HomeMy Public PortalAbout142-2014 - HR - ELAP Services - Hipaa AgreementHIPAA BUSINESS ASSOCIATE AGREEMENT
This HIPAA Business Associate Agreement (this "Agreement") dated January 1, 2015 is
by and between City of Richmond having its principal office located at 50 North 5d' Street,
Richmond, IN 47374 ("Covered Entity") and ELAP Services, LLC, located at 961 Pottstown
Pike, Chester Springs, Pennsylvania 19425 ("Business Associate") related to the work to be
performed as described below (Covered Entity and Business Associate, each a "Party" and
collectively, the "Parties").
BACKGROUND
Covered Entity has engaged Business Associate for the purpose of assisting Covered
Entity, pursuant to the contract between the Parties made as of January 1, 2015 entitled
["Claim Review And Audit Service Agreement"] (hereinafter, the `BA Services
Contract"), in providing certain functions and activities for and on behalf of Covered
Entity (the `BA Services").
II. Covered Entity wishes to disclose information to Business Associate pursuant to the
terms of this Agreement, some of which may constitute Protected Health Information
("PHI"), including electronic protected health information ("e-PHI") (PHI and a -PHI are,
collectively, referred to hereinafter as "Covered Entity's PHI") in order for Business
Associate to perform the BA Services.
III. Covered Entity and Business Associate intend to protect the privacy and provide for the
security of PHI disclosed to Business Associate in connection with the BA Services
Contract and pursuant to this Agreement in compliance with the Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191, as amended (the
"HIPAA Statute"), and its related "Privacy Rule" (45 CFR Parts 160 and 164, Subpart E)
and "Security Rule" (45 CFR Part 160 and 164, Subpart C) promulgated by the Secretary
of Health and Human Services ("HHS") (collectively, the HIPAA Statute, the Privacy
Rule and the Security Rule and are referred to, hereinafter, as "HIPAA"), all as amended
by the Health Information Technology for Economic and Clinical Health Act enacted on
February 17, 2009 (the "HITECH Statute"), and any regulations promulgated thereunder
(collectively, the "HITECH Rules," and together with the HITECH Statute, referred to
hereinafter as "HITECH"), the Genetic Information Nondiscrimination Act of 2008, as
may be amended (hereinafter, "GINA"), as well as any other applicable laws concerning
the privacy and security of health information. Together, HIPAA and HITECH are at
times referred to hereinafter as "HIPAA and HITECH."
IV. Under HIPAA, Covered Entity must document the required satisfactory assurances
through a written agreement with Business Associate that meets the applicable
requirements of HIPAA, as well as incorporate into such agreement those requirements
under HITECH that relate to privacy or security and are applicable to Business Associate,
and the Parties now wish to enter into the Agreement in order to comply with such
LV 1 1182409v2 07/01 / 10
LV11468200009/16/11 Contract #142-2014
Update for Final Rule 2013
HIPAA Business Associate Agreement
Page 2 of 14
requirements and to set forth more specifically each Party's respective obligations in
connection therewith.
In consideration of the mutual promises below and the exchange of information provided for
herein, the Parties agree as follows:
TERMS
A. Incorporation of Background. The "Background" paragraphs set forth above are
incorporated herein and made a part of the terms of this Agreement as if set forth herein
in full.
B. Effective Date. Except as specifically stated otherwise in this Agreement, the Effective
Date shall be the date that first appears above in the introductory paragraph to this
Agreement.
C. Definitions. Any capitalized terms not otherwise specifically defined in this Agreement
shall have the meanings ascribed to them in HIPAA and HITECH.
D. Obligations of Covered Entity. Covered Entity shall be responsible for using appropriate
safeguards to maintain and ensure the confidentiality, privacy and security of Covered
Entity's PHI transmitted to Business Associate pursuant to this Agreement, in accordance
with the standards and requirements of HIPAA and HITECH, until such PHI is received
by Business Associate.
