ORDER NO. 31650

BUSINESS AGREEMENTS TO BE SIGNED BY PRIVACY OFFICER

Came to be heard this the 8th day of March, 2010, with a motion made by Commissioner Letz, seconded by Commissioner Oehler, the Court unanimously approved by a vote of 4-0-0 to:

Approve Privacy Officer signing new Business Agreements with Willis HRH and Script Care required for Kerr County.

COMMISSIONERS' COURT AGENDA REQUEST

PLEASE FURNISH ONE ORIGINAL AND TEN COPIES OF THIS REQUEST AND DOCUMENTS TO BE REVIEWED BY THE COURT

MADE BY: E. Hyde
OFFICE: H.R.
MEETING DATE: 03-08-10
TIME PREFERRED:

SUBJECT: Consider, discuss, and take appropriate action on Privacy Officer signing new Business Agreements with Willis HRH and Script Care required for Kerr County.

EXECUTIVE SESSION REQUESTED: (PLEASE STATE REASON) YES

Personnel Matters 551.074
a) This chapter does not require a governmental body to conduct an open meeting: 1) to deliberate the appointment, employment, evaluation, reassignment, duties, discipline, or dismissal of a public official or employee; or 2) to hear a complaint or charge against an officer or employee.
b) Subsection a) does not apply if the officer or employee who is the subject of the deliberation or hearing requests a public hearing.

NAME OF PERSON ADDRESSING THE COURT: Carey Malek, G. Looney, E. Hyde
ESTIMATED LENGTH OF PRESENTATION: 10 minutes
IF PERSONNEL MATTER - NAME OF EMPLOYEE: Eva Hyde

Time for submitting this request for Court to assure that the matter is posted in accordance with Title 5, Chapter 551 and 552, Government Code, is as follows: Meeting scheduled for Mondays: 5:00 P.M. previous Tuesday.

THIS REQUEST RECEIVED BY:
THIS REQUEST RECEIVED ON:

All Agenda Requests will be screened by the County Judge's Office to determine if adequate information has been prepared for the Court's formal consideration and action at time of Court Meetings.
Your cooperation will be appreciated and contribute towards your request being addressed at the earliest opportunity. See Agenda Request Rules Adopted by Commissioners' Court.

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (this "Agreement") is made as of [February 1, 2010], by and between [Kerr County] ("CLIENT") and [WILLIS of Texas, Inc.] ("WILLIS").

RECITALS:

A. CLIENT and WILLIS have entered into an arrangement or arrangements pursuant to which WILLIS provides certain services for and on behalf of CLIENT (the "Arrangement");

B. Under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations which include the Standards for the Privacy of Individually Identifiable Health Information (the "Privacy Rule") (45 C.F.R. Parts 160 and 164) and the Security Standards for the Protection of Electronic Protected Health Information (the "Security Rule") (45 C.F.R. Parts 160 and 164), as amended by applicable provisions of the Health Information Technology for Economic and Clinical Health Act (Title XIII, Subtitle D) and its implementing regulations (the "HITECH Act") (collectively, the "HIPAA Rules"), CLIENT and WILLIS must enter into a business associate agreement to enable WILLIS to carry out its obligations under the Arrangement since CLIENT discloses to WILLIS, and/or WILLIS creates and receives on behalf of CLIENT Individually Identifiable Health Information, as such term is defined in 45 C.F.R. 160.103; and

C. CLIENT and WILLIS desire to make this Agreement to the Arrangement in order to enable CLIENT to satisfy its obligations under the HIPAA Rules.

NOW, THEREFORE, for and in consideration of the mutual promises herein contained and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:

I. DEFINITIONS.
Capitalized terms used in this Agreement and not otherwise defined herein shall have that meaning given to them in HIPAA, the Privacy Rule, Security Rule and HITECH Act.

II. USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION BY WILLIS.

2.1 Confidentiality. WILLIS shall hold Protected Health Information confidentially, and shall not Use or Disclose it other than as permitted or required by this Agreement or as Required by Law.

2.2 Use or Disclosure to Provide Services Under the Arrangement. WILLIS may Use and Disclose Protected Health Information as necessary to perform its obligations under the Arrangement; provided, however, that WILLIS shall not, and shall ensure that its directors, officers, employees, contractors and agents (the "Representatives") do not, Use or Disclose Protected Health Information in any manner that would violate the Privacy Rule, as amended from time to time, if done by CLIENT.

