Optima Healthcare Solutions, LLC (“Optima”) will provide the revenue cycle management services (the “RCM Services” or the “Services”) in accordance with the Agreement between Optima and CUSTOMER (the “Agreement”), this RCM Services Description, and the Terms and Conditions and Business Associate Agreement found below.
OUTPATIENT RCM SERVICES DESCRIPTION
- CLAIMS PROCESSING. Claims for services rendered by CUSTOMER will be processed by Optima after submission into an electronic claims management system. If/when electronic claims submission is not allowed by a payer, paper‐based claims processing will be performed. Claims processed by Optima will receive electronic and/or manual review (format and configuration only, not content) including submission of in‐network and out‐of‐network claims.
- INFORMATION TO BE PROVIDED BY CUSTOMER. The performance of the RCM Services by Optima is dependent on information provided by CUSTOMER. Certain information provided by CUSTOMER is generated by CUSTOMER, and other items may be obtained from patients, vendors or other 3rd parties. CUSTOMER acknowledges that Optima doesnotaudittheinformationprovidedbyCUSTOMERforusein providingtheRCM Services,andOptimamakesno warranty as to the accuracy or completeness of the information provided by CUSTOMER. The RCM Services do not include any independent verification of information provided by CUSTOMER, including but not limited to verification of credentialing, analysis of availability of benefits under an insurance contract or reimbursement program, appropriateness of coding for a provided service, or the method or appropriateness of the provision of services by CUSTOMER to its patients. CUSTOMER is responsible for the information it provides to Optima in the performance of the RCM Services, and CUSTOMER will provide the information in a timely, accurate manner to allow Optima to efficiently perform the RCM Services.
3.1 General. Fees for the RCM Services shall be as stated in the Agreement.
3.2 Untimely Information Fee. In the event CUSTOMER does not provide Optima with timely remittance advice, payment on claims, and/or patient information (including charges and/or chart notes) within ten (10) business days of the date such information is first generated, a $3.50 surcharge will be applied to each of such claim processed by Optima, in addition to the base collection Fees.
3.3 Data Export Fees & Pass-Through Fees. Upon termination of the Agreement for any reason, it will be CUSTOMER’s responsibility to secure any and all data exports necessary to preserve CUSTOMER’s ability to ensure compliance with applicable law, as well as to continue uninterrupted business operations with any new technology provider(s). The fees for such data exports will be the responsibility of CUSTOMER and will be negotiated directly between CUSTOMER and any of Optima’s software partners. Optima is not responsible for the ability of any data export to satisfy the legal and/or business needs of CUSTOMER upon termination for any reason. InthedeliveryofservicestoCUSTOMER, Optima may incur fees from its partners and vendors. These fees may include, but are not limited to, clearinghouse fees, mailing fees, statement processing fees, customer support phone lines, and other related fees. When incurred, these fees may be passed through to CUSTOMER inclusive of a markup which covers expenses associated with vendor relations, administrative fees, credit risk, timing differences, and other factors.
3.4 Fees Due Upon Termination. Upon termination of the Agreement for any reason, CUSTOMER will be responsible for a $3.50 fee for each claim which has been processed and submitted to the appropriate payer(s) by Optima, and for which there remains an open remit balance as of the date of termination (the “Open Claims”). Within 15 business days of termination, Optima will provide CUSTOMER with pertinent information relating to the Open Claims so that CUSTOMER may complete the collections effort for such claims.
3.5 Miscellaneous Fees. Other fees related to CUSTOMER requests which fall outside of the scope of the RCM Services contained in this Agreement will be the responsibility of CUSTOMER. Examples of these fees may include, but are not limited to, merchant services fees, collections agency fees, and other fees related to CUSTOMER requests or to services to which Optima is not a contracted party.
- PAYMENT POSTING; REMITTANCE. Incoming payments and remittance advice will be delivered electronically or by paper to Optima and posted to the corresponding claims within the claims management system. If payment and/or remittance advice is received first by CUSTOMER, CUSTOMER will provide the information to Optima for posting no later than ten (10) business days after such documents were first generated. CUSTOMER will provide and/or allow Optima authorized access to websites and/or portals through which Optima can access payer and claims information required for payment posting and remittance. CUSTOMER will complete electronic remittance advice (ERA) application(s) as requested by Optima in order to ensure expedited and accurate posting of claims information to patient accounts.