E. Obligations of Business Associate.
1) Permitted Uses and Disclosures. Business Associate may use and/or disclose any
and all of Covered Entity's PHI received by Business Associate from Covered
Entity, or created or obtained by Business Associate on behalf of Covered Entity
as follows:
a) Purpose: Business Associate may use Covered Entity's PHI to provide or
perform the BA Services, as set forth in the BA Services Contract.
b) Type of Information: Business Associate may use any and all information
made available by Covered Entity and necessary for Business Associate to
provide the BA Services to Covered Entity.
c) Scope of Use: Business Associate may use and further disclose Covered
Entity's PHI to the extent permitted by and in accordance with this
Agreement, HIPAA and HITECH, or as otherwise required by law.
d) Minimum Necessary. After the effective date of the HHS guidance
document on what constitutes "minimum necessary" (the "Minimum
Necessary Guidance"), Business Associate shall use/disclosure/request
LV 1 1468200v1 09/16/11
Update for Final Rule 2013
HIPAA Business Associate Agreement
Page 3 of 14
only the minimum necessary amount of Covered Entity's PHI as set forth
in such Minimum Necessary Guidance. Until such effective date of the
Minimum Necessary Guidance, Business Associate shall comply with
Covered Entity's policy regarding what constitutes the "minimum
necessary" to accomplish the intended purpose of Business Associate's
use or disclosure of Covered Entity's PHI.
e) Use for Management and Administration: Business Associate may use
Covered Entity's PHI for the proper management and administration of
Business Associate, if such disclosure is necessary (1) for the proper
management and administration of Business Associate or (2) to carry out
the legal responsibilities of Business Associate.
f) Disclosure or Management and Administration: Business Associate may
disclose Covered Entity's PHI for the proper management and
administration of Business Associate if:
(1) the disclosure is required by law, or
(2) Business Associate discloses Covered Entity's PHI to a third party as
permitted under the BA Services Agreement, and Business Associate
obtains from the third party a written agreement with Business Associate
that meets the applicable requirements of HIPAA, as well as incorporate
into such agreement those requirements under HITECH that relate to
privacy or security and are applicable to Business Associate.
In no event, however, shall Business Associate disclose Covered Entity's
PHI for the foregoing purposes to any such third party not within the
borders and jurisdiction of the United States of America without the prior
written consent of Covered Entity, which may be withheld in Covered
Entity's sole and unfettered discretion.
g) Uses or Disclosures Requiring, Prior Authorization: Business Associate
agrees and understands that, except as expressly provided in this
Agreement, or permitted under HIPAA, HITECH, and state law, it shall
not use or disclose Covered Entity's PHI to any other person or entity
without first having received a HIPAA-compliant authorization. Business
Associate shall retain a copy of each authorization obtained, and the
information provided in response to the authorization, for six (6) years.
h) Nondisclosure: Business Associate shall not use or further disclose
Covered Entity's PHI other than as permitted or required by this
Agreement, or as otherwise required or permitted by law.
LV1 14682000 09/16/11
Update for Final Rule 2013
HIPAA Business Associate Agreement
Page 4 of 14
2) Security Safeguards
a) General. Business Associate shall, as of the Effective Date of this
Agreement, implement and use appropriate administrative, physical and
technical safeguards to provide for the security of Covered Entity's PHI,
including:
• Implementing policies and procedures to prevent, detect and contain,
and correct security violations;
• Limiting physical access to electronic information systems that
maintain PHI and the facility or facilities in which they are housed,
while ensuring that properly authorized access is allowed; and
• Implementing technical policies and procedures for electronic
information systems that maintain PHI to allow access only to those
persons or software programs that have been granted access rights as
specified in 45 CFR 164.308(a)(4).
b) Compliance Deadline for HITECH. In addition to the foregoing, Business
Associate shall meet all of the administrative, technical and physical
safeguard Standards as set forth in § 164.308, § 164.310, § 164.312 of the
Security Rule and as follows:
(i) Administrative Sa eguards. Business Associate shall implement
and maintain a written security program that includes
administrative, technical and physical safeguards appropriate to the
size and complexity of Business Associate's operations and the
nature and scope of its activities.
(ii) Implementation Speci tcations. Business Associate shall
implement all of the "Required" and "Addressable" (as such terms
are defined in the Security Rule) Implementation Specifications in
the Security Rule, unless Business Associate and Covered Entity
agree otherwise, and Business Associate documents: (i) the
rationale why a particular Addressable Implementation
Specification is not "reasonable and appropriate," and (ii) Business
Associate implements an alternative measure agreed to in writing
by Covered Entity.