3106938.2 HIPAA Client BAA 111709

2.3 Use or Disclosure for WILLIS' Management and Administration. Notwithstanding Section 2.2 above, WILLIS may Use or Disclose Protected Health Information for its proper management and administration provided that, before Disclosing Protected Health Information to a third party for WILLIS' proper management and administration, WILLIS must obtain reasonable assurances from the third party that: (i) the Protected Health Information will be held confidentially and subject to the same restrictions and conditions that apply to WILLIS under this Agreement and will only be Used or Disclosed as Required by Law or for the purposes for which it was Disclosed to the third party; and (ii) the third party will immediately notify WILLIS of any instances of which it is aware in which the confidentiality of the Protected Health Information Disclosed to it has been breached.

2.4 Use or Disclosure to Provide Data Aggregation Services.
WILLIS may Use or Disclose Protected Health Information to provide Data Aggregation services relating to the Health Care Operations of CLIENT.

2.5 De-Identification of Protected Health Information. WILLIS may de-identify any and all Protected Health Information provided that the de-identification conforms to the requirements of the Privacy Rule. The parties acknowledge and agree that de-identified data does not constitute Protected Health Information and is not subject to the terms of this Agreement.

2.6 Use and Disclosure of Limited Data Sets. WILLIS may Use Protected Health Information to create Limited Data Sets and may Use or Disclose such Limited Data Sets for only research, public health or health care operations purposes. Except as set forth in this Section, the conditions and restrictions contained herein on WILLIS' Use and Disclosure of Protected Health Information apply to WILLIS' Use and Disclosure of Protected Health Information contained in such Limited Data Sets. Further, WILLIS agrees that it shall not identify the information contained in such Limited Data Sets or contact the Individuals who are the subject of the Protected Health Information contained in such Limited Data Sets, except as otherwise permitted or required by this Agreement.

III. RESPONSIBILITIES OF WILLIS.

3.1 Safeguards Against Misuse of Information. WILLIS agrees that it will implement appropriate safeguards to prevent the Use or Disclosure of Protected Health Information other than pursuant to the terms and conditions of this Agreement.

3.2 Reporting Disclosures of Protected Health Information. WILLIS shall, within fifteen (15) days of becoming aware of a Disclosure of Protected Health Information in violation of this Agreement by WILLIS or its Representatives, report such Disclosure to CLIENT. WILLIS agrees to have procedures in place for mitigating, to the extent practicable, any harmful effect known to WILLIS and arising from such Use or Disclosure.
3.3 Agreements by Third Parties. WILLIS shall enter into an agreement with any agent or subcontractor that will have access to Protected Health Information pursuant to which such agent or contractor agrees to be bound by the same or substantially similar restrictions, terms, and conditions of this Agreement that apply to WILLIS with respect to such Protected Health Information.

3.4 Access to Information. WILLIS shall provide access, at the request of CLIENT or an Individual, to Protected Health Information maintained by WILLIS in a Designated Record Set(s), to CLIENT, or as directed by CLIENT, to an Individual in order to meet the requirements of 45 C.F.R. § 164.524. WILLIS shall use commercially reasonable efforts to provide such access within fifteen business (15) days of receiving such request.

3.5 Availability of Protected Health Information for Amendment. WILLIS shall make any amendment to Protected Health Information maintained in a Designated Record Set by WILLIS that is requested by CLIENT, or as directed by CLIENT, that is requested by an Individual. WILLIS shall use its best efforts to make such amendments within twenty (20) days of receiving such request.

3.6 Accounting of Disclosures. WILLIS shall document such Disclosures of Protected Health Information and information related to such Disclosures as would be required for CLIENT to respond to a request by an Individual for an accounting of Disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528. WILLIS shall provide to CLIENT or, as directed by Client, to an Individual, information collected in accordance with the preceding paragraph to permit CLIENT to respond to a request by an Individual for an accounting of Disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528. WILLIS shall use commercially reasonable efforts to provide such information within twenty (20) days of receiving such written request.

