Business association agreement

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (the “Agreement”) is effective as of the effective date of the Services Agreement (as defined below) (the “Effective Date”) by and between Customer (“Covered Entity”) and Physio-Control, Inc., a wholly owned subsidiary of Stryker Corporation, (“Business Associate”). Covered Entity and Business Associate are referred to herein collectively as the “Parties” and individually as a “Party.”
 
WHEREAS, Covered Entity and Business Associate are parties to a Software and Hosting Terms & Conditions Agreement (the “Services Agreement”) under which Covered Entity is licensed to utilize Stryker Software and Hosting Services as those terms are defined in the Software and Hosting Terms & Conditions located at https://www.stryker.com//us/en/emergency-care/data-solutions/software-hosting.html;

WHEREAS, Covered Entity possesses Protected Health Information (as hereinafter defined) that is protected under HIPAA (as hereinafter defined), the HIPAA Privacy Regulations (as hereinafter defined), the HIPAA Security Regulations (as hereinafter defined), and the HIPAA Breach Notification Regulations (as hereinafter defined) and is permitted to use or disclose such information only in accordance with such laws and regulations;

WHEREAS, Business Associate may receive such information from Covered Entity, or create, receive, maintain, or transmit such information on behalf of Covered Entity, in connection with the Services Agreement and one (1) or more Statements of Work entered into by the Parties under the Services Agreement; and

WHEREAS, Covered Entity wishes to ensure that Business Associate will appropriately safeguard the privacy, confidentiality, integrity and availability of Protected Health Information;

NOW, THEREFORE, in consideration of the foregoing and of the mutual covenants and agreements herein contained, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereto agree to the foregoing and as follows only to the extent that Business Associate acts in the capacity of a business associate (as defined in the HIPAA Privacy Regulations) for or on behalf of Covered Entity:

1. DEFINITIONS.

The following terms, when used in this Agreement, shall have the following meanings, as further defined in HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HIPAA Breach Notification Regulations.

Breach shall have the meaning set forth in 45 C.F.R. § 164.402.

Data Aggregation means, with respect to Protected Health Information created or received by Business Associate in its capacity as the Business Associate of Covered Entity, the combining of such Protected Health Information by Business Associate with the Protected Health Information received by Business Associate in its capacity as a Business Associate of another Covered Entity, to permit data analyses that relate to the Health Care Operations of the respective Covered Entities.

Electronic Protected Health Information or Electronic PHI means Protected Health Information that is transmitted by or maintained in Electronic Media as defined in the HIPAA Security Regulations.

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

HIPAA Breach Notification Regulations shall mean the regulations promulgated under HIPAA by the United States Department of Health and Human Services to require notification in the event of a Breach, including, but not limited to, the HIPAA Omnibus Rule and 45 C.F.R. Part 164, Subpart D.

HIPAA Omnibus Rule means the regulations promulgated under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act by the United States Department of Health and Human Services to protect the privacy and security of Protected Health Information and provide security Breach notifications provisions applicable to a Business Associate, including, but not limited to, 45 C.F.R. Part 160 and 45 C.F.R. Part 164.

HIPAA Privacy Regulations means the regulations promulgated under HIPAA by the United States Department of Health and Human Services to protect the privacy of Protected Health Information, including, but not limited to, the HIPAA Omnibus Rule and 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subpart A and Subpart E.

HIPAA Security Regulations means the regulations promulgated under HIPAA by the United States Department of Health and Human Services to protect the security of Electronic Protected Health Information, including, but not limited to, the HIPAA Omnibus Rule and 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subpart A and Subpart C.

Individually Identifiable Health Information means information that is a subset of Health Information, including demographic information collected from an individual, that is (a) created or received by a Health Care Provider, Health Plan, employer, or Health Care Clearinghouse; and (b) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information or PHI means Individually Identifiable Health Information transmitted or maintained in any form or medium that (i) is received by Business Associate from Covered Entity or (ii) is created, received, transmitted or maintained by Business Associate for or on behalf of Covered Entity.  Protected Health Information excludes Individually Identifiable Health Information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, records described at 20 U.S.C. § 1232g(a)(4)(B)(iv), and employment records held by the Covered Entity in its role as employer.