(iii) Documentation. Business Associate shall maintain the policies
and procedures implemented to comply with the Security Rule in
written (which may be electronic) form; and to the extent that an
action, activity or assessment that relates to this Agreement is
required under the Security Rule to be documented, Business
LV 1 1468200v 1 09/16/ 11
Update for Final Rule 2013
HIPAA Business Associate Agreement
Page 5 of 14
Associate shall maintain a written (which may be electronic)
record of the action, activity or assessment. Any such
documentation created shall be retained by Business Associate and
made available to Covered Entity upon request for a period of six
(6) years from the date of its creation, or the date when it last was
in effect, whichever is later.
(iv) Annual HHS Guidance. Business Associate shall, by no later than
any applicable deadlines, implement and comply with any
requirements set forth in the annual guidance issued by HHS
pursuant to § 13401(c) of HITECH concerning the most effective
Technical Safeguards for use in carrying out compliance with the
Security Rule.
3) Accounting of Disclosures through an EHR.
a) Accounting by Business Associate. If Covered Entity receives a request
from an individual for an Accounting of disclosures made through an
EHR, Covered Entity may furnish Business Associate's contact
information (e.g., mailing address, telephone number, and e-mail address)
to such individual in order for such individual to obtain an Accounting of
Business Associate's disclosures directly from Business Associate.
Business Associate shall provide an Accounting directly to the individual
in accordance with HIPAA and § 13405(c) of HITECH (including an
Accounting for treatment disclosures for the prior 3 years) upon such
individual's making the Accounting request directly to Business Associate
4) Access Rights to PHI Maintained in an EHR.
a) Electronic Copies. If Covered Entity's PHI is maintained in or used in
connection with an EHR, Business Associate shall also make available
copies of such information in an electronic format upon an individual's
request for access to the same under HIP" and, if the individual
requests, to transmit such electronic copy of the individual's PHI directly
to an entity or person designated by the individual, provided that any such
request by the individual is clear, conspicuous and specific.
b) Copy Fees. Business Associate's compliance with such "access rights"
requirements under HITECH shall be at Business Associate's cost.
Notwithstanding the immediately preceding sentence, Business Associate
may, with Covered Entity's written consent, which shall not be
unreasonably withheld, charge a "copy/labor fee" to the individual as
otherwise permitted under HIPAA and HITECH and State law.
LV 1 14682000 09/16/11
Update for Final Rule 2013
HIPAA Business Associate Agreement
Page 6 of 14
5) Requested Restrictions. Business Associate acknowledges that Covered Entity is
required under § 13405(a) of HITECH to comply with an individual's requested
restriction regarding his or her PHI (unless the disclosure is otherwise required by
law) if:
a) The disclosure is to a health plan for purposes of carrying out payment or
health care operations (but not treatment), and
b) Covered Entity's PHI pertains solely to a health care item or service for
which the health care provider has been paid out-of-pocket in full by the
individual.
Business Associate shall comply with any such requested restriction that applies
to Business Associate's further use or disclosure of Covered Entity's PHI and of
which Business Associate is made aware in writing by Covered Entity.
6) Availability of Information to Covered Entity. Business Associate shall make
available to Covered Entity such information as Covered Entity may require to
fulfill Covered Entity's obligations to provide access to, provide a copy of, and
account for disclosures with respect to Covered Entity's PHI pursuant to HIPAA
and HITECH, including, but not limited to, 45 CFR § 164.524 and § 164.528.
Nothing in this provision shall be construed to preclude or limit Business
Associate's obligations under the law, specifically with respect to the provision of
access to individuals of their PHI and the provision of an accounting of
disclosures to individuals of their PHI.
7) Amendment of PHI. Business Associate shall make Covered Entity's PHI
available to Covered Entity as Covered Entity may require to fulfill Covered
Entity's obligations to amend Covered Entity's PHI pursuant to HIPAA and
HITECH, including, but not limited to, 45 CFR §164.526, and Business Associate
shall, as directed by Covered Entity, incorporate any amendments to Covered
Entity's PHI into copies of such PHI maintained by Business Associate. Nothing
in this provision shall be construed to preclude or limit Business Associate's
obligations under the law, specifically with respect to the amendment of Covered
Entity's PHI by Business Associate.
