Business Associate Sub-Contractor Agreement (“BASA”)

This Business Associate Sub-Contractor Agreement (the “BASA”) is made and entered into as of the date hereof, by and between Pearl Health, Inc. (the “Sub-Contractor”) and the other party identified in the Pearl Network Participation Agreement (the “Business Associate”) (each a “Party” and collectively the “Parties”).  

WHEREAS, Business Associate and Sub-Contractor have entered into a services agreement or arrangement under which Sub-Contractor provides certain services to Business Associate (the “Agreement”); and

WHEREAS, in providing services pursuant to the Agreement, Sub-Contractor may have access to Protected Health Information (“PHI”) (as defined below); and

WHEREAS, the services provided by Sub-Contractor to Business Associate may cause Sub-Contractor to be considered a “Sub-Contractor” under the privacy and security regulations issued under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), as set forth in 45 C.F.R. Parts 160 and 164, and as amended by the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5 (the “HIPAA Privacy Rule” and “HIPAA Security Rule”); and

WHEREAS, Business Associate and Sub-Contractor wish to enter into a BASA to include certain provisions required by the HIPAA Privacy Rule and the HIPAA Security Rule.

NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Business Associate to Sub-Contractor under the Agreement in reliance on this BASA, the Parties agree as follows:

  1. Definitions.  For purposes of this BASA, the terms below shall have the meanings given to them in this Section.
    1. Breach shall mean the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 C.F.R. § 164.402.
    2. Business Associate shall mean the entity or entities identified above as Business Associate.
    3. Data Aggregation shall mean, with respect to PHI created or received by Sub-Contractor in its capacity as the Sub-Contractor of Business Associate, the combining of such PHI by Sub-Contractor with the PHI received by Sub-Contractor in its capacity as a Sub-Contractor of another Business Associate, to permit data analyses that relate to the Health Care Operations (defined below) of the respective Covered Entities.  The meaning of “data aggregation” in this BASA shall be consistent with the meaning given to that term in the Privacy Rule.  
    4. Designated Record Set shall mean a group of Records maintained by or for the Business Associate that: (a) consists of medical records and billing records about individuals maintained by or for the Business Associate; (b) consists of the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (c) consists of Records used, in whole or part, by or for the Business Associate to make decisions about individual patients.  As used herein, the term “Record” shall mean any item, collection or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for a provider.  The term “designated record set”, however, shall not include any information in the possession of Sub-Contractor that is (i) the same as information in the possession of Business Associate (information shall be considered the same information even if the information is held in a different format, medium or presentation or it has been standardized); (ii) any information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, including but not limited to, any information subject to the attorney-client privilege, trial preparation immunity, attorney work product, peer review privilege or other privilege under applicable law; or (iii) any information that constitutes “psychotherapy notes” as defined in 45 C.F.R. § 164.501.
    5. De-Identify shall mean to alter the PHI such that the resulting information meets the requirements described in 45 C.F.R. § 164.514(a) and (b).
    6. Effective Date shall mean the date first written above.
    7. Electronic PHI shall mean any PHI maintained in or transmitted by electronic media as defined in 45 C.F.R. § 160.103.
    8. Health Care Operations shall have the meaning given to that term at 45 C.F.R. § 164.501.
    9. (i) HHS shall mean the U.S. Department of Health and Human Services.
    10. HITECH Act shall mean the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-5.
    11. Privacy Rule shall mean that portion of the HIPAA Regulations set forth in 45 C.F.R. Part 160 and in subparts A and E of 45 C.F.R. Part 164.
    12. Protected Health Information or PHI shall mean information transmitted or maintained in any form or medium, including demographic information collected from an individual, that (i) is created or received by Business Associate; and (ii) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and (a) identifies the individual or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual;But limited to the information created or received by the Sub-Contractor from or on behalf of the Business Associate in connection with the Services.The meaning of “protected health information” or “PHI” in this BASA shall be consistent with the meaning given to that term in the Privacy Rule.
    13. Security Incident shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.  This term shall not include trivial incidents that occur on a daily basis, such as scans, “pings,” or unsuccessful attempts to penetrate computer networks or servers maintained by Sub-Contractor.
    14. Services means the services provided by Sub-Contractor, as specified in the Agreement.
    15. Sub-Contractor shall mean the entity or entities identified above as Sub-Contractor.
    16. Unsecured PHI shall mean PHI that has not been secured in accordance with standards promulgated by the Secretary of HHS under Section 13402(h)(2) of the HITECH Act.
  2. Use and Disclosure of PHI.
    1. Except as otherwise provided in this BASA, Sub-Contractor may use or disclose PHI as reasonably necessary to provide the Services described in the Agreement to the Business Associate, and to undertake other activities of Sub-Contractor permitted or required of Sub-Contractor by this BASA or as required by law.