- DENIAL PROCESSING. Claims denied by CUSTOMER’s payers will be researched by Optima to determine if the claim can be resubmitted with additional or edited information. Optima will work with CUSTOMER to obtain and/or edit information required for submission. The inability of CUSTOMER to timely respond with accurate, complete information will significantly hinder the ultimate collection of denied claims. Optima may resubmit and/or appeal denied claims per the protocol established by CUSTOMER’s payers. If a first appeal is denied, the claim may be appealed a second time if allowed by contract and research indicates the claim may still be payable. It is at Optima’s discretion as to whether a second appeal is to be performed. If after resubmission and/or appeal it is determined by Optima that a claim is not payable, a write off request will be sent to CUSTOMER for approval. If approved by CUSTOMER, the denied balance will be written off. If not approved by CUSTOMER and CUSTOMER wishes to pursue further action to appeal the claim with their payer, CUSTOMER may use CUSTOMER’s internal resources for further research and/or appeal the claim. Optima makes no warranty, express or implied, regarding the collectability of any claim.
- STATEMENT PROCESSING. Patient statements will be generated once per month for CUSTOMER for three (3) statement cycles and mailed to patients with balances due. The mailing schedule for patient statements will coincide with the processing of patient statements for other Optima CUSTOMERs.
- PATIENT PHONE SUPPORT. Optima will establish and maintain a dedicated phone number published on outbound patient statements and used to support and accept phone payments from CUSTOMER patients.
- SECURE CLOUD STORAGE. CUSTOMER will be provided with access to a secure cloud storage and collaboration portal through which documents can be securely shared between CUSTOMER and Optima. CUSTOMER may have up to 5 unique user accounts for staff use, with a maximum of 2 GB storage space. Secure cloud storage is intended for documents pertaining to the RCM Services rendered by Optima. Cloud storage services may be provided by a 3rd party provider and Optima is not liable for any loss or inability to access data.
- PAST DUE PATIENT ACCOUNTS CLAIMS SERVICING. Optima does not perform debt collection services on past due claims relating to patient balances. If desired, CUSTOMER may establish an account with Optima’s collections partner in order to transfer past‐due patient account claims for collections servicing. If this option is exercised, CUSTOMER will maintain ownership and control of collections accounts, advising Optima and our collections partner as to which claims should be pursued through the collections process. Balances which are authorized by CUSTOMER to be pursued through the Optima collections partner will be transferred to the partner by Optima. Additional fees related to debt collections servicing will be the responsibility of CUSTOMER. Separate documents which outline the legal and/or procedural relationship between CUSTOMER and the debt collections partner may be required. If this option is not exercised and CUSTOMER wishes to use an independent collections partner, CUSTOMER will be responsible for communication of transferred balances to the independent partner.
- EXISTING ACCOUNTS RECEIVABLE SERVICING. Upon commencement of the RCM Services by Optima, CUSTOMER may have existing outstanding accounts receivable due from insurers and patients. If requested by CUSTOMER and agreed to by Optima, Optima will attempt to resolve accounts receivable balances which precede the CUSTOMER relationship with Optima. Inheriting such account receivable balances requires significant research and effort without any guarantee of payment due to a myriad of circumstances beyond Optima’s control, including lack of proper authorization for services, unmet timely filing requirements, incomplete information necessary to research or resubmit claims, etc. For this reason, Optima will attempt to resolve existing account receivable balances only under the following conditions:
10.1 Access to Information. Optima will be provided timely and efficient access to all existing electronic and/or paper claims data in possession of CUSTOMER. Where possible, and if agreeable to Optima, CUSTOMER will provide access to existing databases which contain the information necessary to fully research existing account receivable balances. Optima will determine, in the exercise of reasonable discretion, whether the access provided is sufficient and will make possible the research of existing account receivable balances.
10.2 Automatic Writeoffs. It is common for existing accounts receivable to contain large, unpayable balances. Balances which will not be paid must be addressed efficiently in order to limit any research efforts which will not generate additional monies to either CUSTOMER or Optima. For this reason, Optima will automatically write off balances which meet the following criteria:
- Any claim which has been denied for timely filing.
- Any non-Medicare claim over 90 days old which is missing patient or insurance information, including missing authorizations.
- Any claim over 365 days old.
- Any balance under $25.00.
10.3 Choice of Software. Optima may choose to resolve existing account receivable balances using CUSTOMER’s software, Optima’s software, or a combination of the two. CUSTOMER will be responsible for maintaining any and all license or access fees necessary for Optima to reasonably access relevant data should CUSTOMER software be used.
11. CREDIT CARD PROCESSING MERCHANT. Optima will process patient and/or insurance credit and debit cards on behalf of the CUSTOMER, as received by mail, online, or phone. In order for Optima to process these payments, CUSTOMER will be provided the following options pertaining to this service offering:
11.1 Optima Uses CUSTOMER Merchant Processor. If CUSTOMER utilizes a merchant account processor which allows secure, remote access over the internet, Optima will evaluate the merchant account processor to determine if Optima can process payments efficiently and accurately using the existing system. Merchant account fees, including access fees which allow Optima to utilize system, if any, will be the responsibility of CUSTOMER.
