You have reached the PMM HIPAA Associate Form page.

 

To automatically download a PMM HIPAA Associate Form Microsoft Word document to your computer's downloads file, nicely formatted, click here.

Otherwise, the same document follows this message in plain text.

Thank you.

 

Professional Management and Marketing

Consultants in Practice Excellence



HIPAA BUSINESS ASSOCIATE ADDENDUM
This HIPAA Business Associate Addendum (“Addendum”) supplements and is made a part of the agreement (“Agreement”) by and between (client) as Covered Entity (“CE”) and Professional Management and Marketing, 3468 Piner Rd, Santa Rosa, CA 95401, ph (707)-546-4433 as Business Associate (“Associate”), and is effective as of
(the “Addendum Effective Date”).
RECITALS
A. CE wishes to disclose certain information (“Information”) to Associate pursuant to the terms of the Agreement, some of which may constitute Protected Health Information (“PHI”).
B. CE and Associate intend to protect the privacy and provide for the security of PHI disclosed to Associate pursuant to the Agreement in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”) and regulations promulgated thereunder by the U.S. Department of Health and Human Services (the “HIPAA Regulations”) and other applicable laws.
C. The purpose of this Addendum is to satisfy certain standards and requirements of HIPAA and the HIPAA Regulations, including, but not limited to, Title 45, Section 164.504(e) of the Code of Federal Regulations (“CFR”), as the same may be amended from time to time.
In consideration of the mutual promises below and the exchange of information pursuant to this Addendum, the parties agree as follows:
1. Definitions.
a. “Business Associate” shall have the meaning given to such term under the HIPAA Regulations, including, but not limited to, 45 CFR Section 160.103.
b. “Covered Entity” shall have the meaning given to such term under HIPAA and the HIPAA Regulations, including, but not limited to, 45 CFR Section 160.103.
c. “Protected Health Information” or “PHI” means any information, whether oral or recorded in any form or medium: (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under HIPAA and the HIPAA Regulations, including, but not limited to 45 CFR Section 164.501. [45 CFR § 160.103; 45 CFR § 501]
2. Obligations of Associate.
a. Permitted Uses and Disclosures. Associate may use and/or disclose PHI received by Associate pursuant to this Agreement (“CE’s PHI”) solely in accordance with the specifications set forth in Exhibit A, which is incorporated herein by reference. In the event of any conflict between this Agreement and Exhibit A, this Agreement shall control. [45 CFR § 164.504(e)(2)(i)]
b. Nondisclosure. Associate shall not use or further disclose CE’s PHI otherwise than as permitted or required by this Agreement or as required by law. [45 CFR § 164.504(e)(2)(ii)(A)]
c. Safeguards. Associate shall use appropriate safeguards to prevent use or disclosure of CE’s PHI otherwise than as provided for by this Agreement. [45 CFR § 164.504(e)(2)(ii)(B)] Associate shall maintain a comprehensive written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the Associate’s operations and the nature and scope of its activities.
d. Reporting of Disclosures. Associate shall report to CE any use or disclosure of CE’s PHI otherwise than as provided for by this Agreement of which Associate becomes aware. [45 CFR § 164.504(e)(2)(ii)(C)]
e. Associate’s Agents. Associate shall ensure that any agents, including subcontractors, to whom it provides PHI received from (or created or received by Associate on behalf of) CE agree to the same restrictions and conditions that apply to Associate with respect to such PHI. [45 CFR § 164.504(e)(2)(D)]
f. Availability of Information to CE. Associate shall make available to CE such information as CE may require to fulfill CE’s obligations to provide access to, provide a copy of, and account for disclosures with respect to PHI pursuant to HIPAA and the HIPAA Regulations, including, but not limited to, 45 CFR Sections 164.524 and 164.528. [45 CFR § 164.504(e)(2)(E) and (G)]
g. Amendment of PHI. Associate shall make CE’s PHI available to CE as CE may require to fulfill CE’s obligations to amend PHI pursuant to HIPAA and the HIPAA Regulations, including, but not limited to, 45 CFR Section 164.526 and Associate shall, as directed by CE, incorporate any amendments to CE’s PHI into copies of such PHI maintained by Associate. [45 CFR § 164.504(e)(2)(F)]
h. Internal Practices. Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from CE (or created or received by Associate on behalf of CE) available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Associate’s compliance with HIPAA and the HIPAA Regulations. [45 CFR § 164.504(e)(2)(H)]
i. Notification of Breach. During the term of this Agreement, Associate shall notify CE within twenty-four (24) hours of any suspected or actual breach of security, intrusion or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations. Associate shall take (i) prompt corrective action to cure any such deficiencies and (ii) any action pertaining to such unauthorized disclosure required by applicable federal and state laws and regulations.
3. Obligations of CE. CE shall be responsible for using appropriate safeguards to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Associate pursuant to this Agreement, in accordance with the standards and requirements of HIPAA and the HIPAA Regulations, until such PHI is received by Associate. Any specifications defining the point of receipt of CE’s PHI by Associate shall be set forth in Exhibit A.
4. Audits, Inspection and Enforcement. From time to time upon reasonable notice, upon a reasonable determination by CE that Associate has breached this Agreement, CE may inspect the facilities, systems, books and records of Associate to monitor compliance with this Addendum. Associate shall promptly remedy any violation of any term of this Addendum and shall certify the same to CE in writing. The fact that CE inspects, or fails to inspect, or has the right to inspect, Associate’s facilities, systems and procedures does not relieve Associate of its responsibility to comply with this Addendum, nor does CE’s (i) failure to detect or (ii) detection, but failure to notify Associate or require Associate’s remediation of any unsatisfactory practices constitute acceptance of such practice or a waiver of CE’s enforcement rights under this Agreement.
