HIPAA Business Associate Agreement

This HIPAA Business Associate Subcontractor Agreement ("Agreement") is made and entered into as of the date of mutual execution of an Order Form, Statement of Work or similarly executed document between Administr ("Subcontractor"), a Delaware corporation with offices at 336 East University Pkwy, Orem, UT 84058, and the party detailed as Customer ("Customer" or "Business Associate") on the applicable Order Form or Statement of Work (together with Administr, the "Parties").

WHEREAS, Business Associate has entered into contracts with certain covered entities (each such covered entity a "Covered Entity," and collectively "Covered Entities") that require Business Associate to provide satisfactory assurances that Business Associate will appropriately safeguard all health information protected under the Privacy Rule and Security Rule (as defined below) that is disclosed by, or created or received by, Business Associate on behalf of such Covered Entities; and

WHEREAS, Subcontractor provides certain services to Business Associate.

THEREFORE, and in consideration for the benefits and obligations exchanged, the Parties agree as follows:

1. Definitions

Unless otherwise specified in this Agreement, all capitalized terms used in this Agreement not otherwise defined have the meanings established for purposes of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, "HIPAA") and American Recovery and Reinvestment Act of 2009 ("ARRA").
"Affiliate" shall mean any entity that is controlled by or under common control with Subcontractor. "Control" means legal or beneficial ownership of 50% or more of the capital stock or voting rights.
"Electronic Protected Health Information" ("ePHI") shall mean PHI as defined in Section 1.e that is transmitted or maintained in electronic media.
"PHI" shall mean Protected Health Information, as defined in 45 C.F.R. § 160.103, received from, or created on behalf of, Business Associate by Subcontractor pursuant to performance of the Services.
"Services" shall mean, to the extent they involve the creation, use, or disclosure of PHI, the services provided by Subcontractor to Business Associate under the Agreement.

2. Responsibilities of Subcontractor

With regard to its use and/or disclosure of PHI, Administr (Subcontractor) agrees to:

Permitted Use: Use and/or disclose PHI only as necessary to provide the Services, as permitted by this Agreement, or as Required by Law.
Safeguards: Implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use/disclosure and protect the confidentiality and integrity of ePHI.
Reporting: Promptly, and not greater than 15 days after discovery, report to Business Associate any unauthorized use or disclosure of PHI or any Security Incident (excluding routine, unsuccessful pings or scans).
Agents and Subcontractors: Ensure any agents or subcontractors that handle PHI agree in writing to the same restrictions and conditions that apply to Administr.
Access to Records: Make internal practices, books, and records relating to PHI available to the Secretary of HHS for compliance purposes.
Accounting of Disclosures: Within 15 days of a request, provide information necessary for Business Associate to provide an accounting of disclosures.
Electronic Health Records: If Administr maintains PHI in an Electronic Health Record, it shall provide an accounting of disclosures directly to an Individual within 15 days if directed by Business Associate.
Access to PHI: Provide access to PHI in a Designated Record Set to Business Associate within 15 days of a request.
Minimum Necessary: Request and use only the minimum PHI necessary to accomplish the intended purpose.
Remuneration & Marketing: Not receive remuneration in exchange for PHI or engage in prohibited marketing/fundraising communications as defined by ARRA.

3. Responsibilities of Business Associate

Notification: Business Associate notifies Administr that it considers client benefit enrollment data to be PHI.
Minimum PHI: Business Associate shall provide Administr only the minimum PHI necessary for the Services.
Restrictions: Business Associate shall notify Administr of any restrictions in its Notice of Privacy Practices that may affect Administr's use of PHI.
Secure Transmission: Business Associate is responsible for using safeguards to ensure the security of PHI until it is received by Administr.

4. Permitted Uses and Disclosures

Unless otherwise limited, Administr may:

Use and disclose PHI as necessary to provide the Services.
Use PHI for its own proper management and administration or to carry out legal responsibilities, provided third parties provide written assurances of confidentiality.
De-identification: De-identify PHI in accordance with the Privacy Rule. Once de-identified, the information is no longer subject to this Agreement.
Data Aggregation: Provide data aggregation services relating to the health care operations of the Covered Entity.

5. Termination and Cooperation

Termination for Breach: If a material breach occurs, the non-breaching party shall provide written notice. The breaching party has 30 days to cure the violation. If not cured, the non-breaching party may terminate the Agreement or report the issue to HHS.
Effect of Termination: Upon termination, Administr shall return or destroy all PHI if feasible. If return/destruction is not feasible, Administr shall extend the protections of this Agreement to the retained PHI and limit further uses.
Cooperation: Both parties shall cooperate in good faith with any governmental investigations or inquiries.

6. Miscellaneous