11.2 CUSTOMER Uses Optima Merchant Processor. If CUSTOMER does not utilize a merchant account processor which allows secure, remote access over the internet, Optima will provide to CUSTOMER the option of using an Optima selected merchant processor to allow Optima to process credit and debit card payments on behalf of CUSTOMER. If CUSTOMER opts to use the Optima selected merchant processor, CUSTOMER will be required to complete any necessary paperwork or forms which establish the merchant account relationship between the merchant processor and CUSTOMER. Merchant account fees, including access fees which allow Optima to utilize the system, if any, will be the responsibility of CUSTOMER.
12. BILLING DISPUTES. IT IS THE RESPONSIBILITY OF THE CUSTOMER TO TIMELY REVIEW AND NOTIFY OPTIMA IN WRITING OF ANY DISPUTE WHICH CHALLENGES THE ACCURACY OR VERACITY OF INVOICES GENERATED BY OPTIMA FOR SERVICES RENDERED. IN NO EVENT WILL OPTIMA BE LIABLE FOR ANY DISPUTED CHARGES BEYOND THOSE BILLED ON THE INVOICES ISSUED FOR THE 90 DAYS PRIOR TO THE MONTH IN WHICH THE DISPUTE IS RAISED WITH OPTIMA. CUSTOMER WAIVES ANY RIGHT TO DAMAGES FOR BILLING DISCREPANCIES BEYOND THE 90 DAY LOOK BACK PERIOD REFERRED TO IN THE PRECEDING SENTENCE.
13. COMPLIANCE WITH LAWS. In the performance of the RCM Services, Optima is entitled to assume, without independent verification, that all services rendered by CUSTOMER to patients and submitted to Optima for claims processing were fully, legally and ethically performed under applicable federal and state regulation, by properly credentialed healthcare practitioners. Optima has no way to verify this information and will not be responsible, expressly or impliedly, for any such matters. In the event Optima becomes aware that any services rendered by CUSTOMER to patients were not fully, legally and ethically performed under applicable federal and state regulation, by properly credentialed healthcare practitioners, Optima may terminate the Agreement for cause.
TERMS AND CONDITIONS
(a) Provision of Services. Subject to the terms, conditions and limitations set forth in the Agreement and these Terms and Conditions, CUSTOMER shall provide the applicable Services to CUSTOMER as set forth in CUSTOMER’s Agreement. To the extent that the Agreement includes the use of any software provided by Optima, such software is also being provided as a service and is included in the Services.
(b) Title & Ownership of Rights. Optima may use certain intellectual property in performing the Services, including without limitation, data, software, designs, utilities, tools, models, systems, ideas, methods and techniques (“Materials”). CUSTOMER acknowledges that Optima is the owner of all Materials, including any and all related intellectual property rights in the Materials (including any developments, improvements, and knowledge generated during the performance of our Services), and in any working papers compiled in connection with the Services. In the course of performing the Services, Optima may provide CUSTOMER with access to spreadsheets, models, or other software tools. These items are provided to CUSTOMER solely for convenience and on an “as is” condition without warranty of any kind.
2. Independent Contractor. In connection with Optima’s performance of the Services, Optima and each person provided by Optima to CUSTOMER hereunder shall act solely as an independent contractor and nothing herein contained shall at any time be so construed as to create a relationship of employer and employee, partnership, principal and agent, or joint venture as between CUSTOMER and Optima or between CUSTOMER and any person provided by Optima to CUSTOMER hereunder.
3. Term and Termination.
(a) General. The term of the Agreement (“Term”) shall commence on the Effective Date of the Agreement and continue thereafter for the Initial Term, subject to earlier termination in accordance with these Terms and Conditions. Upon the expiration of the Initial Term, unless stated otherwise in the Agreement, the Agreement will automatically renew for successive terms of equal length with the Initial Term (each a “Renewal Term”) at the Fees set forth in Section 4(b) of these Terms and Conditions, unless either party elects to terminate the Agreement by giving the other party written notice of such election at least sixty (60) days before the expiration of the then-current Term.
(b) Termination. If CUSTOMER commits a material breach of the Agreement, including these Terms and Conditions and/or the BAA, and persists in such failure for a period of thirty (30) days after receiving written notice thereof from Optima, Optima may terminate the Agreement upon written notice to CUSTOMER and CUSTOMER shall pay all remaining Fees from the date of termination to the end of the current Term. If Optima commits a material breach of the Agreement, and persists in such failure for a period of thirty (30) days after receiving written notice thereof from CUSTOMER, CUSTOMER may terminate this Agreement upon written notice.