3.7 Uses and Disclosures Required by Law.
Except to the extent prohibited by law, WILLIS shall immediately notify CLIENT upon its receipt of a request for Use or Disclosure of Protected Health Information with which WILLIS believes it is Required by Law to comply. WILLIS shall provide CLIENT with a copy of such request, shall consult and cooperate with CLIENT concerning the proper response to such request and shall provide CLIENT with a copy of any information Disclosed pursuant to such request.

3.8 Availability of Books and Records. WILLIS hereby agrees to make its internal practices, books, and records relating to the Use and Disclosure of Protected Health Information available to the Secretary of Health and Human Services (the "Secretary") for purposes of determining CLIENT's compliance with the HIPAA Rules. Notwithstanding the foregoing, nothing herein shall be deemed to require WILLIS to waive any attorney-client, accountant-client, or other legal privilege.

3.9 Security Obligations for Electronic Protected Health Information. WILLIS shall, in accordance with the Security Rule, implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information it creates, receives, maintains, or transmits on behalf of CLIENT. Further, WILLIS shall ensure that any agent, subcontractor, or other party to whom WILLIS provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect such Electronic Protected Health Information. At such time and to the extent required by the HITECH Act, WILLIS shall implement the safeguards, policies, procedures, and documentation required by 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316.
If WILLIS becomes aware of any Successful Security Incidents, WILLIS shall report the same in writing to CLIENT within fifteen (15) business days of such Successful Security Incident, and WILLIS agrees to reasonably mitigate, to the extent practicable, any harmful effect resulting from such Successful Security Incidents. To avoid unnecessary burden on either party, WILLIS shall report to CLIENT any Unsuccessful Security Incidents of which it becomes aware only upon request of the CLIENT. The frequency, content and the format of the report of Unsuccessful Security Incidents shall be mutually agreed upon by the parties. If the definition of "Security Incident" is amended under the Security Rule to remove the requirement for reporting "unsuccessful" attempts to use, disclose, modify or destroy Electronic Protected Health Information, then this Section shall be amended so that the provisions relating to "Unsuccessful Security Incidents" no longer apply as of the effective date of such change to the law. For the purposes of this Agreement, "Successful Security Incidents" mean Security Incidents that result in unauthorized access, use, disclosure, modification or destruction of Electronic Protected Health Information and "Unsuccessful Security Incidents" mean Security Incidents that do not result in unauthorized access, use, disclosure, modification or destruction of Electronic Protected Health Information.
At such time as required by the HITECH Act, in the event that WILLIS has Knowledge or a Reasonable Belief that a Breach of Unsecured Protected Health Information of CLIENT has occurred or may have occurred, WILLIS shall promptly (but in no event more than twenty (20) days of Knowledge of the Breach or Reasonable Belief that a Breach has occurred) notify CLIENT of the identification of each individual who has been or is reasonably believed to have been affected by the Breach, along with any other information that CLIENT as a Covered Entity will be required to include in its notification of the individual under the HITECH Act or its implementing regulations, including, without limitation, a description of the breach, the date of the breach and its discovery, types of Unsecured PHI involved and description of the WILLIS investigation, mitigation and prevention efforts.

3.10 Agreed to Restrictions. WILLIS shall abide by any restrictions, of which WILLIS is aware, relating to the Disclosure of Protected Health Information which CLIENT has agreed upon pursuant to the HITECH Act.

IV. RESPONSIBILITIES OF CLIENT

4.1 Requests for Uses or Disclosures. CLIENT shall not request WILLIS to Use or Disclose Protected Health Information in any manner that would violate this Agreement or the HIPAA Rules.

4.2 Notice of Privacy Practices. CLIENT hereby agrees to provide, to the extent required by 45 C.F.R. § 164.520 (or any successor provision of the Privacy Rule), a notice of privacy practices (the "Notice") to Individuals (or their personal representatives) who are the subject of the Protected Health Information, which Notice shall be sufficiently broad so as to permit the Uses and Disclosures of Protected Health Information by WILLIS contemplated by this Agreement and the Arrangement.
CLIENT shall not amend such Notice unless the amended Notice is sufficiently broad so as to permit the Uses and Disclosures of Protected Health Information contemplated by this Agreement and the Arrangement.

