We are committed to helping SNFs respond to COVID-19 through our remote respiratory therapy program. Read our statement here.
BUSINESS ASSOCIATE STATEMENT
Dynamic Respiratory Services, LLC, a Delaware limited liability company (“Business Associate”) providing respiratory care services to Skilled Nursing Facilities (“Covered Entity”) (collectively the “Parties”) and the Parties having had no prior agreement, under which the Business Associate regularly uses and/or discloses Protected Health Information in its performance of the Services described below, this Business Associate Agreement (this “Agreement” or “Business Associate Agreement”) serve as such. Both Parties are committed to complying with the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Regulation”), as well as the Security Standards (the “Security Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This Agreement sets forth the terms and conditions pursuant to which Protected Health Information and Electronic Protected Health Information, that is provided by, or created or received by, the Business Associate from or on behalf of the Covered Entity (“Protected Health Information”), will be handled between the Business Associate and the Covered Entity and with third parties during the term of their Agreement and after its termination.
The Health Information Technology for Economic and Clinical Health Act (“HITECH”) was adopted as part of the American Recovery and Reinvestment Act of 2009. HITECH imposes new requirements with respect to privacy, security and breach notification and contemplates that such requirements shall be implemented by regulations to be adopted by the Department of Health and Human Services. The provisions of HITECH and the final regulations applicable are collectively referred to as the “HITECH BA Provisions”. The HITECH BA Provisions became applicable on February 17, 2010 or such subsequent date specified in the applicable regulations, whichever was later (the “Applicable Effective Date”).
Business Associate hereby acknowledges and agrees that it will comply with the HITECH BA Provisions and with the obligations of Business Associate as proscribed by HIPAA and HITECH BA Provisions commencing on the applicable effective date of each such provision. Business Associate and Covered Entity each further agree that the provisions of HIPAA and HITECH that apply and that are required to be incorporated by reference in a business associate agreement are incorporated into this Agreement between Covered Entity and Business Associate as if set forth in this Agreement in their entirety and are effective as of the Applicable Effective Date.
The Parties agrees as follows:
1. PERMITTED USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
. Pursuant to this Agreement, the Business Associate provides services (“Services”) for the Covered Entity that involve the use and disclosure of Protected Health Information. Except as otherwise specified herein, the Business Associate may make any and all uses of Protected Health Information necessary to perform its obligations under this Agreement. All other uses not authorized by this Agreement are prohibited. Moreover, Business Associate may disclose Protected Health Information for the purposes authorized by this Agreement only, (i) to its employees, subcontractors and agents, in accordance with Section 2.1(e), (ii) as directed by the Covered Entity, or (iii) as otherwise permitted by the terms of this Agreement including, but not limited to, Section 1.2(b) below.
1.2 Business Activities of the Business Associate
. Unless otherwise limited herein, the Business Associate may:
a. use the Protected Health Information in its possession for its proper management and administration and to fulfill any present or future legal responsibilities of the Business Associate provided that such uses are permitted under state and federal confidentiality laws.
b. disclose the Protected Health Information in its possession to third parties for the purpose of its proper management and administration or to fulfill any present or future legal responsibilities of the Business Associate, provided that the Business Associate represents to the Covered Entity, in writing, that (i) the disclosures are required by law, as provided for in 45 C.F.R. § 164.512(a) or (ii) the Business Associate has received from the third party written assurances regarding its confidential handling of such Protected Health Information as required under 45 C.F.R. § 164.504(e)(4).
1.3 Additional Activities of Business Associate
. In addition to using the Protected Health Information to perform the Services set forth in Section 1.1 of this Agreement, Business Associate may:
a. aggregate the Protected Health Information in its possession with the Protected Health Information of other covered entities that the Business Associate has in its possession through its capacity as a business associate to said other covered entities provided that the purpose of such aggregation is to provide the Covered Entity with data analyses relating to the Health Care Operations of the Covered Entity. Under no circumstances may the Business Associate disclose Protected Health Information of one Covered Entity to another Covered Entity absent the explicit authorization of the Covered Entity.
b. de-identify any and all Protected Health Information provided that the de-identification conforms to the requirements of 45 C.F.R. § 164.514(b), and further provided that the Covered Entity maintains the documentation required by 45 C.F.R. § 164.514(b) which may be in the form of a written assurance from the Business Associate. Pursuant to 45 C.F.R. § 164.502(d)(2), de-identified information does not constitute Protected Health Information and is not subject to the terms of this Agreement.
2. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION
2.1 Responsibilities of the Business Associate
. With regard to its use and/or disclosure of Protected Health Information, the Business Associate hereby agrees to do the following:
a. use and/or disclose the Protected Health Information only as permitted or required by this Agreement or as otherwise required by law;
b. report to the designated Privacy Officer of the Covered Entity, in writing, any use and/or disclosure of the Protected Health Information that is not permitted or required by this Agreement of which Business Associate becomes aware within 5 calendar days of the Business Associate’s discovery of such unauthorized use and/or disclosure;
c. establish procedures for mitigating, to the greatest extent possible, any deleterious effects from any improper use and/or disclosure of Protected Health Information that the Business Associate reports to the Covered Entity;
d. use commercially reasonable efforts to maintain the security of the Protected Health Information and to prevent unauthorized use and/or disclosure of such Protected Health Information;
e. require all of its subcontractors and agents that receive or use, or have access to, Protected Health Information under this Agreement to agree, in writing, to adhere to the same restrictions and conditions on the use and/or disclosure of Protected Health Information that apply to the Business Associate pursuant to this Agreement;
f. make available all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Secretary of HHS for purposes of determining the Covered Entity’s compliance with the Privacy Regulation, subject to attorney-client and other applicable legal privileges;
g. upon prior written request, make available during normal business hours at Business Associate’s offices all records, books, agreements, policies and procedures relating to the use and/or disclosure of Protected Health Information to the Covered Entity within 10 calendar days for purposes of enabling the Covered Entity to determine the Business Associate’s compliance with the terms of this Agreement;
h. within 20 calendar days of receiving a written request from the Covered Entity, provide to the Covered Entity such information as is requested by the Covered Entity to permit the Covered Entity to respond to a request by an individual for an accounting of the disclosures of the individual’s Protected Health Information in accordance with 45 C.F.R. § 164.528;
i. subject to Section 4 below, return to the Covered Entity or destroy, within 10 days of the termination of this Agreement, the Protected Health Information in its possession and retain no copies (which for purposes of this Agreement shall mean destroy all backup tapes);
j. disclose to its subcontractors, agents or other third parties, and request from the Covered Entity, only the minimum Protected Health Information necessary to perform or fulfill a specific function required or permitted hereunder;
k. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives maintains, or transmits on behalf of the Covered Entity;
l. Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;
m. Report to the Covered Entity any Security Incident of which it becomes aware; and
n. Authorize termination of the Agreement by the Covered Entity, if the Covered Entity determines that the Business Associate has violated a material term of the Agreement.
2.2 Responsibilities of the Covered Entity
. With regard to the use and/or disclosure of Protected Health Information by the Business Associate, the Covered Entity hereby agrees:
a. to inform the Business Associate of any changes in the form of notice of privacy practices (the “Notice”) that the Covered Entity provides to individuals pursuant to 45 C.F.R. §164.520, and provide the Business Associate a copy of the Notice currently in use.
b. to inform the Business Associate of any changes in, or withdrawal of, the consent or authorization provided to the Covered Entity by individuals pursuant to 45 C.F.R. §164.506 or §164.508.
c. to inform the Business Associate of any opt-outs exercised by any individual from marketing and/or fundraising activities of the Covered Entity pursuant to 45 C.F.R. § 164.514(f) if applicable.
d. to notify the Business Associate, in writing and in a timely manner, of any arrangements permitted or required of the Covered Entity under 45 C.F.R. part 160 and 164 that may impact in any manner the use and/or disclosure of Protected Health Information by the Business Associate under this Agreement, including, but not limited to, restrictions on use and/or disclosure of Protected Health Information as provided for in 45 C.F.R. § 164.522 agreed to by the Covered Entity.
e. that Business Associate may make any use and/or disclosure of Protected Health Information permitted under 45 C.F.R. § 164.512 except uses or disclosure for research are not permitted without prior approval by the covered entity.
3. ADDITIONAL RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PROTECTED HEALTH INFORMATION
3.1 Responsibilities of the Business Associate with Respect to Handling of Designated Record Set
. In the event that the Parties mutually agree in writing that the Protected Health Information constitutes a Designated Record Set, the Business Associate hereby agrees to do the following:
a. at the request of, and in the time and manner designated by the Covered Entity, provide access to the Protected Health Information to the Covered Entity or the individual to whom such Protected Health Information relates or his or her authorized representative in order to meet a request by such individual under 45 C.F.R. § 164.524.
b. at the request of, and in the time and manner designated by the Covered Entity, make any amendment(s) to the Protected Health Information that the Covered Entity directs pursuant to 45 C.F.R. § 164.526. Provided, however, that the Covered Entity makes the determination that the amendment(s) are necessary because the Protected Health Information that is the subject of the amendment(s) has been, or could foreseeably be, relied upon by the Business Associate or others to the detriment of the individual who is the subject of the Protected Health Information to be amended.
3.2 Responsibilities of the Covered Entity with Respect to the Handling of the Designated Record Set
. In the event that the Parties mutually agree in writing that the Protected Health Information constitutes a Designated Record Set, the Covered Entity hereby agrees to do the following:
a. notify the Business Associate, in writing, of any Protected Health Information that Covered Entity seeks to make available to an individual pursuant to 45 C.F.R. § 164.524 and the time, manner and form in which the Business Associate shall provide such access.
b. notify the Business Associate, in writing, of any amendment(s) to the Protected Health Information in the possession of the Business Associate that the Business Associate shall make and inform the Business Associate of the time, form and manner in which such amendment(s) shall be made.
4. TERM AND TERMINATION
. This Agreement shall become effective on the Effective Date and shall continue to be validly existing and in full force and effect until that certain Respiratory Services Agreement, dated as of the date hereof, between the Parties (the “Service Agreement”) remains in full force and effect or for as long as the Business Associate continues to retain the Protected Health Information.
