Provider1st
Terms & Conditions
Business Associate Agreement (BAA)
This Business Associate Agreement (the “BAA”), deemed concurrently effective as of the date the Provider1st Service Agreement is executed between the parties (the “Effective Date”), is between the Client (referred to as the “Covered Entity”) and Provider1st, Inc. (“Business Associate”) for the purpose of complying with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the related privacy and security provisions of the American Recovery and Reinvestment Act of 2009 (Public Law 111-005, also known as the Health Information Technology for Economic and Clinical Health Act) and the regulations promulgated under each of those statutes, as they may be amended from time to time (collectively “HIPAA”).
WHEREAS, Covered Entity is a “covered entity” as that term is defined under HIPAA;
WHEREAS, Business Associate provides or will provide services to Covered Entity under one or more agreements between the parties (collectively the “Agreement”);
WHEREAS, in providing those services, Business Associate may have access to PHI and may accordingly become a “business associate” of Covered Entity, as that term is defined under HIPAA;
WHEREAS, the parties intend to protect the privacy and provide for the security of PHI, as required by HIPAA.
NOW, THEREFORE, in consideration of the mutual promises in this BAA and the Agreement, and the exchange of information pursuant to this BAA, the parties agree as follows:
I. Definitions
Capitalized terms that are used in this BAA and not defined will have the meanings given to them in HIPAA. The below terms have the following meanings (incorporating any amendments to statutory and regulatory references that may occur from time to time):
A. Breach has the meaning given to that term under 45 C.F.R. § 164.402.
B. Data Aggregation has the meaning given to that term in the Privacy Rule, including but not limited to, 45 C.F.R. § 164.501.
C. Designated Record Set has the meaning given to that term in the Privacy Rule.
D. PHI has the meaning given to “protected health information” in 45 C.F.R. § 160.103, but only encompasses protected health information that Business Associate receives or creates from or on behalf of Covered Entity while Business Associate is acting as a business associate of Covered Entity.
E. Electronic PHI means PHI that is transmitted or maintained in electronic media.
F. Privacy Rule means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, subparts A and E.
G. Required by Law has the meaning given to that term in 45 C.F.R. § 164.103.
H. Security Incident has the meaning given to that term in 45 C.F.R. § 164.304.
I. Security Rule means the Security Standard for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, subparts A and C.
J. Unsecured PHI has the meaning given to that term in 42 U.S.C. § 17932(h).
K. Unsuccessful Security Incident means a Security Incident that does not result in unauthorized access, use, disclosure, modification or destruction of PHI (including, but not limited to, pings on Business Associate’s firewall, port scans, attempts to log on to a system or enter a database with an invalid username or password and denial-of-service attacks).
II. Permitted Uses and Disclosures
A. Except as otherwise provided in this BAA, Business Associate may only use or disclose PHI:
- as reasonably necessary for Business Associate to provide its services under the Agreement;
- as Required by Law; and
- for Business Associate’s proper management and administration, and to fulfill its legal responsibilities; provided, however, that if Business Associate discloses PHI to a third party for any such purpose, then Business Associate shall obtain reasonable written assurances from the third party that the third party will (i) hold the PHI in confidence and further use or disclose it only as Required by Law or for the purpose for which it was disclosed and (ii) notify Business Associate in writing of any other use or disclosure of the PHI.B. Business Associate may use PHI to provide Data Aggregation services to Covered Entity for Covered Entity’s healthcare operations.C. Business Associate may deidentify PHI and use such deidentified data for Business Associate’s internal business purposes, including performance monitoring and benchmarking, and systems training any algorithms and models, the use of which will not confer any rights whatsoever of Business Associate’s tools, property, or systems to Covered Entity or any other party.
III. Other Obligations of Business Associate
A. Business Associate shall implement and maintain appropriate safeguards to prevent the use or disclosure of PHI in any manner not permitted by this BAA.B. Business Associate shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of any Electronic PHI. Without limiting the foregoing, Business Associate shall comply with the Security Rule.C. To the extent required by the “minimum necessary” requirements of HIPAA, Business Associate shall only request, use, and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure.D. To the extent Business Associate agrees in writing to carry out any of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
IV. Disclosure to Subcontractors
If Business Associate discloses PHI to any agents or subcontractors, then Business Associate shall obligate each such agent and subcontractor to agree in writing:
- to the material obligations regarding the use and disclosure of PHI contained in this BAA; and
- without limiting the foregoing, to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains, or transmits on behalf of Business Associate or, through Business Associate, Covered Entity.
