Business Associate Addendum

This is an addendum to the Purchasing Terms and Conditions. This Addendum is applicable only in those situations where the Vendor providing goods or services under a purchase order will receive or create Protected Health Information as defined in 45 C.F.R. § 164.501 (e.g., individually identifiable health information of patients of the University of Virginia Health System or employees covered by the University of Virginia Health Plan.)

This Business Associate Addendum (“Addendum” or the “BAA”) becomes effective when the Vendor accepts the Purchasing Terms and Conditions.  It is entered into by the Vendor (the “Business Associate”) and The Rector and Visitors of the University of Virginia on behalf of its Medical Center, (the “Covered Entity”) (each a “Party” and collectively the “Parties”). 

The Parties have entered into an agreement or arrangement (the “Underlying Agreement”) under which the Covered Entity may disclose Protected Health Information or “PHI” (as defined in 45 C.F.R. §160.103) to the Business Associate and Business Associate may receive, use, and disclose Protected Health Information in its performance of the Parties’ respective obligations pursuant to the Underlying Agreement; and Covered Entity and Business Associate intend to protect the privacy and provide for the security of Protected Health Information disclosed, collected, or created by Business Associate in connection with the Arrangement in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) Subtitle D of Title XIII of Division A of the American Recovery and Reinvestment Act of 2009, Public Law 111-5 (“HITECH”) and the regulations promulgated under HIPAA and HITECH, including, without limitation, the Standards for Privacy of Individually Identifiable Health Information, C.F.R. at Title 45, Parts 160 and 164 (the “Privacy Rule”) and the Standards for the Security of Electronic Protected Health Information, C.F.R. at Title 45, Parts 160 and 164 (the “Security Rule”); HIPAA and HITECH require Covered Entity and Business Associate to enter into an agreement containing certain requirements with respect to the use and disclosure of Protected Health Information and which are contained in this Business Associate Addendum. The Parties agree as follows:

1.                  DEFINITIONS.  Terms used, but not otherwise defined, in this Addendum shall have the same meanings as those terms in HIPAA and HITECH, except that the terms “Protected Health Information” and “Electronic Protected Health Information” shall have the same meaning as set forth in 45 C.F.R. §160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity in connection with the Arrangement. 

2.               PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION.

2.1.           Services.  Pursuant to the Underlying Agreement, the Business Associate provides services or goods for the Covered Entity that involves the use and disclosure of Protected Health Information.  Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Arrangement, this Agreement or as Required By Law.  Business Associate shall not use Protected Health Information in any manner that would constitute a violation of the HIPAA Regulations, or other applicable federal or State law if so used by Covered Entity.  All other uses not authorized by this Addendum are prohibited.  Moreover, Business Associate may disclose Protected Health Information for the purposes authorized by this Addendum only, (i) to its employees, subcontractors and agents (to the extent consistent with the terms of the Underlying Agreement), in accordance with Section 3.1(f) hereof, (ii) as directed by the Covered Entity, or (iii) as otherwise permitted by the terms of this Addendum including, but not limited to, Section 2.2(b) below.

2.2.          Business Activities of the Business Associate.  Unless otherwise limited herein, the Business Associate may:

(a)             use the Protected Health Information in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of the Business Associate provided that such uses are permitted under state and federal confidentiality laws;

(b)             disclose the Protected Health Information in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of the Business Associate, if (i) the disclosures are Required by Law; or (ii) the Business Associate has received from the third party reasonable assurances regarding its confidential handling of such Protected Health Information as required under 45 C.F.R. §164.504(e)(4).

2.3.           Additional Activities of Business Associate. In addition to the foregoing, Business Associate also may, at the request of the Covered Entity:

(a)             aggregate the Protected Health Information in its possession with the Protected Health Information of other covered entities that the Business Associate has in its possession through its capacity as a business associate to said other covered entities provided that the purpose of such aggregation is to provide the Covered Entity with data analyses relating to the Health Care Operations of the Covered Entity; provided, however, that under no circumstances may the Business Associate disclose Protected Health Information of one Covered Entity to another Covered Entity absent the explicit authorization of the Covered Entity;

(b)             de-identify any and all Protected Health Information provided that the de-identification conforms to the requirements of 45 C.F.R. §164.514(b), and further provided that the Covered Entity maintains any documentation required by 45 C.F.R. §164.514(b) which may be in the form of a written assurance from the Business Associate; provided, however, that pursuant to 45 C.F.R. §164.502(d)(2), de-identified information does not constitute Protected Health Information and is not subject to the terms of this Addendum.

