Updated 2/13/25

WHEREAS, Subcontractor will provide certain services (the “Services”) as set forth more fully in a separate agreement between Business Associate and Subcontractor of even date herewith (the “Agreement”);

WHEREAS, Business Associate and Subcontractor are required to meet the requirements of the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (the “Act”), the privacy standards adopted by the U.S. Department of Health and Human Services (“HHS”) as they may be amended from time to time, 45 C.F.R. parts 160 and 164, subparts A and E (the “Privacy Rule”), the security standards adopted by HHS as they may be amended from time to time, 45 C.F.R. parts 160 and 164, subparts A and C (the “Security Rule”), and the privacy provisions (Subtitle D) of the Health Information Technology for Economic and Clinical Health Act, Division A, Title XIII of Pub. L. 111-5, and its implementing regulations (the “HITECH Act”), due to their status as a “Business Associate” or a “Subcontractor” under the Act. (The Act, the Privacy Rule, the Security Rule, and the HITECH Act are collectively referred to herein as “HIPAA” for the purposes of this SBAA.);

WHEREAS, in order to provide the Services under the Agreement, Business Associate may disclose to Subcontractor certain Protected Health Information (“PHI”); and

WHEREAS, the parties desire to enter into this SBAA to (i) protect the privacy, and provide for the security, of PHI disclosed by Business Associate to Subcontractor, and (ii) satisfy certain requirements imposed upon the parties by HIPAA.

NOW, THEREFORE, in consideration of the mutual benefits of complying with laws and regulations stated above, Business Associate and Subcontractor agree as follows:

Article I: DEFINITIONS

I.1 Terms. Capitalized terms not specifically defined in this SBAA shall have the meanings attributed to them under HIPAA.

Article II: PRIVACY AND SECURITY OF PROTECTED HEALTH INFORMATION

II.1 Permitted Uses & Disclosures.

(a) Subcontractor may use and disclose PHI on behalf of Business Associate pursuant to the Agreement between Subcontractor and Business Associate or as Required By Law. Except for the specific uses or disclosures set forth in Section 2.1(b), Subcontractor may not use or disclose PHI in a manner that would violate the Privacy Rule if done by Business Associate. Subcontractor shall limit its use, disclosure or request of PHI, to the extent practicable, to a Limited Data Set or, if needed by Subcontractor, to the Minimum Necessary.

(b) Unless otherwise limited herein and except where prohibited by law, Subcontractor may (1) use or disclose PHI for the proper management and administration of Subcontractor; and (2) disclose PHI for the proper management and administration of Subcontractor; provided that any disclosure described by Subsection (1) or (2) of this Section is Required by Law, or Subcontractor obtains reasonable assurances from the person to whom PHI is disclosed that it will be kept confidential and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person agrees to notify Subcontractor of any instances of which it is aware in which the confidentiality of the information has been breached.

II.2 Prohibited Uses and Disclosures.

(a) Requests for Non-Disclosure. As applicable, Subcontractor shall abide by a request from an Individual pursuant to 45 C.F.R. § 164.522(a) to refrain from making certain uses or disclosures of the Individual’s PHI (i) to which Covered Entity has agreed and directed Business Associate; or (ii) to a health plan in connection with an item or service for which the Individual has paid out-of-pocket, in full, to which the Covered Entity is required to agree and directed Business Associate.

(b) Prohibition on Sale of PHI. Subcontractor shall not sell PHI or receive any direct or indirect remuneration in exchange for PHI.

(c) Prohibition on Marketing. Subcontractor shall not transmit, to any Individual for whom Subcontractor has PHI, any communication about a product or service that encourages the recipient of the communication to purchase or use that product or service unless permitted to do so.

II.3 Safeguards for the Protection of PHI. Subcontractor shall use appropriate safeguards and shall comply with the requirements of the Security Rule applicable to Subcontractor including those set forth at 45 C.F.R. parts 164.308, 164.310, 164.312 and 164.316 to prevent the use or disclosure of PHI other than as permitted by this SBAA.

II.4 Mitigation. Subcontractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Subcontractor resulting from a use or disclosure of PHI by Subcontractor in violation of the requirements of HIPAA.

II.5 Reporting to Business Associate.

(a) Breach and Other Privacy Rule Violations. Subcontractor shall report to Business Associate any use or disclosure of PHI not permitted by this SBAA, the Agreement, or that is in violation of any provision of HIPAA, including any Breach of unsecured PHI as required by 45 C.F.R. § 164.410, within five (5) business days after the date on which Subcontractor learns or should have learned of such occurrence. In its report to Business Associate, Subcontractor will identify, at a minimum (i) the nature of the non-permitted use or disclosure; (ii) the PHI used or disclosed; (iii) the party or parties who made the non-permitted use or received the non-permitted disclosure; (iv) what corrective action Subcontractor took or will take to prevent further non-permitted uses or disclosures; (v) what Subcontractor did or will do to mitigate any harmful effect of the non-permitted use or disclosure; (vi) such other information, including a written report, as Business Associate may request; and (vii) such other information as HHS may prescribe by regulation.

