Last Revision Date: November 19th, 2020
WHEREAS, Business Associate provides services (“Services”) to Covered Entity through Covered Entity’s use of the Roche Diabetes Care Platform; and
WHEREAS, in connection with those Services, Covered Entity may disclose or provide access to Business Associate Protected Health Information (“PHI”) (as defined in 45 C.F.R. §164.501); and
WHEREAS, as required under HIPAA, an appropriate Business Associate Agreement must be executed between Covered Entity and Business Associate to address the obligations related to any PHI provided by Covered Entity to Business Associate, or accessed, created, received, maintained or transmitted by Business Associate on behalf of Covered Entity; and
WHEREAS, Covered Entity and Business Associate acknowledge their respective obligations to protect the privacy and provide for the security of PHI in compliance with the Health Insurance Portability and Accountability Act of 1996, and regulations promulgated thereunder by the U.S. Department of Health and Human Services (“HHS”), as amended from time to time including by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Final Omnibus Rule (collectively “HIPAA”).
NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
- Definitions. For purposes of this BA Agreement, capitalized terms used but not otherwise defined in this BA Agreement shall have the meanings set forth in HIPAA, as applicable.
Obligations of Business Associate
Permitted Uses and Disclosures. Business Associate may use and disclose PHI as permitted or required under the Services Agreement, this BA Agreement and as Required by Law, but shall not otherwise use or disclose any PHI. Business Associate may not use or disclose PHI received from Covered Entity in any manner that would constitute a violation of HIPAA if so used or disclosed by Covered Entity (except as set forth in Sections 2.1(a), (b) and (c) of this BA Agreement). To the extent Business Associate carries out any of Covered Entity’s obligations under the HIPAA privacy standards, Business Associate shall comply with the requirements of the HIPAA privacy standards that apply to Covered Entity in the performance of such obligations. Business Associate is permitted to use or disclose PHI as set forth below:
- Business Associate may use PHI internally for its proper management and administrative services or to carry out its legal responsibilities;
- Business Associate may disclose PHI to a third party for Business Associate’s proper management and administration, provided that the disclosure is Required by Law or Business Associate obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify Business Associate of any instances of which the third person is aware in which the confidentiality of the PHI has been breached;
- Business Associate may use PHI to provide Data Aggregation services as defined by HIPAA; and
- Business Associate may use Protected Health Information to create de-identified health information in accordance with the HIPAA de-identification requirements. Business Associate may disclose de-identified health information for any purpose permitted by law.
- Safeguards. Business Associate shall use reasonable and appropriate safeguards to prevent the use or disclosure of PHI, except as otherwise permitted or required by this BA Agreement. In addition, Business Associate shall implement Administrative Safeguards, Physical Safeguards and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of PHI transmitted or maintained in Electronic Media (“EPHI”) that it creates, receives, maintains or transmits on behalf of Covered Entity. Business Associate shall comply with the HIPAA Security Rule with respect to EPHI.
- Minimum Necessary Standard. To the extent required by the “minimum necessary” requirements of HIPAA, Business Associate shall only request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure.
- Mitigation. Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect (that is known to Business Associate) of a use or disclosure of PHI by Business Associate in violation of this BA Agreement.
- Subcontractors. Business Associate shall enter into a written agreement meeting the requirements of 45 C.F.R. §§ 164.504(e) and 164.314(a)(2) with each Subcontractor (including, without limitation, a Subcontractor that is an agent under applicable law) that creates, receives, maintains or transmits PHI on behalf of Business Associate. Business Associate shall ensure that the written agreement with each Subcontractor obligates the Subcontractor to comply with restrictions and conditions that are at least as restrictive as the restrictions and conditions that apply to Business Associate under this BA Agreement.
Reporting Security Incidents
- If Business Associate becomes aware of a use or disclosure of PHI in violation of this BA Agreement by Business Associate or by a third party to which Business Associate disclosed PHI, Business Associate shall report any such use or disclosure to Covered Entity without unreasonable delay.
- Business Associate shall report any Security Incident involving EPHI of which it becomes aware in the following manner: (1) any actual, successful Security Incident will be reported to Covered Entity in writing without unreasonable delay, and (2) any attempted, unsuccessful Security Incident of which Business Associate becomes aware will be reported to Covered Entity orally or in writing on a reasonable basis, as requested by Covered Entity.
- Business Associate shall, following the discovery of a Breach of Unsecured PHI, notify the Covered Entity of such Breach in accordance with 45 C.F.R. § 164.410 without unreasonable delay and in no case later than 60 days after discovery of the Breach.
- Access to PHI. Within 15 business days of a written request by Covered Entity for access to PHI about an Individual contained in any Designated Record Set of Covered Entity maintained by Business Associate, if any, Business Associate shall make available to Covered Entity such PHI for so long as Business Associate maintains such information in the Designated Record Set. If Business Associate receives a request for access to PHI directly from an Individual, Business Associate shall forward such request to Covered Entity within ten business days. Covered Entity shall have the sole responsibility for determining whether to approve a request for access to PHI.
- Availability of PHI for Amendment. Within 15 business days of receipt of a written request from Covered Entity for the amendment of an Individual’s PHI contained in a Designated Record Set of Covered Entity maintained by Business Associate, if any, Business Associate shall provide such information to Covered Entity for amendment and incorporate any such amendments in the PHI (for so long as Business Associate maintains such information in the Designated Record Set) as required by 45 C.F.R. § 164.526. If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall forward such request to Covered Entity within ten business days. Covered Entity shall have the sole responsibility for determining whether to approve an amendment to PHI.
