BUSINESS ASSOCIATE AGREEMENT FOR GRANTS OR LETTERS OF AGREEMENT

BUSINESS ASSOCIATE AGREEMENT (VT ADS/AHS)

Revised May 23, 2019

SOV Contractor or Vendor (Contractor Business Associate):

____________________________________________________

SOV Contract Number: _________ Date of Contract: _______________

This Business Associate Agreement ("Agreement") is entered into by and between the State of Vermont Agency of Digital Services as a Business Associate ("ADS") of the State of Vermont Agency of Human Services ("Covered Entity") (together "the State") and the party identified in this Agreement above as Contractor or Vendor ("Contractor Business Associate"). This Agreement supplements and is made a part of the contract identified above ("Contract").

ADS and Contractor Business Associate enter into this Agreement to comply with the Business Associate Agreement between Covered Entity and ADS, and with standards promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including the Standards for the Privacy of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164 ("Privacy Rule"), and the Security Standards, at 45 CFR Parts 160 and 164 ("Security Rule"), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH), and any associated federal rules and regulations.

The parties agree as follows:

1. Definitions. All capitalized terms used but not otherwise defined in this Agreement have the meanings set forth in 45 CFR Parts 160 and 164 as amended by HITECH and associated federal rules and regulations. Terms defined in this Agreement are italicized. Unless otherwise specified, when used in this Agreement, defined terms used in the singular shall be understood if appropriate in their context to include the plural when applicable.

"ADS Vendor Manager" means that person designated in the Contract as the ADS Vendor Manager, or such person who is subsequently designated in writing by ADS to the Contractor Business Associate. The ADS Vendor Manager is not authorized to enter into Contract amendments on behalf of ADS or the State.

"Agent" means an Individual acting within the scope of the agency of the Contractor Business Associate, in accordance with the Federal common law of agency, as referenced in 45 CFR § 160.402(c) and includes Workforce members and Subcontractors.

"Breach" means the acquisition, Access, Use or Disclosure of Protected Health Information (PHI) which compromises the Security or privacy of the PHI, except as excluded in the definition of Breach in 45 CFR § 164.402.

"Business Associate" shall have the meaning given for "Business Associate" in 45 CFR § 160.103.

"Contractor Business Associate" shall have the meaning given for "Business Associate" in 45 CFR § 160.103 and means Vendor and includes its Workforce, Agents and Subcontractors.

"Electronic PHI" shall mean PHI created, received, maintained or transmitted electronically in accordance with 45 CFR § 160.103.

"Individual" includes a Person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

"Protected Health Information" ("PHI") shall have the meaning given in 45 CFR § 160.103, limited to the PHI created or received by Contractor Business Associate from or on behalf of ADS or Covered Entity.

"Required by Law" means a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law and shall have the meaning given in 45 CFR § 164.103.

"Report" means submissions required by this Agreement as provided in section 2.3.

"Security Incident" means the attempted or successful unauthorized Access, Use, Disclosure, modification, or destruction of information or interference with system operations in an Information System relating to PHI in accordance with 45 CFR § 164.304.

"Services" includes all work performed by the Contractor Business Associate for or on behalf of the State that requires the Use and/or Disclosure of PHI to perform a Business Associate function described in 45 CFR § 160.103.

"Subcontractor" means a Person to whom Contractor Business Associate delegates a function, activity, or service, other than in the capacity of a member of the Workforce of such Contractor Business Associate.

"Successful Security Incident" shall mean a Security Incident that results in the unauthorized Access, Use, Disclosure, modification, or destruction of information or interference with system operations in an Information System.

"Unsuccessful Security Incident" shall mean a Security Incident such as routine occurrences that do not result in unauthorized Access, Use, Disclosure, modification, or destruction of information or interference with system operations in an Information System, such as: (i) unsuccessful attempts to penetrate computer networks or services maintained by Contractor Business Associate; and (ii) immaterial incidents such as pings and other broadcast attacks on Contractor Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above with respect to Contractor Business Associate's Information System.

"Targeted Unsuccessful Security Incident" means an Unsuccessful Security Incident that appears to be an attempt to obtain unauthorized Access, Use, disclosure, modification or destruction of the Covered Entity's Electronic PHI.

2. Contact Information for Privacy and Security Officers and Reports.

2.1 Contractor Business Associate shall provide, within ten (10) days of the execution of this Agreement, written notice to the ADS Vendor Manager the names and contact information of both the HIPAA Privacy Officer and HIPAA Security Officer of the Contractor Business Associate. This information must be updated by Contractor Business Associate any time these contacts change.