8) Business Associate's Agents. Business Associate shall ensure that any agents,
including subcontractors, to whom it provides Covered Entity's PHI, agree in
writing to the same restrictions and conditions that apply to Business Associate
with respect to Covered Entity's PHI. Business Associate shall not disclose any
of Covered Entity's PHI to any agent or subcontractor that is not within the
borders and jurisdiction of the United States of America without the prior written
consent of Covered Entity, which may be withheld in Covered Entity's sole and
unfettered discretion.
LV 1 1468200vI 09/16/11
Update for Final Rule 2013
HIPAA Business Associate Agreement
Page 7 of 14
9) Internal Practices. Business Associate shall make its internal practices, books and
records relating to the use and disclosure of Covered Entity's PHI available to the
HHS for purposes of determining Covered Entity's compliance with HIPAA and
HITECH.
10) Security Breach Notification.
a) Compliance. Business Associate shall comply with the standards and
requirements that relate to notifications required in the event of a breach of
information in accordance with the Breach Notification Laws (as defined
hereinbelow). For purposes of this Agreement, the term "Breach
Notification Laws" shall include, collectively, those provisions concerning
breach notification obligations set forth in HITECH and its related
regulations, including the Final Rule for Breach Notification for
Unsecured Protected Health Information (45 CFR Parts 160 and 164).
b) Securing PHI. Business Associate shall secure any and all of Covered
Entity's PHI that it accesses, maintains, retains, modifies, records, stores,
destroys, or otherwise holds, uses, or discloses for or on behalf of Covered
Entity by implementing such technologies and methodologies (e.g.,
encryption) that are specifically set forth in the Breach Notification Laws
and recognized by the Secretary of HHS in its guidance document on such
topic released annually pursuant to HITECH, and which render Covered
Entity's PHI unusable, unreadable and indecipherable. If Business
Associate and Covered Entity otherwise agree that it is not reasonable or
possible for Business Associate to implement such technologies and
methodologies to secure certain of Covered Entity's PHI, then Business
Associate shall implement reasonable alternative methods, as agreed to in
writing by Covered Entity in its sole and unfettered discretion, to
safeguard the information, and in such instance shall comply in full with
the Breach Notification Laws in the event of a Breach (as such term is
defined under the Breach Notification Laws) of any unsecured PHI.
c) Business Associate's Oblations In The Event of a Breach.
(i) Duty to Discover and Report Breaches to Covered Entity.
Business Associate shall promptly notify Covered Entity of any
Breach of Covered Entity's PHI, irrespective of the medium in
which the Breach occurred (e.g., electronic, paper or oral), that
Business Associate discovers, or should reasonably have
discovered, including through any employee, agent or contractor of
Business Associate. Business Associate shall take all reasonable
steps (e.g., audits; anonymous internal reporting, etc.) to allow it to
discover Breaches involving Covered Entity's PHI.
LV 1 1468200v 1 09/16/11
Update for Final Rule 2013
HIPAA Business Associate Agreement
Page 8 of 14
(ii) Reporting Contact. Business Associate shall notify Covered
Entity's Privacy Officer and/or Security Officer, or their designee,
either in person or by telephone at a number to be provided by
Covered Entity of any discovered Breach.
(iii) Information To Be Provided. Business Associate shall provide
Covered Entity with the following information in connection with
the Breach:
• a brief description of what happened;
• the date of the Breach and the date of discovery of the
Breach, if known;
• what type of unsecured PHI was involved in the Breach
(e.g., name; SSN, etc.);
• identification of each individual whose unsecured PHI has
been, or reasonably believed by Business Associate to have
been, breached;
• what Business Associate is doing to investigate, mitigate
and protect against further Breaches of a similar or
dissimilar nature;
• contact information at Business Associate (specific for the
Breach), including toll -free number, e-mail address, Web
site, or postal address where individuals may contact
Business Associate directly for further information about
the Breach; and
• any additional information that Covered Entity may require
for purposes of furnishing required notices under the
Breach Notification Laws.