4.2 Automatic Termination. This Agreement will automatically terminate without any further action of the Parties upon termination or expiration of the Service Agreement.
5.1 Confidentiality Obligations
. In the course of performing under this Agreement, each Party may receive, be exposed to or acquire the Confidential Information including but not limited to, all information, data, reports, records, summaries, tables and studies, whether written or oral, fixed in hard copy or contained in any computer data base or computer readable form, as well as any information identified as confidential (“Confidential Information”) of the other Party. For purposes of this Agreement, “Confidential Information” shall not include Protected Health Information, the security of which is the subject of this Agreement and is provided for elsewhere. The Parties including their employees, agents or representatives (i) shall not disclose to any third party the Confidential Information of the other Party except as otherwise permitted by this Agreement, (ii) only permit use of such Confidential Information by employees, agents and representatives having a need to know in connection with performance under this Agreement, and (iii) advise each of their employees, agents, and representatives of their obligations to keep such Confidential Information confidential. Notwithstanding anything to the contrary herein, each Party shall be free to use, for its own business purposes, any ideas, suggestions, concepts, know-how or techniques contained in information received from each other that directly relates to the performance under this Agreement. This provision shall not apply to Confidential Information: (a) after it becomes publicly available through no fault of either Party; (b) which is later publicly released by either Party in writing; (c) which is lawfully obtained from third parties without restriction; or (d) which can be shown to be previously known or developed by either Party independently of the other Party.
. The parties agree to indemnify, defend and hold harmless each other and each other’s respective employees, directors, officers, subcontractors, agents or other members of its workforce, each of the foregoing hereinafter referred to as “indemnified party,” against all actual and direct losses suffered by the indemnified party and all liability to third parties arising from in connection with any breach of this Agreement or of any warranty hereunder or from any negligence or wrongful acts or omissions, including failure to perform its obligation under the Privacy Regulation, by the indemnifying party or its employees, directors, officers, subcontractors, agents or other members of its workforce. Accordingly, on demand, the indemnifying party shall reimburse any indemnified party for any and all actual and direct losses, liabilities, lost profits, fines, penalties, costs or expenses (including reasonable attorneys’ fees) which may for any reason be imposed upon any indemnified party by reason of any suit, claim, action, proceeding or demand by any third party which results from the indemnifying party’s breach hereunder. The Parties’ obligation to indemnify any indemnified party shall survive the expiration or termination of this Agreement for any reason.
7.1 Covered Entity
. For purposes of this Agreement, Covered Entity shall include the named Covered Entity herein.
7.2 Business Associate
. For purposes of this Agreement, Business Associate shall include the named Business Associate herein. However, in the event that the Business Associate is otherwise a covered entity under the Privacy Regulation, that entity may appropriately designate a health care component of the entity, pursuant to 45 C.F.R. § 164.504(a), as the Business Associate for purposes of this Agreement.
. The respective rights and obligations of Business Associate and Covered Entity solely with respect to Protected Health Information Business Associate retains in accordance with Section 4 because it is not feasible to return or destroy such Protected Health Information, shall survive termination of this Agreement indefinitely. In addition, Section 2 and 3 shall survive termination of this Agreement, provided that the Covered Entity determines that the Protected Health Information being retained pursuant to Section 4 herein constitutes a Designated Record Set.
7.4 Amendments; Waiver
. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
7.5 No Third Party Beneficiaries
. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
. Any notices to be given hereunder to a Party shall be made via U.S. Mail or express courier to such Party’s address.
7.7 Counterparts; Facsimiles
. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.
. If any controversy, dispute or claim arises between the Parties with respect to this Agreement, the Parties shall make good faith efforts to resolve such matters informally.
7.9 Governing Law. This Agreement shall be construed and governed by the laws of the State of New Jersey without regard to conflict of laws principles. The Covered Entity and Business Associate irrevocably submit to the exclusive jurisdiction and venue of the federal and state courts of New Jersey to resolve any disputes arising hereunder or related hereto.
8.1 Designated Record Set
. Designated Record Set shall have the meaning set out in its definition at 45 C.F.R. § 164.501, as such provision is currently drafted and as it is subsequently updated, amended, or revised.
8.2 Health Care Operations
. Health Care Operations shall have the meaning set out in its definition at 45 C.F.R. § 164.501, as such provision is currently drafted and as it is subsequently updated, amended or revised.
8.3 Privacy Officer
. Privacy Officer shall have the meaning as set out in its definition at 45 C.F.R. § 164.530(a)(1) as such provision is currently drafted and as it is subsequently updated, amended or revised.
8.4 Protected Health Information
. Protected Health Information shall have the meaning as set out in its definition at 45 C.F.R. § 164.501, as such provision is currently drafted and as it is subsequently updated, amended or revised.
Dynamic Respiratory Services is a leader in respiratory care for post-acute facilities. Our programs optimize respiratory therapy services, reimbursement and regulatory compliance, giving skilled nursing facilities the resources they need to manage their complex respiratory population.