Security Incident shall have the same meaning given to such term in 45 C.F.R. § 164.304.

Any terms capitalized, but not otherwise defined, in this Agreement shall have the same meaning as those terms presently have under HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations and the HIPAA Breach Notification Regulations.

2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

Use or Disclosure.  Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required to perform its functions, activities, or services as described in the Services Agreement, as permitted or required under this Agreement, or as Required by Law.

Safeguards.  Business Associate agrees to use appropriate safeguards to prevent any use or disclosure of Protected Health Information other than uses and disclosures expressly provided for by this Agreement.  Business Associate further agrees to comply with the HIPAA Security Regulations and use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of Electronic PHI in accordance with the HIPAA Security Regulations. So that Business Associate may promptly disable access by any terminated workforce member or agent of Covered Entity to Business Associate systems and equipment (including, but not limited to, iPads and computer servers), Covered Entity agrees to notify Business Associate immediately upon, but in no event more than twenty-four (24) hours after, the termination of any workforce member or agent who had access to Business Associate systems and equipment.

Mitigation.  Business Associate agrees to reasonably cooperate with Covered Entity’s efforts to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.

Reporting.  Business Associate agrees to report to Covered Entity any use or disclosure of Protected Health Information in violation of this Agreement and any Breach, of which Business Associate becomes aware, without unreasonable delay, and in any event no more than ten (10) business days following discovery.  Business Associate further agrees to report promptly to Covered Entity any successful Security Incident of which it becomes aware; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required.  “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access to, or use or disclosure of, Electronic PHI.

Subcontractors.  Business Associate agrees to ensure that any subcontractors to whom it provides Protected Health Information received from, or created, received, maintained, or transmitted by Business Associate for or on behalf of, Covered Entity, agree to restrictions and conditions no less restrictive than those that apply through this Agreement to Business Associate with respect to such information.

Access.  In the event that Business Associate maintains Protected Health Information in a Designated Record Set, Business Associate will provide Covered Entity with access to such Protected Health Information in accordance with the HIPAA Privacy Regulations as necessary for Covered Entity to fulfill a request from an individual pursuant to 45 C.F.R. § 164.524.  In the event any individual requests access to Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity in the time and manner reasonably designated by Covered Entity such that Covered Entity can respond to such individual in accordance with 45 C.F.R. § 164.524.  Any denials of access to the Protected Health Information requested shall be the responsibility of Covered Entity.

Amendment.  In the event that Business Associate maintains Protected Health Information in a Designated Record Set, Business Associate will provide Protected Health Information to Covered Entity for amendment or incorporate any such amendments in the Protected Health Information requested by Covered Entity pursuant to 45 C.F.R. § 164.526. In the event any individual requests amendment of Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity in the time and manner reasonably designated by Covered Entity such that Covered Entity can respond to such individual in accordance with 45 C.F.R. § 164.526.

Audit and Inspection.  Business Associate agrees to make its internal practices, books, and records relating to the use and disclosure of Protected Health Information and the security of Electronic Protected Health Information, available to the Secretary of Health and Human Services (the “Secretary of HHS”) or any officer or employee of HHS to whom the Secretary of HHS has delegated such authority for the purposes of the Secretary of HHS determining Covered Entity’s compliance with the HIPAA Privacy Regulations, the HIPAA Security Regulations, and the HIPAA Breach Notification Regulations.  Such information shall be made available in the reasonable time and manner designated by the Secretary of HHS. 

Documentation of Disclosures.  Business Associate agrees to document and maintain documentation of such disclosures of Protected Health Information, and such information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 164.528.

Accounting.  Upon receipt of notice by or on behalf of Covered Entity that Covered Entity has received a request for an accounting of disclosures of Protected Health Information, Business Associate shall make available to Covered Entity, in the time and manner reasonably designated by Covered Entity, that information collected in accordance with Section 2(i) (“Documentation of Disclosures”) of this Agreement, to permit Covered Entity to respond to the request in accordance with 45 C.F.R. § 164.528. 

