Business Associate Agreement
You can download a PDF version of the Business Associate Agreement here.
This Business Associate Agreement (the “Agreement”) by and between Covered Entity and Business Associate (each a “Party” and collectively the “Parties”), is effective as of the date Business Associate first provides Services, as defined below, to Covered Entity.
WHEREAS, the purpose of this Agreement is to address the measures that Business Associate shall take to protect the confidentiality of certain individually identifiable health information that the Covered Entity may disclose to Business Associate or that the Business Associate may create, receive, maintain, or transmit on behalf of the Covered Entity or its Affiliates in connection with the service, repair, trouble shooting and maintenance activities associated with the products identified at http://medical.olympusamerica.com/baaproducts (the “Services”). This Agreement applies only if and to the extent Olympus is a “business associate” (as that term is defined in 45 C.F.R. § 160.103) of Covered Entity.
WHEREAS, the use and disclosure, electronic transmission and maintenance, and security of certain individually identifiable health information is regulated by the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, as amended by Health Information Technology for Economic and Clinical Health Act, Section 13400, et. seq. of the American Recovery and Reinvestment Act of 2009 (“HITECH”), and the regulations promulgated thereunder, all as may subsequently be amended (collectively referred to as “HIPAA”).
WHEREAS, the Covered Entity may from time to time disclose individually identifiable health information to the Business Associate, and the Business Associate may from time to time create, receive, maintain, and/or transmit such individually identifiable health information.
WHEREAS, both Parties are committed to complying with HIPAA, including without limitation, the HIPAA Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), the HIPAA Security Standards (the “Security Rule”), and the HIPAA Standards for Notification in the Case of Breach of Unsecured Protected Health Information (the “Breach Notification Rule”) (all as set forth in 45 C.F.R. Parts 160, 162 and 164), and any applicable guidance from the Department of Health and Human Services (“HHS” or the “Secretary”).
NOW THEREFORE, for and in consideration of the foregoing premises, the Covered Entity and Business Associate hereby agree as follows:
1. PERMITTED USES AND DISCLOSURES OF PHI
1.1 Definitions. Except for the below, all terms used in this Agreement shall have the same meaning as set forth in HIPAA.
a. “Affiliate” shall mean any company directly or indirectly through one or more intermediate companies which now or hereafter may control, be controlled by or be under common control with the relevant party. “Control” of a company means the power to exercise 50 percent or more of the voting rights of such company.
b. “Covered Entity” shall have the meaning given to that term under 45 C.F.R. § 160.103 but shall be limited to entities receiving Services from the Business Associate pursuant to a written agreement.
c. “Protected Health Information” or “PHI” shall have the meaning given to that term under 45 C.F.R. § 160.103 but shall be limited to the information created, received or maintained by the Business Associate from or on behalf of the Covered Entity.
1.2 Use and Disclosure. The Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law, as that term is defined in 45 C.F.R. § 164.103 (“Required by Law”). All other uses or disclosures not authorized by this Agreement are prohibited.
1.3 Disclosure to perform Services. Except as otherwise limited herein, the Business Associate may use or disclose PHI as necessary to perform the Services, provided that such use or disclosure would not violate the Privacy Rule if done by the Covered Entity.
1.4 Business Activities of the Business Associate. Unless otherwise limited herein, the Business Associate may:
a. Use PHI for the Business Associate’s proper management and administration and to carry out any of its legal responsibilities.
b. Disclose PHI to third parties for the purpose of the Business Associate’s proper management and administration and to carry out any of its legal responsibilities, if and only if (1) Required by Law, or (2) the Business Associate obtains reasonable assurances from the third party to whom the information is disclosed that it shall be held confidentially and be used or further disclosed only as Required by Law or the purpose for which it was disclosed to that third party. In addition, the third party will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
c. Provide data aggregation services to the Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
d. Report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
2. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PHI
2.1 Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI and the privacy and security of PHI, the Business Associate hereby agrees to the following:
a. Privacy and Security.
(i) The Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law.
(ii) In carrying out an obligation of the Covered Entity under the Privacy Rule, the Business Associate shall comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.
(iii) The Business Associate shall use appropriate safeguards and comply with the Security Rule with respect to electronic PHI to
prevent use or disclosure of PHI other than as provided for by this Agreement and as Required by Law.
b. Mitigation. The Business Associate shall take reasonable measures requested by the Covered Entity to mitigate, to the extent practicable, any harmful effects to the individual who is the subject of the PHI of a use or disclosure of PHI by the Business Associate that violates this Agreement.
c. Agents and Subcontractors. The Business Associate shall, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) & 164.308(b)(2), as applicable, require all of its agents and subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate to agree, in a writing substantially the same as this Agreement, to the same (or more stringent) restrictions and conditions that apply to the Business Associate under this Agreement.
d. Reporting.