V. Reporting of Improper Uses, Disclosures, Breaches, and Security Incidents
A. Business Associate shall notify Covered Entity in writing of any use or disclosure of PHI not permitted by this BAA, including any Breach of Unsecured PHI, within 15 business days of becoming aware of it.B. Business Associate shall notify Covered Entity in writing of any Security Incident affecting Electronic PHI within 15 business days of becoming aware of it, except that the parties agree that this paragraph constitutes notice by Business Associate to Covered Entity of the ongoing occurrence of attempted but Unsuccessful Security Incidents.C. Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate that is not permitted by this BAA.
VI. Access to and Amendment of PHI/Accounting of Disclosures
A. To the extent Business Associate maintains PHI in a Designated Record Set, it shall, within ten business days of receiving a written request from Covered Entity, provide Covered Entity with the PHI in the applicable Designated Record Set(s) to the extent reasonably required:
- for Covered Entity to provide Individuals with access to PHI in accordance with 45 CFR § 164.524; and
- for Covered Entity to respond to a request by an Individual to amend PHI in accordance with 45 C.F.R. § 164.526.Within fifteen business days of receiving a written request from Covered Entity, Business Associate shall amend any PHI in its possession as directed by Covered Entity consistent with 45 C.F.R. § 164.526.B. If an Individual requests access to PHI directly from Business Associate, or requests that Business Associate amend PHI, then Business Associate shall forward that request to Covered Entity within ten business days of receiving it. Covered Entity will be solely responsible for responding to any such requests.C. Business Associate shall document any disclosures of PHI that it makes as required by 45 C.F.R. §164.528(a). Within ten business days of receiving a request from Covered Entity, Business Associate shall provide Covered Entity with any information that Covered Entity reasonably requires to respond to a request for an accounting of disclosures in accordance with 45 C.F.R. §164.528.
VII. Obligations of Covered Entity
A. Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under HIPAA and other applicable laws if done by Covered Entity.B. Covered Entity shall only provide Business Associate with PHI that is necessary for Business Associate to provide its services under the Agreement.C. Covered Entity shall notify Business Associate of any restrictions on the use or disclosure of PHI: (i) in Covered Entity’s notice of privacy practices, (ii) resulting from any changes in, or revocation of, permission by an Individual to use or disclose PHI, or (iii) to which Covered Entity has agreed, each to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.D. Covered Entity shall use all efforts to avoid any restrictions on the use or disclosure of PHI that would materially impair Business Associate’s ability to perform under the Agreement.E. Covered Entity hereby warrants that it has obtained legally sufficient permission under HIPAA and other applicable laws to disclose all PHI that it provides to Business Associate under this BAA.F. Covered Entity shall encrypt all Electronic PHI in transit to Business Associate via AES-256, or another encryption protocol that provides materially equivalent protection.
VIII. Limitation of Liability
Notwithstanding anything in the Agreement to the contrary, to the maximum extent permitted by applicable law, the total liability of Business Associate (and its affiliates, officers, directors, employees, and other agents) under this BAA, whether to Covered Entity or any third party, will be limited to the aggregate fees actually paid by Covered Entity to Business Associate under the Agreement applicable to the claim in the twelve-month period preceding the event first giving rise to the claim. This Section VIII will survive the termination of this BAA.
IX. Access by HHS
Subject to Business Associate’s reasonable confidentiality and security practices, Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for purposes of determining Covered Entity’s compliance with HIPAA.
X. Term
This BAA will become effective on the Effective Date and will remain in effect until all Agreements under which Business Associate may create or receive PHI terminate or expire. At that time, this BAA will automatically terminate.
XI. Termination for Cause
Either party may terminate this BAA for cause if the other party materially breaches it and fails to cure that breach within thirty days of receiving written notice from the non-breaching party. Termination under this Section XI will be effective upon the non-breaching party’s provision of a written termination notice to the breaching party.
XII. Return of PHI Upon Termination
Upon termination of this BAA for any reason, Business Associate shall, if feasible, return or destroy all PHI maintained by Business Associate. If, in Business Associate’s reasonable judgment, return or destruction of PHI is not feasible, then Business Associate shall notify Covered Entity in writing of the reasons that make return or destruction infeasible. Business Associate may then retain any PHI that it is not feasible to return or destroy, provided that Business Associate shall extend the protections of this BAA to such information and limit further use and disclosure of the affected PHI to those purposes that make the return or destruction infeasible. This Section XII will survive the termination of this BAA.
XIII. Amendment
The parties shall negotiate in good faith to modify this BAA as reasonably necessary to comply with HIPAA, as it may be amended from time to time.
XIV. Agreement; Conflicting Terms
This BAA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BAA conflict with any terms of the Agreement, the terms of this BAA will govern.
