BUSINESS ASSOCIATE AGREEMENT ADDENDUM
This Business Associate Agreement Addendum (this “BAA”) supplements and is incorporated into the On-Demand Subscription Services Agreement (for services not under a term commitment order) or the Subscription Services Agreement (for services under a term commitment order) (as applicable, the “Agreement”) between the entity identified in your Order (“you” and “Client”) and Pitney Bowes Inc. with a place of business at 3001 Summer St, Stamford CT, 06926 (“Business Associate”, “we”, “us”, and “our”).
Business Associate is furnishing services to Client under the Agreement. In order for Business Associate to furnish services to Client in accordance with the Agreement, Client intends to disclose certain PHI (defined below) to Business Associate and expects Business Associate to use or disclose the PHI to perform its obligations under this BAA. This BAA will govern each party’s respective obligations regarding PHI.
Business Associate and Client intend to comply with the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164 in accordance with the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”) and its accompanying regulations as well as applicable provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act as incorporated in the American Recovery and Reinvestment Act of 2009 (“ARRA”) and any implementing regulations promulgated thereunder (collectively, “HIPAA Rules”).
1. Definitions. All capitalized terms used herein that are not otherwise defined shall have the same meaning as those terms are defined under HIPAA and HITECH, as may be amended from time to time. Any such amendments shall be considered to be included in the definitions, and the amended definition shall apply to this BAA. The following definitions supplement the defined terms set forth in the recitals of this BAA, which are incorporated by reference to this section.
a. “Breach” means the unauthorized acquisition, access, use or disclosure of Protected Health Information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information as set forth in 45 CFR §164.402. Breach does not include:
(i) any unintentional acquisition, access, or use of Protected Health Information by an employee or individual acting under the authority of Business Associate if:
(a) such acquisition, access or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with Business Associate; and
(b) such information is not further acquired, accessed, used or disclosed by any person; or
(ii) any inadvertent disclosure from an individual who is otherwise authorized to access Protected Health Information at a facility operated by Business Associate to another similarly situated individual at the same facility; and
(iii) any such information received as a result of such disclosure is not further acquired, accessed, used or disclosed without authorization by any person.
b. “Business Associate” shall mean Pitney Bowes Inc. acting as a business associate as such term is defined in 45 CFR §160.103.
c. “Covered Entity” shall have the same meaning as the term “covered entity” in 45 CFR §160.103, and in reference to the party to this BAA shall mean Client.
d. “CFR” means the Code of Federal Regulations.
e. “Designated Record Set” has the meaning assigned to such term in 45 CFR §164.501.
f. “Electronic Protected Health Information” or “ePHI” means individually identifiable health information that is transmitted by electronic media or maintained in electronic media, as defined in 45 CFR §160.103.
g. “Individual” shall have the same meaning as the term “individual” in 45 CFR §164.501 and 45 CFR §160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g)(1).
h. “Protected Health Information” shall have the same meaning as the term “protected health information” as defined in 45 CFR §160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
i. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR §164.502, and as permitted by 45 CFR §164.512.
j. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.
k. “Security Incident” shall have the same meaning as the term “security incident” in 45 CFR §164.304, §164.308(a), and §164.314(a)(2) and means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Notwithstanding the foregoing, “Security Incident” shall not include trivial incidents that occur on a routine basis, such as scans, “pings,” or similar unsuccessful attempts to penetrate computer networks or servers maintained by Business Associate.
l. “Standard Transactions” means the electronic health care transactions for which HIPAA standards have been established, as set forth in 45 CFR, Parts 160 and 162.
m. “Standards for Electronic Transactions Rule” means the final regulations issued by the Secretary concerning Standard Transactions and code sets under the HIPAA Rules, 45 CFR Parts 160 and 162 (August 17, 2000), as may thereafter be amended.
n. “Subcontractor” means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate, as set forth in 45 CFR §160.103.
o. “Transaction” means the types of information exchange between two parties to carry out financial or administrative activities related to health care as defined in 45 CFR §160.103 and in accordance with the Standards for Electronic Transactions Rule.
p. “Unsecured Protected Health Information” or “unsecured PHI” means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary that is accredited by the American National Standards Institute as set forth in 45 CFR §164.402 and 42 U.S. Code §17932.