Compliance with the HIPAA Privacy Regulations.  To the extent that Business Associate carries out any of Covered Entity’s obligations under the HIPAA Privacy Regulations, Business Associate shall comply with the requirements of the HIPAA Privacy Regulations that apply to Covered Entity in the performance of such obligations.

Minimum Necessary Use and Disclosure.  In conducting functions and/or activities under the Services Agreement and this Agreement that involve the use and/or disclosure of Protected Health Information, Business Associate shall make reasonable efforts to limit the request for and use or disclosure of Protected Health Information to the minimum amount of information necessary to accomplish the intended purpose of the request, use or disclosure.

Scope.  The terms of this Agreement apply to Business Associate only to the extent Business Associate acts in such capacity (as defined in the HIPAA Privacy Regulations) for or on behalf of Covered Entity and only with regard to PHI.  For the avoidance of doubt, this Agreement does not apply to the extent that Business Associate is acting as a Health Care Provider (as defined in the HIPAA Privacy Regulations) to which Covered Entity is disclosing or otherwise sharing Protected Health Information for Treatment purposes as described in the HHS HIPAA FAQ 490, or where Business Associate receives Protected Health Information from Covered Entity in connection with 45 C.F.R. 164.512(b)(1)(iii), including the report of an adverse event or product defect.

3. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

General Use and Disclosure Provisions.  Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information in connection with its performance of the services under the Services Agreement if such use or disclosure of Protected Health Information would not violate HIPAA or the HIPAA Privacy Regulations.

Specific Use and Disclosure Provisions.

Except as otherwise limited in this Agreement, Business Associate may use and disclose Protected Health Information for the proper management and administration of the Business Associate or to meet its legal responsibilities; provided, however, that such Protected Health Information may be disclosed for such purposes only if the disclosures are Required by Law or the Business Associate obtains certain reasonable assurances from the person to whom the information is disclosed.  The required reasonable assurances are that:

- the information will remain confidential;
- the information will be used or further disclosed only as Required by Law or for the purpose for which the information was disclosed to the person; and
- the person will notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

Business Associate may use and disclose Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).

Business Associate may use and disclose Protected Health Information to provide Data Aggregation services relating to the Health Care Operations of Covered Entity and other customers of Business Associate, in connection with the performance of services that involve data aggregation under the Services Agreement. 

Business Associate may de-identify Protected Health Information in accordance with the standards set forth in 45 C.F.R. § 164.514(b), including in connection with the performance of services that involve de-identification under the Services Agreement. Business Associate’s use and disclosure of such de-identified information will not be subject to the requirements set forth in this Agreement. 

4. OBLIGATIONS OF COVERED ENTITY

Permissible Requests by Covered Entity.  Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the HIPAA Privacy Regulations if done by Covered Entity or that is not otherwise expressly permitted under Section 3 (“Permitted Uses and Disclosures by Business Associate”) of this Agreement.

Notice of Privacy Practices.  Covered Entity shall notify in writing Business Associate of any limitation(s) in its notice of privacy practices that may affect Business Associate’s use or disclosure of PHI. 

Notification of Changes Regarding Individual Permission.  Covered Entity shall obtain any consent or authorization that may be required by the HIPAA Privacy Regulations, and/or applicable state law, prior to furnishing Business Associate with PHI.  Covered Entity shall notify Business Associate in writing of any changes in, or revocation of, permission by an Individual to use or disclose PHI that may affect Business Associate’s use or disclosure of PHI.

Notification of Restrictions to the Use or Disclosure of PHI.  Covered Entity shall notify Business Associate in writing of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522 that may affect Business Associate’s use or disclosure of PHI. 

5. TERM AND TERMINATION

Term.  This Agreement shall be effective for the term of the subscription, support or hosting services period set forth in the Software and Hosting Terms and Conditions or until terminated in accordance with the provisions of Section 5 (“Termination for Cause”) or 7 (“Amendment”).

Termination for Cause.  Upon either Party’s knowledge of a material breach of this Agreement by the other party, the non-breaching party may provide the breaching party with notice of and a reasonable opportunity to cure such breach and then terminate this Agreement if the breaching party does not cure the breach within the reasonable time period specified by the non-breaching party. In the event that termination of the Agreement is not feasible, the Parties acknowledge and agree that the non-breaching party has the right to report the breach to the Secretary of HHS.