(i) The Business Associate shall, without unreasonable delay, and in no event longer than ten (10) business days, report to the Covered Entity’s Privacy Officer or other representative identified by Covered Entity, any use and/or disclosure of PHI that is not permitted by this Agreement of which it becomes aware, including instances in which an agent or subcontractor has improperly used or disclosed PHI
(ii) The Business Associate shall, without unreasonable delay, and in no event more than ten (10) business days, report to the Covered Entity’s Privacy Officer or other representative identified by Covered Entity, any Security Incident (as defined in 45 C.F.R. § 164.304) involving electronic PHI of which it becomes aware.
(iii) The Business Associate shall report to the Covered Entity, as required by the Breach Notification Rule, any Breach (as defined in 45 C.F.R. § 164.402) of Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402). Such report shall be made without unreasonable delay, and in no event longer than ten (10) business days after Business Associate discovers the Breach.
(iv) Any reports given to Covered Entity by Business Associate shall identify at a minimum: (i) the nature of the non-permitted use or disclosure, (ii) the PHI used or disclosed, (iii) party or parties who made the non-permitted use or received the non-permitted disclosure, (iv) what corrective actions the Business Associate took or will take to prevent further non-permitted use or disclosures, (v) what Business Associate did or will do to mitigate any harmful effect of the nonpermitted use or disclosure, (vi) and any such other information HHS may prescribe by regulation.
e. Access to Internal Practices. The Business Associate shall make its internal practices, books and records (including policies and procedures, and PHI) relating to the use and/or disclosure of PHI available to the Secretary for purposes of the Secretary’s determiningcompliance with HIPAA.
f. Access to PHI. The Business Associate shall make an individual’s PHI available for inspection and copying in accordance with 45 C.F.R. § 164.524. Further, at the Covered Entity’s request, and within fifteen (15) days of the Covered Entity’s request, the Business Associate shall provide the Covered Entity with the PHI requested by an individual pursuant to 45 C.F.R. § 164.524.
g. Amendments to PHI. The Business Associate shall make an individual’s PHI available for amendment and shall incorporate any amendments to the PHI in accordance with 45 C.F.R. § 164.526. Further, at the Covered Entity’s request, and within fifteen (15) days of the Covered Entity’s request, the Business Associate shall provide the Covered Entity with the PHI that an individual seeks to amend pursuant to 45 C.F.R. § 164.526.
h. Accounting of Disclosures. The Business Associate shall make available the information required to provide an accounting of disclosures to an individual pursuant to 45 C.F.R. § 164.528, and, as applicable, 42 U.S.C. § 17935(c) and any regulations promulgated thereunder. Further, at the Covered Entity’s request, and within fifteen (15) days of the Covered Entity’s request, the Business Associate shall provide the Covered Entity with such information. To fulfill this obligation, the Business Associate agrees to document those disclosures of PHI and related information that would be necessary for the Covered Entity to respond to an individual’s request for an accounting of disclosures.
i. Restrictions/Alternatives. The Business Associate shall abide by any arrangements that the Covered Entity has made with an individual regarding restricting the use or disclosure of the individual's PHI, or providing the individual with confidential communications of PHI by alternative means or at an alternative location pursuant to 45 C.F.R. § 164.522, provided that the Covered Entity has notified the Business Associate in writing of such restrictions or alternative means of communication.
j. Minimum Necessary. The Business Associate shall request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure in accordance with 45 C.F.R. § 164.502(b).
2.2 Responsibilities of the Covered Entity.
a. Notification Requirement. With regard to the use and/or disclosure of PHI by the Business Associate, the Covered Entity shall:
(i) Provide the Business Associate with its Notice of Privacy Practices (the “Notice”), which the Covered Entity provides to its participants in accordance with 45 C.F.R. § 164.520, as well as any changes to or limitations in such Notice to the extent that the changes or limitations affect the Business Associate’s use or disclosure of PHI.
(ii) Inform the Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, if such changes or revocation may affect the Business Associate’s uses or disclosures of the PHI.
