BUSINESS ASSOCIATE AGREEMENT
It is our practice to sign Business Associate Agreements with our clients when they engage us. In the absence of a signed agreement with a client, we consider ourselves bound by the Business Associate Agreement set out below if we receive protected health information on behalf of a client. Our signed agreement supersedes this one.
Business Associate Agreement
Hooper, Lundy & Bookman, P.C. (“HLB” or “we”) agree to be bound by the terms of this Business Associate Agreement (“Agreement”) to the extent that: (a) you are our client that is a “covered entity” and/or “business associate” under the administrative simplification provision of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including its “Privacy Rule,” “Security Rule,” and “Breach Notification Rule,” as amended (collectively, “HIPAA”); and (b) we are acting as your “business associate” under HIPAA. Terms used in this Agreement have the meanings given them in HIPAA except that “PHI” means “protected health information” but is limited to the protected health information created, received, maintained, or transmitted by us on your behalf.
1. Permissible Uses and Disclosures.
1.1 We may use and disclose PHI for the purpose of providing legal services to you.
1.2 We may use and disclose PHI for the proper management and administration of our law firm and to carry out our legal responsibilities, as long as, in the case of any disclosure for these purposes, either: (a) the disclosure is required by law; or (b) we obtain reasonable assurances from the person to whom we disclose the PHI that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to such person, and that the person will notify us of any instances of which the person is aware in which the confidentiality of the PHI has been breached.
1.3 Nothing in this Agreement permits any use or disclosure that you are not permitted to make under HIPAA, except as provided in Section 1.2 of this Agreement.
2. Obligations. We will:
2.1 Not use or further disclose your PHI except as permitted or required by this Agreement or as required by law.
2.2 Use appropriate safeguards to prevent use or disclosure of your PHI other than as permitted by this Agreement.
2.3 Comply with the applicable provisions of the Security Rule.
2.4 Report to you: (a) any use or disclosure of your PHI not provided for by this Agreement of which we become aware; (b) any security incident of which we become aware; and/or (c) any breach of your unsecured PHI that we discover, as required by 45 C.F.R. § 164.410. This Agreement constitutes ongoing notice to you of “unsuccessful” security incidents that do not represent substantial risks to PHI, such as pings on our firewall, unsuccessful log-on attempts, or access to encrypted information without access to a key, and no further reporting is required. The timing of the report will be consistent with our legal obligations, including the Breach Notification Rule and applicable state law.
2.5 Ensure that subcontractors that create, receive, maintain, or transmit your PHI on our behalf agree to the restrictions and conditions that apply to us with respect to the PHI and, with respect to any electronic PHI, agree to comply with the Security Rule.
2.6 Make available to you your PHI maintained in a designated record set so you can meet your obligations to provide individual access to PHI, as you may request.
2.7 Make available your PHI maintained in a designated record set so you can meet your obligations to amend incomplete or inaccurate PHI and incorporate any amendments, as you may request.
2.8 Report to you disclosures of PHI by us so you can meet your obligations to account for disclosures of PHI, as you may request. We will report only those disclosures for which you would be required to provide an accounting. We ask that you not direct an individual to request an accounting of disclosure directly from us.
2.9 Comply with the applicable provisions of the Privacy Rule that apply to you to the extent that we carry out one or more of your obligations as a HIPAA covered entity.
2.10 Make our internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the United States Department of Health and Human Services (the “Secretary”), for purposes of the Secretary determining your compliance with HIPAA. Unless otherwise required by law or authorized by you in writing, however, we will not disclose to the Secretary any confidential or privileged information that we receive from you or create on your behalf. This Agreement does not waive or amend the attorney-client privilege, the attorney work product doctrine, or other privileges or protections, including with respect to trade secrets and confidential commercial information.
2.11 Upon termination of our attorney-client relationship, return or destroy all PHI that we maintain in any form and retain no copies of such information or, if return or destruction is not feasible, extend the protections of this Agreement to such information and limit further use and disclosure of the information to those purposes that make the return or destruction of the information infeasible. Because of our responsibility to maintain a record of the services we provide, immediate return or destruction of the information generally will not be feasible.
3. You immediately may terminate your relationship with us if you determine that we have violated a material term of this Agreement.
4. Nothing express or implied in this Agreement is intended to, or does, confer upon any other person or entity any rights, remedies, obligations, or liabilities whatsoever.
5. This Agreement is to be interpreted consistently with our obligation of reasonable care in the performance of our professional services on your behalf as our client.
6. We may amend this Agreement by posting amendments on our website. The amendments will become effective upon posting.
Signed: Hooper, Lundy & Bookman, P.C.
Effective: May 23, 2018