    2. Except as otherwise limited by this BASA, Business Associate authorizes Sub-Contractor to use the PHI in its possession for the proper management and administration of Sub-Contractor’s business and to carry out its legal responsibilities.  Sub-Contractor may disclose PHI for its proper management and administration, provided that (i) such disclosures are required by law; or (ii) Sub-Contractor obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from such third party that the PHI will be held confidential as provided under this BASA and used or further disclosed only as required by law or for the purpose for which it was disclosed to such third party; and (b) an agreement from such third party to notify Sub-Contractor immediately of any breaches of the confidentiality of the PHI, to the extent it has knowledge of such breach.
    3. Business Associate does not authorize Sub-Contractor to provide Data Aggregation services with respect to the PHI unless authorized expressly in writing.  
    4. Sub-Contractor shall not use or disclose PHI in a manner other than as provided in this BASA, as permitted under the Privacy Rule, or as required by law.  Sub-Contractor shall use or disclose only the minimum necessary amount of PHI, in accordance with Section 13405(b) of the HITECH Act, or any implementing regulations adopted thereunder, for each use or disclosure of PHI hereunder.
    5. Upon request, Sub-Contractor shall make available to Business Associate any of Business Associate’s PHI that Sub-Contractor has in its possession.
  3. Safeguards Against Misuse of PHI.  Sub-Contractor shall use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Agreement or this BASA; and Sub-Contractor agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Business Associate, to the extent applicable to Sub-Contractors under the HIPAA Security Rule and HITECH Act.  Sub-Contractor agrees to take reasonable steps to ensure that the actions or omissions of its employees or agents do not cause Sub-Contractor to breach the terms of this BASA.
  4. Reporting Disclosures of PHI and Security Incidents.  Sub-Contractor shall report to Business Associate in writing any use or disclosure of PHI not provided for by this BASA of which it becomes aware; and Sub-Contractor agrees to report to Business Associate any Security Incident affecting Electronic PHI of Business Associate of which it becomes aware.  Sub-Contractor agrees to report any such event without unreasonable delay, but in no event later than ten (10) business days of becoming aware of the event
  5. Reporting Breaches of PHI.  Sub-Contractor shall notify Business Associate in writing without unreasonable delay after discovery of any Breach of Unsecured PHI in accordance with 45 C.F.R. § 164.410, but in no case later than ten (10) business days after discovery.  Sub-Contractor shall provide information regarding such Breach (including, to the extent possible, identification of each individual whose Unsecured PHI has been or is reasonably believed by Sub-Contractor to have been accessed, acquired, used, or disclosed during the Breach).
  6. Mitigation of Disclosures of PHI.  Sub-Contractor shall take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Sub-Contractor of any use or disclosure of PHI by Sub-Contractor or its agents or subcontractors in violation of the requirements of this BASA.
  7. Agreements with Agents or Subcontractors.  
    Sub-Contractor shall ensure that any of its agents or subcontractors that have access to or to which Sub-Contractor provides PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained herein and agrees to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains or transmits on behalf of Sub-Contractor or Business Associate
  8. Access to PHI by Individuals.
    1. Upon request, Sub-Contractor agrees to furnish Business Associate with copies of the PHI maintained by Sub-Contractor in a Designated Record Set to enable Business Associate to provide access to the PHI under 45 C.F.R. § 164.524, in the time and manner designated by Business Associate.
    2. In the event any individual or personal representative requests access to the individual’s PHI directly from Sub-Contractor, Sub-Contractor shall forward that request promptly to Business Associate.  Any disclosure of, or decision not to disclose, the PHI requested by an individual or a personal representative and compliance with the requirements applicable to an individual’s right to obtain access to PHI shall be the sole responsibility of the Business Associate
  9. Amendment of PHI.
    1. Upon request from Business Associate, Sub-Contractor shall amend PHI or a Record about an individual in a Designated Record Set that is maintained by, or otherwise within the possession of, Sub-Contractor, as directed by Business Associate in accordance with procedures established by 45 C.F.R. § 164.526.  Any request by Business Associate to amend such information shall be completed by Sub-Contractor within thirty (30) business days of Business Associate’s written request.
    2. In the event that any individual requests that Sub-Contractor amend such individual’s PHI or Record in a Designated Record Set, Sub-Contractor shall forward such request promptly to Business Associate.  Any amendment of, or decision not to amend, the PHI or Record as requested by an individual and compliance with the requirements applicable to an individual’s right to request an amendment of PHI shall be the sole responsibility of the Business Associate.
  10. Accounting of Disclosures.
    1. Sub-Contractor shall document any disclosures of PHI made by it, to the extent that Business Associate would have an obligation to account for such disclosures under 45 C.F.R. § 164.528.  Sub-Contractor also shall make available information related to such disclosures as would be required for Business Associate to respond to a request for an accounting of disclosures in accordance with 45 C.F.R. § 164.528.  At a minimum, Sub-Contractor shall furnish Business Associate the following with respect to any covered disclosures by Sub-Contractor:  (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure which includes the basis for such disclosure.
