Regarding the HIPAA Business Associate Agreement
You may be aware that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires Business Associate Agreements with any service providers or vendors with whom protected health information is shared.
Basically, this agreement allows an agent to assist groups and members with any possible issues regarding their account or claims information.
Individual claim information will still require a release of personal health information forms from the individual.
Please sign the following Agreement, make a copy for your records, and return the signed original to the following address. If you work with someone else for your group insurance you will need to contact them for their particular form. You may also request a group insurance quote from us and we would be happy to work with you.
Group Benefits, Inc.
21 Nob Hill Drive, Lower Level
St. Louis, MO 63138
HIPAA BUSINESS ASSOCIATE AGREEMENT
This HIPAA Business Associate Agreement (“Agreement”) is entered into on the last date of signature below by and between ______________________________________________ and Business Associate named below (“Business Associate”).
In consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the parties agree as follows:
1. Definitions .
a. “Designated Record Set” shall have the same meaning as the term “designated record set” in 45 CFR Section 164.501.
b. “Individual” shall have the same meaning as the term “individual” in 45 CFR Section 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR Section 164.502(g).
c. “Privacy Rule ” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
d. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR Section 164.501, limited to the information created or received by Business Associate from or on behalf of __________________________________________.
e. “Required by Law” shall have the same meaning as the term “required by law” in 45 CFR Section 164.501.
f. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
2. Permitted Uses and Disclosures of PHI by Business Associate .
a. General Use and Disclosure Provisions . Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of, _________________________________________ provided that such use or disclosure would not violate the Privacy Rule.
b. Specific Use and Disclosure Provisions .
i. Except as otherwise limited in this Agreement or by law, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate for those functions, activities, or services performed for, or on behalf of, ________________________________________.
ii. Except as otherwise limited in this Agreement or by law, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that the information is disclosed will remain confidential and be used or further disclosed only for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
3. Obligations of Business Associate .
a. Use and Disclosure . Business Associate agrees to not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law.
b. Appropriate Safeguards . Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.
c. Reporting of Improper Use or Disclosure . Business Associate shall report to _______________________________________ any use or disclosure of PHI not provided for by this Agreement.
d. Mitigation . Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
e. Business Associate’s Agents . Business Associate shall ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of ___________________________________________, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such PHI.
f. Access to PHI . Business Associate shall provide access, at the request of _______________________________________________, and in the time and manner designated by __________________________, to PHI in a Designated Record Set, to _________________________ or, as directed by _____________________, to an Individual in order to meet the requirements under 45 CFR Section 164.524, if applicable.
g. Amendment of PHI . Business Associate shall make any amendment(s) to PHI in a Designated Record Set that the _______________________________ directs or agrees to pursuant to 45 CFR Section 164.526 at the request of _______________________________________________ or an Individual, and in the time and manner designated by the _______________________________________________, if applicable.
h. Documentation of Disclosures . Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for _______________________________________________ to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528.
i. Accounting of Disclosures . Business Associate agrees to provide to _______________________________________________ or an Individual, in time and manner designated by _______________________________________________, information collected in accordance with Section 3(e) of this Agreement, to permit _______________________________________________ to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR Section 164.528.
j. Governmental Access to Records . Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, _______________________________________________ available to _______________________________________________ or, at the request of _______________________________________________, to the Secretary for purposes of the Secretary determining _______________________________________________’ compliance with the Privacy Rule.
k. Minimum Necessary Standard . In the performance of functions and activities on _______________________________________________’ behalf, Business Associate agrees to use, disclose or request only the minimum amount of PHI necessary to accomplish the purpose of the use, disclosure or request.
l. Chain of Trust . To the extent PHI is electronically exchanged between _______________________________________________ and Business Associate, Business Associate shall provide and maintain the equipment, software, services and testing necessary to effectively, reliably and confidentially transmit, process, convert, receive and interchange PHI in accordance with this Agreement and HIPAA Regulations. Further, Business Associate shall ensure that all electronic transmissions of PHI shall be protected from improper disclosure. In the event that such transmissions travel across lines of communication where both ends are not under the control of _______________________________________________, Business Associate agrees to use appropriate authentication and encryption systems designed to protect PHI from improper disclosures.
4. Obligations of _______________________________________________.
a. Notice of Privacy Practices . _______________________________________________ shall provide Business Associate, upon request, with the notice of privacy practices that _______________________________________________ produces in accordance with 45 CFR Section 164.520.
b. Notification of Changes Regarding Individual Permission . _______________________________________________ shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate’s permitted or required uses and disclosures.
c. Notification of Restrictions to Use or Disclosure of PHI . _______________________________________________ shall notify Business Associate of any restriction to the use or disclosure of PHI that _______________________________________________ has agreed to in accordance with 45 CFR Section 164.522.
5. Permissible Requests by _______________________________________________. _______________________________________________ shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by ______________________________________________, except as permitted pursuant to the provisions of Sections 2(a) and 2(b) of this Agreement.
6. Term and Termination .
a. Term . The term of this Agreement shall commence as of the last date of signature below.
b. Termination for Cause . Upon _______________________________________________ knowledge of a material breach by Business Associate of this Agreement, _______________________________________________ shall provide an opportunity for Business Associate to cure the breach or end the violation within the time specified by _______________________________________________, or immediately terminate this Agreement.
c. Effect of Termination .
Business Associate shall extend the protections of this
Agreement to such PHI and limit further
uses and disclosures of such, for so long as Business Associate maintains such PHI.
7. Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required.
8. Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for ______________________________________________ to comply with the requirements of the Privacy Rule and HIPAA.
9. Survival. The respective rights and obligations of Business Associate under Section 6(c) of this Agreement shall survive the termination of this Agreement.
10. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than _______________________________________________, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
11. Effect on Agreement. Except as specifically required to implement the purposes of this Agreement, or to the extent inconsistent with this Agreement, all other terms of any other agreement by and between _______________________________________________ and Business Associate shall remain in force and effect.
IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement effective as of the last date signed below.
___________________________________ Business Associate
By: _______________________________ By: ____________________________
Print Name: ________________________ Print Name: _____________________
Title: _____________________________ Title: ___________________________
Date: _____________________________ Date: ___________________________
City, State, Zip: ___________________
Phone Number: ___________________
Agent Number: ___________________