(b) Security Incidents. Subcontractor shall report all Security Incidents to Business Associate, in accordance with the following reporting procedures for (i) Security Incidents that result in unauthorized access, use, disclosure, modification or destruction of electronic PHI (“ePHI”) or interference with system operations (“Successful Security Incidents”); and (ii) Security Incidents that do not result in unauthorized access, use, disclosure, modification or destruction of ePHI or interference with system operations (“Unsuccessful Security Incidents”).

(i) Successful Security Incidents. Subcontractor shall provide notice to Business Associate of any Successful Security Incident of which it becomes aware within five (5) business days. At a minimum, such report shall contain the following information: (A) date and time when the Security Incident occurred and/or was discovered; (B) names of systems, programs, or networks affected by the Security Incident; (C) preliminary impact analysis; (D) description of and scope of ePHI used, disclosed, modified, or destroyed; and (E) any mitigation steps taken by Subcontractor.

(ii) Unsuccessful Security Incidents. To avoid unnecessary burden on either party, Subcontractor shall report to Business Associate any Unsuccessful Security Incident of which it becomes aware only upon request of Business Associate. The frequency, content and the format of the report of Unsuccessful Security Incidents shall be mutually agreed upon by the parties. If the definition of “Security Incident” is amended under the Security Rule to remove the requirement for reporting “unsuccessful” attempts to use, disclose, modify or destroy ePHI, then this Section 2.5(b)(ii) shall no longer apply as of the effective date of such amendment.

(c) Cooperation. Subcontractor agrees to cooperate with the Business Associate and any applicable Covered Entities upon report of any such Breach so that the Business Associate may provide the individual(s) affected by such Breach with proper notice as required by HIPAA.

(d) Costs. Subcontractor shall reimburse Business Associate for all reasonable costs, including applicable attorneys’ fees, involved in investigating and providing notifications in the event of a breach of unsecured PHI.

II.6 Use of Subcontractors. Subcontractor shall not use any Subcontractor to assist with Subcontractor’s provision of the Services under the Agreement without the prior consent of Business Associate. Subcontractor may disclose PHI to a Subcontractor only to the extent expressly permitted by the Agreement and subject to the terms of this SBAA. Prior to the disclosure of PHI to any Subcontractor, Subcontractor shall cause each such Subcontractor to agree in writing to the same restrictions, conditions and requirements that apply to the Subcontractor with respect to such PHI. Upon request, Subcontractor shall provide to Business Associate a copy of the written contract with the Subcontractor. Furthermore, Subcontractor shall disclose to its Subcontractors only the Minimum Necessary to perform such Services as are delegated to the Subcontractor by the Subcontractor.

II.7 Authorized Access to PHI. At the request of Business Associate and within twenty (20) business days of such request, Subcontractor shall make available to Business Associate (or to the Individual at the direction of Business Associate) for inspection and copying, any PHI about an Individual which Subcontractor created or received for or from Business Associate and that is in the custody or control of Subcontractor as required by 45 C.F.R. § 164.524. To enable Business Associate to fulfill its obligations that pertain to an Individual’s request for an electronic copy of his or her PHI that is used or maintained in an Electronic Health Record, to the extent Subcontractor uses or maintains PHI in an Electronic Health Record, Subcontractor shall provide Business Associate with a copy of such information in electronic format, at Business Associate’s expense, within five (5) business days of a request by Business Associate.

II.8 Amendment of PHI. Subcontractor shall, at the request of Business Associate, within twenty (20) business days, amend PHI in accordance with the instructions provided by Business Associate or permit Business Associate access to amend any portion of the PHI which Subcontractor created or received from or on behalf of Business Associate, as required by 45 C.F.R. § 164.526.

II.9 Accounting of Disclosures of PHI.

(a) Disclosure Tracking. Subcontractor shall retain a record of each disclosure of PHI that Subcontractor makes to a third party to the extent required by HIPAA, including (i) the disclosure date; (ii) the name and (if known) address of the person or entity to whom Subcontractor made the disclosure; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure.

(b) Disclosure Accounting. Subcontractor shall provide an accounting of disclosure of PHI to Business Associate (or to an individual, if so directed by Business Associate) (i) no later than thirty (30) business days after receipt of a written request for such disclosure accounting by Business Associate pursuant to 45 C.F.R. § 164.528, or (ii) in accordance with HIPAA.

II.10 Performance of Obligations of Business Associate. To the extent Subcontractor is to carry out an obligation of any Covered Entity with which Business Associate has an applicable agreement under the Privacy Rule, Subcontractor shall comply with the requirements of the Privacy Rule that apply to Covered Entity in performance of such obligation.

II.11 Inspection of Books and Records. Subcontractor shall make its internal practices, books, and records, relating to the use and disclosure of all such PHI, available to Business Associate and to HHS to determine Business Associate’s and Subcontractor’s compliance with HIPAA.

Article III: TERM AND TERMINATION

III.1 Term. The term of this SBAA shall commence as of the Effective Date of this SBAA and shall continue in effect until terminated in accordance with Section 3.2.