2. Obligations of Business Associate with Respect to PHI. Business Associate covenants and agrees that it shall:
2.1 Limitations on Use and Disclosure of PHI. Not use or disclose PHI other than as permitted under this BAA or as otherwise required by law in accordance with 45 CFR §164.522;
2.2 Use Minimum Necessary. Limit the request, use, and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request in order to fulfill the purpose described above and as set forth in 45 CFR §164.502(b);
2.3 De-Identification. If necessary, use PHI to create de-identified information consistent with the standards set forth in 45 CFR §164.514(a)-(c);
2.4 Safeguarding PHI and ePHI. Use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted in this BAA. With respect to ePHI, Business Associate shall implement and comply with (and ensure that its subcontractors implement and comply with) the administrative safeguards set forth in 45 CFR §164.308, the physical safeguards set forth in 45 CFR §164.310, the technical safeguards set forth in 45 CFR §164.312, and the policies and procedures set forth in 45 CFR §164.316 to reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI;
2.5 Workforce Compliance. Implement in accordance with 45 CFR §164.308:
(i) policies and procedures to ensure that all members of its workforce have appropriate authorization and access to ePHI, and to prevent those workforce members who should not have access from obtaining access to ePHI;
(ii) appropriate sanctions against workforce members who fail to comply with the security policies and procedures of Business Associate;
(iii) a security awareness and training program for all members of its workforce;
2.6 Notification of Inappropriate Uses or Disclosures and Breaches of Unsecured PHI. In the event that Business Associate discovers a Breach of unsecured PHI, Business Associate agrees to notify Client without unreasonable delay, and no later than thirty (30) days after Business Associate’s discovery of such Breach. A Breach shall be treated as “discovered” as of the first day such Breach is known, or would have been known after the exercise of reasonable diligence, to Business Associate or to any person, other than the person committing the Breach, who is an employee, officer, or other agent of Business Associate, as set forth in 45 CFR §164.410(a)(2).
Business Associate and Client shall work together in good faith to conduct such reasonable diligence to determine whether the Breach compromises the security or privacy of the unsecured PHI (hereinafter the “Risk Assessment”). Business Associate shall cooperate with Client in investigating the Breach and in meeting obligations under the Breach Notification Rule in the event a Breach of unsecured PHI has been determined. Business Associate will make the Risk Assessment report available to Client after Business Associate has completed its Risk Assessment.
Upon such discovery, the report as required by 45 CFR §164.410 shall include, to the extent possible:
(i) the identification of each individual whose unsecured PHI was the subject of the breach; a brief description of what happened;
(ii) the date of the breach and the date of the discovery of the breach, if known;
(iii) a description of the types of unsecured PHI that were involved in the breach (such as full name, social security number, date of birth, and home address);
(iv) any steps the individuals should take to protect themselves from potential harm resulting from the breach; and
(v) a brief description of what Business Associate is doing to investigate the breach, mitigate losses, and protect against further breaches.
It shall be Client’s sole responsibility to provide any notifications to the individuals, the Department of Health and Human Services, and/or the media required by the HIPAA Rules.
2.7 Mitigate Harmful Effects. Business Associate shall implement policies and procedures to address Security Incidents. To the extent possible, Business Associate shall make all commercially reasonable efforts to identify and respond to suspected or known Security Incidents, mitigate the harmful effects of Security Incidents known to Business Associate and document Security Incidents and their outcomes as set forth in 45 CFR §164.308(a)(6)(ii). In addition, Business Associate shall report to Client any Security Incident of unsecured PHI of which it becomes aware and which has resulted in a Breach, as required by 45 CFR §164.410.
2.8 Compliance of Subcontractors. In compliance with 45 CFR §164.502(e)(1)(ii) and §164.308(b)(2), obtain from any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate satisfactory assurances, in a form consistent with the terms and conditions, restrictions and requirements established in this BAA, that the subcontractor will appropriately safeguard the PHI and agree to the same restrictions and conditions that apply to Business Associate with respect to such information;
2.9 Access to PHI. Upon Client’s written request, provide Client with access to PHI in a designated record set as necessary for Client to satisfy its obligations under 45 CFR §164.524. If Business Associate receives a written request for access to PHI in a designated record set directly from an individual, Business Associate will promptly forward the individual’s request to Client to fulfill the request;
2.10 Amendment of PHI. Upon Client’s written request, make any amendment(s) to PHI in a designated record or take other measures as necessary to satisfy Client’s obligations under 45 CFR §164.526 and Business Associate shall, as reasonably requested by Client, incorporate any amendments to PHI into copies of such PHI maintained by Business Associate. If Business Associate receives a written request for amendment to PHI in a designated record set directly from an individual, Business Associate will promptly forward the individual’s request to Client to fulfill the request;
2.11 Accounting of Disclosures. Upon Client’s written request, make available information to Client concerning Business Associate’s disclosure of PHI for which Client needs to provide an individual with an accounting of disclosures as necessary to satisfy Client’s obligations under 45 CFR §164.528. Should an accounting of the PHI of a particular individual be requested more than once in any twelve-month period, Business Associate may charge Client a reasonable, cost-based fee in accordance with 45 CFR §164.524(c)(4). If Business Associate receives a request for an accounting of disclosures directly from an individual, Business Associate will promptly forward the individual’s request to Client to fulfill the request;
2.12 Availability of Practices, Books, and Records. Unless otherwise prohibited by applicable law, make Business Associate's internal practices, books and records relating to the use and disclosure of PHI received from Client or created or received by Business Associate on behalf of Client available to the Secretary for purposes of determining Client’s compliance with the HIPAA Rules in accordance with 45 CFR §164.504(e)(2)(ii); and
2.13 Compliance with Subpart E. To the extent Business Associate is to carry out one or more of Client’s obligations under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to the Client in the performance of such obligations.
