PRIVACY OF PROTECTED HEALTH INFORMATION
1. Permitted Uses and Disclosures.Business Associate is permitted or required to use or disclose
Protected Health Information it creates or receives for or from Dental Practice only as follows:
a) Functions and Activities on Dental Practice’s Behalf. Business Associate is permitted to use and disclose Protected Health Information it creates or receives for or from Dental Practice solely for the purposes of performing and billing for dental laboratory work sent to Business Associate from Dental Practicer dental laboratory work sent to Business Associate from Dental Practice
b) Business Associate’s Operations. Business Associate may use Protected Health Information it creates or receives for or from Dental Practice as necessary for Business Associate’s proper management and administration or to carry out Business Associate’s legal responsibilities. Business Associate may disclose such Protected Health Information as necessary for Business Associate’s proper management and administration or to carry out Business Associate’s legal responsibilities only if:
The disclosure is required by law; or
Business Associate obtains reasonable assurance, evidenced by written contract, from any person or organization to which Business Associate will disclose such Protected Health Information that the person or organization will:
Hold such Protected Health Information in confidence and use or further disclose it only for the purpose for which Business Associate disclosed it to the person or organization or as required by law; and
Notify Business Associate (who will in turn promptly notify Dental Practice) of any instance of which the person or organization becomes aware in which the confidentiality of such Protected Health Information was breached.
2. Prohibition on Unauthorized Use or Disclosure. Business Associate will neither use nor disclose Protected Health Information it creates or receives for or from Dental Practice or from another Business Associate of Dental Practice, except as permitted or required by this Addendum or as required by law or as otherwise permitted in writing by Dental Practice.
3. Information Safeguards. Business Associate will develop, implement, maintain and use appropriate administrative, technical and physical safeguards, in compliance with Social Security Act § 1173(d) (42 U.S.C. § 1320d-2(d)), 45 Code of Federal Regulation § 164.530(c) and any other implementing regulations issued by the U.S. Department of Health and Human Services, to preserve the integrity and confidentiality of and to prevent non-permitted or violating use or disclosure of Protected Health Information created or received for or from Dental Practice. Business Associate will document and keep these safeguards current.
Sub-Contractors and Agents. Business Associate will require any of its subcontractors and agents, to which Business Associate is permitted by this Addendum or in writing by Dental Practice to disclose any of the Protected Health Information Business Associate creates or receives for or from Dental Practice, to provide reasonable assurance, evidenced by written contract, that subcontractor or agent will comply with the same privacy and security obligations as Business Associate with respect to such Protected Health Information.
4.Compliance with Standard Transactions. If Business Associate conducts in whole or part Standard Transactions for or on behalf of Dental Practice, Business Associate will comply, and will require any subcontractor or agent involved with the conduct of such Standard Transactions to comply, with each applicable requirement of 45 Code of Federal Regulations Part 162.
Protected Health Information Access, Amendment and Disclosure Accounting.
Access. Business Associate will promptly upon Dental Practice’s request make available to Dental Practice or, at Dental Practice’s direction, to the patient (or the patient’s personal representative) for inspection and obtaining copies any Protected Health Information about the patient which Business Associate created or received for or from Dental Practice and that is in Business Associate’s custody or control, so that Dental Practice may meet its access obligations under 45 Code of Federal Regulations § 164.524.
5. Amendment. Business Associate will, upon receipt of notice from Dental Practice, promptly amend or permit Dental Practice access to amend any portion of the Protected Health Information which Business Associate created or received for or from Dental Practice, so that Dental Practice may meet its amendment obligations under 45 Code of Federal Regulations § 164.526.
Disclosure Accounting. So that Dental Practice may meet its disclosure accounting obligations under 45 Code of Federal Regulations § 164.528:
Disclosure Tracking. Starting April 14, 2003, Business Associate will record for each disclosure, not excepted from disclosure accounting under Addendum Section 5(a) “Exceptions from Disclosure Tracking” below, that Business Associate makes to Dental Practice or a third party of Protected Health Information that Business Associate creates or receives for or from Dental Practice, (i) the disclosure date, (ii) the name and (if known) address of the person or entity to whom Business Associate made the disclosure, (iii) a brief description of the Protected Health Information disclosed, and (iv) a brief statement of the purpose of the disclosure (items i-iv, collectively, the “disclosure information”). For repetitive disclosures Business Associate makes to the same person or entity (including Dental Practice) for a single purpose, Business Associate may provide (x) the disclosure information for the first of these repetitive disclosures, (y) the frequency, periodicity or number of these repetitive disclosures and (z) the date of the last of these repetitive disclosures. Business Associate will make this disclosure information available to Dental Practice promptly upon Dental Practice’s request.
Exceptions from Disclosure Tracking. Business Associate need not record disclosure information or otherwise account for disclosures of Protected Health Information that this Addendum or Dental Practice in writing permits or requires (i) for the purpose of Dental Practice’s treatment activities, payment activities, or healthcare operations, (ii) to the patient who is the subject of the Protected Health Information disclosed or to that patient’s personal representative;; (iii) to persons involved in that patient’s healthcare or payment for healthcare;; (iv) for notification for disaster relief purposes, (v) for national security or intelligence purposes, or (vi) to law enforcement officials or correctional institutions regarding inmates.
