This Business Associate Agreement (this “Agreement”) is made effective as of 10/10/2024 (the “Effective Date”), by and between {Name of Registry Site (Covered Entity)::11} (“Covered Entity”), and THE OUTPATIENT ENDOVASCULAR AND INTERVENTIONAL SOCIETY, INC. (“BA”).
WHEREAS, Covered Entity is a “covered entity” as that term is defined in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, as amended, and the regulations promulgated thereunder (“HIPAA”); and
WHEREAS, by one or more written agreements executed by the parties, Covered Entity has engaged BA to provide certain services to Covered Entity; and
WHEREAS, in conjunction with providing those services, to the extent BA receives Protected Health Information (as hereinafter defined) from Covered Entity, BA is a “business associate” as that term is defined by HIPAA, and both parties have obligations under HIPAA to protect the privacy and security of Protected Health Information as the Covered Entity.
NOW THEREFORE, in consideration of the foregoing recitals, which are hereby incorporated as an integral part of this Agreement, and of the mutual promises contained herein and other good and valuable consideration, the parties, intending to be legally bound, hereby agree as follows:
1. Definitions. In addition to any other terms whose definitions are fixed and defined by this Agreement, the Privacy Rule, or the Security Rule, each of the following defined terms, when used in this Agreement with an initial capital letter, shall have the meaning ascribed thereto by this section. Terms used, but not otherwise defined, shall have the same meaning as those terms in 45 C.F.R. §160.103 and §164.501.
(a) “Breach Notification Standards” shall mean the HIPAA regulations governing notification in the case of breach of unsecured Protected Health Information as set forth at 45 CFR § Part 164, Subpart D, as they exist now or as they may be amended.
(b) “Designated Record Set” shall mean a group of records maintained by or for Covered Entity that is: (i) the medical records and billing records about individuals maintained by or for Covered Entity, (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for Covered Entity to make decisions about individuals. As used herein, the term “Record” means any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used, or disseminated by or for Covered Entity.
(c) “Electronic Protected Health Information” or “ePHI” shall have the same meaning as the “electronic protected health information” in 45 CFR 160.103, limited to the information created or received by BA from or on behalf of Covered Entity.
(d) “HIPAA Transaction” shall mean Transactions as defined in 45 CFR § 160.103 of the Transaction Standards.
(e) “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, found in the American Recovery and Reinvestment Act of 2009 at Division A, title XIII and Division B, Title IV.
(f) “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
(g) “Minimum Necessary” shall have the meaning set forth in the HITECH Act, § 13405(b), and as further defined by regulation in the Privacy Rule.
(h) “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.
(i) “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR 160.103, inclusive of ePHI, limited to the information created or received by BA from or on behalf of Covered Entity.
(j) “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 164.103.
(k) “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
(l) “Security Rule” shall mean the security standards for the protection of Electronic Protected Health Information at 45 CFR part 164, subpart C.
(m) “Transaction Standards” shall mean the Standards for Electronic Transactions, 45 CFR § part 160 and part 162, as they exist now or as they may be amended.
2. Obligations and Activities of BA.
(a) BA agrees to not use or disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law. BA may use and disclose Protected Health Information only if such use or disclosure, respectively, is in compliance with each applicable requirement of 45 CFR §164.504(e) and this Agreement.
(b) BA agrees to use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
(c) BA agrees to report to Covered Entity any use or disclosure of Protected Health Information not provided for by this Agreement of which it becomes aware, and agrees to mitigate, to the extent practicable, any harmful effect known to the BA that results from such use or disclosure.
(d) BA agrees to ensure, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), that any agent or subcontractor to whom it delegates the performance of any services for Covered Entity, and to whom BA or Covered Entity provides Protected Health Information on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to BA with respect to such information. If BA becomes aware of a material breach by any subcontractor of BA of such subcontractor’s obligations to protect the privacy and security of PHI, BA shall either:
(i) Provide an opportunity for the subcontractor to cure the breach or end the violation and terminate their relationship and any written agreements if the subcontractor does not cure the breach or end the violation within the time specified by BA;
(ii) Immediately terminate its relationship with the subcontractor and any other written agreements if the subcontractor has breached a material obligation and cure is not possible; or
(iii) If neither termination nor cure is feasible, report the violation to the Secretary.
(e) BA agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information relating to the use and disclosure of Protected Health Information received from, or created or received by BA on behalf of Covered Entity available to the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
(f) To the extent BA and/or any subcontractor of BA maintains Protected Health Information in a Designated Record Set:
(i) BA agrees to provide access, at the request of Covered Entity and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524.