In the event that some or all of the foregoing information is not
readily available when the Breach is discovered, Business
Associate shall still promptly notify Covered Entity of the Breach
and may provide the additional information required under this
paragraph (iii) as soon as possible thereafter, but without
unreasonable delay and in no case longer than thirty (30) days after
the Breach is discovered.
d) Agreement to Cooperate and Assist. Business Associate shall cooperate
with Covered Entity and provide such assistance as Covered Entity may
need in order to comply with the Breach Notification Laws. With respect
to any Breach of Covered Entity's PHI that results from an act or omission
of Business Associate, including any of Business Associate's employees,
owners, directors, agents, independent contractors or affiliates, Business
Associate shall provide administrative support and other resources as may
LV 1 1468200v 1 09/16/ 11
Update for Final Rule 2013
HIPAA Business Associate Agreement
Page 9 of 14
be requested by Covered Entity in order to furnish written notices to
individuals affected by the Breach and otherwise comply with the Breach
Notification Laws. Covered Entity agrees to consult with Business
Associate in the preparation of the written notices to individuals affected
by the Breach. In the event that Business Associate does not provide such
requested assistance and resources in a timely manner, as determined by
Covered Entity in its sole and unfettered discretion, then Business
Associate shall reimburse Covered Entity for all costs and expenses (e.g.,
postage, supplies, administrative staff time, etc.) incurred by Covered
Entity in its efforts to comply with the notification requirements under the
Breach Notification Laws.
11) Prohibition on "Sale" of PHI.
a) Effective Date of Compliance. Business Associate shall comply with
§ 13405(d) of HITECH, this subparagraph 11) (a), and the additional
restrictions HHS promulgates by regulation concerning prohibitions under
HIPAA and HITECH on "sale" of PHI.
b) General Prohibition. Business Associate shall not directly or indirectly
receive remuneration in exchange for any of Covered Entity's PHI unless
Business Associate obtained from the individual a valid authorization that
includes, in accordance with HITECH, a specification that Covered
Entity's PHI can be further exchanged for remuneration by Business
Associate, except that Business Associate may accept such remuneration
in exchange for Covered Entity's PHI for the following limited purposes:
(i) Public Health Activities;
(ii) Research, but only if the price charged reflects the costs of
preparation and transmittal of the data for such purpose;
(iii) Treatment (subject to future HHS regulation restricting
inappropriate exchanges under this exception);
(iv) Health Care Operations related to the sale, transfer, merger or
consolidation of all or part of Business Associate with another
Business Associate, but only with the prior written consent of
Covered Entity, which shall not be unreasonably withheld;
(v) Performance of services or functions by Business Associate for or
on behalf of Covered Entity (e.g., pursuant to the BA Services
Agreement);
(vi) Providing an individual with Access to a copy of his or her PHI; or
(vii) As may be determined by HHS in future regulations to be similarly
necessary and appropriate.
12) Health Care Operations That Are Not "Marketing". Business Associate may use
or disclose Covered Entity's PHI to make a communication about a product or
LV 1 1468200v 1 09/ 16/ 11
Update for Final Rule 2013
HIPAA Business Associate Agreement
Page 10 of 14
service and that encourages recipients of the communication to purchase or use
the product or service only if the communication is made by Business Associate
on behalf of Covered Entity and is consistent with the terms of the BA Services
Agreement and is otherwise pursuant to and in accordance with this Agreement,
HIPAA and HITECH.
F) State Law. Business Associate shall comply with any provision or requirement
concerning privacy or security of information under applicable State law that is more
stringent than a similar provision or requirement under HITECH and this Agreement.
G) Red Flags Rule. With respect to Business Associate's access to, use or handling of
information in connection with Covered Entity's "Covered Accounts" (as defined under
the Federal Trade Commission's Red Flags Rule (the "Red Flags Rule") and identified by
Covered Entity), Business Associate shall, as of the Effective Date of this Agreement:
I) Implement reasonable administrative, physical and technical policies and
procedures to detect, prevent and mitigate the risk of identity theft at Business
Associate;
2) Cooperate with and take such steps as are reasonably necessary to assist Covered
Entity with compliance with its Identity Theft Prevention Program; and
3) Promptly report to Covered Entity any specific Red Flags, as identified in
Covered Entity's Red Flag policies, which Business Associate detects, and, as
appropriate, respond to, or reasonably assist Covered Entity in responding to, such
Red Flags in accordance with Covered Entity's policies and procedures.
H) Audits Inspection and Enforcement. Covered Entity may, upon reasonable notice,
inspect the facilities, systems, books and records of Business Associate to monitor
compliance with this Agreement. Business Associate shall promptly remedy any
violation of any term of this Agreement and notify Covered Entity of the outcome.