(a) General. In consideration of the Services provided by Optima pursuant to the Agreement, CUSTOMER shall pay to Optima the amounts provided for in the applicable Agreement (the “Fee(s)”) and in accordance with the payment terms set forth in the Agreement.
(b) Renewal & Third-Party Fees. For any Renewal Term, the Fees shall be Optima’s then-current Fees. In addition, Optima may increase Fees at any time in an amount equal to any charges imposed by third parties for any third party components used in connection with the Services.
(c) Taxes Not Included. To the extent applicable, the Fees listed in the Agreement do not include taxes, duties, or other fees, and CUSTOMER shall reimburse Optima for all such taxes appropriately assessed and paid related to any Services provided pursuant to this Agreement, except for those taxes based on Optima’s net income.
(d) Late Payment. If any of the Fees are not paid to Optima by CUSTOMER when due, then the Services may not become available to CUSTOMER until such Fees are paid in full. Payments not made when due will be subject to interest charges at a rate equal to the lesser of one and one-half percent (1.50%) per month, or the maximum rate allowable by law and will accrue monthly on all outstanding balances until paid. CUSTOMER shall be responsible for paying all costs of collection, including reasonable attorneys’ fees, and where lawful, collection agency fees. If payment is not received within sixty (60) days of such payment due date, any and all warranties provided pursuant to the terms of this Agreement shall be voided, and Services provided to CUSTOMER pursuant to the terms of the Agreement will be suspended until payment is received. Services shall be reinstated when CUSTOMER’S payment is received in full. Except for termination by CUSTOMER in accordance with this Agreement, all payment obligations under this Agreement are non-cancelable and non-refundable.
5. CUSTOMER Responsibilities & Acknowledgements.
(a) CUSTOMER shall be responsible for the following, unless otherwise set forth in the Agreement: adherence to specified system requirements; running and maintaining all computer network and internet connections necessary for CUSTOMER to use the Services; and all data conversion (if applicable).
(b) CUSTOMER will fully cooperate with Optima in its performance of the Services and will at all times provide Optima with at least one reliable point of contact for purposes of overseeing the Services.
(c) CUSTOMER will participate fully in the implementation of the Services, including, as applicable, attending training sessions, performing applicable file builds, and complying with other reasonable Optima instructions regarding the implementation. In no event shall CUSTOMER delay the start of implementation of the applicable software beyond the applicable Billing Start Date (as set forth in the applicable Agreement). In the event CUSTOMER delays the completion of the implementation of the Services beyond the Billing Start Date, for each month thereafter until the Services are fully implemented, CUSTOMER shall pay to Optima the greater of (i) one-half of the monthly Fees due for the Services, or $350.00/month.
(d) CUSTOMER acknowledges that the Services may use, incorporate or access Third Party Products and/or that Optima may utilize subcontractors in its performance of the Services. To the extent that CUSTOMER uses, incorporates or accesses any Third Party Products that are provided by Optima to CUSTOMER, CUSTOMER acknowledges that continued usage of such Third Party Product(s) is contingent on Optima’s continued relationship with such Third Party Product vendor and that such use may be subject to additional terms and conditions of the applicable Third Party Product vendor. To the extent CUSTOMER uses, incorporates or accesses any Third Party Products that are not provided by Optima to CUSTOMER, CUSTOMER represents it has obtained and covenants it will obtain the necessary rights or licenses from the applicable third party vendors to use such Third Party Products and agrees that Optima shall not be liable for CUSTOMER’s failure to obtain such rights or licenses. Optima makes no representation or warranty with respect to any such Third Party Products. Optima shall not be liable for any damages, costs, or expenses, direct or indirect, arising out of the performance or failure to perform of Third Party Products. “Third Party Products” includes, but is not limited to, any product, technology, tool, database, software, works, coding scheme or other intellectual property developed or owned by a third party. To the extent that CUSTOMER utilizes billing software provided by Optima, the terms and conditions located at www.nethealth.com/CPT-End-User-Agreement also apply with regard to the CPT codes located within such billing software.
(e) CUSTOMER acknowledges that the Services may include access to software to be used by CUSTOMER’s personnel as an aid to the organization of patient care. Such software is in no way intended, and the information contained therein is not to be used by any party in any way to replace the professional skill and judgment of physicians and other health care providers. The software is not to be used to guide or determine care provided by physicians and other health care providers, nor as a substitute for an accurate patient medical record and/or sound medical judgment by the treating physician or other health care provider. CUSTOMER’s personnel and all healthcare providers are solely responsible for the care of their patients and for determining whether to rely on the data and information contained within any software provided by Optima. Any reliance for any purpose directly or indirectly related to patient care cannot in any way be controlled by Optima and CUSTOMER is responsible for verifying the accuracy and completeness of any medical or other similar information contained in, entered into, or used in connection with such software.
