BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is made and entered into by and between You, as our Client, and WageWorks, Inc. (and its subsidiaries), as your service provider, pursuant to the Service Agreement entered into by and between us on even date herewith. This Agreement is incorporated by reference into the Service Agreement, supersedes any prior Business Associate Agreement we have been party to and reflects the Omnibus HITECH Act Final Regulations as of January 25, 2013.
Unless otherwise defined, terms used in this Agreement have the same meaning as those terms in the Standards for Privacy of Individually Identifiable Health Information or the HIPAA Security Standards ("HIPAA Privacy & Security Rules"), found at 45 CFR Parts 160-164.
- Agreement means this Business Associate Agreement.
- Business Associate means WageWorks, Inc. and its subsidiaries.
- Covered Entity means You.
- HITECH Act means the HITECH Act of the American Recovery and Reinvestment Act of 2009 (Title XIII, Subtitle D of P.L. 111-5), enacted February 17, 2009 (codified at 42 USC § 17921 et seq.).
- Service Agreement means the Order Form(s) and General Terms and Conditions of Service.
Obligations and Activities of Business Associate
- Use or Disclosure of Protected Health Information. Business Associate agrees not to use or disclose Protected Health Information, other than as permitted or required by this Agreement or as required by Law.
- Safeguards. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.
- Duty to Mitigate. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.
- Duty to Report Violations. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware, including, where there is a breach of Protected Health Information, the identities of any individual whose Protected Health Information was breached.
- Agents. In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate agrees to ensure that any subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
- Access to Secretary. Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary of Health and Human Services, for purposes of the Secretary determining Covered Entity's compliance with the HIPAA Privacy & Security Rules.
- Access to Individuals. Business Associate agrees to provide individuals with access to their Protected Health Information, as held in a Designated Record Set by Business Associate, in order to meet the requirements under 45 CFR 164.524.
- Amendment of Protected Health Information. Business Associate agrees to make any amendment(s) to Protected Health Information it holds in a Designated Record Set, as directed by the Covered Entity pursuant to 45 CFR 164.526.
- Accounting of Disclosures. Business Associate agrees to document and provide a description of any disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. Business Associate agrees to provide such information to Covered Entity, or to an Individual at the direction of the Covered Entity, in order for Covered Entity to comply with the accounting requirements in 45 CFR 164.528.
- Covered Entity's Right to Restrict. Business Associate agrees to comply, upon communication by Covered Entity, with any restrictions to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522.
- HIPAA Security Standards. Business Associate agrees to comply with the HIPAA Privacy & Security Rules with respect to any Electronic Protected Health Information that Business Associate holds on behalf of the Plan.
  - Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information to prevent use or disclosure of Protected Health Information other than as provided for by the Agreement.
  - Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required in the HIPAA Privacy & Security Rules.
  - Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect such information.
  - Business Associate agrees to report to Covered Entity any security incident under the HIPAA Privacy & Security Rules of which it becomes aware, including the identities of any individual whose Electronic Protected Health Information was breached.
- Responsibilities If Security Breach. Business Associate shall notify Covered Entity immediately if there is a breach by either Business Associate or one of its agents of unsecured protected health information, as defined in, and consistent with, the HITECH Act and any regulations or guidance issued thereunder, including 45 CFR Part 164, Subpart D. Such notification shall:
  - Be made in writing to the Covered Entity's Privacy Officer.
  - Be made within ten (10) days of discovery.
  - Include the names of the individuals whose information was breached, the circumstances surrounding the breach, the date of the breach and date of discovery, the information breached, any steps the individuals should take to protect themselves, the steps Business Associate (or its agent) is taking to investigate the breach, mitigate losses, and protect against future breaches, and a contact person for more information.
If requested by Business Associate, Covered Entity shall allow Business Associate to approve the content of any notification in advance.
If requested by Covered Entity, Business Associate shall notify the individuals involved, or the media or the US Department of Health and Human Services, as applicable, in accordance with the HITECH Act, and regulations or guidance issued thereunder, including 45 CFR Part 164, Subpart D. For purposes of this provision, Business Associate is considered an independent contractor of Covered Entity.
Permitted Uses and Disclosures by Business Associate
- Disclosures Generally. Except as otherwise provided in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Service Agreement, provided that such use or disclosure would not violate the HIPAA Privacy & Security Rules if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
- To Carry Out Covered Entity Obligations. To the extent Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligations.
- Management & Administration.
  - Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
  - Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate, provided that disclosures are: (a) required by law or (b) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it is disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Data Aggregation & De-Identification. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity or to de-identify Protected Health Information. Once information is de-identified, this Business Associate Agreement shall not apply.
- Required By Law. Business Associate may use or disclose Protected Health Information as required by law.
Term and Termination
- Term. This Agreement shall remain in effect for the term of the applicable Service Agreement. Upon termination of the Service Agreement, Business Associate will retain no copies of the Protected Health Information and will return or destroy the same. If such return or destruction is not feasible, Business Associate will continue to extend the protections afforded to Protected Health Information hereunder. This provision also applies to Protected Health Information that is in the possession of subcontractors or agents of Business Associate.
- Termination for Cause. Upon Covered Entity's knowledge of a material breach of this Agreement by Business Associate, Covered Entity is authorized to terminate this Agreement and the Service Agreement.
- Survival. The rights and obligations of Business Associate under this Agreement will survive the termination of this Agreement.
- Compliance with Laws and Regulations. The HITECH Act requires federal agencies to establish rules and regulations regarding the privacy and security of Protected Health Information. Business Associate will ensure that its privacy and security procedures are compliant with the HITECH Act and any rules and regulations issued thereunder with respect to Covered Entity's Protected Health Information. The parties agree to amend this Agreement to comply with applicable requirements of the HITECH Act, where necessary.
- Relationship of Parties. The parties intend that Business Associate is an independent contractor and not an agent of Covered Entity.