(iii) Notify the Business Associate of any arrangements the Covered Entity has agreed to that restrict disclosures or provide individuals with confidential communications pursuant to 45 C.F.R. § 164.522 that may affect the Business Associate’s use or disclosure of PHI.
b. No Impermissible Requests. The Covered Entity shall not request that the Business Associate use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Entity, except as permitted by Section 1.4(a), (b) and (c) above.
3. TERM AND TERMINATION
3.1 Term. This Agreement shall become effective as of the Effective Date, and shall continue unless terminated as provided below.
3.2 Termination for Cause by Covered Entity. If the Covered Entity determines that the Business Associate has breached a material term of this Agreement, the Covered Entity may:
a. Provide the Business Associate with written notice of the material breach, and afford the Business Associate thirty (30) days to cure such breach. If the breach is not cured within the thirty (30)-day period, the Covered Entity may terminate this Agreement.
b. Immediately terminate this Agreement or any other agreement for Services if the Business Associate has breached a material term of this Agreement and cure is not possible.
3.3 Effect of Termination. Upon termination of this Agreement for any reason, the Business Associate shall, with respect to PHI received, created, maintained, or transmitted on behalf of the Covered Entity:
a. Retain only that PHI which is necessary for the Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
b. Continue to use appropriate safeguards and comply with the Security Rule with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this section, for as long as the Business Associate retains the PHI;
c. Not use or disclose the PHI retained by the Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out in Section 1.4(a) and (b) which applied prior to termination; and
d. Destroy the PHI retained by the Business Associate when it is no longer needed by the Business Associate for its proper management and administration or to carry out its legal responsibilities.
4. INDEMNIFICATION.
Business Associate agrees to indemnify and defend Covered Entity and their respective employees, officers and directors, (“Indemnified Parties”) from and against any and all losses or costs the Indemnified Parties may suffer, pay or incur as a result of third party claims, demands or actions (“Claim”) against any of the Indemnified Parties to the extent such losses are attributable to the actions of the Business Associate or the failure of the Business Associate to comply with this Agreement or applicable laws, rules and regulations. Notwithstanding the aforesaid, the indemnifying party shall not be liable to the Indemnified Parties to the extent that the Claim is based on or arises out of the negligence, omissions, or other misconduct of the Indemnified Party.
THE FOREGOING SETS FORTH THE PARTIES’ EXCLUSIVE REMEDY AND THE INDEMNIFYING PARTY’S SOLE OBLIGATION WITH RESPECT TO ANY CLAIMS RELATING TO THE SUBJECT MATTER DESCRIBED HEREIN. IN NO EVENT SHALL THE INDEMNIFYING PARTY BE RESPONSIBLE, WHETHER UNDER THIS SECTION, IN CONTRACT, TORT, OR OTHERWISE, FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL LOSSES OR DAMAGES, WHETHER OR NOT THE INDEMNIFYING PARTY SHALL BE OR SHOULD BE AWARE OF THE POSSIBILITY OF SUCH POTENTIAL LOSS OR DAMAGE.
5. MISCELLANEOUS
5.1 Regulatory References. A reference in this Agreement to a provision in HIPAA means the provision as in effect or as amended, and for which compliance is required.
.2 Survival. The provisions of this Agreement shall survive the expiration or any termination of the term of this Agreement to the extent that the Business Associate continues to maintain PHI.
5.3 Interpretation. Any ambiguity in this Agreement shall be resolved to permit the Covered Entity and the Business Associate to comply with HIPAA.
5.4 Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Parties to comply with the requirements of, or conform to, any changes in HIPAA. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
5.5 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
5.6 Counterparts; Facsimiles. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.
5.7 Disputes. If any controversy, dispute or claim arises between the Parties with respect to this Agreement, the Parties shall make goodfaithefforts to resolve such matters informally.
5.8 Notices. Any notices to be given hereunder to Olympus shall be given to:
Olympus America Inc.
3500 Corporate Parkway
Center Valley, PA 18034
Attention: OCA Privacy Officer
Email: leslie.cox@olympus.com
With a copy to:
Olympus Corporation of the Americas
3500 Corporate Parkway
Center Valley, PA 18034
Attention: General Counsel
Covered Entity shall send its notification address, along with all other contact information to BAA@olympus.com.
Notification shall be made via U.S. mail or express courier to such Party’s provided address. Each Party named above may change its notification address and that of its representative by giving notice thereof in the manner herein provided.
5.9 Entire Agreement. This Agreement contains the entire agreement and understanding between the Parties relating to the subject matter herein and supersedes all prior agreements, understandings, and representations relating to that subject matter.