3.               RESPONSIBILITIES WITH RESPECT TO PROTECTED HEALTH INFORMATION.

3.1.           Privacy Responsibilities of the Business Associate.  With regard to its use and/or disclosure of Protected Health Information, the Business Associate hereby agrees to do the following:

(a)             request from the Covered Entity, access, and disclose to its subcontractors, agents or other third parties, only the minimum amount of Protected Health Information necessary to perform or fulfill a specific function required or permitted under this Addendum and/or the Underlying Agreement;

(b)             use and/or disclose the Protected Health Information only as permitted or required by this Addendum or as otherwise Required by Law;

(c)             report to the designated Privacy Officer of the Covered Entity, in writing, any use and/or disclosure of the Protected Health Information that is not permitted or required by this Agreement of which Business Associate becomes aware within five (5) days of the Business Associate’s discovery of such unauthorized use and/or disclosure;

(d)             take commercially reasonable steps to mitigate harmful effects from any Breach of Unsecured Protected Health Information or other Security Incident or inconsistent use or disclosure of the Protected Health Information which Business Associate is required to report to Covered Entity pursuant to this Agreement;

(e)             use appropriate physical, administrative and technical safeguards that (i) reasonably and appropriately protect the confidentiality, integrity, and availability of Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity, and (ii) prevent the use, disclosure of, or access to the Protected Health Information other than as provided for by this Agreement including ability to transmit any beneficiary information electronically using encrypted technology;

(f)              ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees: (i) to substantially similar restrictions and conditions that apply through this Agreement to Business Associate with respect to such information; and (ii) to implementation of reasonable and appropriate privacy and security safeguards to protect Protected Health Information;

(g)             make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity, or at the Covered Entity’s request, to the Secretary of HHS, in a time and manner designated by the Secretary, for purposes of determining the Covered Entity’s compliance with the Privacy Regulation, subject to attorney-client and other applicable legal privileges;

(h)             upon prior written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity within fifteen (15) days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Addendum;

(i)              within fifteen (15) days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual's Protected Health Information in accordance with 45 C.F.R. §164.528;

(j)              within fifteen (15) days of receiving a written request from the Covered Entity, document such disclosures of Protected Health Information and information related to such disclosures, as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of protected health information in accordance with 45 C.F.R. §164.528; and

(k)             to the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).

3.2.          Security Responsibilities of the Business Associate. 

(a)             Business Associate represents and warrants to Covered Entity that Business Associate will comply with the standards and implementation specifications for security safeguards as set forth at 45 C.F.R. §§164.308, 164.310, 164.312 and 164.316 and will ensure that any agent, including a subcontractor, to whom it provides Protected Health Information agrees in writing to implement reasonable and appropriate safeguards consistent with such standards and implementation specifications.

(b)             Business Associate agrees to report to Covered Entity: (i) any Security Incident, provided, however, that Business Associate shall not be required to report pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in the defeat or circumvention of any security control, or in the unauthorized access, use or disclosure of Protected Health Information; and (ii) any use or disclosure of the Protected Health Information not provided for by this Agreement, of which it becomes aware.  Such report shall be made without undue delay and no later than five (5) business days after Business Associate’s discovery of the security incident or inconsistent use or disclosure, including incident or improper use or disclosure by an agent or subcontractor of Business Associate.  To the extent Business Associate accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses Unsecured Protected Health Information, Business Associate shall notify Covered Entity in accordance with 45 C.F.R.  §164.410 of any Breach of such Unsecured Protected Health Information.  Such notification shall be made without undue delay and no later than five (5) business days after the Breach is discovered by Business Associate.  The notification of Breach shall be provided in writing and shall include, to the extent possible, the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the Breach.  Business Associate shall also provide the applicable Covered Entity any other information that the Covered Entity is required to include in notification to the individual under 45 C.F.R. §164.404(c) at the time of the notification, or as promptly thereafter as such information becomes available.