(a) CUSTOMER acknowledges that the Services, including any software provided by Optima pursuant to the Services, contain proprietary information of Optima, and such information is deemed confidential/proprietary information, the disclosure of which is restricted by this section (such information being “Confidential Information”). CUSTOMER agrees to maintain the confidentiality of the Confidential Information in a manner using at least as great a degree of care as the manner used to maintain the confidentiality of CUSTOMER’S own confidential information. Unless otherwise permitted by this Agreement, CUSTOMER shall not disclose any of the Confidential Information to any third party without the prior written consent of Optima. CUSTOMER further agrees that the confidentiality obligations contained herein shall apply to CUSTOMER’s agents and employees that utilize the Services, and that CUSTOMER is wholly responsible for its user’s compliance with this provision.
(b) CUSTOMER, its authorized affiliates, agents, and subcontractors shall not sell, transfer, publish, disclose, display, reverse engineer, or otherwise make available to others the Services or any other material relating to the software. CUSTOMER shall protect the Services, including any software or any other material relating to the Services, from unauthorized access and use, including using passwords made known only to CUSTOMER’S employees who use the Services as a regular part of their employment and giving its employees written notification of the requirements of this section. CUSTOMER shall advise Optima immediately if CUSTOMER learns or has reason to believe that any of CUSTOMER’S employees, agents, independent contractors, or affiliates has violated or intends to violate the terms of this section, and CUSTOMER will cooperate with Optima in seeking injunctive or other equitable relief against any such person including giving Optima access to all relevant documents and the opportunity to interview CUSTOMER’S employees.
7. Use of De-Identified Data. In further consideration of the CUSTOMER’s use and access of the Services, Optima may use in its business, on a perpetual, irrevocable basis, without obligation to CUSTOMER, de-identified patient data and information that is collected and uploaded to any software provided by Optima including, but not limited to, patients’ gender, age, medical histories and treatment (collectively, the “Data”).Under no circumstances shall Optima use or disclose such Data except in the de-identified form as described above and in compliance with HIPAA.
8. Publicity. Following execution of this Agreement and during the Term hereof, Optima shall be permitted to utilize CUSTOMER’S name and logo in marketing materials, customer lists, and in press releases noting that CUSTOMER is an Optima customer.
9. Warranty Disclaimer; Limitation Of Liability.
(a) THE WARRANTIES PROVIDED IN THIS AGREEMENT ARE THE SOLE AND EXCLUSIVE WARRANTIES OFFERED BY OPTIMA. OPTIMA MAKES AND CUSTOMER RECEIVES NO OTHER WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS AGREEMENT OR ANY OTHER COMMUNICATION, REGARDING THE SERVICES AND OPTIMA SPECIFICALLY DISCLAIMS ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
(b) In no event shall Optima be liable to CUSTOMER for any loss of profits; any incidental, special, exemplary, or consequential damages; or any claims or demands brought against CUSTOMER, even if Optima has been advised of the possibility of such damages. Optima’s total liability with respect to all causes of action together will not exceed the total amount of Fees paid by CUSTOMER to Optima under the applicable Agreement in the twelve (12) months before such claim arose.
10. Governing Law and Jurisdiction. The Agreement and these Terms and Conditions shall be governed and construed in all respects in accordance with the laws of the Commonwealth of Pennsylvania without regard to any conflict of laws principles. Any disputes arising out of this Agreement will be subject to the exclusive jurisdiction of the state and federal courts located in Allegheny County, Pennsylvania, each party hereby consents to the jurisdiction of such courts, and neither party shall bring any action hereunder in any other court.
11. Force Majeure. Optima shall not be liable for breach of the Agreement caused by circumstances beyond Optima’s reasonable control.
12. Notices. All notices required by this Agreement shall be in writing and shall be delivered by hand, United States Postal Service certified mail, or overnight courier to the other party at such party’s address set forth in the opening paragraph of this Agreement, or to such other address as each party may designate in writing.
13. Integration. The Agreement, including these terms and conditions, constitutes the entire agreement of the parties with respect to the subject matter contained herein, and supersedes all prior representations, proposals, discussions, and communications, whether oral or written.
14. Clinisign. The following applies only if CliniSign is included in the Agreement:
(a) By using CliniSign, CUSTOMER is giving Optima permission to send documents to physicians and other healthcare providers (collectively, “Healthcare Providers”) for electronic signature. The permission and access to records is initiated through the CliniSign enrollment process where a link is established with the individual Healthcare Provider. To revoke permission and access to records, CUSTOMER must remove the link for the Healthcare Provider. CUSTOMER agrees that the Healthcare Provider is entitled to transmit, receive, or exchange Protected Health Information as directed by CUSTOMER and in compliance with HIPAA.