4.3 Written Permission. CLIENT hereby agrees to ensure that it obtains Individuals' permission or the permission of Individuals' personal representatives, to the extent required under the Privacy Rule and in the form required by the Privacy Rule, for WILLIS' Uses and Disclosures of Protected Health Information contemplated by this Agreement and the Arrangement and to inform WILLIS of any changes in, or withdrawal of, such written permission provided to CLIENT by Individuals or their personal representatives, including without limitation revocations of authorizations pursuant to 45 C.F.R. § 164.508.

4.4 Other Arrangements. CLIENT hereby agrees to promptly notify WILLIS, in writing and in a timely manner, of any arrangements permitted or required of CLIENT under the Privacy Rule that may impact in any manner the Use or Disclosure of Protected Health Information by WILLIS under this Agreement or the Arrangement, including without limitation restrictions on the Use or Disclosure of Protected Health Information agreed to by CLIENT, as provided for in 45 C.F.R. § 164.522 as amended by the HITECH ACT.

4.5 Compliance with HIPAA. To the extent required and at such time as required under applicable law, CLIENT agrees to comply with HIPAA, the Privacy Rule, Security Rule and HITECH Act.

V. TERMINATION.

5.1 Term. This Agreement shall become effective on the date on which CLIENT and WILLIS entered into the Arrangement and, unless otherwise terminated as provided herein, shall expire upon the expiration or termination of the Arrangement.

5.2 Termination by Either Party.
The Arrangement may be terminated by either party, subject to the delivery of the written notice and the expiration of the cure period provided in the Arrangement, in the event that a party breaches any material term of this Agreement. In the event that a party is entitled to terminate the Arrangement pursuant to this Section 5.2 but determines, in its sole discretion, that termination is not feasible, the non-breach party acknowledges that the breaching party shall have the right to report the breach to the Secretary.

5.3 Return or Destruction of Protected Health Information Upon Termination. Upon termination of the Arrangement, WILLIS shall, at the option of WILLIS, either return or destroy all Protected Health Information and Electronic Protected Health Information which WILLIS still maintains in any form. WILLIS shall not retain any copies of such Protected Health Information or Electronic Protected Health Information. Notwithstanding the foregoing, to the extent that it is not feasible, in WILLIS' reasonable discretion, to return or destroy such Protected Health Information and Electronic Protected Health Information, the terms and provisions of this Agreement shall survive the termination of the Arrangement with respect to such Protected Health Information and Electronic Protected Health Information, and such Protected Health Information and Electronic Protected Health Information shall be Used or Disclosed solely for such purpose or purposes which prevented its return or destruction.

VI. MODIFICATIONS TO COMPLY WITH STANDARDS.

In the event that additional standards are promulgated under the HIPAA Rules, or any existing standards are amended, the parties agree to enter into a mutually acceptable amendment to this Agreement to enable CLIENT to satisfy its obligations under such additional or amended standard(s).

VII. MISCELLANEOUS.
7.1 The parties agree and acknowledge that, as between CLIENT and WILLIS, CLIENT is the owner of the Protected Health Information and Electronic Protected Health Information.

7.2 In the event that a provision of this Agreement conflicts with a provision of the Arrangement, the provision of this Agreement shall control. Otherwise, this Agreement shall be construed under, and in accordance with, the terms of the Arrangement.

7.3 This Agreement may be amended only by written agreement between the parties. This Agreement shall be interpreted by and construed in accordance with the laws of the State of [Texas]. The headings of sections in this Agreement are for reference only and shall not affect the meaning of this Agreement.

7.4 Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors and assigns of the parties any rights, remedies, obligations, or liabilities whatsoever.

7.5 Any ambiguity in this Agreement shall be resolved to permit the applicable party to comply with HIPAA, Privacy Rule, Security Rule, and the HITECH Act. The parties acknowledge that the HITECH Act requires the Secretary to promulgate regulations and interpretative guidance that is not available at the time of executing this Agreement. In the event a party determines in good faith that any such regulation or guidance adopted or amended after the execution of this Agreement shall cause any paragraph or provision of this Agreement to be invalid, void or in any manner unlawful or subject either party to penalty, then the parties agree to modify and amend this Agreement in a manner that would eliminate any such risk.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the day and year first written above.

