Business Associate Agreement

THIS BUSINESS ASSOCIATE AGREEMENT (this "BAA"), dated as of 12/14/2021, is entered into by and between Hub International Northwest LLC ("Business Associate") and those Employee Welfare Benefit Plans (as defined in the Employee Retirement Income Security Act of 1974) of ("Plan Sponsor") that are subject to 45 CFR Parts 160 and 164, Subparts A and E and 45 CFR Parts 160 and 164, Subpart C (each a "Covered Entity") and on whose behalf this BAA has been executed and delivered. Business Associate and Covered Entity are referred to herein from time to time each individually as a "Party" and collectively as the "Parties." Capitalized terms used herein but not otherwise defined in this BAA will have the same meaning as the meaning ascribed to such terms in the HIPAA Rules (as defined below).

WHEREAS, pursuant to certain services agreements (the "Agreements"), Business Associate provides services to Covered Entity that may involve the use, disclosure, transmission, maintenance and/or creation of Protected Health Information; and

WHEREAS, Business Associate and Covered Entity are committed to compliance with the Privacy, Security, Breach Notification and Enforcement Rules of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") at 45 CFR Parts 160 and 164 and any current and future regulations promulgated thereunder (collectively, the "HIPAA Rules");

NOW, THEREFORE, in consideration of the mutual covenants and agreements herein, and for other good and valuable consideration, the Parties agree as follows:

I. DEFINITIONS

For purposes of this BAA, the following terms shall have the meanings ascribed to them below:

A. Breach. "Breach" shall have the same meaning as the term "breach" in 45 CFR §164.402, subject to all exclusions under 45 CFR §§164.402(1)(i), (ii) and (iii).

B. Electronic Protected Health Information. "Electronic Protected Health Information" or "ePHI" shall have the same meaning as the term "electronic protected health information" in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

C. Electronic Transactions Rule. "Electronic Transactions Rule" shall mean the final regulations issued by HHS concerning standard transactions and code sets under 45 CFR Parts 160 and 162.

D. HHS. "HHS" shall mean the U.S. Department of Health and Human Services.

E. Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR § 160.103.

F. Protected Health Information. "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity, including but not limited to Electronic Protected Health Information.

G. Required By Law. "Required by Law" shall have the same meaning as the term "required by law" at 45 CFR § 164.103 and the standards imposed at 45 CFR § 164.512(a).

H. Secretary. "Secretary" shall mean the Secretary of HHS.

I. Security Incident. "Security Incident" shall have the same meaning as the term "security incident" in 45 CFR §164.304.

J. Transaction. "Transaction" shall have the meaning as the term "transaction" in 45 CFR § 160.103.

K. Unsecured Protected Health Information. "Unsecured protected health information" shall have the meaning as the term "unsecured protected health information" in 45 CFR § 164.402.

II. OBLIGATIONS OF BUSINESS ASSOCIATE

Business Associate agrees:

A. Not to use or disclose Protected Health Information other than (i) as permitted or required by this BAA, (ii) as permitted or required to perform its obligations pursuant to the Agreements, or (iii) as Required by Law.

B.
To use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent the use or disclosure of PHI other than as provided for by this BAA.

C. To mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA.

D. To report to the appropriate Covered Entity any use or disclosure of PHI not provided for by this BAA of which it becomes aware and any Successful Security Incident of which Business Associate becomes aware. For purposes of this BAA, a "Successful Security Incident" is any Security Incident that results in unauthorized access, use, disclosure, modification, or destruction of Electronic Protected Health Information of Covered Entity. The parties further stipulate and agree that this paragraph constitutes notice by Business Associate to Covered Entity with respect to any "Unsuccessful Security Incident," which is defined for purposes of this BAA as any Security Incident that is not a Successful Security Incident. Covered Entity and Business Associate agree that reporting of Unsuccessful Security Incidents are too numerous to be meaningful or helpful and therefore this BAA constitutes the report from Business Associate that these incidents occur.

E. In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to ensure that any subcontractor that creates, receives, maintains or transmits Protected Health Information on behalf of Business Associate agrees to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such PHI. If Business Associate becomes aware of a pattern or practice by the subcontractor that violates such agreement, Business Associate shall take steps to cure the breach or end the violation.
If efforts to cure the breach or end the violation are not successful, Business Associate shall terminate its arrangement with the subcontractor, if feasible. If not feasible, Business Associate shall notify Covered Entity of the breach or violation.