5. Termination.
a. Material Breach. A breach by Associate of any provision of this Addendum, as determined by CE, shall constitute a material breach of the Agreement and shall provide grounds for immediate termination of the Agreement by CE.
b. Reasonable Steps to Cure Breach. If CE knows of a pattern of activity or practice of Associate that constitutes a material breach or violation of the Associate’s obligations under the provisions of this Addendum or another arrangement and does not terminate this Agreement pursuant to Section 4(a), then CE shall take reasonable steps to cure such breach or end such violation, as applicable. If CE’s efforts to cure such breach or end such violation are unsuccessful, CE shall either (i) terminate this Agreement, if feasible or (ii) if termination of this Agreement is not feasible, CE shall report Associate’s breach or violation to the Secretary of the Department of Health and Human Services. [45 CFR § 164.504(e)(1)(ii)]
c. Judicial or Administrative Proceedings. Either party may terminate this Agreement, effective immediately, if (i) the other party is named as a defendant in a criminal proceeding for a violation of HIPAA or (ii) a finding or stipulation that the other party has violated any standard or requirement of HIPAA or other security or privacy laws is made in any administrative or civil proceeding in which the party has been joined.
d. Effect of Termination. Upon termination of this Agreement for any reason, Associate shall return and destroy all PHI received from CE (or created or received by Associate on behalf of CE) that Associate still maintains in any form, and shall retain no copies of such PHI or, if return or destruction is not feasible, it shall continue to extend the protections of this Agreement to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible. [45 CFR § 164.504(e)(2)(I)]
6. Indemnification. Each party will indemnify, hold harmless and defend the other party to this Agreement from and against any and all claims, losses, liabilities, costs and other expenses incurred as a result of, or arising directly or indirectly out of or in connection with: (i) any misrepresentation, breach of warranty or non-fulfillment of any undertaking on the part of the party under this Agreement; and (ii) any claims, demands, awards, judgments, actions and proceedings made by any person or organization arising out of or in any way connected with the party’s performance under this Agreement. [This provision should be negotiated.]
7. Limitation of Liability. CE shall indemnify Associate against any claims related to a breach by CE.
8. Disclaimer. CE makes no warranty or representation that compliance by Associate with this Addendum, HIPAA or the HIPAA Regulations will be adequate or satisfactory for Associate’s own purposes or that any information in Associate’s possession or control, or transmitted or received by Associate, is or will be secure from unauthorized use or disclosure. Associate is solely responsible for all decisions made by Associate regarding the safeguarding of PHI.
9. Certification. To the extent that CE determines that such examination is necessary to comply with CE’s legal obligations pursuant to HIPAA relating to certification of its security practices, CE or its authorized agents or contractors, may, at CE’s expense, examine Associate’s facilities, systems, procedures and records as may be necessary for such agents or contractors to certify to CE the extent to which Associate’s security safeguards comply with HIPAA, the HIPAA Regulations or this Addendum.
10. Amendment.
a. Amendment to Comply with Law. The parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to provide for procedures to ensure compliance with such developments. The parties specifically agree to take such action as is necessary to implement the standards and requirements of HIPAA, the HIPAA Regulations and other applicable laws relating to the security or confidentiality of PHI. The parties understand and agree that CE must receive satisfactory written assurance from Associate that Associate will adequately safeguard all PHI that it receives or creates pursuant to this Agreement. Upon CE’s request, Associate agrees promptly to enter into negotiations with CE concerning the terms of an amendment to this Agreement embodying written assurances consistent with the standards and requirements of HIPAA, the HIPAA Regulations or other applicable laws. CE may terminate this Agreement upon [30] days written notice in the event (i) Associate does not promptly enter into negotiations to amend this Agreement when requested by CE pursuant to this Section or (ii) Associate does not enter into an amendment to this Agreement providing assurances regarding the safeguarding of PHI that CE, in its sole discretion, deems sufficient to satisfy the standards and requirements of HIPAA and the HIPAA Regulations.
b. Amendment of Exhibit A. Exhibit A may be modified or amended by mutual agreement of the parties at any time without amendment of this Agreement.
11. Assistance in Litigation or Administrative Proceedings. Associate shall make itself, and any subcontractors, employees or agents assisting Associate in the performance of its obligations under this Agreement, available to CE, at no cost to CE, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against CE, its directors, officers or employees based upon claimed violation of HIPAA, the HIPAA Regulations or other laws relating to security and privacy, except where Associate or its subcontractor, employee or agent is a named adverse party.
12. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than CE, Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
13. Effect on Agreement. Except as specifically required to implement the purposes of this Addendum, or to the extent inconsistent with this Addendum, all other terms of the Agreement shall remain in force and effect.
14. Interpretation. This Addendum and the Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA, HIPAA Regulations and applicable state laws.
The parties agree that any ambiguity in this Addendum shall be resolved in favor of a meaning that complies and is consistent with HIPAA and the HIPAA Regulations.
IN WITNESS WHEREOF, the parties hereto have duly executed this Addendum as of the Addendum Effective Date.
CE

