Business Associate Agreement
Pursuant to the Health Insurance Portability and Accountability Act (HIPAA) of 1996
and the Health Information Technology for Economic and Clinical Health (HITECH) Act
1. Parties to This Agreement
Covered Entity
The healthcare provider, health plan, or healthcare clearinghouse entering into this agreement with DRMAPro2, LLC (identified by signature below).
Business Associate
DRMAPro2, LLC
A limited liability company providing diagnostic radiology management and reporting services.
2. Purpose
This Business Associate Agreement ("BAA") is entered into to ensure that DRMAPro2, LLC will appropriately safeguard Protected Health Information ("PHI") that it creates, receives, maintains, or transmits on behalf of the Covered Entity, in compliance with the Privacy Rule and Security Rule under HIPAA and the HITECH Act.
3. Definitions
Unless otherwise defined herein, all capitalized terms shall have the meanings given to them under HIPAA, the HITECH Act, and their implementing regulations, including:
- Protected Health Information (PHI) — Individually identifiable health information transmitted or maintained in any form or medium.
- Electronic PHI (ePHI) — PHI that is created, stored, transmitted, or received electronically.
- Breach — Unauthorized acquisition, access, use, or disclosure of PHI that compromises security or privacy.
- Subcontractor — A person to whom DRMAPro2, LLC delegates a function, activity, or service involving PHI.
4. Obligations of DRMAPro2, LLC (Business Associate)
DRMAPro2, LLC agrees to:
- Not use or disclose PHI other than as permitted by this Agreement or required by law.
- Implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.
- Report to the Covered Entity any use or disclosure of PHI not provided for by this Agreement, including any Breach of Unsecured PHI, without unreasonable delay and no later than 60 calendar days after discovery.
- Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of DRMAPro2, LLC agree to the same restrictions and conditions as those that apply to DRMAPro2, LLC.
- Make available PHI in a Designated Record Set to the Covered Entity as necessary for the Covered Entity to fulfill its obligations to provide individuals with access to their PHI.
- Make its internal practices, books, and records available to the Secretary of HHS for purposes of determining compliance with HIPAA.
- Upon termination of this Agreement, return or destroy all PHI received from or created on behalf of the Covered Entity, if feasible.
5. Permitted Uses and Disclosures
DRMAPro2, LLC may use or disclose PHI only as follows:
- To perform functions, activities, or services for or on behalf of the Covered Entity as specified in the underlying services agreement.
- For the proper management and administration of DRMAPro2, LLC, provided disclosures are required by law or the recipient provides written assurances of confidentiality.
- To provide data aggregation services relating to the health care operations of the Covered Entity.
- As required by law.
6. Obligations of the Covered Entity
The Covered Entity agrees to:
- Notify DRMAPro2, LLC of any limitations in its Notice of Privacy Practices that affect DRMAPro2, LLC's use or disclosure of PHI.
- Notify DRMAPro2, LLC of any changes in, or revocation of, an individual's authorization that may affect DRMAPro2, LLC's use or disclosure of PHI.
- Not request DRMAPro2, LLC to use or disclose PHI in any manner that would not be permissible under HIPAA if done by the Covered Entity.
7. Term and Termination
This Agreement shall be effective as of the date of execution and shall remain in effect until terminated. Either party may terminate this Agreement upon 30 days' written notice. The Covered Entity may terminate immediately if DRMAPro2, LLC has materially breached this Agreement and has not cured the breach within a reasonable time period specified by the Covered Entity.
Upon termination, DRMAPro2, LLC shall return or destroy all PHI and retain no copies, unless such return or destruction is not feasible, in which case the protections of this Agreement shall extend to such PHI.
8. Miscellaneous
- Amendment: This Agreement may be amended by mutual written consent of the parties. DRMAPro2, LLC reserves the right to amend this Agreement as necessary to comply with changes in applicable law.
- Governing Law: This Agreement shall be governed by applicable federal law and the laws of the state in which the Covered Entity is domiciled.
- Entire Agreement: This BAA, together with any underlying services agreement, constitutes the entire agreement between the parties regarding the subject matter hereof.
- Severability: If any provision of this Agreement is found to be unenforceable, the remaining provisions shall continue in full force and effect.