III.2 Termination. This SBAA shall terminate upon the earlier to occur of: (i) termination of the Agreement or (ii) receipt by Subcontractor of Business Associate’s notice to terminate in the event Subcontractor breaches a material term of this SBAA pursuant to Section 3.3.

III.3 Right to Terminate for Breach. Business Associate has the right to terminate this SBAA immediately if Business Associate determines, in its reasonable discretion, that Subcontractor has breached any material term of this SBAA. Following Business Associate’s determination that Subcontractor has breached a material term of this SBAA, in lieu of immediate termination, Business Associate may elect, in its sole discretion, to provide Subcontractor with written notice of its determination, and afford Subcontractor an opportunity to cure such alleged breach within thirty (30) days. In the event that Subcontractor fails to cure said breach to the reasonable satisfaction of Business Associate within thirty (30) days or if cure is not feasible, Business Associate may immediately terminate this SBAA and the Agreement.

III.4 Return or Destruction of PHI.

(a) Upon termination of the SBAA for any reason, Subcontractor shall automatically return, at its cost, all PHI or any copies thereof received from Business Associate that Subcontractor or its agents or Subcontractors still maintain in any form. Prior to the return of PHI to Business Associate, Subcontractor may submit to Business Associate a written request for permission to destroy PHI, and such request may be approved or denied in the sole discretion of Business Associate.

(b) Subcontractor shall not retain any copies of PHI unless Business Associate expressly permits it to do so in writing.

III.5 Continuing Privacy and Security Obligation. If return or destruction of the PHI is not feasible, as determined by Business Associate, Subcontractor shall extend the protections of this SBAA for as long as necessary to protect the PHI and to limit any further use or disclosure. Subcontractor shall only use or disclose such PHI for those purposes that make return or destruction infeasible.

III.6 Injunctive Relief. In the event of a breach of any material term of this SBAA, Business Associate has a right to obtain injunctive relief to prevent future disclosure of PHI.

Article IV: INSURANCE

IV.1 Insurance. Subcontractor agrees to maintain during the term of this SBAA liability insurance covering claims based on Subcontractor’s unauthorized use or disclosure of PHI in violation of HIPAA or any other applicable state law or regulation concerning the privacy of an individual’s health information. A copy of such policy or a certificate evidencing the policy shall be provided to Business Associate upon written request.

Article V: INDEMNIFICATION

V.1 Indemnification. Subcontractor shall indemnify and hold harmless Business Associate and any Business Associate affiliate, officer, director, employee, subcontractor, agent, or other members of its workforce, from and against any claim, cause of action, liability, damage, fine, penalty, cost or expense arising out of or in connection with any non-permitted use or disclosure of PHI or other breach of this SBAA by Subcontractor or any subcontractor, affiliate, or agent therefore, including but not limited to any Subcontractor, that provides services described in or relating to the Agreement. Notwithstanding any provision of the Agreement to the contrary, Subcontractor’s responsibility for indemnification arising out of or in connection with this SBAA will be governed solely by this Section 5.1 and no provision set forth in the Agreement, including indemnification provisions thereunder or any terms that define, restrict or limit the types or amounts of damages, costs or expenses, will in any way alter, expand, restrict or limit Subcontractor’s indemnification liability hereunder.

Article VI: MISCELLANEOUS

VI.1 Amendments. The parties acknowledge that state and federal laws relating to data security and privacy are rapidly evolving and that amendment of this SBAA may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA and other applicable laws relating to the security or confidentiality of PHI.

VI.2 No Third Party Beneficiaries. Nothing express or implied in this SBAA is intended to confer, nor shall anything herein confer, upon any person other than Business Associate, Subcontractor and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.

VI.3 Conflicts. The terms and conditions of this SBAA will override and control any conflicting term or condition of any other agreements that may be in place between the parties. All non-conflicting terms and conditions of this SBAA and any other agreement between the parties remain in full force and effect.

VI.4 Construction. This SBAA shall be construed as broadly as necessary to implement and comply with HIPAA. Any ambiguity in this SBAA shall be resolved in favor of a meaning that complies with HIPAA.

VI.5 Subpoenas. Subcontractor shall provide written notice to Business Associate of any subpoena or other legal process seeking PHI received from or created on behalf of Business Associate, or otherwise relating to the provision of Services by Subcontractor. Such written notice shall be provided within forty-eight (48) hours of receipt of a subpoena or other legal process.

VI.6 Notices. See the executed signature document for this SBAA.

VI.7 Counterparts. This SBAA may be executed in two or more counterparts and each such counterpart executed shall for all purposes be deemed an original, and all counterparts together shall constitute but one and the same instrument. The resulting instrument shall be binding upon all signatories hereof who sign below.

VI.8 Survival. The rights and obligations of Subcontractor under Sections 2.9, 3.5, 3.6, 4.1, and 5.1 of this SBAA shall survive the termination of this SBAA.

VI.9 Governing Law. This SBAA shall be governed by and interpreted in accordance with the laws of Arkansas.