2.2 Covered Entity's HIPAA Privacy Officer and HIPAA Security Officer contact information is posted at: http://humanservices.vermont.gov/policy-legislation/hipaa/hipaa-info-beneficiaries/ahs-hipaa-contacts/

2.3 Contractor Business Associate shall submit all Reports required by this Agreement to the following email address:

AHS.PrivacyAndSecurity@vermont.gov

3. Permitted and Required Uses/Disclosures of PHI.

3.1 Subject to the terms in this Agreement, Contractor Business Associate may Use or Disclose PHI to perform Services, as specified in the Contract. Such Uses and Disclosures are limited to the minimum necessary to provide the Services. Contractor Business Associate shall not Use or Disclose PHI in any manner that would constitute a violation of the Privacy Rule if Used or Disclosed by Covered Entity in that manner. Contractor Business Associate may not Use or Disclose PHI other than as permitted or required by this Agreement or as Required by Law and only in compliance with applicable laws and regulations.

3.2 Contractor Business Associate may make PHI available to its Workforce, Agent and Subcontractor who need Access to perform Services as permitted by this Agreement, provided that Contractor Business Associate makes them aware of the Use and Disclosure restrictions in this Agreement and binds them to comply with such restrictions.

3.3 Contractor Business Associate shall be directly liable under HIPAA for impermissible Uses and Disclosures of PHI.

4. Business Activities. Contractor Business Associate may Use PHI if necessary for Contractor Business Associate's proper management and administration or to carry out its legal responsibilities. Contractor Business Associate may Disclose PHI for Contractor Business Associate's proper management and administration or to carry out its legal responsibilities if a Disclosure is Required by Law or if Contractor Business Associate obtains reasonable written assurances via a written agreement from the Person to whom the information is to be Disclosed that such PHI shall remain confidential and be Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the Person, and the Agreement requires the Person to notify Contractor Business Associate, within five (5) business days, in writing of any Breach of Unsecured PHI of which it is aware. Such Uses and Disclosures of PHI must be of the minimum amount necessary to accomplish such purposes.

5. Electronic PHI Security Rule Obligations.

5.1 With respect to Electronic PHI, Contractor Business Associate shall:

a) Implement and use Administrative, Physical, and Technical Safeguards in compliance with 45 CFR sections 164.308, 164.310, and 164.312;

b) Identify in writing upon request from the State all the safeguards that it uses to protect such Electronic PHI;

c) Prior to any Use or Disclosure of Electronic PHI by an Agent or Subcontractor, ensure that any Agent or Subcontractor to whom it provides Electronic PHI agrees in writing to implement and use Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of Electronic PHI. The written agreement must identify the State as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the Use or Disclosure of Electronic PHI, and be provided to the State upon request;

d) Report in writing to Covered Entity any Successful Security Incident or Targeted Security Incident as soon as it becomes aware of such incident and in no event later than five (5) business days after such awareness. Such report shall be timely made notwithstanding the fact that little information may be known at the time of the report and need only include such information then available;

e) Following such report, provide Covered Entity with the information necessary for Covered Entity to investigate any such incident; and

f) Continue to provide to Covered Entity information concerning the incident as it becomes available to it.

5.2 Reporting Unsuccessful Security Incidents. Contractor Business Associate shall provide Covered Entity upon written request a Report that: (a) identifies the categories of Unsuccessful Security Incidents; (b) indicates whether Business Associate believes its current defensive security measures are adequate to address all Unsuccessful Security Incidents, given the scope and nature of such attempts; and (c) if the security measures are not adequate, the measures Business Associate will implement to address the security inadequacies.

5.3 Contractor Business Associate shall comply with any reasonable policies and procedures Covered Entity implements to obtain compliance under the Security Rule.

6. Reporting and Documenting Breaches.

6.1 Contractor Business Associate shall Report to Covered Entity any Breach of Unsecured PHI as soon as it, or any Person to whom PHI is disclosed under this Agreement, becomes aware of any such Breach, and in no event later than five (5) business days after such awareness, except when a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security. Such Report shall be timely made notwithstanding the fact that little information may be known at the time of the Report and need only include such information then available.

6.2 Following the Report described in 6.1, Contractor Business Associate shall conduct a risk assessment and provide it to Covered Entity with a summary of the event. Contractor Business Associate shall provide Covered Entity with the names of any Individual whose Unsecured PHI has been, or is reasonably believed to have been, the subject of the Breach and any other available information that is required to be given to the affected Individual, as set forth in 45 CFR § 164.404(c). Upon request by Covered Entity, Contractor Business Associate shall provide information necessary for Covered Entity to investigate the impermissible Use or Disclosure. Contractor Business Associate shall continue to provide to Covered Entity information concerning the Breach as it becomes available.

