Business Associate Agreement
THIS BUSINESS ASSOCIATE AGREEMENT (this "BAA"), dated as of 12/14/2021,
is entered into by and between Hub International Northwest LLC ("Business Associate") and
those Employee Welfare Benefit Plans (as defined in the Employee Retirement Income
Security Act of 1974) of
("Plan Sponsor") that are subject to 45 CFR Parts 160 and 164, Subparts A and E and 45 CFR
Parts 160 and 164, Subpart C (each a "Covered Entity") and on whose behalf this BAA has
been executed and delivered. Business Associate and Covered Entity are referred to herein
from time to time each individually as a "Party" and collectively as the "Parties." Capitalized
terms used herein but not otherwise defined in this BAA will have the same meaning as the
meaning ascribed to such terms in the HIPAA Rules (as defined below).
WHEREAS, pursuant to certain services agreements (the "Agreements"), Business Associate
provides services to Covered Entity that may involve the use, disclosure, transmission,
maintenance and/or creation of Protected Health Information; and
WHEREAS, Business Associate and Covered Entity are committed to compliance with the
Privacy, Security, Breach Notification and Enforcement Rules of the Health Insurance
Portability and Accountability Act of 1996 ("HIPAA") at 45 CFR Parts 160 and 164 and any
current and future regulations promulgated thereunder (collectively, the "HIPAA Rules");
NOW, THEREFORE, in consideration of the mutual covenants and agreements herein, and
for other good and valuable consideration, the Parties agree as follows:
I. DEFINITIONS
For purposes of this BAA, the following terms shall have the meanings ascribed to them
below:
A. Breach. "Breach" shall have the same meaning as the term "breach" in 45 CFR
§164.402, subject to all exclusions under 45 CFR §§164.402(1)(i), (ii) and (iii).
B. Electronic Protected Health Information. "Electronic Protected Health
Information" or "ePHI" shall have the same meaning as the term "electronic
protected health information" in 45 CFR § 160.103, limited to the information
created or received by Business Associate from or on behalf of Covered Entity.
C. Electronic Transactions Rule. "Electronic Transactions Rule" shall mean the final
regulations issued by HHS concerning standard transactions and code sets under
45 CFR Parts 160 and 162.
D. HHS. "HHS" shall mean the U.S. Department of Health and Human Services.
E. Individual. "Individual" shall have the same meaning as the term "individual" in
45 CFR § 160.103.
F. Protected Health Information. "Protected Health Information" or "PHI" shall have
the same meaning as the term "protected health information" in 45 CFR § 160.103,
limited to the information created or received by Business Associate from or on
behalf of Covered Entity, including but not limited to Electronic Protected Health
Information.
G. Required By Law. "Required by Law" shall have the same meaning as the term
"required by law" at 45 CFR § 164.103 and the standards imposed at 45 CFR
§ 164.512(a).
H. Secretary. "Secretary" shall mean the Secretary of HHS.
I. Security Incident. "Security Incident" shall have the same meaning as the term
"security incident" in 45 CFR §164.304.
J. Transaction. "Transaction" shall have the meaning as the term "transaction" in 45
CFR § 160.103.
K. Unsecured Protected Health Information. "Unsecured protected health
information" shall have the meaning as the term "unsecured protected health
information" in 45 CFR § 164.402.
II. OBLIGATIONS OF BUSINESS ASSOCIATE
Business Associate agrees:
A. Not to use or disclose Protected Health Information other than (i) as permitted or
required by this BAA, (ii) as permitted or required to perform its obligations
pursuant to the Agreements, or (iii) as Required by Law.
B. To use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164
with respect to Electronic Protected Health Information, to prevent the use or
disclosure of PHI other than as provided for by this BAA.
C. To mitigate, to the extent practicable, any harmful effect that is known to Business
Associate of a use or disclosure of PHI by Business Associate in violation of the
requirements of this BAA.