Disclosure Tracking Time Periods. Business Associate must have available for Dental Practice the disclosure information required by Addendum Section 5(a) “Disclosure Tracking” for the 6 years preceding Dental Practice’s request for the disclosure information (except Business Associate need have no disclosure information for disclosures occurring before April 14, 2003).
6. Inspection of Books and Records. Business Associate will make its internal practices, books, and records, relating to its use and disclosure of the Protected Health Information it creates or receives for or from Dental Practice, available to Dental Practice and to the U.S. Department of Health and Human Services to determine compliance with 45 Code of Federal Regulations Parts 160-64 or this Addendum.
BREACH OF PRIVACY OBLIGATIONS.
7. Reporting. Business Associate will report to Dental Practice any use or disclosure of Protected Health Information not permitted by this Addendum. Business Associate will make the report to Dental Practice not less than 24 hours after Business Associate learns of such non-permitted or violating use or disclosure. Business Associate’s report will at least:
a) Identify the nature of the non-permitted or violating use or disclosure;
b) Identify the Protected Health Information used or disclosed;
c) Identify who made the non-permitted or violating use or received the non-permitted or violating disclosure;
d) Identify what corrective action Business Associate took or will take to prevent further non- permitted or violating uses or disclosures;
e) Identify what Business Associate did or will do to mitigate any deleterious effect of the non- permitted or violating use or disclosure; and
f) Provide such other information, including a written report, as Dental Practice may reasonably request.
8. Termination of Agreement.
a) Right to Terminate for Breach. Dental Practice may terminate Agreement if it determines, in its sole discretion, that Business Associate has breached any provision of this Addendum. Dental Practice may exercise this right to terminate Agreement by providing Business Associate written notice of termination, stating the breach of the Addendum that provides the basis for the termination. Any such termination will be effective immediately or at such other date specified in Dental Practice’s notice of termination.
b) Obligations upon Termination.
Return or Destruction. Upon termination, cancellation, expiration or other conclusion of Agreement, Business Associate will, if feasible, return to Dental Practice or destroy all Protected Health Information, in whatever form or medium (including in any electronic medium under Business Associate’s custody or control), that Business Associate created or received for or from Dental Practice, including all copies of and any data or compilations derived from and allowing identification of any patient who is a subject of the Protected Health Information. Business Associate will complete such return or destruction as promptly as possible, but not later than 30 days after the effective date of the termination, cancellation, expiration or other conclusion of Agreement. Business Associate will identify any Protected Health Information that Business Associate created or received for or from Dental Practice that cannot feasibly be returned to Dental Practice or destroyed, and will limit its further use or disclosure of that Protected Health Information to those purposes that make return or destruction of that Protected Health Information infeasible. Within such 30 days, Business Associate will certify on oath in writing to Dental Practice that such return or destruction has been completed, will deliver to Dental Practice the identification of any Protected Health Information for which return or destruction is infeasible and, for that Protected Health Information, will certify that it will only use or disclose such Protected Health Information for those purposes that make return or destruction infeasible.
Continuing Privacy Obligation. Business Associate’s obligation to protect the privacy of the Protected Health Information it created or received for or from Dental Practice will be continuous and survive termination, cancellation, expiration or other conclusion of Agreement.
9. Indemnity. Business Associate will indemnify and hold harmless Dental Practice and any Dental Practice affiliate, officer, director, employee or agent from and against any claim, cause of action, liabilit y, damage, cost or expense, including attorneys’ fees and court or proceeding costs, arising out of or in connection with any non-permitted or violating use or disclosure of Protected Health Information or other breach of this Addendum by Business Associate or any subcontractor, agent, person or entity under Business Associate’s control.
a) Right to Tender or Undertake Defense. If Dental Practice is named a party in any judicial, administrative or other proceeding arising out of or in connection with any non-permitted or violating use or disclosure of Protected Health Information or other breach of this Addendum by Business Associate or any subcontractor, agent, person or entity under Business Associate’s control, Dental Practice will have the option at any time either (i) to tender its defense to Business Associate, in which case Business Associate will provide qualified attorneys, consultants and other appropriate professionals to represent Dental Practice’s interests at Business Associate’s expense, or (ii) undertake its own defense, choosing the attorneys, consultants and other appropriate professionals to represent its interests, in which case Business Associate will be responsible for and pay the reasonable fees and expenses of such attorneys, consultants and other professionals.
b) Right to Control Resolution. Dental Practice will have the sole right and discretion to settle, compromise or otherwise resolve any and all claims, causes of actions, liabilities or damages against it, notwithstanding that Dental Practice may have tendered its defense to Business Associate. Any such resolution will not relieve Business Associate of its obligation to indemnify Dental Practice under this Addendum Section 9.
GENERAL PROVISIONS
10. Definitions. The capitalized terms “Protected Health Information” and “Standard Transaction” have the meanings set out in, respectively, 45 Code of Federal Regulations § 164.501 and 45 Code of Federal Regulations § 160.103.
11. Amendment to Agreement. Upon the effective date of any final regulation or amendment to final regulations promulgated by the U.S. Department of Health and Human Services with respect to Protected Health Information or Standard Transactions, this Addendum and the Agreement of which it is part will automatically amend such that the obligations they impose on Business Associate remain in compliance with these regulations.
Conflicts. The terms and conditions of this Addendum will override and control any conflicting term or condition of Agreement. All non-conflicting terms and conditions of Agreement remain in full force and effect.