By:
Print Name:
Title:
Date:

ASSOCIATE
Professional Management & Marketing
By: Keith C Borglum via Internet
Print Name: Keith C Borglum
Title: Consultant
Date:

EXHIBIT A
PERMITTED USES AND DISCLOSURES
This Exhibit sets forth the permitted uses and disclosures of Information by Associate pursuant to Section 2 of the Addendum to the HIPAA BUSINESS ASSOCIATE ADDENDUM (“Agreement”) by and between CE and Associate. This Exhibit may be amended from time to time as provided in Section 5(b) of the Addendum.
1. Purpose(s) of Disclosure. The purpose(s) for which CE shall disclose Information to Associate are as follows:
Associate may use PHI received by Associate in its capacity as a Business Associate of CE for the proper management and administration of Associate, if such disclosure is necessary (i) for the proper management and administration of Associate or (ii) to carry out the legal responsibilities of Associate.
2. Information to be Disclosed. CE shall disclose the following Information to Associate in accordance with the terms of the Agreement:
Practice and patient records
3. Permitted Uses and Disclosures of Information. Associate shall be limited to the following uses and/or disclosures of CE’s PHI:
As directed by CE
4. Subcontractor(s). If Associate intends to utilize any subcontractor(s) in performing Associate’s obligations under the Agreement, such subcontractor(s) shall be identified as follows:
None
5. Disclosure for Management and Administration. Associate may disclose PHI received by Associate in its capacity as a Business Associate of CE for the proper management and administration of Associate if (i) the disclosure is required by law or (ii) Associate (a) obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person and (b) the person notifies Associate of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
6. Data Aggregation Services. For purposes of this Section, “Data Aggregation” means, with respect to CE’s PHI, the combining of such PHI by Associate with the PHI received by Associate in its capacity as a Business Associate of another Covered Entity to permit data analyses that relate to the health care operations of the respective Covered Entities.