D. To report to the appropriate Covered Entity any use or disclosure of PHI not
provided for by this BAA of which it becomes aware and any Successful Security
Incident of which Business Associate becomes aware. For purposes of this BAA,
a "Successful Security Incident" is any Security Incident that results in
unauthorized access, use, disclosure, modification, or destruction of Electronic
Protected Health Information of Covered Entity. The parties further stipulate and
agree that this paragraph constitutes notice by Business Associate to Covered
Entity with respect to any "Unsuccessful Security Incident," which is defined for
purposes of this BAA as any Security Incident that is not a Successful Security
Incident. Covered Entity and Business Associate agree that reporting of
Unsuccessful Security Incidents are too numerous to be meaningful or helpful and
therefore this BAA constitutes the report from Business Associate that these
incidents occur.
E. In accordance with 45 CFR §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable,
to ensure that any subcontractor that creates, receives, maintains or transmits
Protected Health Information on behalf of Business Associate agrees to the same
restrictions and conditions that apply through this BAA to Business Associate with
respect to such PHI. If Business Associate becomes aware of a pattern or practice
by the subcontractor that violates such agreement, Business Associate shall take
steps to cure the breach or end the violation. If efforts to cure the breach or end
the violation are not successful, Business Associate shall terminate its arrangement
with the subcontractor, if feasible. If not feasible, Business Associate shall notify
Covered Entity of the breach or violation.
F. To make available, at the request of Covered Entity, and in the form and format
designated by such Covered Entity, PHI in a Designated Record Set, to Covered
Entity or, as directed by Covered Entity, to the requesting Individual or such
Individual's designee, within the time period necessary to meet the requirements
under 45 CFR § 164.524; provided, however, that this Section II.F is applicable
only to the extent Business Associate is required to maintain a Designated Record
Set for the particular Covered Entity pursuant to the terms of the Agreements.
G. To make any amendment(s) to PHI in a Designated Record Set as directed or
agreed to by Covered Entity pursuant to 45 CFR § 164.526, or to take other
measures as necessary to satisfy Covered Entity's obligations under 45 CFR §
164.526; provided, however, that this Section II.G is applicable only to the extent
Business Associate is required to maintain a Designated Record Set for the
particular Covered Entity pursuant to the terms of the Agreements.
H. To make applicable internal practices, books and records available to the Secretary
or his designee for purposes of the Secretary's determining Business Associate's
compliance with the HIPAA Rules.
I. To maintain and make available upon request by Covered Entity the information
required to provide an accounting of disclosures as necessary to satisfy Covered
Entity's obligations under 45 CFR § 164.528.
J. Without unreasonable delay and in no case later than sixty (60) days following
discovery by Business Associate (except as otherwise required under 45 CFR
§ 164.412), Business Associate will notify Covered Entity in writing of any Breach
of Unsecured Protected Health Information. Business Associate shall provide
Covered Entity, to the extent known, the identity of each Individual whose
Unsecured Protected Health Information has, or is reasonably believed by
Business Associate, to have been affected by the Breach. In addition, Business
Associate shall provide to Covered Entity, either at the time it provides notice to
Covered Entity of the Breach or promptly thereafter as information becomes
available, any other information that Covered Entity is required to include in its
notification to an Individual under 45 CFR § 164.404(c).
K. In the event Business Associate transmits or receives a Transaction on behalf of
Covered Entity, it shall comply with all provisions of the Electronic Transactions
Rule to the extent applicable.
L. To the extent Business Associate is to carry out one or more of Covered Entity's
obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall
comply with the requirements of Subpart E that apply to Covered Entity in the
performance of such obligation(s).
M. In its performance of the functions, activities, services, and operations for Covered
Entity, Business Associate agrees to make only the minimum necessary uses and
disclosures and requests for Protected Health Information.
N. Business Associate shall not engage in the Sale of Protected Health Information or
otherwise directly or indirectly receive direct or indirect remuneration in exchange
for the disclosure of Protected Health Information of an Individual, unless Covered
Entity or Business Associate has obtained a valid authorization from the
Individual, consistent with the requirements under 45 CFR § 164.508.
III. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
Except as otherwise limited in this BAA, Business Associate may:
A. Use or disclose PHI for purposes of performing the functions, activities or services
for, or on behalf of, each Covered Entity as specified in the Agreements, provided
that such use or disclosure would not violate Subpart E of 45 CFR Part 164 if done
by Covered Entity or is permitted under paragraphs B and C below.
B. Use PHI for all appropriate management and administrative functions of Business
Associate, or as needed to carry out the legal responsibilities of Business
Associate.
C. Disclose PHI for all appropriate management and administrative functions of
Business Associate, or as needed to carry out the legal responsibilities of Business
Associate, provided that such disclosures are either Required by Law, or Business
Associate obtains reasonable assurances from the person to whom the information
is disclosed that it will remain confidential and will be used or further disclosed
only as Required by Law or for the purpose for which it was disclosed to the
person, and the person notifies Business Associate of any instances of which it is
aware in which the confidentiality of the information has been breached.
IV. OBLIGATIONS OF COVERED ENTITY
Each Covered Entity shall:
A. Provide Business Associate with the notice of privacy practices that Covered
Entity produces in accordance with 45 CFR § 164.520, as well as any changes to
such notice.
B. Provide Business Associate with any changes in, or revocation of, permission by
an Individual to use or disclose PHI, if such changes affect Business Associate's
permitted or required uses and disclosures.
C. Notify Business Associate of any restriction to the use or disclosure of PHI that
Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent
that such restriction may affect Business Associate's use or disclosure of PHI.
D. Not request Business Associate to use or disclose PHI in any manner that would
not be permissible under the Subpart E of 45 CFR Part 164 if done by Covered
Entity, except as set forth in Sections III.B and C.
E. Disclose only the minimum necessary Protected Health Information to Business
Associate as may be required for Business Associate to perform its services to
Covered Entity, except that Covered Entity will not be obligated to comply with
this minimum necessary limitation if neither Business Associate nor Covered
Entity is required to limit its use, disclosure or request to the minimum necessary.
V. TERM AND TERMINATION
A. Term. As to each Covered Entity, the term of this BAA shall be effective as
of the date set forth above in the first paragraph. This BAA shall terminate on the
date Business Associate ceases to be obligated to perform functions, activities or
services for Covered Entity under the Agreements. However, Business
Associate's obligations under Articles II, III and V shall survive the termination of
this BAA with respect to any PHI so long as it remains in the possession of
Business Associate.
B. Termination for Cause. Without limiting the rights of the Parties respecting
termination under the Parties' Agreements:
1. By Covered Entity. Upon Covered Entity's knowledge of a pattern of an
activity or practice of Business Associate that constitutes a material breach
or violation of this BAA by Business Associate with respect to PHI
maintained for that Covered Entity, such Covered Entity shall provide an
opportunity for Business Associate to cure the breach or end the violation.
Covered Entity shall terminate this BAA and the Agreements if Business
Associate does not cure the breach or end the violation within such
reasonable time as is specified by Covered Entity, or immediately
terminate this BAA and the Agreements if Business Associate has
breached or violated a material term of this BAA and cure is not possible.
However, Business Associate's Agreement(s) and the terms of this BAA
with respect to any other Covered Entity shall continue to remain in effect
until otherwise terminated.
2. By Business Associate. Upon Business Associate's knowledge of a
pattern of an activity or practice of Covered Entity that constitutes a
material breach or violation of this BAA by such Covered Entity, Business
Associate shall provide an opportunity for Covered Entity to cure the
breach or end the violation. Business Associate shall terminate this BAA
and the Agreements with respect to that Covered Entity if Covered Entity
does not cure the breach or end the violation within such reasonable time
as is specified by Business Associate, or immediately terminate this BAA
and the Agreements with respect to that Covered Entity if Covered Entity
has breached or violated a material term of this BAA and cure is not
possible. However, Business Associate's Agreement(s) and the terms of
this BAA with respect to any other Covered Entity shall continue to remain
in effect until otherwise terminated.
