Jordan S. Sparks, D.M.D.,
President
Business Associate HIPAA Contract Provisions
DentOffice Software
1462 Commercial St SE
Salem, Oregon 97302
Definitions
a. DentOffice Software will hereafter be referred to as the “business
associate”.
b. The “covered entity” is Dr. ______________________________________________.
c. “CFR” is the Code of Federal Regulations.
d. “PHI” is Protected Health Information, as defined in 45 CFR 164.501,
pertains to the information received by the Business Associate from the Covered
Entity.
e. The Secretary of the U.S. Department of Health and Human Services or his
designee shall be referred to as “the secretary”
Obligations and Activities of Business Associate
a. The business associate agrees not to use or disclose PHI other than as specifically
permitted or required by this agreement or as required by law.
b. The business associate agrees to use appropriate safeguards to prevent use
or disclosure of PHI other than as provided for by this agreement.
c. The business associate agrees to minimize, to the extent possible, any harmful
effect that results from a use or disclosure of PHI by the business associate
in violation of the requirements of this agreement.
d. The business associate agree to report to the covered entity any use or disclosure
of PHI not provided for by this Agreement of which it becomes aware. The business
associate's report will 1) identify the nature of the non-permitted or violating
use or disclosure. 2) identify the PHI used or disclosed. 3) identify, if possible,
who made the non-permitting or violating use or received the non-permitted or
violating disclosure. 4) identify any corrective action the business associate
has taken or will take to prevent further disclosure. 5) identify any actions
the business associate has taken or will take to mitigate any deleterious effect
of the nonpermitted or violating use or disclosure. 6) provide any other information
that the covered entity may reasonably request.
e. The business associate agrees that any agent, including a subcontractor,
to whom it provides/receives PHI, on its behalf, must agree to the same restrictions
and conditions specified in this agreement in regards to all information exchanged.
f. The business associate agrees to provide access, within 2 weeks upon request
of the covered entity, to PHI in a designated record form, to the covered entity
in order for the covered entity to meet the patient access and copying requirements
under 45 CFR 164.524.
g. The business associate agrees to make any amendment(s) to PHI in a designated
record form pursuant to 45 CFR 164.526. All amendments must be made within 2
weeks upon notification.
h. The business associate agrees to create internal practices, books, and records,
relating to the use and disclosure of PHI. This information is to be available
to the covered entity or to the secretary, within 2 weeks upon request or by
a time set by the secretary, for the purpose of the secretary determining the
business associate's compliance with the Privacy Rule.
i. The business associate agrees to document such disclosures (as stated in
the above Section) of PHI and any related information that would be required
for the covered entity to respond to such inquires for an accounting of disclosures
of PHI in accordance with 45 CFR 164.528
j. The business associate agrees to provide, within 2 weeks, information collected
in accordance with the above section(i) of this Agreement in order to allow
response to an individual for an accounting of disclosures of PHI in accordance
with 45 CFR 164.528.
Permitted Uses and Disclosures by Business Associate
a. Except as otherwise limited in this agreement, the business associate may
use or disclose PHI to perform functions, activities, or services for or on
the behalf of the covered entity as specified in this document, provided that
such use or disclosure would not violate the Privacy Rule or the minimum necessary
policies and procedures.
Specific Use and Disclosure Provisions
a. Except as otherwise limited in this agreement, the business associate may
use PHI for the proper administration and management of their business, or in
order to carry out legal responsibilities.
b. Except as otherwise limited in this agreement, the business associate may
disclose PHI for the proper administration and management of their business,
provided that disclosures are required by law, or they obtain reasonable assurance
from the person to whom the information is disclosed that it will remain confidential
and used or further disclosed only as is required by law or for the purpose
for which it was disclosed to that person, and the person notifies them of any
instances of which they are aware in which the confidentiality of the information
has been breached.
c. Except as otherwise limited in this agreement, the business associate may
use PHI to provide data aggregation services as permitted by 45 CFR 164.504(e)(2)(i)(B).
d. The business associate is permitted to use PHI to report violations of laws
to appropriate Federal and State authorities, consistent with 45 CFR 164.502(j)(1).
Obligations of Covered Entity
a. The covered entity shall notify the business associate of any limitation(s)
in their Notice of Privacy Practices in accordance with 45 CFR 164.520, if the
limitations affect the use or disclosure of PHI.
b. The covered entity shall notify the business associate of any changes in,
or revocation of, permission by a individual to use or disclose PHI, if the
changes affect the use or disclosure of PHI.
c. The covered entity shall notify the business associate of any restriction
to the use or disclosure of PHI that they have agreed to in accordance with
45 CFR 164.522, if the changes affect the use or disclosure of PHI.
Permissible Requests
a. The covered entity shall not request that the business associate use or disclose
PHI in any manner that would not be permissible under the Privacy Rule.
Term and Termination
a. Term: The term of the agreement shall be effective as of the date signed
below, and shall terminate only when all PHI provided to the business associate
is destroyed or returned. If it is infeasible to return or destroy PHI, protections
are extended to such information, in accordance with the termination provisions
in this section.
b. Termination: Upon the covered entity's knowledge of a material breach by
the business associate, they shall either:
1. Provide an opportunity for the the other party to remedy the breach or end
the violation. If they do not cure the breach or end the violation within the
time specified, this agreement is terminated.
2. Immediate termination of this agreement will occur if either party has breached
this agreement and a cure is not possible.
3. If neither cure nor termination are feasible, the violation shall be reported
to the Secretary of the Department of Health and Human Services.
Result of Termination
a. Except as provided in paragraph (b) of this section, upon termination of
this agreement, for any reason, the business associate shall return or destroy
all PHI received by or on behalf of the covered entity. This provision also
applies to PHI that is in the possession of any subcontractor or agents of the
business associate. Under no circumstances shall the business associate retain
any copies of PHI.
b. In the event that returning or destroying PHI is infeasible, written notification
is to be provided of the conditions that make it impossible to return/destroy.
Upon the written agreement that return or destruction of PHI is infeasible,
the business associate will extend the protections of this agreement to such
PHI and limit further use and disclosures of such PHI, for so long as the business
associate maintains such PHI.
Miscellaneous
a. All parties involved agree to the necessary actions to amend this agreement
from time to time as is necessary for both parties to comply with the requirements
of the Privacy Rule and the Health Insurance Portability and Accountability
Act of 1996, Pub. L. No. 104-191.
b. This agreement is between the covered entity and the business associate and
shall not be construed to confer any rights to any third party.
c. The respective rights and obligations of both parties shall service the termination
of this Agreement.
d. Any ambiguity in this Agreement is to be resolved to permit both parties
to comply with the Privacy Rule.
Business Associate:
Jordan S. Sparks, D.M.D.,
President
Covered Entity:
Signature:________________________________________________
Name:___________________________________________________
Date:__________________