(b) Prior to establishing a link for a specific Healthcare Provider, CUSTOMER agrees to inform the Healthcare Provider that they may receive automated communications by email, text, or both from CliniSign. By providing a Healthcare Provider’s cell phone number or email address, CUSTOMER agrees that the Healthcare Provider has given permission to CUSTOMER for CliniSign to send emails and automated text messages to the Healthcare Provider and has informed the Healthcare Provider.
15. Survival. Sections 1(b), 4, 6, 7, 9, 10, 11, 12, and this Section 15 shall survive any termination or expiration of the Agreement.
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("BAA") is entered into by and between Optima Healthcare Solutions, LLC ("Business Associate") and CUSTOMER("Covered Entity") effective as the effective date of the Agreement between the parties (“Effective Date”). This BAA sets out the responsibilities and obligations of Business Associate as a business associate of Covered Entity under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).
Whereas, Business Associate and Covered Entity have entered into a certain Agreement ("Agreement") under which Business Associate has agreed to provide Covered Entity with certain software and/or related services;
Whereas, Business Associate and Covered Entity have mutual obligations under the Agreement that may require Business Associate and Covered Entity to use or disclose Covered Entity's PHI of Individuals as that term is defined under HIPAA; and
Whereas, This BAA is intended to comply with the rules on handling of PHI under the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subpart E (“Privacy Rule”), the HIPAA Security Standards, 45 C.F.R. Part 160 and Part 164, Subpart C (“Security Rule”), and the HIPAA Breach Notification Regulations, 45 C.F.R. Part 164, Subpart D (“Breach Notification Rule”), so as to permit the Business Associate and Covered Entity to access, use and exchange PHI in a manner which complies with the provisions of HIPAA and the HITECH Act.
NOW, THEREFORE, in consideration of the foregoing, the agreements contained herein and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged by the parties, Business Associate and Covered Entity agree as follows:
Section 1— Definitions
1.1 Terms Defined in Regulation. Capitalized terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms are defined in the Privacy Rule, the Security Rule, and the Breach Notification Rule promulgated pursuant to the HITECH Act, 45 C.F.R. 164.402.
1.2 Electronic Health Record. "Electronic Health Record" shall have the same meaning as the term "electronic health record" in the HITECH Act, section 13400(5).
1.3 Electronic Protected Health Information. "Electronic Protected Health Information" (sometimes “ePHI”) shall have the same meaning as the term 'electronic protected health information' in 45 C.F.R. 160.103 limited to the information received from Covered Entity, or created, maintained or transmitted by Business Associate on behalf of Covered Entity.
1.4 Individual. "Individual" shall have the same meaning as the term "individual" in 45 C.F.R.160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. 164.502(g).
1.5 Protected Health Information. "Protected Health Information" (“PHI”) shall have the same meaning as the term "protected health information" in 45 C.F.R. 160.103, limited to the information received from Covered Entity, or created, maintained or transmitted by Business Associate on behalf of Covered Entity.
Section 2 - Obligations & Activities of Business Associate under the Privacy Rule
2.1 Business Associate agrees to comply with all applicable Use and Disclosure provisions of the Privacy Rule as directed under section 13404 of the HITECH Act. To the extent Business Associate is to carry out an obligation of Covered Entity under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
2.2 Business Associate agrees that any Use or Disclosure of PHI shall comply with the Privacy Rule, as applicable to Business Associate.
2.3 Business Associate agrees to not Use or Disclose PHI other than as permitted or required by this BAA, the Agreement, or as Required by Law. Business Associate shall only Use or Disclose only the Minimum Necessary amount of PHI necessary to accomplish the purpose of the Use or Disclosure, in accordance with any current or future guidance issued by the Department of Health and Human Services regarding the "minimum necessary" use or disclosure of PHI. Except as otherwise permitted under HIPAA, Covered Entity shall provide to Business Associate only the Minimum Necessary amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
2.4 Business Associate will comply with the applicable requirements of the HIPAA Security Rule.
2.5 Business Associate agrees to report to Covered Entity's Privacy Official any Use or Disclosure of PHI for purposes other than those permitted by this BAA and/or the Agreement of which it becomes aware.
2.6 Business Associate agrees to ensure that any agent or subcontractor to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees to substantially the same restrictions and conditions that apply through this BAA to Business Associate with respect to such information.
