BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (the "Agreement") is made as of the effective date of that certain Consumer Feedback and Data Service Agreement by and between Provider and uSPEQ®.

Whereas, Provider is a "covered entity" and uSPEQ is a "business associate" of Provider within the meaning of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1320(d)) ("HIPAA");

Whereas, Provider and uSPEQ desire to permit uSPEQ to use or disclose Individually Identifiable Health Information received from Provider or another business associate of Provider for the purposes of collecting, aggregating, analyzing, and reporting service participant experience data;

Whereas, the parties wish for Provider to comply with HIPAA, including the Standards for Privacy of Individually Identifiable Health Information, the Standards for Electronic Transactions, and the Security Standards (collectively, the "Standards") promulgated or to be promulgated by the Secretary of Health and Human Services (the "Secretary").

Now, therefore, in consideration of the mutual promises, requirements, undertakings, and considerations set forth in this Agreement, uSPEQ and Provider hereby agree as follows:

Article I
Definitions

The following terms, as used in this Agreement, shall have the meanings set forth below:

1.1 "Individually Identifiable Health Information" means information that is a subset of health information, including demographic information collected from an individual, and: (a) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (b) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) identifies the individual, or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

1.2 "Protected Health Information" or "PHI" means Individually Identifiable Health Information, disclosed by Provider to uSPEQ in the course of collecting, aggregating, analyzing, and reporting service participant experience data, that is (a) transmitted by electronic media, (b) maintained in any medium constituting electronic media, or (c) transmitted or maintained in any other form or medium. "Protected Health Information" excludes individually identifiable health information in: (a) education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g; (b) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (c) employment records held by a covered entity in its role as an employer.

Article II
Obligations of uSPEQ With Respect to PHI

2.1 Use and Disclosure of PHI. uSPEQ shall use and disclose PHI only as required for collecting, aggregating, analyzing, and reporting service participant experience data, or as required by law, and shall not otherwise use or disclose any PHI. Provider shall not request uSPEQ to use or disclose PHI in any manner that would not be permissible under the Standards for Privacy of Individually Identifiable Health Information (hereinafter, the "Privacy Standards") if done by Provider, except with respect to uses and disclosures of PHI for management and administrative activities of uSPEQ, as provided in Section 2.10 of this Agreement.

2.2 Purposes and Limitations on Use or Disclosure of PHI.

2.2.1 Purposes. Except as otherwise limited in this Agreement, uSPEQ may use or disclose PHI on behalf of, or to provide services to, Provider for the purpose of collecting, aggregating, analyzing, and reporting service participant experience data, so long as such use or disclosure of PHI would not violate the Standards if used or disclosed by Provider. uSPEQ may also use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

2.2.2 Minimum Necessary. uSPEQ acknowledges and agrees that, to the extent uSPEQ requests Provider to disclose PHI to uSPEQ, such request will be only for the minimum necessary PHI for the accomplishment of uSPEQ's purposes. Provider acknowledges and agrees that disclosures of PHI for the purpose of collecting, aggregating, analyzing, and reporting service participant experience data are "routine and recurring" disclosures within the meaning of 45 C.F.R. § 164.514(d)(3)(i).

2.3 Safeguards. uSPEQ agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement or as required by law.

2.4 Reporting Disclosures of PHI; Mitigation. uSPEQ agrees to report to Provider any use or disclosure of PHI not provided for by this Agreement of which uSPEQ becomes aware. uSPEQ agrees to mitigate, to the extent practicable, any harmful effect that is known to uSPEQ of a use or disclosure of PHI by uSPEQ in violation of the requirements of this Agreement.

2.5 Agents. uSPEQ agrees to ensure that any agent, including a subcontractor to whom uSPEQ provides PHI received from, or created or received by, uSPEQ on behalf of Provider, agrees to the same restrictions and conditions that apply through this Agreement to uSPEQ with respect to such PHI.

2.6 Privacy Practices. Prior to disclosing any PHI to uSPEQ, Provider shall obtain appropriate consents or authorizations, if required by law.

2.7 Revocation or Modification of Consumer Permission. Provider shall notify uSPEQ of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect uSPEQ's use or disclosure of PHI.

2.8 Consumer Restrictions on Uses and Disclosures. Provider shall notify uSPEQ of any restriction on the use or disclosure of any PHI that Provider has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect uSPEQ's use or disclosure of PHI.

2.9 Availability of Books and Records. uSPEQ agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from, or created or received by uSPEQ on behalf of, Provider available to the Secretary, in a time and manner reasonably designated by the Secretary for purposes of the Secretary determining Provider's compliance with the Standards. The provisions of this section of the Addendum shall survive the termination of this Agreement.