(c)             Business Associate shall cooperate with the Covered Entity as needed to further investigate and evaluate any Security Breach involving the Business Associate or of which the Business Associate has become aware and, in the event of impermissible use or disclosure by the Business Associate or any subcontractor of unsecured Protected Health Information that constitutes, in the reasonable judgment of the Covered Entity a breach requiring notification under applicable provisions of the HITECH Act and implementing regulations, at the discretion of the Covered Entity either the Business Associate or the Covered Entity will notify in writing all affected individuals as required by the HITECH Act and implementing regulations. The Business Associate will be responsible for all costs associated with such notification, including any costs of credit monitoring services that the Covered Entity and Business Associate reasonably agree should be offered to affected individuals. For purposes of this paragraph, unsecured PHI means PHI which is not encrypted or destroyed. Breach means the acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule or this contract which compromises the security or privacy of the PHI by posing a significant risk of financial, reputational, or other harm to the individual, as reasonably determined by the Covered Entity.

4.               ADDITIONAL RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION.

4.1.          Responsibilities of the Business Associate with Respect to Handling of Designated Record Set.  In the event that the Parties mutually agree in writing that the Protected Health Information constitutes a Designated Record Set, the Business Associate hereby agrees to do the following at the request of, and in the time and manner designated by, the Covered Entity:

(a)             provide access to the Protected Health Information to the Covered Entity or the individual to whom such Protected Health Information relates, or his or her authorized representative, in order to meet a request by such individual under 45 C.F.R. §164.524; and

(b)             make any amendment(s) to the Protected Health Information that the Covered Entity directs pursuant to 45 C.F.R. § 164.526; provided, however, that the Covered Entity makes the determination that the amendment(s) are necessary because the Protected Health Information that is the subject of the amendment(s) has been, or could foreseeably be, relied upon by the Business Associate or others to the detriment of the individual who is the subject of the Protected Health Information to be amended.

4.2.          Responsibilities of the Covered Entity with Respect to the Handling of the Designated Record Set.  In the event that the Parties mutually agree in writing that the Protected Health Information constitutes a Designated Record Set, the Covered Entity hereby agrees to do the following:

(a)             notify the Business Associate, in writing, of any Protected Health Information that Covered Entity seeks to make available to an individual pursuant to 45 C.F.R. § 164.524 and the time, manner and form in which the Business Associate will provide such access; and

(b)             notify the Business Associate, in writing, of any amendment(s) to the Protected Health Information in the possession of the Business Associate that the Business Associate will make and inform the Business Associate of the time, form and manner in which such amendment(s) will be made.

5.               TERMS AND TERMINATION.

5.1.           Term.  This Addendum will become effective on the Effective Date and will continue in effect until all obligations of the Parties have been met, unless terminated as provided in this Section.  In addition, certain provisions and requirements of this Addendum will survive its expiration or other termination in accordance with Section 5.1 herein.

5.2.          Termination by the Covered Entity.  As provided for under 45 C.F.R. §164.504(e)(2)(iii), the Covered Entity may immediately terminate the Underlying Agreement and this Addendum if the Covered Entity makes the determination that the Business Associate has breached a material term of this Addendum.  Alternatively, the Covered Entity may choose to: (i) provide the Business Associate with ten (10) days written notice of the existence of an alleged material breach; and (ii) afford the Business Associate an opportunity to cure said alleged material breach upon mutually agreeable terms.  Nonetheless, in the event that mutually agreeable terms cannot be achieved within ten (10) days, Business Associate must cure said breach to the satisfaction of the Covered Entity within ten (10) days.  Failure to cure in the manner set forth in this paragraph is grounds for the immediate termination of the Underlying Agreement and this Addendum.

5.3.          Automatic Termination. This Addendum will automatically terminate without any further action of the Parties upon the termination or expiration of the Underlying Agreement.