6.3 When Contractor Business Associate determines that an impermissible acquisition, Access, Use or Disclosure of PHI for which it is responsible is not a Breach, and therefore does not necessitate notice to the impacted Individual, it shall document its assessment of risk, conducted as set forth in 45 CFR § 402(2). Contractor Business Associate shall make its risk assessment available to Covered Entity upon request. It shall include 1) the name of the person making the assessment, 2) a brief summary of the facts, and 3) a brief statement of the reasons supporting the determination of low probability that the PHI had been compromised.

7. Mitigation and Corrective Action. Contractor Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to it of an impermissible Use or Disclosure of PHI, even if the impermissible Use or Disclosure does not constitute a Breach. Contractor Business Associate shall draft and carry out a plan of corrective action to address any incident of impermissible Use or Disclosure of PHI. Contractor Business Associate shall make its mitigation and corrective action plans available to the State upon request.

8. Providing Notice of Breaches.

8.1 If Covered Entity determines that a Breach of PHI for which Contractor Business Associate was responsible, and if requested by Covered Entity, Contractor Business Associate shall provide notice to the Individual whose PHI has been the subject of the Breach. When so requested, Contractor Business Associate shall consult with Covered Entity about the timeliness, content and method of notice, and shall receive Covered Entity's approval concerning these elements. Contractor Business Associate shall be responsible for the cost of notice and related remedies.

8.2 The notice to affected Individuals shall be provided as soon as reasonably possible and in no case later than 60 calendar days after Contractor Business Associate reported the Breach to Covered Entity.

8.3 The notice to affected Individuals shall be written in plain language and shall include, to the extent possible, 1) a brief description of what happened, 2) a description of the types of Unsecured PHI that were involved in the Breach, 3) any steps Individuals can take to protect themselves from potential harm resulting from the Breach, 4) a brief description of what the Contractor Business Associate is doing to investigate the Breach to mitigate harm to Individuals and to protect against further Breaches, and 5) contact procedures for Individuals to ask questions or obtain additional information, as set forth in 45 CFR § 164.404(c).

8.4 Contractor Business Associate shall notify Individuals of Breaches as specified in 45 CFR § 164.404(d) (methods of Individual notice). In addition, when a Breach involves more than 500 residents of Vermont, Contractor Business Associate shall, if requested by Covered Entity, notify prominent media outlets serving Vermont, following the requirements set forth in 45 CFR § 164.406.

9. Agreements with Subcontractors. Contractor Business Associate shall enter into a Business Associate Agreement with any Subcontractor to whom it provides PHI to require compliance with HIPAA and to ensure Contractor Business Associate and Subcontractor comply with the terms and conditions of this Agreement. Contractor Business Associate must enter into such written agreement before any Use by or Disclosure of PHI to such Subcontractor. The written agreement must identify the State as a direct and intended third party beneficiary with the right to enforce any breach of the agreement concerning the Use or Disclosure of PHI. Contractor Business Associate shall provide a copy of the written agreement it enters into with a Subcontractor to the State upon request. Contractor Business Associate may not make any Disclosure of PHI to any Subcontractor without prior written consent of the State.

10. Access to PHI. Contractor Business Associate shall provide access to PHI in a Designated Record Set to Covered Entity or as directed by Covered Entity to an Individual to meet the requirements under 45 CFR § 164.524. Contractor Business Associate shall provide such access in the time and manner reasonably designated by Covered Entity. Within five (5) business days, Contractor Business Associate shall forward to Covered Entity for handling any request for Access to PHI that Contractor Business Associate directly receives from an Individual.

11. Amendment of PHI. Contractor Business Associate shall make any amendments to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR § 164.526, whether at the request of Covered Entity or an Individual. Contractor Business Associate shall make such amendments in the time and manner reasonably designated by Covered Entity. Within five (5) business days, Contractor Business Associate shall forward to Covered Entity for handling any request for amendment to PHI that Contractor Business Associate directly receives from an Individual.

12. Accounting of Disclosures. Contractor Business Associate shall document Disclosures of PHI and all information related to such Disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528. Contractor Business Associate shall provide such information to Covered Entity or as directed by Covered Entity to an Individual, to permit Covered Entity to respond to an accounting request. Contractor Business Associate shall provide such information in the time and manner reasonably designated by Covered Entity. Within five (5) business days, Contractor Business Associate shall forward to Covered Entity for handling any accounting request that Contractor Business Associate directly receives from an Individual.

13. Books and Records. Subject to the attorney-client and other applicable legal privileges, Contractor Business Associate shall make its internal practices, books, and records (including policies and procedures and PHI) relating to the Use and Disclosure of PHI available to the Secretary of Health and Human Services ("HHS") in the time and manner designated by the Secretary. Contractor Business Associate shall make the same information available to Covered Entity, upon Covered Entity's request, in the time and manner reasonably designated by Covered Entity so that Covered Entity may determine whether Contractor Business Associate is in compliance with this Agreement.