(ii) If BA or a Subcontractor maintains the Individual’s Electronic PHI in an electronic Designated Record Set, and the Individual has requested a copy in a specified electronic form and format, BA will provide the requested Electronic PHI in the requested electronic form and format, if readily producible. If the Electronic PHI is not readily producible in the requested form and format, BA shall notify Covered Entity within five (5) business days of the request. In such event BA shall provide the Electronic PHI in an alternative readable electronic form and format as agreed by or on behalf of Plans and the Individual, within five (5) business days of notice of the alternative electronic form and format.
(iii) BA agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. If BA provides Protected Health Information to third parties, BA shall ensure such records are also amended.
(iv) For the sake of clarification, BA shall not be considered or identified as the Plan’s agent when providing access to, or otherwise responding to, individual requests.
(g) BA agrees to document disclosures of Protected Health Information, and information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528. BA agrees to implement an appropriate record keeping process that will track, at a minimum, the following information: (i) the date of the disclosure; (ii) the name of the entity or person who received the Protected Health Information, and if known, the address of such entity or person; (iii) a brief description of the Protected Health Information disclosed; and (iv) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure.
(h) BA agrees to provide to Covered Entity or to an Individual in the time and manner designated by Covered Entity, information collected in accordance with Section 2(g) of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information during the six (6) years prior to the date on which the accounting was requested, in accordance with 45 CFR § 164.528.
(i) In the event BA receives a subpoena, court or administrative order or other discovery request or mandate for release of Protected Health Information, BA will respond as permitted by 45 CFR § 164.512(e) and (f) following consultation with Covered Entity. BA shall notify Covered Entity of the request as soon as reasonably practicable, but in any event within two (2) business days of receipt of such request.
(j) If, and only to the extent BA performs marketing or fundraising services on behalf of Covered Entity and uses or discloses Protected Health Information in furtherance of those services, BA shall adopt and implement a policy and procedure for removing the names of all individuals who have expressly opted out of receiving future marketing or fundraising materials from BA on Covered Entity's behalf. If Covered Entity receives information of an individual's request to opt out of future mailings, Covered Entity agrees to notify BA of such request as soon as reasonably practicable after receipt of the request. Additionally, BA will not make any communications to individuals participating in Covered Entity’s plans in violation of the restrictions on marketing in HITECH Act § 13406(a).
(k) If BA will communicate with any individuals who are the subject of Protected Health Information originating from or prepared for Covered Entity, BA agrees to implement procedures to give timely effect to an individual’s request to receive communications of Protected Health Information by alternative means or at alternative locations, pursuant to 45 CFR § 164.522(b), so as to ensure that Protected Health Information will only be communicated to those individuals designated in such a request as authorized to receive the Protected Health Information. If BA provides records to agents, including subcontractors, who may also communicate with the individual, BA shall ensure that the individual’s request for communications by alternative means is provided to and given timely effect by such agents.
(l) BA will not disclose Protected Information to a health plan for payment or health care operations purposes if Covered Entity has informed the BA that the patient has paid out of pocket in full for specific health care item(s) or service(s) to which the PHI/ePHI solely relates, and for which the patient has requested this special restriction.
(m) BA shall not directly or indirectly receive or provide remuneration in exchange for any Protected Health Information in violation of any final regulations promulgated by the Secretary under HITECH Act § 13405(d) once such regulations become effective.
(n) Upon request from Covered Entity, BA shall permit Covered Entity to review and audit BA’s policies, procedures and practices relating to the use and protection of Protected Health Information, including the right to audit contracts and relationships with agents and subcontractors who have access to Protected Health Information, and upon request shall provide Covered Entity with copies of relevant documents.
(o) BA shall request from Covered Entity, and use and disclose to its workforce, affiliates, subsidiaries, agents and subcontractors or other third parties, only the minimum Protected Health Information necessary to perform or fulfill a specific function required or permitted under this Agreement or as Required By Law. BA shall maintain policies and procedures for requesting, using, and disclosing only the minimum necessary PHI, determined necessary consistent with the requirements in the HITECH Act, § 13405(b), or as otherwise specified in regulations promulgated by the Secretary. To the extent practicable, BA shall utilize a Limited Data Set. Otherwise, BA may use or disclose only the minimum amount of PHI necessary to accomplish the intended purpose, except that BA will not be obligated to comply with this minimum necessary limitation with respect to:
(i) Disclosures to, or requests by, a health care provider for treatment;
(ii) Disclosures to the individual who is the subject of the PHI, or that individual’s personal representative;
(iii) Use or disclosure made pursuant to an authorization compliant with 45 C.F.R. §164.508;
(iv) Use or disclosure that is Required by Law; or
(v) Any other use or disclosure that is excepted from the Minimum Necessary limitation as specified in 45 C.F.R. §164.502(b)(2).