[Kerr County]
By:
Title:

[WILLIS of Texas, Inc.]
By: Andrew Apperson
Title: Managing Partner

SCRIPT CARE, LTD.
Dear Valued Script Care Client,

The Health Information Technology for Economic and Clinical Health ("HITECH") Act, enacted on February 17, 2009, made significant changes to the HIPAA Privacy and Security Rules. One of the most important revisions is that, effective February 17, 2010, business associates of covered entities will be directly governed by the HIPAA Privacy and Security Rules. The HITECH Act specifically requires that business associate agreements describe the business associate's new obligations.

As you know, our two organizations currently have a Business Associate Agreement ("BAA"). To comply with the HITECH Act, we have enclosed a new Agreement that reflects the requirements of the Act. This agreement, which will replace the existing BAA, implements the language of the HITECH Act and the implementing regulations issued on August 24, 2009 (74 Fed. Reg. 42740).

If you would please return two signed copies of the Agreement, we will execute both and return one for your records. Thank you for your assistance and please contact your Script Care representative if you have any questions.

Script Care, Ltd.
6380 Folsom Dr. • Beaumont, TX 77706
Phone: 1-800-880-9902 • Fax: (409) 833-7435

BUSINESS ASSOCIATE AGREEMENT

This Agreement is made as of the ____ day of ________, 20__, by and between ____________ ("Covered Entity") and Script Care, Ltd. ("Business Associate"). In consideration of the mutual covenants contained in this Agreement and intending to be legally bound, the parties agree as follows:

Section 1. Definitions

(a) "Business Associate" shall include the person or entity identified in this Agreement and all employees, agents and contractors of that person or entity.

(b) "HITECH Act" shall mean the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act, Pub. L. No. 111-5.

(c) "Privacy Regulations" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.

(d) "Security Regulations" shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and 164, Subparts A and C.

(e) "Secretary" shall mean the Secretary of the federal Department of Health and Human Services.

(f) "Unsecured Protected Health Information" shall mean Protected Health Information in any form, including electronic, paper or verbal, that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary pursuant to the HITECH Act, as such guidance may be updated by the Secretary from time to time.

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 C.F.R. §§ 160.103, 164.304 and 164.501.

Section 2. Obligations and Activities of Business Associate

Business Associate agrees to:

(a) not use or further disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law;

(b) use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement;

(c) mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement;

(d) report to Covered Entity within ten (10) days, any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware; with respect to breaches of Unsecured Protected Health Information, such report shall include at least the following information:
(1) the identity of the individual whose information was accessed, acquired or disclosed during the breach;
(2) a brief description of what happened;
(3) the date of discovery of the breach;
(4) the nature of the Unsecured Protected Health Information that was involved (e.g. social security numbers, date of birth, etc.);
(5) any steps individuals should take to protect themselves from potential harm resulting from the breach; and
(6) a brief description of what the Business Associate is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches;

(e) ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by, Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information;

(f) provide access to Protected Health Information in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524;

(g) make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity;

(h) make its internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity's compliance with the Privacy Regulations;

(i) document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity or Business Associate to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528;

(j) provide to Covered Entity or an Individual information collected in accordance with Section 2(i) of this Agreement, to satisfy the requirements for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528 or Section 13405(c)(3) of the HITECH Act;

(k) implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Covered Entity, and effective February 17, 2010, to comply with the provisions of the Security Rule identified in Section 3(a)(1)(B) of this Agreement;

(l) ensure that any agent, including a subcontractor, to whom it provides electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect it; and

(l) report to Covered Entity any material attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Section 3. Permitted Uses and Disclosures by Business Associate

(a) Statutory Duties

(1) Business Associate acknowledges that it has a statutory duty under the HITECH Act to, among other duties:

(A) effective February 17, 2010, use and disclose Protected Health Information only in compliance with 45 C.F.R. § 164.504(e) (the provisions of which have been incorporated into this Agreement); and

(B) effective February 17, 2010, comply with 45 C.F.R. §164.3108 ("Security Standards: General Rules"), 164.310 ("Administrative Safeguards"), 164.312 ("Technical Safeguards"), and 164.316 ("Policies and Procedures and Documentation Requirements").
In complying with 45 C.F.R. § 164.312 ("Technical Safeguards"), Business Associate shall consider guidance issued by the Secretary pursuant to Section 13401(c) of the HITECH Act and, if a decision is made to not follow such guidance, document the rationale for that decision.