Effect of Termination. Upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created, received, maintained, or transmitted by Business Associate for or on behalf of Covered Entity. Business Associate shall retain no copies of the Protected Health Information.  Notwithstanding the foregoing, in the event that Business Associate determines that returning or destroying the Protected Health Information is not feasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction not feasible, for so long as Business Associate maintains such Protected Health Information.

6. LIMITATION OF LIABILITY

Business Associate’s liability, if any, for damages to Covered Entity for any cause whatsoever arising out of or related to this Agreement, and regardless of the form of the action, shall be limited to Covered Entity’s actual damages, in an amount no more than the maximum amount of Business Associate’s relevant insurance policy.  Business Associate shall not be liable for any indirect, incidental, punitive, exemplary, special or consequential damages of any kind whatsoever sustained as a result of a breach of this Agreement or any action, inaction, alleged tortious conduct, or delay by Covered Entity.

7. MISCELLANEOUS

Regulatory References.  A reference in this Agreement to a section in HIPAA, the HIPAA Privacy Regulations, the HIPAA Security Regulations, or the HIPAA Breach Notification Regulations means the section as currently in effect.

Amendment.  This Agreement may be modified, or any rights under it waived, only by a written document executed by the authorized representatives of both Parties.

Assignment.  Either Party may transfer or assign any or all of its rights or interests under this Agreement or delegate any of its obligations without the prior written consent of the other Party.  This Agreement shall be binding upon, and inure to the benefit of the Parties hereto and their successors and assigns, and the agreements, representations, warranties, covenants and acknowledgments contained herein shall be deemed to be made by, and be binding upon, such successors and assigns.

Survival.  The respective rights and obligations of Business Associate under Section 5 (“Effect of Termination”) and this Section 7 (“Survival”) of this Agreement shall survive the termination of this Agreement.

Interpretation. In the event of any inconsistency between the provisions of this Agreement and the Services Agreement, the provisions of this Agreement shall control.  In the event of inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Privacy Regulations, the HIPAA Security Regulations or the HIPAA Breach Notification Regulations, or their interpretation by any court or regulatory agency with authority over Business Associate or Covered Entity, such interpretation shall control; provided, however, that if any relevant provision of the HIPAA Privacy Regulations, the HIPAA Security Regulations or the HIPAA Breach Notification Regulations are amended in a manner that changes the obligations of Business Associate or Covered Entity that are embodied in terms of this Agreement, then the Parties agree to negotiate in good faith appropriate non-financial terms or amendments to this Agreement to give effect to such revised obligations.  Where provisions of this Agreement are different from those mandated in the HIPAA Privacy Regulations, the HIPAA Security Regulations, or the HIPAA Breach Notification Regulations, but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this Agreement shall control.

No Third Party Beneficiaries.  Nothing express or implied in this Agreement is intended or shall be deemed to confer upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, obligations, remedies or liabilities.

Primacy.  To the extent that any provisions of this Agreement conflict with the provisions of any other agreement or understanding between the Parties, this Agreement shall control with respect to the subject matter of this Agreement.

Independent Contractors.  No provision of this Agreement is intended to create, nor shall be deemed or construed to create, any employment, agency or joint venture relationship between Covered Entity and Business Associate other than that of independent entities contracting with each other hereunder solely for the purpose of effectuating the provisions of this Agreement.  None of the Parties nor any of their respective representatives shall be construed to be the agent, employer, or representative of the other.  The Parties have reviewed the factors to determine whether an agency relationship exists under the federal common law of agency and it is not the intention of either Covered Entity or Business Associate that Business Associate constitute an “agent” under such common law.  Business Associate shall retain sole and absolute discretion in the manner and means of carrying out its activities and responsibilities under this Agreement.

General.  This Agreement is governed by, and shall be construed in accordance with, the laws of the State that govern the Services Agreement. All notices relating to the Parties’ legal rights and remedies under this Agreement shall be provided in writing to a Party, shall be sent to its address set forth in the signature block below, or to such other address as may be designated by that Party by notice to the sending Party, and shall reference this Agreement.