3. Electronic Transactions. BA hereby represents and warrants that, to the extent that it is electronically transmitting any of the HIPAA Transactions for Covered Entity, the format and structure of such transmissions shall be in compliance with the Transaction Standards. BA will require any subcontractor or agent involved with the electronic transmissions of the HIPAA Transactions to comply with each of the Transactions Standards.
4. Electronic Data Security. To the extent that BA creates, receives, maintains or transmits electronic Protected Health Information, BA hereby represents and warrants that it:
(a) Has implemented and documented administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that BA creates, receives, maintains or transmits on behalf of Covered Entity consistent with the requirements at 45 CFR §§ 164.308, 164.310, 164.312 and 164.316;
(b) Will ensure that any agent, including a subcontractor, to whom BA provides ePHI agrees to implement reasonable and appropriate safeguards to protect the Protected Health Information;
(c) Will report to Covered Entity any successful security incident that BA becomes aware of with respect to ePHI; and
(d) Will keep records of, and report to the Covered Entity, all successful security incidents involving Protected Health Information of which BA becomes aware.
(e) Complies with the requirements at 45 CFR §§ 164.308, 164.310, 164.312 and 164.316, which apply to BA in the same manner that such sections apply to Covered Entity. The additional requirements of the HITECH Act that relate to security and that are made applicable with respect to covered entities shall also be applicable to BA and shall be and by this reference hereby are incorporated into this Agreement.
5. Breach Notification. BA represents and warrants that it has implemented policies and procedures to prevent and detect inappropriate acquisition, access, use or disclosure of PHI, and that it trains its work force and agents on these procedures.
(a) BA will notify Covered Entity within fifteen (15) business days of discovering an acquisition, access, use or disclosure of PHI in a manner or for a purpose not permitted by this Agreement or HIPAA, and within thirty (30) calendar days of discovery will provide Covered Entity with the identification of each individual whose PHI has been or is reasonably believed by BA to have been acquired, accessed, used or disclosed during such incident. The report shall contain at a minimum, to the extent such information is available, the following: (i) the nature of the non-permitted acquisition, access, use or disclosure; (ii) the date of the possible breach and when it was discovered; (iii) the PHI accessed, used or disclosed, with an exact copy or replication provided to the extent practicable; (iv) the identity of who caused the possible breach and who is believed to have received, accessed, or used the PHI; (v) the corrective action BA has taken and will take to prevent further breaches; (vi) what BA has done and will do to mitigate any harmful effect as a result of the possible breach; and (vii) such other information, including a written report, as Covered Entity may reasonably request.
(b) BA will assist Covered Entity in assessing: (1) the nature and extent of the PHI involved in the improper acquisition access, use, or disclosure, (2) to whom the disclosure was made or who used the PHI, (3) whether the PHI was actually acquired or viewed, and (4) any extent to which the risk has been mitigated to determine whether there is a low probability that the PHI has been compromised, and whether the individuals whose information is involved must be notified. If Covered Entity determines that individuals whose data is affected by the impermissible acquisition, access, use or disclosure must be notified pursuant to the Breach Notification Standards or other applicable law, BA will reasonably assist with providing necessary information to Covered Entity, at its own expense, without unreasonable delay and in compliance with applicable law.
6. Permitted Uses and Disclosures by BA.
(a) Except as otherwise limited in this Agreement, BA may use or disclose Protected Health Information as specified in this Agreement to perform functions, activities, or services for, or on behalf of, Covered Entity, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.
(b) Except as otherwise limited in this Agreement, BA may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B).
(c) BA may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR 164.502(j)(1).
(d) BA may use and disclose Protected Health Information for the purpose of de-identifying it in accordance with 45 CFR 164.514(b), which de-identified information may be used or disclosed by BA, as it deems appropriate.
(e) BA may use Protected Health Information for the proper and necessary management and administration of Business associate or to carry out the legal responsibilities of BA.
(f) BA may disclose Protected Health Information for the proper management and administration of BA, provided that disclosures are Required By Law or BA has obtained reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the BA of any instances of which it is aware in which the confidentiality of the information has been breached.
(g) BA may use and disclose Protected Health Information as otherwise directed in writing by Covered Entity.
7. Obligations of Covered Entity.
(a) Covered Entity shall not request BA to use or disclose Protected Health Information in any manner that would not be permissible under HIPAA if done by Covered Entity.
(b) Covered Entity will notify BA of any limitations in its Notice of Privacy Practices, to the extent such limitations affect BA’s use or disclosure of Protected Health Information or the provision of services contemplated by the parties.
(c) Covered Entity will notify BA of any restriction on use or disclosure of Protected Health Information agreed to by the Covered Entity pursuant to 45 CFR § 164.520 to the extent such restrictions affect BA’s use or disclosure of Protected Health Information or the provision of services contemplated by the parties.