F. To make available, at the request of Covered Entity, and in the form and format designated by such Covered Entity, PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to the requesting Individual or such Individual's designee, within the time period necessary to meet the requirements under 45 CFR § 164.524; provided, however, that this Section II.F is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.

G. To make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526, or to take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.526; provided, however, that this Section II.G is applicable only to the extent Business Associate is required to maintain a Designated Record Set for the particular Covered Entity pursuant to the terms of the Agreements.

H. To make applicable internal practices, books and records available to the Secretary or his designee for purposes of the Secretary's determining Business Associate's compliance with the HIPAA Rules.

I. To maintain and make available upon request by Covered Entity the information required to provide an accounting of disclosures as necessary to satisfy Covered Entity's obligations under 45 CFR § 164.528.

J. Without unreasonable delay and in no case later than sixty (60) days following discovery by Business Associate (except as otherwise required under 45 CFR § 164.412), Business Associate will notify Covered Entity in writing of any Breach of Unsecured Protected Health Information. Business Associate shall provide Covered Entity, to the extent known, the identity of each Individual whose Unsecured Protected Health Information has, or is reasonably believed by Business Associate, to have been affected by the Breach. In addition, Business Associate shall provide to Covered Entity, either at the time it provides notice to Covered Entity of the Breach or promptly thereafter as information becomes available, any other information that Covered Entity is required to include in its notification to an Individual under 45 CFR § 164.404(c).

K. In the event Business Associate transmits or receives a Transaction on behalf of Covered Entity, it shall comply with all provisions of the Electronic Transactions Rule to the extent applicable.

L. To the extent Business Associate is to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).

M. In its performance of the functions, activities, services, and operations for Covered Entity, Business Associate agrees to make only the minimum necessary uses and disclosures and requests for Protected Health Information.

N. Business Associate shall not engage in the Sale of Protected Health Information or otherwise directly or indirectly receive direct or indirect remuneration in exchange for the disclosure of Protected Health Information of an Individual, unless Covered Entity or Business Associate has obtained a valid authorization from the Individual, consistent with the requirements under 45 CFR § 164.508.

III.
PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

Except as otherwise limited in this BAA, Business Associate may:

A. Use or disclose PHI for purposes of performing the functions, activities or services for, or on behalf of, each Covered Entity as specified in the Agreements, provided that such use or disclosure would not violate Subpart E of 45 CFR Part 164 if done by Covered Entity or is permitted under paragraphs B and C below.

B. Use PHI for all appropriate management and administrative functions of Business Associate, or as needed to carry out the legal responsibilities of Business Associate.

C. Disclose PHI for all appropriate management and administrative functions of Business Associate, or as needed to carry out the legal responsibilities of Business Associate, provided that such disclosures are either Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

IV. OBLIGATIONS OF COVERED ENTITY

Each Covered Entity shall:

A. Provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to such notice.

B. Provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes affect Business Associate's permitted or required uses and disclosures.

C. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.

D.
Not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Subpart E of 45 CFR Part 164 if done by Covered Entity, except as set forth in Sections III.B and C.

E. Disclose only the minimum necessary Protected Health Information to Business Associate as may be required for Business Associate to perform its services to Covered Entity, except that Covered Entity will not be obligated to comply with this minimum necessary limitation if neither Business Associate nor Covered Entity is required to limit its use, disclosure or request to the minimum necessary.

V. TERM AND TERMINATION

A. Term. As to each Covered Entity, the term of this BAA shall be effective as of the date set forth above in the first paragraph. This BAA shall terminate on the date Business Associate ceases to be obligated to perform functions, activities or services for Covered Entity under the Agreements. However, Business Associate's obligations under Articles II, III and V shall survive the termination of this BAA with respect to any PHI so long as it remains in the possession of Business Associate.