2.7 To the extent Business Associate maintains PHI in a Designated Record Set that is not duplicative of a Designated Record Set maintained by Covered Entity, Business Associate will make such PHI available to Covered Entity PHI in order for Covered Entity to meet the requirements under 45 C.F.R. 164.524. If an Individual makes a request for access to PHI directly to Business Associate, Business Associate shall notify Covered Entity of such request. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Only Covered Entity will release PHI to an Individual pursuant to such a request. Business Associate will notify Covered Entity of any request (including subpoenas) that Business Associate receives for access to PHI that is within Business Associate’s custody, and Covered Entity will be responsible for providing an appropriate response.
2.8 To the extent Business Associate maintains PHI in a Designated Record Set that is not duplicative of a Designated Record Set maintained by Covered Entity, Business Associate will provide such PHI to Covered Entity for amendment. If an Individual makes a request for amendment directly to Business Associate, Business Associate will forward such request in writing to Covered Entity. Covered Entity shall have the sole responsibility to make decisions regarding whether to approve a request for an amendment to PHI.
2.9 Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary, in a time and manner designated by the Secretary, as applicable, for purposes of determining Covered Entity's compliance with HIPAA or the HITECH Act. No attorney-client, accountant-client or other legal privilege will be deemed waived by Business Associate or Covered Entity as a result of compliance with this Section.
2.10 Business Associate agrees to document such disclosures of PHI in its possession and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528. At a minimum the following information regarding the disclosure will be documented: 1) the date of the disclosure; 2) the name of the entity or person who received the PHI, and the address of such entity or person; 3) a brief description of the PHI disclosed; 4) a brief statement regarding the purpose and an explanation of the basis of such disclosure; and 5) the names of the Individuals whose PHI was disclosed.
2.11 Business Associate agrees to provide to Covered Entity, upon written request, information collected in accordance with Section 2.10 of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. 164.528.
2.12 To the extent that Covered Entity uses or maintains an Electronic Health Record that discloses any PHI to a third party, and/or to the extent Business Associate's licensed software is deemed to be an Electronic Health Record that discloses any PHI to a third party, Business Associate agrees to cooperate with Covered Entity to ensure that, as of any applicable compliance date, such Electronic Health Record is capable of providing the information required by the then current provisions of the HITECH Act, or any regulations promulgated thereunder, for an accounting of disclosures of PHI through an Electronic Health Record.
Section 3 — Permitted Uses & Disclosures by Business Associate
3.1 General Use and Disclosure Provision. Except as otherwise limited in this BAA, Business Associate may Use or Disclose PHI obtained from or on behalf of Covered Entity to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in this BAA and/or the Agreement, provided that such Use or Disclosure complies with HIPAA and the HITECH Act.
3.2 Specific Use and Disclosure Provision.
(a) Except as otherwise limited in this BAA, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
(b) Except as otherwise limited in this BAA, Business Associate may Use or Disclose PHI for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate. Business Associate may Disclose PHI to a third party for such purposes only if: (1) the Disclosure is Required by Law; or (2) Business Associate secures written assurance from the receiving party that the receiving party will: (i) hold the PHI confidentially; (ii) Use or Disclose the PHI only as Required by Law or for the purposes for which it was Disclosed to the recipient; and (iii) notify the Business Associate of any other Use or Disclosure of PHI.
(c) Business Associate may Use or Disclose PHI to perform Data Aggregation as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
(d) Business Associate and its subcontractor(s) may also Use and Disclose PHI to create de-identified information consistent with the standard for de-identification of PHI set forth at 45 C.F.R. 164.514. Business Associate and its subcontractor(s) shall be permitted to further Use or Disclose such de-identified information provided that such Use or Disclosure is not prohibited by law. The parties understand that properly de-identified information is not PHI and is not subject to the terms and conditions of this BAA.
Section 4 - Obligations & Activities of Business Associate under the Security Rule and HITECH Act
4.1 Business Associate will implement and maintain appropriate safeguards to prevent any Use or Disclosure of PHI for purposes other than those permitted by this BAA or the Agreement, including administrative, physical and technical safeguards to protect the confidentiality, integrity, and availability of any ePHI, if any, that Business Associate receives from Covered Entity or creates, maintains, or transmits on behalf of Covered Entity. Business Associate will comply with the applicable requirements of the HIPAA Security Rule.
4.2 Business Associate agrees to ensure that any agent, including subcontractors, to whom it provides ePHI agree in writing to implement reasonable and appropriate safeguards to protect the ePHI.
4.3 Business Associate agrees to report to Covered Entity any Security Incident involving ePHI of which Business Associate becomes aware in which there is a successful unauthorized access, Use, Disclosure, modification, or destruction of ePHI or interference with system operations in an information system in a manner that risks the confidentiality, integrity, or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.