    2. Sub-Contractor hereby agrees to implement an appropriate recordkeeping system to enable it to comply with the requirements of this Section.  Sub-Contractor agrees to retain such records for a minimum of six (6) years.
    3. Sub-Contractor shall furnish to Business Associate information collected in accordance with this Section, promptly, but in no event later than thirty (30) days after written request by the Business Associate, to permit Business Associate to make an accounting of disclosures as required by 45 C.F.R. § 164.528, or in the event that Business Associate elects to provide an individual with a list of its Sub-Contractors, Sub-Contractor will provide an accounting of its disclosures of PHI upon request of the individual, if and to the extent required under Section 13405(c) of the HITECH Act and any regulations adopted thereunder.
    4. In the event that an individual delivers the request for an accounting directly to Sub-Contractor, Sub-Contractor shall forward such request promptly to Business Associate.
  11. Availability of Books and Records.  Sub-Contractor shall make available its internal practices, books, and records relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Business Associate’s compliance with the HIPAA Privacy Rule, the HIPAA Security Rule, and this BASA.
  12. Term and Termination.
    1. This BASA shall become effective on the date first written above, and shall continue in effect until all obligations of the Parties have been met under the Agreement and under this BASA.
    2. Either party may terminate immediately this BASA, the Agreement, and any other related agreements if that party makes a determination that the other party has breached a material term of this BASA and the defaulting party has failed to cure that material breach, to the non-defaulting party’s reasonable satisfaction, within thirty (30) days after written notice from the non-defaulting party.  
    3. Upon termination of the Agreement or this BASA for any reason, all PHI maintained by Sub-Contractor shall be returned to Business Associate or destroyed by Sub-Contractor.  Sub-Contractor shall not retain any copies of such information.  This provision shall apply to PHI in the possession of Sub-Contractor’s agents and subcontractors.  If return or destruction of the PHI is not feasible, in Sub-Contractor’s reasonable judgment, Sub-Contractor shall furnish Business Associate with notification, in writing, of the conditions that make return or destruction infeasible.  Upon mutual agreement of the Parties that return or destruction of the PHI is infeasible, Sub-Contractor will extend the protections of this BASA to such information for as long as Sub-Contractor retains such information and will limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible.  This Section 12(c) shall survive any termination of this BASA.
  13. Effect of BASA.
    1. This BASA is a part of and subject to the terms of the Agreement, except that to the extent any terms of this BASA conflict with any term of the Agreement, the terms of this BASA shall govern.  
    2. Except as expressly stated herein or as provided by law, this BASA shall not create any rights in favor of any third party.
  14. Regulatory References. A reference in this BASA to a section in the HIPAA Privacy Rule or the HIPAA Security Rule means the section as amended by the HITECH Act, and as further amended, from time to time.
  15. Notices.  All notices, requests and demands or other communications to be given hereunder to a Party shall be made via first class mail, registered or certified or express courier to such Party’s address reflected in the Pearl Network Participation Agreement, and/or via facsimile to the facsimile listed in that Agreement.
  16. Amendments; Waiver. This BASA may not be modified, nor shall any provision be waived or amended, except in writing duly signed by authorized representatives of the Parties.  A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
  17. HITECH Act Compliance. The Parties acknowledge that the HITECH Act includes significant changes to the HIPAA Privacy Rule and the HIPAA Security Rule.  The Privacy Subtitle of the HITECH Act sets forth provisions that significantly change the requirements for Sub-Contractors and the agreements between Sub-Contractors and covered entities under the HIPAA Regulations and many of these changes will be clarified in forthcoming regulations.  Each Party agrees to comply with the applicable provisions of the HITECH Act and any implementing regulations issued thereunder.  Also, each Party agrees to negotiate in good faith to modify this BASA as reasonably necessary to comply with the HITECH Act and its implementing regulations, as they become effective.
  18. Assumption of Business Associate Obligations.
    Except as expressly provided herein, Sub-Contractor has not assumed any obligations of Business Associate under the Privacy Rule.  To the extent that Sub-Contractor is to carry out any of Business Associate’s obligations under the Privacy Rule, as expressly provided herein, Sub-Contractor shall comply with the requirements of the Privacy Rule that apply to Business Associate in the performance of such obligation.
  19. No Third Party Beneficiaries. Sub-Contractor and Business Associate do not intend to confer, nor does anything express or implied in this BASA confer, upon any person other than Sub-Contractor and Business Associate, and their respective successors or assigns, any rights, remedies or obligations or liabilities whatsoever.
  20. Independent Contractor.  Sub-Contractor is performing services pursuant to the Agreement and for all purposes hereunder, Sub-Contractor’s status shall be that of an independent contractor.