2.10 Proper Management and Administration of uSPEQ.

2.10.1 Permissible Uses. Except as otherwise limited in this Agreement, uSPEQ may use PHI for the proper management and administration of uSPEQ or to carry out the legal responsibilities of uSPEQ.

2.10.2 Permissible Disclosures. Except as otherwise limited in this Agreement, uSPEQ may disclose PHI for the proper management and administration of uSPEQ, provided that disclosures are required by law, or that uSPEQ obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies uSPEQ of any instances of which it is aware in which the confidentiality of the information has been breached.

2.11 Access, Amendments, and Accounting. uSPEQ shall make available to Provider all PHI, if any, as may be reasonably requested for Provider to comply with 45 C.F.R. 164.524. uSPEQ shall amend all PHI, if any, as may be reasonably requested by Provider in accordance with 45 C.F.R. 164.526. uSPEQ shall make available to Provider all information, if any, as may be reasonably requested for Provider to provide an accounting of disclosures in accordance with 45 C.F.R. 164.528.

2.12 Security. uSPEQ shall: (a) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI that it creates, receives, maintains, or transmits on behalf of Provider; (b) ensure that any agent, including a subcontractor, to whom it provides any electronic PHI agrees to implement reasonable and appropriate safeguards to protect it; and (c) report to Provider any security incident of which it becomes aware.

Article III
Term and Termination

3.1 Term. Unless earlier terminated pursuant to the terms of this Agreement, this Agreement shall terminate upon destruction or return of the PHI.

3.2 Termination For Cause. Notwithstanding any other provision of this Agreement, upon the violation of a material term of this Agreement by uSPEQ, Provider shall provide uSPEQ with written notice of the violation and an opportunity to cure the violation within the 30-day period following the provision of notice. If uSPEQ does not cure the violation to the reasonable satisfaction of Provider during the 30-day cure period, Provider may terminate this Agreement immediately upon written notice to uSPEQ.

3.3 Return or Destruction of PHI upon Termination.

3.3.1 General Provisions. In the event that uSPEQ possesses any PHI upon the termination of this Agreement, uSPEQ shall either return or destroy all PHI received from Provider, or created or received by uSPEQ on behalf of Provider and which uSPEQ still maintains in any form.

3.3.2 Alternative Arrangement. Notwithstanding the foregoing, to the extent it is not feasible to return or destroy such PHI, uSPEQ shall provide to Provider notification of the conditions that make return or destruction infeasible. Thereupon, uSPEQ agrees to (a) extend the protections of this Agreement to such PHI only for those purposes that make the return or destruction infeasible, (b) limit further uses and disclosures of such PHI to such purposes, and (c) extend any term or provision of this Agreement relating to PHI so that such term or condition shall survive termination of this Agreement. Thereafter, such PHI shall be used or disclosed solely for such purpose or purposes, which prevented the return or destruction of such PHI.

3.4 Applicability of Provisions. The provisions of this section of the Agreement shall apply, to the same extent that it applies to uSPEQ, to PHI that is in the possession of agents (including subcontractors) of uSPEQ.

Article IV
Miscellaneous

4.1 Survival. All matters that (a) expressly survive the termination of this Agreement, (b) relate to the termination of this Agreement, or (c) in the normal course would not occur or be effectuated until after any such termination, as well as all rights and obligations of the parties pertaining thereto, shall survive any termination and be given full force and effect notwithstanding any termination of this Agreement.

4.2 Successors and Assigns. This Agreement shall be binding upon the parties and their successors and assigns.

4.3 Amendment. This Agreement may not be amended, modified, or terminated orally, and no amendment, modification, termination, or attempted waiver shall be valid unless in writing signed by both parties hereto.

4.4 Severability. Should any provision of this Agreement be held invalid, illegal, or unenforceable by a tribunal of competent jurisdiction, for any reason whatsoever, the remaining terms and provisions of this Agreement shall not be affected and shall continue to be valid and enforceable to the fullest extent permitted by law.

4.5 Waiver. The failure at any time by either party to require strict performance of any provision of this Agreement shall not constitute a waiver by said party of such provision, even if said party knows of the nature of the performance and fails to object to it.

4.6 Third-Party Beneficiaries. Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than uSPEQ and Provider and their successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.

4.7 Notices. Any notice, request, demand, approval, consent, or other communication required or permitted under the terms of this Agreement (collectively, "Notice") shall be in writing and delivered personally, or by registered or certified mail, return receipt requested, postage prepaid, or by reputable overnight courier, addressed to the other party. Notice shall be deemed to have been given when received if delivered personally, three (3) days after postmarked if sent by registered or certified mail, or one (1) day after deposited with an overnight courier.

v1205