4.4 Business Associate agrees to notify Covered Entity no later than sixty (60) days following the discovery of a Breach of Unsecured PHI. A Breach is considered "discovered" as of the first day on which the Breach is known to Business Associate or any employee, officer or agent of Business Associate, other than the individual committing the Breach. Such notices shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during such Breach.
4.5 Business Associate agrees to make its policies and procedures, and any documentation required under the Security Rule available to the Secretary, within fifteen (15) days or in a time and manner designated by the Secretary, for purposes of the Secretary determining Business Associate's and/or Covered Entity's compliance with the Security Rule.
Section 5 – Obligations & Restrictions of Covered Entity
5.1 Except as Required by Law, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Business Associate’s use or disclosure of PHI under the Services agreements.
5.2 Covered Entity warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Business Associate. Covered Entity shall notify Business Associate in writing of any changes in, or revocations of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI.
5.3 Covered Entity shall not agree to any restriction on the use or disclosure of PHI under 45 CFR § 164.522 that restricts Business Associate’s use or disclosure of PHI under the Services agreement unless such restriction is Required by Law.
5.4 Covered Entity shall not request or permit Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by Covered Entity (except for those activities which are permissible for Business Associate to undertake under HIPAA).
Section 6 —Term and Termination
6.1 Term. This BAA shall become effective on the date the Agreement becomes effective, and shall terminate when the Agreement terminates.
6.2 Continuation of Agreement. This BAA supersedes any prior Business Associate Agreement between Covered Entity and Business Associate. This BAA shall continue after any new Agreement is entered into between Covered Entity and Business Associate except to the extent that such other agreement includes business associate agreement provisions or specifically states that it supersedes this BAA.
6.3 Termination for Cause. Upon a party's knowledge of a material breach by the other party, the non-breaching party shall either:
(a) Provide an opportunity for the other party to cure the breach or end the violation within thirty (30) days of receipt of written notice of such breach or violation, and terminate this BAA if the other party does not cure the breach or end the violation within such thirty (30) day period or begin taking steps to cure the breach or violation and proceed promptly to completion of such cure; or
(b) Immediately terminate this BAA if the other party has breached a material term of this BAA and cure is not possible.
6.4 Effect of Termination.
(a) Except as provided in paragraph (b) of this section, upon termination of this BAA, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall retain no copies of the PHI.
(b) In the event that Business Associate determines that returning or destroying the PHI is infeasible, for example, because such information must be retained for compliance with applicable laws, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon notification of the conditions that make return or destruction infeasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
Section 7 -- Miscellaneous
7.1 Regulatory References. A reference in this BAA to a section in the Privacy Rule, Security Rule or HITECH Act means the relevant section as in effect or as amended.
7.2 Amendment. The parties agree to take such action as is necessary to amend this BAA from time to time as necessary to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, the HITECH Act, and any rules and regulations adopted in the future to provide additional guidance with respect to the above.
7.3 Independent Contractors. None of the provisions of this BAA shall create or be construed to create any relationship between the parties other than that of independent entities contracting for the sole purpose of effecting the provisions of this BAA and the Agreement. Neither party, nor any of their respective agents or employees, shall be construed to be the agent, employee or representative of the other party.
7.4 No Agency Relationship. Nothing in this BAA is intended to make either party an agent of the other. Nothing in this BAA is intended to confer upon Covered Entity the right or authority to direct or control Business Associate’s conduct in the course of Business Associate complying with the Agreement or the Agreement.
7.5 Survival. The respective rights and obligations of Business Associate under Section 6.4 of this BAA shall survive the termination of this BAA.
7.6 No Third Party Beneficiaries. This BAA is effective only in regard to the rights and obligations of Covered Entity and Business Associate. Covered Entity and Business Associate do not intend this BAA to create any independent rights in any third party or to make any third-party beneficiary of this BAA.
7.7 Interpretation. Any ambiguity in this BAA shall be resolved to permit Business Associate and Covered Entity to comply with the Privacy Rule, the Security Rule, HIPAA and its rules and regulations as they may become available or effective, and the HITECH Act and its rules and regulations as they may become available or effective.
7.8 Choice of Law. The validity, construction and effect of this BAA will be governed by the laws of the Commonwealth of Pennsylvania without giving effect to that state’s conflict of laws rules. Any dispute will be resolved in accordance with the dispute resolution terms in the Agreement.
7.9 Relationship to Provisions in Other Agreements. In the event that a provision of this BAA is contrary to a provision of the Agreement or any other agreement or agreements under which Covered Entity discloses PHI to Business Associate, this BAA shall control in regard to the Use and Disclosure of PHI.
REMAINDER OF PAGE INTENTIONALLY BLANK.