(2) Business Associate acknowledges that its failure to comply with these or any other statutory duties could result in civil and/or criminal penalties under 42 U.S.C. §§ 1320d-5 and 1320d-6.

(b) General Use and Disclosure Provisions

Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity pursuant to the underlying service agreement between the parties, provided that use or disclosure would not violate the Privacy Regulations if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.

(c) Specific Use and Disclosure Provisions

(1) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

(2) Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(3) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B).

(4) Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

(5) As of the effective date of Section 13405(d) of the HITECH Act, Business Associate may not receive direct or indirect remuneration in exchange for Protected Health Information unless permitted by the Act or regulations issued by the Secretary.

Section 4. Obligations of Covered Entity

Covered Entity shall:

(a) notify Business Associate of any limitation(s) in its Notice of Privacy Practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information;

(b) notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information;

(c) notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.

Section 5. Permissible Requests by Covered Entity

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Regulations if done by Covered Entity.

Section 6. Term and Termination

(a) Term.
The Term of this Agreement shall be effective immediately upon execution and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity or, if it is not feasible to return or destroy the Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.

(b) Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall either:
(1) provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;
(2) immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or
(3) if neither termination nor cure is feasible, report the violation to the Secretary.

(c) Effect of Termination.

(1) Except as provided in paragraph (2) of this section, upon termination of this Agreement for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.

(2) In the event that Business Associate determines that returning or destroying the Protected Health Information is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible.
Upon mutual agreement of the parties that return or destruction of Protected Health Information is not feasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

Section 7. Miscellaneous

(a) Regulatory References. A reference in this Agreement to a section in the Privacy Regulations or Security Regulations means the section in effect, or as amended.

(b) Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Regulations, the Security Regulations, and the Health Insurance Portability and Accountability Act, Public Law 104-191.

(c) Survival. The respective rights and obligations of Business Associate under Section 6(c) of this Agreement shall survive the termination of this Agreement.

(d) Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Regulations and Security Regulations.

(e) Identity Theft Regulations. To the extent that Business Associate provides services in connection with an account maintained by the Covered Entity that permits patients to make multiple payments for service rendered by the Covered Entity (including, but not limited to, billing and collection services), Business Associate shall have and follow policies to detect and prevent identity theft in accordance with the identity theft regulations of the Federal Trade Commission, 16 C.F.R. § 681.2.
In addition, Business Associate shall:

(1) report to Covered Entity any pattern, practice, or specific activity that indicates the possible existence of identity theft ("Red Flags") involving anyone associated with Covered Entity, including its patients, employees, and contractors, and

(2) take appropriate steps to prevent or mitigate identity theft when a Red Flag is detected.

(f) This Agreement voids and supersedes any previous Business Associate Agreement between the parties.

The parties have caused this Agreement to be executed on the date first written above.

COVERED ENTITY
Company
Signature
Print Name
Title
Date

BUSINESS ASSOCIATE
Script Care, Ltd.
Signature
Print Name
Title
Date

Acknowledgement of Business Associate Agreement

Script Care agrees to disclose PHI only to those business associates authorized by the entity health plan and under the terms indicated below (Please list only one company per Business Associate Agreement):

Entity Health Plan
Group Name
Signature
Printed Name
Title
Date
Phone
E-mail

Business Associate
Company Name
Address
City, State, Zip
Phone
Contact Name, Email
Contact Name, Email
Contact Name, Email

The above Entity Health Plan authorizes Script Care, Ltd. to provide PHI to the above named Business Associate as specified below:

A. [ ] Full access to PHI as determined by the Business Associate.
B. [ ] Only the following specified data, for the person/persons and for the period of time indicated.
C. [ ] Only the following specified periodic reports for the time period indicated.
D. [ ] Will not allow any PHI released to anyone other than the Entity Health Plan.

Please complete this form for each Business Associate of the Entity Health Plan. Access to PHI can be terminated at any time by the entity Health Plan upon written notice to Script Care, Ltd.