- Accounting of Disclosures. Within 30 business days of written notice by Covered Entity to Business Associate that it has received a request for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies), Business Associate shall make available to Covered Entity such information as is in Business Associate’s possession and is required for Covered Entity to make the accounting required by 45 C.F.R. § 164.528. Covered Entity shall have the sole responsibility for providing an accounting to the Individual.
- Availability of Books and Records. Following reasonable advance written notice, Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA.
Obligations of Covered Entity
- Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Covered Entity (except as provided in Sections 2.1(a), (b) and (c) of this BA Agreement).
- Minimum Necessary PHI. When Covered Entity discloses PHI to Business Associate, Covered Entity shall provide the minimum amount of PHI necessary for the accomplishment of Business Associate’s purpose.
- Permissions; Restrictions. Covered Entity warrants that it has obtained and will obtain any consents, authorizations and/or other legal permissions required under HIPAA and other applicable law for the disclosure of PHI to Business Associate. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. Covered Entity shall not agree to any restriction on the use or disclosure of PHI under 45 CFR § 164.522 that restricts Business Associate’s use or disclosure of PHI under this Agreement unless such restriction is Required By Law or Business Associate grants its written consent, which consent shall not be unreasonably withheld.
- Notice of Privacy Practices. Except as Required by law, with Business Associate’s consent or as set forth in the Services Agreement or this BA Agreement, Covered Entity shall not include any limitation in the Covered Entity’s notice of privacy practices that limits Business Associate’s use or disclosure of PHI under the Services Agreement.
Term and Termination
- Term. This Business Associate Agreement shall be effective as of the date indicated above and shall terminate upon the later of the termination or expiration of the Services Agreement, or when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity is destroyed by Business Associate, or its subcontractors, or returned to Covered Entity, or, if it is infeasible for Business Associate, or its subcontractors, to return or destroy, protections are extended to such information, in accordance with the termination provisions in this Business Associate Agreement.
- Termination. Any other provision of this Business Associate Agreement notwithstanding, this Business Associate Agreement and the Services Agreement may be terminated by either Party (the “Non-Breaching Party”) upon thirty (30) business days prior written notice to the other Party (the “Breaching Party”) in the event the Breaching Party materially breaches any of its obligations under this BA Agreement and fails to cure the breach within such thirty (30) day period; provided, however, that in the event that termination of this BA Agreement is not feasible, Covered Entity, in its discretion, shall have the right to report the breach to the Secretary.
- Return or Transfer of PHI. Upon termination of this BA Agreement, Business Associate shall return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity and which Business Associate still maintains as PHI. Notwithstanding the foregoing, to the extent that Business Associate reasonably and in good faith determines that it is not feasible to return or destroy such PHI, the terms and provisions of this BA Agreement shall survive termination of the BA Agreement or Services Agreement and such PHI shall be used or disclosed solely for such purpose or purposes which prevented the return or destruction of such PHI.
- Notices. Any notices pertaining to this BA Agreement shall be given in writing and shall be deemed duly given when personally delivered to a Party at the address (and to the individual) listed below, or sent by means of a reputable overnight carrier, or sent by means of certified mail, return receipt requested, postage prepaid. A notice sent by certified mail shall be deemed given on the date of receipt or refusal of receipt.
- Amendments. This BA Agreement may not be changed or modified in any manner except by express written agreement of the Parties. The Parties, however, agree to amend this BA Agreement as may be warranted to assure Covered Entity’s and Business Associate's compliance with the requirements of the Rules or changes in Covered Entity's HIPAA Privacy Notice, as applicable.
- Choice of Law. This BA Agreement and the rights and the obligations of the Parties hereunder shall be governed by and construed under the laws of the State of Indiana, without regard to applicable conflict of laws principles.
- Assignment of Rights and Delegation of Duties. This BA Agreement is binding upon and inures to the benefit of the Parties hereto and their respective successors and permitted assigns. However, neither Party may assign any of its rights or delegate any of its obligations under this BA Agreement without the prior written consent of the other Party, which consent shall not be unreasonably withheld or delayed.
- No Waiver. Failure or delay on the part of either Party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof. No provision of this BA Agreement may be waived by either Party except by a writing signed by an authorized representative of both Parties.
- Severability. The provisions of this BA Agreement shall be severable, and if any provision of this BA Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this BA Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
- No Third Party Beneficiaries. Nothing in this BA Agreement is intended to confer on any person or individual other than the Parties to this Business Associate Agreement or their respective successors and assigns any rights, remedies, obligations or liabilities under or by reason of this BA Agreement. Nothing in this BA Agreement shall be considered or construed as conferring any right or benefit on a person not party to this BA Agreement nor imposing any obligations on either Party hereto to persons not a party to this BA Agreement.
- Headings. The descriptive headings of the articles, sections, subsections, exhibits and schedules of this BA Agreement are inserted for convenience only, do not constitute a part of this BA Agreement and shall not affect in any way the meaning or interpretation of this BA Agreement.
- Entire Business Associate Agreement. This BA Agreement, together with attached exhibits, riders and amendments, if applicable, which are fully completed and signed by authorized agents on behalf of both Parties from time to time while this Business Associate Agreement is in effect, constitutes the entire BA Agreement between the Parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, BA Agreement, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof. In the event of any inconsistencies between any provisions of this Business Associate Agreement and any provisions of any exhibits or riders, the provisions of this BA Agreement shall control.
- Regulatory References. A citation in this BA Agreement to any laws or regulations shall mean the cited section as that section may be amended from time to time.