I) Termination
1) Noncompliance. If either Party notifies (the "Notifying Party") the other
Party regarding an activity or practice that constitutes a material breach or
violation of such other Party's obligation under this Agreement, HIPAA and
HITECH (the "Breaching Party"), and such Breaching Party does not take
reasonable steps to or otherwise does not successfully cure the breach or end the
violation, as applicable, within a reasonable timeframe as agreed to by the Parties,
the Notifying Party is permitted to either:
(a) If feasible, terminate this Agreement and the BA Services Contract; or
(b) If termination is not feasible, report the problem to HHS.
LV 1 1468200v 1 09/16/11
Update for Final Rule 2013
HIPAA Business Associate Agreement
Page 11 of 14
2) Judicial or Administrative Proceedings. Either Party may terminate this
Agreement and the BA Services Contract, effective immediately, if
(a the other Party is named as a defendant in a criminal proceeding for a
violation of HIPAA and HITECH, or
(b) a finding or stipulation that the other Party has violated any standard or
requirement of HIPAA and HITECH or other security or privacy laws is
made in any administrative or civil proceeding in which the Party has been
joined.
3) Effect of Termination. Upon termination of the BA Services Contract for any
reason, Business Associate shall return to Covered Entity and destroy all of
Covered Entity's PHI that Business Associate still maintains in any form, and
shall retain no copies of such PHI, or if return or destruction is not feasible,
Business Associate agrees, at Covered Entity's reasonable expense, to continue to
extend the protections of this Agreement to such information, and limit further
use of such PHI to those purposes that make the return or destruction of such PHI
infeasible.
J) Indemnification. Covered Entity and Business Associate will indemnify, hold harmless
and defend the other Party to this Agreement from and against any and all claims, losses,
liabilities, costs and other expenses, including court costs and reasonable attorneys fees
and disbursements, incurred as a result of, or arising directly or indirectly out of or in
connection with:
1) any misrepresentation, breach of warranty or non -fulfillment of any undertaking
on the part of the Party under this Agreement; and
2) any claims, demands, awards, judgments, actions and proceedings made by any
person or organization arising out of or in any way connected with the Party's
performance under this Agreement.
K) Disclaimer. Covered Entity makes no warranty or representation that compliance by
Business Associate with this Agreement, HIPAA and HITECH will be adequate or
satisfactory for Business Associate's own purposes or that any information in Business
Associate's possession or control, or transmitted or received by Business Associate, is or
will be secure from unauthorized use or disclosure. Business Associate is solely
responsible for all decisions made by Business Associate regarding the safeguarding of
PHI.
L) Amendment. The Parties acknowledge that state and federal laws relating to electronic
data security and privacy are rapidly evolving and that amendment of this Agreement
may be required to provide for procedures to ensure compliance with such developments.
The Parties specifically agree to take such action as is necessary to implement the
standards and requirements of HIPAA and HITECH and other applicable laws relating to
LVI 14682000 09/16/11
Update for Final Rule 2013
HIPAA Business Associate Agreement
Page 12 of 14
the security or confidentiality of PHI. The Parties understand and agree that Covered
Entity must receive satisfactory written assurance from Business Associate that Business
Associate will adequately safeguard all PHI that it receives or creates pursuant to the
delivery of BA Services and this Agreement. Upon either Party's request, both Parties
agree to promptly enter into negotiations concerning the terms of an amendment to this
Agreement embodying written assurances consistent with the standards and requirements
of HIPAA and HITECH or other applicable laws. Either Party may terminate the BA
Services upon 30 days written notice in the event
1) the other Party does not promptly enter into negotiations to amend this Agreement
when requested by a Party pursuant to this Section or
2) the other Party does not enter into an amendment to this Agreement providing
assurances regarding the safeguarding of PHI sufficient to satisfy the standards
and requirements of HIPAA and HITECH.
M) No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended
to confer, nor shall anything herein confer, upon any person other than Covered Entity,
the Covered Entity Affiliates and Business Associate and their respective heirs,
representatives, successors and assigns, any rights, remedies, obligations or liabilities
whatsoever, whether as creditor beneficiary, donor beneficiary or otherwise.