8. Term.
(a) Term. The term of this Agreement shall be effective as of the Effective Date, and shall terminate when all of the Protected Health Information and Electronic Protected Health Information provided by Covered Entity to BA, or created or received by BA on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information or Electronic Protected Health Information, protections are extended to such information in accordance with the terms of this Agreement.
(b) Termination for Breach by BA. Upon Covered Entity’s knowledge of a material breach of the terms of this Agreement by BA, Covered Entity shall either:
i. Provide an opportunity for BA to cure the breach or end the violation and terminate this Agreement and any other written agreements between the parties if BA does not cure the breach or end the violation within the time specified by Covered Entity;
ii. Immediately terminate this Agreement and any other written agreements between the parties if BA has breached a material term of this Agreement and cure is not possible; or
iii. If neither termination nor cure is feasible, report the violation to the Secretary.
(c) Effect of Termination.
i. Except as provided in paragraph (2) of this subsection, upon termination of this Agreement, for any reason, BA shall return or destroy all Protected Health Information received from Covered Entity, or created or received by BA on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of BA. BA shall retain no copies of Protected Health Information.
ii. In the event that BA determines that returning or destroying Protected Health Information is infeasible, BA shall provide to Covered Entity notification of the conditions that make return or destruction of Protected Health Information infeasible, and BA shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as BA maintains such Protected Health Information.
9. Miscellaneous.
(a) Ownership of PHI. Under no circumstances shall BA be deemed in any respect to be the owner of any Protected Health Information used or disclosed by or to BA pursuant to the terms of this or any underlying services agreement. Covered Entity shall at all times be deemed the “records owner” and retain all title and rights to the PHI, whether in the possession of BA, a subcontractor, or otherwise.
(b) Regulatory References. A reference in this Agreement to a section in the Transaction Standards, Privacy Rule or Security Rule means the section as in effect or as amended.
(c) Amendment. No amendment, change, or modification of this Agreement shall be valid unless set forth in writing and signed by the parties. The parties agree to take such action as is necessary to amend or further amend, as the case may be, this Agreement from time to time as is necessary for Covered Entity to comply with the applicable law, including but not limited to the requirements of HIPAA, the HITECH Act, and regulations promulgated thereunder. If within ninety (90) days of either party first providing written notice to the other of the need to amend this Agreement and any other written agreements between the parties to comply with applicable law, the parties, acting in good faith, are: i) unable to mutually agree upon and make amendments or alterations to this Agreement and any other written agreements between the parties to meet the requirements in question, or ii) alternatively, the parties determine in good faith that amendments or alterations to the requirements are not feasible, then either party may terminate the Agreement upon thirty (30) days written notice.
(d) No Third Party Rights. The terms of this Agreement are not intended, nor should they be construed, to grant any rights to any parties other than BA and Covered Entity.
(e) Notices. Any notice pertaining to or called for by this Agreement shall be effective if mailed by certified or registered mail, return receipt requested, or by Federal Express or other overnight mail delivery for which evidence of delivery is obtained by the sender, to the respective party at the following addresses:
If to BA, notice shall be mailed to the address provided during registry enrollment.
If to Covered Entity, notice shall be mailed to the address below:
THE OUTPATIENT ENDOVASCULAR AND INTERVENTIONAL SOCIETY, INC.
2800 W. Higgins Rd Suite 440
Hoffman Estates, IL 60169
(f) Survival. The respective rights and obligations of the parties shall survive any termination of this Agreement so long as BA is providing services to Covered Entity or otherwise maintaining Protected Health Information and/or Electronic Protected Health Information.
(g) Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the requirements of HIPAA and the HITECH Act, and other applicable law. In the case of conflict between this Agreement and any other written agreement between the parties, the language of this Agreement shall control with regard to the subject matter herein.
(h) Governing Law; Venue; Attorneys’ Fees. This Agreement shall be governed by and construed under the laws of the State of Illinois, without regard to choice of law rules. The jurisdiction and venue for any action or proceeding under this Agreement will be exclusively the state and federal courts having jurisdiction over Cook County, Illinois, and each of the parties consents to the exclusive jurisdiction of such courts in any such action or proceeding and waives any objection to venue laid therein. In the event of any dispute over the terms of this Agreement or their enforcement, the prevailing party shall have its attorneys’ fees and costs (whether before trial, during trial, on appeal, or otherwise) paid by the other party.
(i) Entire Agreement. This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof, and supersedes all prior oral or written agreements, commitments, or understandings with respect thereto as of the Effective Date.
IN WITNESS THEREOF, the Parties have executed this Agreement effective as of the Effective Date: 10/10/2024