B. Termination for Cause. Without limiting the rights of the Parties respecting termination under the Parties' Agreements:

1. By Covered Entity. Upon Covered Entity's knowledge of a pattern of an activity or practice of Business Associate that constitutes a material breach or violation of this BAA by Business Associate with respect to PHI maintained for that Covered Entity, such Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation. Covered Entity shall terminate this BAA and the Agreements if Business Associate does not cure the breach or end the violation within such reasonable time as is specified by Covered Entity, or immediately terminate this BAA and the Agreements if Business Associate has breached or violated a material term of this BAA and cure is not possible.
However, Business Associate's Agreement(s) and the terms of this BAA with respect to any other Covered Entity shall continue to remain in effect until otherwise terminated.

2. By Business Associate. Upon Business Associate's knowledge of a pattern of an activity or practice of Covered Entity that constitutes a material breach or violation of this BAA by such Covered Entity, Business Associate shall provide an opportunity for Covered Entity to cure the breach or end the violation. Business Associate shall terminate this BAA and the Agreements with respect to that Covered Entity if Covered Entity does not cure the breach or end the violation within such reasonable time as is specified by Business Associate, or immediately terminate this BAA and the Agreements with respect to that Covered Entity if Covered Entity has breached or violated a material term of this BAA and cure is not possible. However, Business Associate's Agreement(s) and the terms of this BAA with respect to any other Covered Entity shall continue to remain in effect until otherwise terminated.

C. Effect of Termination. Upon termination of this BAA for any reason, Business Associate, with respect to Protected Health Information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

1. Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;

2. Return to Covered Entity or destroy the remaining PHI that Business Associate still maintains in any form;

3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information to prevent use or disclosure of the PHI, other than as provided for in this Section V.C, for as long as Business Associate retains the PHI;

4.
Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out under Sections III.B and III.C which applied prior to termination; and

5. Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

VI. MISCELLANEOUS PROVISIONS

A. Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended, and for which compliance is required at the time of the use or disclosure in question. In case a specific regulatory reference used in this BAA changes, as may occur when an enforcement body moves or otherwise changes its numbering system, this BAA shall remain in place and the Parties subject to the BAA shall use all reasonable efforts to discern the correct and applicable reference currently in effect in order to optimally satisfy compliance obligations as set forth under governing law.

B. Amendment. The Parties agree to take appropriate action as necessary to amend this BAA from time to time in order for Covered Entity and Business Associate to comply with the HIPAA Rules. Moreover, to the extent permitted by applicable law, upon the compliance date of any final regulation, or amendment to final regulation promulgated by HHS that affects Business Associate or Covered Entity's obligations under this BAA, this BAA will automatically amend such that the obligations imposed on Business Associate or Covered Entity remain in compliance with the final regulation or amendment to final regulation.

C. Survival. The respective rights and obligations of the Parties to this BAA shall survive the termination of this BAA.

D. Governing Law. This BAA shall be governed by the laws of the State of

E. Notices.
All notices hereunder shall be in writing and delivered by hand, by certified mail, return receipt requested or by overnight delivery. Notices shall be directed to the Parties at their respective addresses set forth below their signature, as appropriate, or at such other addresses as the Parties may from time to time designate in writing.

F. Entire Agreement; Modification. This BAA represents the entire agreement between Business Associate and each Covered Entity relating to the subject matter hereof and supersedes all prior oral and written agreements relating to the subject matter hereof. No provision of this BAA may be modified, except in writing, signed by the Parties.

G. No Third Party Beneficiaries. There shall be no third party beneficiaries to this BAA, and no individual (including an Individual) or entity who is not a party to this BAA shall have any rights in connection with a breach or violation of this BAA.

H. Binding Effect. This BAA shall be binding upon the Parties hereto and their successors and assigns.

I. Counterparts and Signature. This BAA may be executed in any number of counterparts, which, when taken together, shall constitute one original. This BAA may be executed by an electronic or facsimile signature of an authorized representative of the Parties, and any such signature shall be deemed to be an original signature and shall be binding on the Parties to the same extent as if such electronic or facsimile signature were an original signature.

J. Interpretation of this Agreement. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with applicable law.

IN WITNESS WHEREOF, the Parties hereto have caused this BAA to be executed as of the date first above written.

BUSINESS ASSOCIATE: Hub Northwest International LLC
By:
Name: Tim Kennedy
Title: Executive Vice President, Employee Benefits

PLAN SPONSOR: on behalf of its group health plan as Covered Entity
By:
Name:
Title:
Address of Plan Sponsor:

Version: September 22, 2017