N) Interpretation. This Agreement shall be interpreted as broadly as necessary to implement
and comply with HIPAA and HITECH and applicable state laws.
O) Independent Contractor. Nothing contained herein shall be deemed or construed by the
Parties hereto or by any third party as creating the relationship of employer and
employee, principal and agent, partners, joint venturers or any similar relationship,
between the Parties hereto. Covered Entity and Business Associate acknowledge and
agree that Business Associate is an independent contractor, and not an agent of Covered
Entity, and Business Associate shall be solely liable for the payment of all income,
unemployment, workers compensation, Social Security insurance or similar taxes or
assessments on the fees or other remuneration paid or to be paid to Business Associate by
Covered Entity.
P) Miscellaneous.
1) Entire Agreement. This Agreement supersedes all previous agreements between
Covered Entity and Business Associate and contains the entire understanding and
agreement between the Parties with respect to the subject matter hereof.
2) Headiness. The headings in this Agreement are for convenience of reference only
and shall not be used to interpret or construe its provisions.
LV 11468200v 1 09/16/11
Update for Final Rule 2013
HIPAA Business Associate Agreement
Page 13 of 14
3) Governing Law. This Agreement shall be construed in accordance with and
governed by the laws of Pennsylvania without regard to conflicts of laws
principles.
4) Binding Effect. This Agreement shall be binding upon, and inure to the benefit of,
each Party hereto and their respective successors and assigns.
5) Mutual Negotiation. Each and every provision of this Agreement has been
mutually negotiated, prepared and drafted and, in connection with the
construction of any provisions hereof, no consideration shall be given to the issue
of which Party actually prepared, drafted, requested or negotiated any provision
of this Agreement, or its deletion.
6) Notices. All notices, demands and other communications to be made hereunder
("Notice") shall be given in writing and shall be deemed to have been duly given
if personally delivered or sent by confirmed facsimile transmission, recognized
overnight courier service which provides a receipt against delivery, or certified or
registered mail, postage prepaid, return receipt requested, to the other Party at the
address set forth in the first paragraph of this Agreement. Notice shall be deemed
effective, if personally delivered, when delivered; if sent by confirmed facsimile
transmission, when sent; if sent via overnight delivery, on the first business day
after being sent, and if mailed, at midnight on the third business day after deposit
in the U.S. mail.
7) liModi rcation. This Agreement may be amended, superseded, terminated or
extended, and the terms hereof may be waived, only by a written instrument
signed by all of the Parties or, in the case of a waiver, signed by the Party waiving
compliance.
8) Preservation of Rights. No delay on the part of any Party in exercising any right,
power or privilege hereunder shall operate as a waiver thereof, nor shall any
waiver on the part of any Party of any such right, power or privilege, nor any
single or partial exercise of any right, power or privilege, preclude any further
exercise thereof or the exercise of any other such right, power or privilege. The
rights and remedies herein provided are cumulative and are not exclusive of any
rights or remedies that any Party may otherwise have at law, in equity or
otherwise.
9) Provisions Severable. The provisions of this Agreement are independent of and
severable from each other. No provisions will be affected or rendered invalid or
unenforceable by virtue of the fact that for any reason any one or more of any of
the provisions hereof may be invalid or unenforceable in whole or in part.
10) Counterparts. This Agreement may be executed by the Parties hereto in separate
counterparts, each of which when so executed and delivered shall be an original,
but all such counterparts shall together constitute one and the same instrument.
LV 1 1468200v 109/16/11
Update for Final Rule 2013
HIPAA Business Associate Agreement
Page 14 of 14
Each counterpart may consist of a number of copies hereof each signed by less
than all, but together signed by all of the Parties hereto.
11) Interpretation. The Parties agree that any ambiguity in this Agreement shall be
resolved in favor of a meaning that complies and is consistent with HIPAA and
HITECH.
IN WITNESS WHEREOF, the Parties hereto have duly executed this Agreement on the day and
year below written:
City of Richmond
By:
Print Nam : Soberson
Date: (Z`z-u � / T
EIN: 35 - 660 l k `-1
LV 1 1468200v1 09/16/11
Update for Final Rule 2013
ELAP Serv' , LLC %r
By:
Print Name: Stiphen P. It lly
Date: j ���
EIN: 27-1535821