5.4.          Effect of Termination.  Upon the event of termination pursuant to this Section, the Business Associate agrees to return or destroy all Protected Health Information pursuant to 45 C.F.R. §164.504(e)(2)(I), if it is feasible to do so, within ninety (90) days of the effective date of such termination.  Prior to doing so, the Business Associate further agrees to recover any Protected Health Information in the possession of its subcontractors or agents (to the extent such disclosure is permitted pursuant to the Underlying Agreement).  If it is not feasible for the Business Associate to return or destroy said Protected Health Information, the Business Associate will notify the Covered Entity in writing with a Certificate of Destruction that will include:  (i) a statement that the Business Associate has determined that it is infeasible to return or destroy the Protected Health Information in its possession, and (ii) the specific reasons for such determination.  The Business Associate further agrees to extend any and all protections, limitations and restrictions contained in this Addendum to the Business Associate’s use and/or disclosure of any Protected Health Information retained after the termination of this Addendum or the Underlying Agreement, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the Protected Health Information infeasible.  If it is infeasible for the Business Associate to obtain, from a subcontractor or agent any Protected Health Information in the possession of the subcontractor or agent, the Business Associate must provide a written explanation to the Covered Entity and require the subcontractors and agents to agree to extend any and all protections, limitations and restrictions contained in this Addendum to the subcontractors’ and/or agents’ use and/or disclosure of any Protected Health Information retained after the termination of this Addendum, and to limit any further uses and/or disclosures to the purposes that make the return or destruction of the Protected Health Information infeasible.

6.               INSURANCE; INDEMNITY; LIMITATIONS ON LIABILITY.

6.1.          Insurance.  Business Associate shall obtain and maintain at all times HIPAA Breach and Cyber Liability Insurance coverage with coverage limits of at least Five Million Dollars ($5,000,000) per occurrence or claim and Ten Million Dollars ($10,000,000) in the annual aggregate with Ten Million Dollars ($10,000,000) of excess coverage.

6.2           Indemnification by Business Associate. Business Associate covenants and agrees to indemnify, defend and hold harmless Covered Entity, and the directors, members, officers, employees and agents of Covered Entity, from any and all demands, claims, actions or causes of action, costs, expenses, losses, damages and liabilities incurred or suffered, directly or indirectly, by any of them (including reasonable legal fees and expenses) resulting from or attributable to (i) the breach of any of the covenants of Business Associate under this Addendum; (ii) any and all obligations, debts or other liabilities of Business Associate, or (iii) the negligence, gross negligence or intentional conduct of partners, directors, members, officers, employees and agents of Business Associate.

6.3.          Limitations on Liability.  The limitations on liability, if any, set forth in the Underlying Agreement shall not apply to any losses, claims, damages or other costs incurred by Covered Entity in connection with a breach of this Addendum by Business Associate.

7.               MISCELLANEOUS.

7.1.           Survival.  The respective rights and obligations of the Business Associate and Covered Entity under the provisions of Sections 3.1, 3.2, 5.4, 6 and 7.4, solely with respect to Protected Health Information that the Business Associate retains in accordance with Section 5.4 because it is not feasible to return or destroy such Protected Health Information, will survive termination of this Addendum indefinitely.  In addition, Section 3 will survive termination of this Addendum, provided that the Covered Entity determines that the Protected Health Information being retained pursuant to Section 4.4 constitutes a Designated Record Set.

7.2.          Amendments; Waiver.  This Addendum may not be modified, nor will any provision be waived or amended, except in a writing duly signed by authorized representatives of the Parties; provided, however, that except as otherwise limited in this Business Associate Addendum, the parties agree to take such action as is necessary to amend this Business Associate Addendum from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA and HITECH.  A waiver with respect to one event will not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. 

7.3.          No Third Party Beneficiaries.  Nothing express or implied in this Addendum is intended to confer, nor will anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.

7.4.          Notices.  All notices required or permitted under this Business Associate Addendum shall be in writing, except as otherwise provided, and sent to the other party as directed in the Underlying Agreement or as otherwise directed by either party, from time to time, by written notice to the other.  All such notices shall be deemed validly given upon receipt of such notice by certified mail, postage prepaid, facsimile transmission or personal or courier delivery.

7.5.          Interpretation. Any ambiguity in this Addendum and the Underlying Agreement will be resolved to permit Covered Entity to comply with the Privacy and Security Rules and the HITECH Act and applicable regulations and guidance documents.

7.6.          Counterparts; Facsimiles.  This Addendum may be executed in any number of counterparts, each of which will be deemed an original.  Facsimile copies hereof will be deemed to be originals.

7.7.          Governing Law.  This Business Associate Addendum shall be construed in accordance with the laws of the Commonwealth of Virginia without regard to conflicts of law provisions.