3. Permissible Use of PHI by Business Associate. The parties agree that Business Associate has the following rights regarding PHI:
3.1 Business Associate may create, use and/or disclose Client’s PHI to its agents, contractors or subcontractors pursuant to and in accordance with the Agreement or this BAA or as required by law to carry out its legal responsibilities, for proper management and administration, provided that such use or disclosure would not violate the HIPAA Rules as permitted by 45 CFR §164.502(a)(3) and 45 CFR §164.504(e);
3.2 Data Aggregation Services. If requested by Client, Business Associate may provide data aggregation services relating to the health care operations of Client as permitted by 42 CFR §164.504(e)(2)(i)(B);
3.3 Business Associate may use PHI to report violation of law to appropriate Federal and State authorities, consistent with §164.502 (j)(1);
3.4 Business Associate may disclose PHI that it receives or creates to another business associate of Client as requested by Client upon assurance by Client that the person and Client have entered a business associate agreement in compliance with the HIPAA Rules; and
3.5 Business Associate may create de-identified PHI to be used for any purpose.
4. Compliance with Transactions Standards. If Business Associate conducts in whole or part electronic Transactions on behalf of Client, Business Associate will:
4.1 Comply with all applicable provisions of the Standards for Electronic Transactions Rule when exchanging information as required for electronic transactions, including any future required transactions or code set standards adopted by the Secretary.
4.2 Ensure that any agents, including but not limited to contractors and subcontractors that assist Business Associate to conduct Standard Transactions on behalf of Client, agree in writing to comply with the Standards for Electronic Transactions Rule.
4.3 Not change the definition, data condition, or use of any data element or segment.
4.4 Not add any data elements or segments to the maximum defined data set in a standard Transaction.
4.5 Not use any code or data elements that are either marked “not used” in the standard's implementation specification or are not in the standard's implementation specification(s).
4.6 Not change the meaning or intent of the standard's implementation specification(s).
5. Obligations of Client.
5.1 Client will use appropriate safeguards to maintain the confidentiality, privacy and security of PHI in transmitting same to Business Associate pursuant to this BAA.
5.2 Client shall not agree to any restrictions on the use or disclosure of PHI that might adversely affect Business Associate’s ability to perform the services described above.
5.3 Client shall notify Business Associate of any limitation(s) in the notice of its privacy practices consistent with 45 CFR §164.520 (as well as any changes to that notice), to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
5.4 Client shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
5.5 Client shall notify Business Associate of any restriction on the use or disclosure of PHI that Client has agreed to or is required to abide by under 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
5.6 Client shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Client.
6. Termination for Cause. Upon Client’s knowledge of a material breach by Business Associate and as permitted by 45 CFR §164.504(e)(1),
6.1 Client shall either:
a. Provide an opportunity for Business Associate to cure the breach or end the violation. If Business Associate does not cure the breach or end the violation within 30 business days of written notice of breach from Client, Client may terminate this BAA;
b. Terminate this BAA if Business Associate has breached a material term of this BAA and cure is not possible; or
c. If neither termination nor cure is feasible, Client shall report the violation to the Secretary.
6.2 Return of PHI at Termination. Upon termination of this BAA, Business Associate shall, where feasible, return or destroy all PHI received from Client, or created, maintained, or received by Business Associate on behalf of Client in connection with the performance of its services. If return or destruction of PHI is not feasible, Business Associate shall protect all PHI according to the covenants and representations contained herein, for as long as Business Associate retains the PHI in accordance with 45 CFR §164.504(e)(2)(ii).
7. Entire Agreement. This BAA, including any exhibits attached hereto, constitutes the entire agreement among the parties hereto with respect to the subject matter hereof, and supersedes any and all prior agreements or statements among the parties hereto, both oral and written, concerning the subject matter hereof. This BAA may not be amended, modified, or terminated except by a writing signed by both parties. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
8. Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Client to comply with the HIPAA Rules.
9. Limitation of Liability. The parties agree that the indemnification provision of the Agreement shall apply in the same manner and with the same force and effect on the parties’ duties and obligations under this BAA including, but not limited to, any limitations of liability. If the Agreement is silent as to any limitations on Business Associate’s indemnification obligation or Business Associate’s total liability, the Business Associate’s total indemnification obligation to Client, if any, under this BAA and Business Associate’s total liability to Client for a breach of this BAA, shall not exceed the amounts paid by Client to Business Associate in the previous billing period under the Agreement.
10. Venue. Any disputes arising out of this BAA shall be litigated in the state or federal courts of Delaware. To the extent not preempted by federal law, this BAA shall be interpreted under Delaware state law. This Section 10 shall supersede anything to the contrary in the Agreement.
11. Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
12. Waiver. Failure or delay by either party to enforce compliance with any term or condition of this BAA will not constitute a waiver of such term or condition.
13. Enforceability. If any provision of this BAA shall be held invalid or unenforceable, such invalidity or unenforceability shall attach only to such provision and shall not in any way affect or render invalid or unenforceable any other provision of this BAA.
14. No Third Party Beneficiaries. The parties have not created and do not intend to create by this BAA any third party rights under this BAA. There are no third party beneficiaries to this BAA.