XV. No Third-Party Beneficiaries
Except as explicitly set forth in Section VIII, this BAA does not confer any rights upon any person or entity other than the parties (and their respective successors and permitted assigns).
XVI. Independent Contractors
The parties intend that their relationship will be that of independent contractors. Neither party may bind the other without the written permission of the party to be bound.
XVII. Notices
The parties shall provide any notices under this BAA to the addresses set forth in the Notices section in the underlying Provider1st Service Agreement between the parties.
XVIII. Modification; Waiver
This BAA may not be modified except in a writing signed by authorized representatives of the parties that explicitly references this BAA. No waiver of satisfaction of a condition or nonperformance of an obligation under this BAA will be effective unless it is in writing and signed by the party granting the waiver.
XIX. Counterparts
This BAA may be executed in any number of counterparts, each of which shall be deemed an original. Electronic (pdf) copies thereof shall be deemed to be originals.
Master Services Agreement (MSA)
Services Provided.
Thank you for providing Provider1st with the opportunity to help the undersigned provider (“you”) with “Release-of-Information” services. This agreement sets forth our understanding. You will either direct third parties to us via a website we provide, or you will receive, review and forward to us via such website requests for health information. We will access, scan and download patient records for the sole purpose of complying with authorized requests.
You agree to provide us with access to the requested records during the scheduled hours, as we mutually agree. Our trained staff will scan and/or download the relevant records. We will mail or email the requests within five business days of obtaining the records. We will log and track all records we process in our system.
Original Medical Information.
We will not, under any circumstances, provide copies of health information to any person other than the duly authorized requesting party. In addition, we will not remove any original medical records, charts or files from your facility. The business associate agreement between us and you will continue to apply.
Information Processed.
We will process the following types of requested information: continuing care, disability, subpoenas, life insurance, underwriters, Medicare/Medicaid, health insurances and all other billable and courtesy requests.
Fees.
You agree to provide Provider1st with a copy of all fees delivered to you and processed by you with regard to requests for health information that we administer on your behalf. You authorize us to collect, and we are only responsible for the collection of, fees from requesting parties for the processing of medical record requests. Provider1st will collect and retain all fees associated with medical record requests. If we receive a request that falls outside the ordinary course, we may treat such request as a special project and outside the scope of this agreement. Provider1st will always look to negotiate payment agreements in advance from the requestor of such lists. However, if unsuccessful we will in good faith notify you in advance and provide you with the option to use our services as agreed or seek out separate fulfillment. Representation and Warranties. We represent and warrant that we comply with applicable electronic data transmission standards that are required by U.S. government agencies for the transmission of health information. Confidentiality and Indemnification. We will secure approved authorization(s) before scanning or downloading any patient records if such authorization is required. We will deliver only the requested information to an authorized requestor. Any disclosure of health information will be limited to that portion of the medical record needed to fulfill the specific purpose of the request. Unless we are expressly authorized by the patient or the patient’s duly appointed and authorized representative, we will not release any record regarding psychiatric care, alcoholism/alcohol abuse, drug abuse, HIV orHIV test results. You agree to be responsible for securing, verifying and approving written authorization for the reproduction of any such records. You agree and understand that we are not responsible for any losses or liability that result, directly or indirectly, from inaccurate information, incorrectly dated materials, insufficient or improper authorizations, or anyother type of faulty medical record documentation that you make availableor furnish to us.
Indemnification.
We will indemnify you and hold you harmless against andwith respect to liabilities which you actually incur to third persons, so longas such liabilities: (i) are evidenced by final judgement of a court ofcompetent jurisdiction, and (ii) arise out of and are limited to our negligencein scanning, downloading, copying and/or disseminating medical recordinformation that violates a such person’s right of privacy.
Insurance.
We have an Errors and Omissions liability insurance policywhich insures against negligent acts, errors or omissions and publication of material that violates a person’s right of privacy. We also have aCommercial General Liability Policy. We can provide evidence of such coverage upon request.
No Solicitation.
We and you agree that, during the term of this agreementand for 12 months thereafter, we and you will not directly or indirectly solicitfor employment any employees from each other.
Termination.
Either of us may terminate this agreement upon 30 days’ written notice to the other party; provided, however, you understand and agree that if your reason for termination is either that (i) you have additional needs or requirements that we are not fulfilling, or (ii) a comparable health information management service has proposed to provide you with services which we do not provide, then you agree to first give us at least 30 days to meet such additional needs/requirements before you send us a termination notice. Please send all notices in writing to AdvantMed, LLC, LegalDepartment, 17981 Sky Park Circle Bldg. 39/Ste. B & C, Irvine, CA 92614