the transmission of such electronic notice. In the event that Licensee objects timely to such amendment, the parties shall work in good faith to reach agreement on an amendment to the BA Agreement that complies with the changes to the HIPAA regulations. If the parties are unable to reach agreement regarding an amendment to the BA Agreement within thirty (30) days of the date that Boston Scientific receives any written objection from the Licensee, either Boston Scientific or Licensee may terminate this BA Agreement upon ninety (90) days written notice to the other party. Any other amendment to this BA Agreement unrelated to compliance with applicable law and regulations shall be effective only upon execution of a written agreement between the parties.
7.2. No Third-Party Beneficiaries. Nothing express or implied in this BA Agreement or any associated agreement between the parties is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations or liabilities whatsoever.
7.3. Severability. If any provision of this BA Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remaining portions will remain in full force and effect.
7.4. Waiver. No failure or delay by either party in exercising any right hereunder will operate as a waiver thereof.
7.5. Assignment. If a party wishes to assign or otherwise transfer this BA Agreement, or any of its rights or obligations hereunder, to anyone, such party must obtain the other’s prior written consent, which will not be unreasonably withheld provided that it will be reasonable to withhold consent if the assignee is a competitor of the non-assigning party. Boston Scientific may assign this BA Agreement, or any of its rights or obligations hereunder, to any of its affiliates without any notice to or consent of Licensee. Any attempted assignment or transfer not expressly permitted by the foregoing will be void. This BA Agreement will be binding on the parties, their successors and permitted assigns.
7.6. Interpretation. Any ambiguity in this BA Agreement shall be resolved in favor of a meaning that permits the Licensee and Boston Scientific to comply with HIPAA and be construed in light of any applicable interpretation or guidance on HIPAA, the Privacy Rule, the Security Rule, and/or the Breach Notification Rule issued by HHS or the Office for Civil Rights.
7.7. Contradictory Terms. The parties agree that any provision of any other agreement between the parties, including any other business associate agreement, regardless of when executed, which concerns the parties’ exchange of PHI and which contradicts one or more terms of this BA Agreement, or which would have the effect of diminishing a right, increasing a duty, or shortening a deadline applicable to Boston Scientific under this BA Agreement (collectively, a “Contradictory Term”), shall be superseded by the terms of this BA Agreement unless Boston Scientific expressly waives such superseding effect in a separately written agreement referencing this section.
7.8. Notices. All notices pursuant to this BA Agreement must be given in accordance with the following. If to Boston Scientific, by first class mail to 4100 Hamline Ave. North, St. Paul, MN 55112-5798, Attention: Legal/HIPAA. If to Licensee, by postal address, email address, or facsimile number on record with Boston Scientific in association with the License Agreement.
7.9. Effective Date. This BA Agreement shall be effective as of as of the Effective Date of the License Agreement; provided, however, that any term or condition that relates to obligations of either party only will be effective on the later of the Effective Date of this BA Agreement or the Compliance Date applicable to such obligations under HIPAA.
7.10. Acceptance by Licensee. Execution of this BA Agreement by Licensee is not required. Licensee shall be deemed to have accepted this BA Agreement in all respects by acceptance of the License Agreement by the Licensee and any use or access to the LATITUDE PATIENT MANAGEMENT SYSTEM after the Effective Date.