C. Effect of Termination. Upon termination of this BAA for any reason, Business
Associate, with respect to Protected Health Information received from Covered
Entity, or created, maintained, or received by Business Associate on behalf of
Covered Entity, shall:
1. Retain only that PHI which is necessary for Business Associate to continue
its proper management and administration or to carry out its legal
responsibilities;
2. Return to Covered Entity or destroy the remaining PHI that Business
Associate still maintains in any form;
3. Continue to use appropriate safeguards and comply with Subpart C of 45
CFR Part 164 with respect to Electronic Protected Health Information to
prevent use or disclosure of the PHI, other than as provided for in this
Section V.C, for as long as Business Associate retains the PHI;
4. Not use or disclose the PHI retained by Business Associate other than for
the purposes for which such PHI was retained and subject to the same
conditions set out under Sections III.B and III.C which applied prior to
termination; and
5. Return to Covered Entity or destroy the PHI retained by Business Associate
when it is no longer needed by Business Associate for its proper
management and administration or to carry out its legal responsibilities.
VI. MISCELLANEOUS PROVISIONS
A. Regulatory References. A reference in this BAA to a section in the HIPAA Rules
means the section as in effect or as amended, and for which compliance is required
at the time of the use or disclosure in question. In case a specific regulatory
reference used in this BAA changes, as may occur when an enforcement body
moves or otherwise changes its numbering system, this BAA shall remain in place
and the Parties subject to the BAA shall use all reasonable efforts to discern the
correct and applicable reference currently in effect in order to optimally satisfy
compliance obligations as set forth under governing law.
B. Amendment. The Parties agree to take appropriate action as necessary to amend
this BAA from time to time in order for Covered Entity and Business Associate to
comply with the HIPAA Rules. Moreover, to the extent permitted by applicable
law, upon the compliance date of any final regulation, or amendment to final
regulation promulgated by HHS that affects Business Associate or Covered
Entity's obligations under this BAA, this BAA will automatically amend such that
the obligations imposed on Business Associate or Covered Entity remain in
compliance with the final regulation or amendment to final regulation.
C. Survival. The respective rights and obligations of the Parties to this BAA shall
survive the termination of this BAA.
D. Governing Law. This BAA shall be governed by the laws of the State of
E. Notices. All notices hereunder shall be in writing and delivered by hand, by
certified mail, return receipt requested or by overnight delivery. Notices shall be
directed to the Parties at their respective addresses set forth below their signature,
as appropriate, or at such other addresses as the Parties may from time to time
designate in writing.
F. Entire Agreement; Modification. This BAA represents the entire agreement
between Business Associate and each Covered Entity relating to the subject matter
hereof and supersedes all prior oral and written agreements relating to the subject
matter hereof. No provision of this BAA may be modified, except in writing,
signed by the Parties.
G. No Third Party Beneficiaries. There shall be no third party beneficiaries to this
BAA, and no individual (including an Individual) or entity who is not a party to
this BAA shall have any rights in connection with a breach or violation of this
BAA.
H. Binding Effect. This BAA shall be binding upon the Parties hereto and their
successors and assigns.
I. Counterparts and Signature. This BAA may be executed in any number of
counterparts, which, when taken together, shall constitute one original. This BAA
may be executed by an electronic or facsimile signature of an authorized
representative of the Parties, and any such signature shall be deemed to be an
original signature and shall be binding on the Parties to the same extent as if such
electronic or facsimile signature were an original signature.
J. Interpretation of this Agreement. Any ambiguity in this BAA shall be resolved
in favor of a meaning that permits the Parties to comply with applicable law.
IN WITNESS WHEREOF, the Parties hereto have caused this BAA to be executed as of the
date first above written.
BUSINESS ASSOCIATE: Hub Northwest International LLC
By:
Name: Tim Kennedy
Title: Executive Vice President, Employee Benefits
PLAN SPONSOR:
on behalf of its group health plan as Covered Entity
By:
Name:
Title:
Address of Plan Sponsor:
Version: September 22, 2017