14. Termination.

14.1 This Agreement commences on the Effective Date and shall remain in effect until terminated by the State or until all the PHI is destroyed or returned to Covered Entity subject to Section 18.8.

14.2 If Contractor Business Associate fails to comply with any material term of this Agreement, the State may provide an opportunity for Contractor Business Associate to cure. If Contractor Business Associate does not cure within the time specified by the State or if the State believes that cure is not reasonably possible, the State may immediately terminate the Contract without incurring liability or penalty for such termination. If neither termination nor cure are feasible, Covered Entity shall report the breach to the Secretary of HHS. The State has the right to seek to cure such failure by Contractor Business Associate. Regardless of whether the State cures, it retains any right or remedy available at law, in equity, or under the Contract and Contractor Business Associate retains its responsibility for such failure.

15. Return/Destruction of PHI.

15.1 Contractor Business Associate in connection with the expiration or termination of the Contract shall return or destroy, at the discretion of the Covered Entity, PHI that Contractor Business Associate still maintains in any form or medium (including electronic) within thirty (30) days after such expiration or termination. Contractor Business Associate shall not retain any copies of PHI. Contractor Business Associate shall certify in writing and report to Covered Entity (1) when all PHI has been returned or destroyed and (2) that Contractor Business Associate does not continue to maintain any PHI. Contractor Business Associate is to provide this certification during this thirty (30) day period.

15.2 Contractor Business Associate shall report to Covered Entity any conditions that Contractor Business Associate believes make the return or destruction of PHI infeasible. Contractor Business Associate shall extend the protections of this Agreement to such PHI and limit further Uses and Disclosures to those purposes that make the return or destruction infeasible for so long as Contractor Business Associate maintains such PHI.

16. Penalties. Contractor Business Associate understands that: (a) there may be civil or criminal penalties for misuse or misappropriation of PHI and (b) violations of this Agreement may result in notification by Covered Entity to law enforcement officials and regulatory, accreditation, and licensure organizations.

17. Training. Contractor Business Associate understands its obligation to comply with the law and shall provide appropriate training and education to ensure compliance with this Agreement. If requested by the State, Contractor Business Associate shall participate in Covered Entity's training regarding the Use, Confidentiality, and Security of PHI; however, participation in such training shall not supplant nor relieve Contractor Business Associate of its obligations under this Agreement to independently assure compliance with the law and this Agreement.

18. Miscellaneous.

18.1 In the event of any conflict or inconsistency between the terms of this Agreement and the terms of the Contract, the terms of this Agreement shall govern with respect to its subject matter. Otherwise, the terms of the Contract continue in effect.

18.2 Each party shall cooperate with the other party to amend this Agreement from time to time as is necessary for such party to comply with the Privacy Rule, the Security Rule, or any other standards promulgated under HIPAA. This Agreement may not be amended, except by a writing signed by all parties hereto.

18.3 Any ambiguity in this Agreement shall be resolved to permit the parties to comply with the Privacy Rule, Security Rule, or any other standards promulgated under HIPAA.

18.4 In addition to applicable Vermont law, the parties shall rely on applicable federal law (e.g., HIPAA, the Privacy Rule, Security Rule, and HITECH) in construing the meaning and effect of this Agreement.

18.5 Contractor Business Associate shall not have or claim any ownership of PHI.

18.6 Contractor Business Associate shall abide by the terms and conditions of this Agreement with respect to all PHI even if some of that information relates to specific services for which Contractor Business Associate may not be a "Contractor Business Associate" of Covered Entity under the Privacy Rule.

18.7 Contractor Business Associate is prohibited from directly or indirectly receiving any remuneration in exchange for an Individual's PHI. Contractor Business Associate will refrain from marketing activities that would violate HIPAA, including specifically Section 13406 of the HITECH Act. Reports or data containing PHI may not be sold without Covered Entity's or the affected Individual's written consent.

18.8 The provisions of this Agreement that by their terms encompass continuing rights or responsibilities shall survive the expiration or termination of this Agreement. For example: (a) the provisions of this Agreement shall continue to apply if Covered Entity determines that it would be infeasible for Contractor Business Associate to return or destroy PHI as provided in Section 14.2 and (b) the obligation of Contractor Business Associate to provide an accounting of disclosures as set forth in Section 12 survives the expiration or termination of this Agreement with respect to accounting requests, if any, made after such expiration or termination.


For ADS:

Signature: ________________________________________________

Name: ________________________________________________

Title: ________________________________________________

Date: _______________________


For Contractor Business Associate:

Signature: ________________________________________________

Name: ________________________________________________

Title: ________________________________________________

Date: _______________________


(End of Attachment E)