Business Associate Agreement
This BUSINESS ASSOCIATE AGREEMENT (the “Agreement”) is incorporated by reference into the Client Services Order Form (the “Order Form”) effective as of the date of the Order Form (the “Effective Date”) by and between Client identified in the Order Form (the “Company”), on behalf of its group health plan (the “Plan”), and Sequoia Benefits and Insurance Services, LLC d/b/a Sequoia Consulting Group (“Business Associate”). Each of Company and Business Associate is referred to herein individually as a “Party” and collectively as the “Parties”. This Agreement supersedes and replaces any prior Business Associate Agreements and related amendments thereto between the Parties.
WHEREAS, Company maintains the Plan that provides certain group health plan benefits to certain of Company’s employees, former employees, and their eligible dependents, if any;
WHEREAS, Business Associate performs or will perform certain services for the Plan;
WHEREAS, in the course of performing services for the Plan, Business Associate may have access to, create, maintain, and/or otherwise use and/or disclose Protected Health Information (as defined below); and
WHEREAS, the Parties desire to set forth their respective obligations with respect to Protected Health Information (as defined below) pursuant to the Health Insurance Portability and Accountability Act of 1996, as it may be amended from time to time, and the regulations promulgated at 45 C.F.R. Parts 160-164 (collectively, “HIPAA”), to the extent applicable to any services Business Associate performs for the Plan;
NOW THEREFORE, Company and Business Associate agree as follows:
The following terms have the following meaning when used in this Agreement:
- Breach means that term as defined in 45 C.F.R. § 164.402.
- Designated Record Set means that term as defined in 45 C.F.R. § 164.501.
- Electronic Protected Health Information means Protected Health Information that is transmitted or maintained in electronic media, including, but not limited to, hard drives, disks, on the internet, or on an intranet.
- HHS means the Department of Health and Human Services.
- Individual means that term as defined in 45 C.F.R. § 160.103, and includes a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
- Privacy Rule means the privacy requirements in HIPAA, as set forth in 45 C.F.R. Part 160, and Subparts A and E of 45 C.F.R. Part 164.
- Protected Health Information means that term as defined in 45 C.F.R. § 160.103, except limited to the information created, received or maintained by Business Associate from or on behalf of the Plan.
- Required by Law means that term as defined in 45 C.F.R. § 164.103.
- Secretary means the Secretary of the Department of Health and Human Services or his/her designee.
- Security Incident means that term as defined in 45 C.F.R. § 164.304.
- Security Rule means the security requirements set forth in HIPAA, as set forth in 45 C.F.R. Part 160, and Subparts A and C of 45 C.F.R. Part 164.
- Subcontractor means that term as defined in 45 C.F.R. § 160.103, except limited to any such person or entity that receives, maintains, creates or transmits Protected Health Information for Business Associate.
- Transaction means that term as defined in 45 C.F.R. § 160.103.
- Unsecured Protected Health Information means that term as defined in 45 C.F.R. § 164.402.
Any capitalized term not specifically defined herein will have the same meaning as set forth in 45 C.F.R. Parts 160 and 164, where applicable. The terms “use,” “disclose” and “discovery,” or derivations thereof, although not capitalized, shall also have the meanings set forth in HIPAA.
2. Obligations and Activities of Business Associate
To the extent applicable to any services Business Associate performs for the Plan, Business Associate will:
(a) Not use or disclose Protected Health Information other than as permitted or required by this Agreement or as Required by Law.
(b) Document and use appropriate administrative, technical and physical safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic Protected Health Information, to prevent use or disclosure of Protected Health Information other than as provided for by this Agreement or in a services agreement entered into between the Parties.
(c) With respect to any use or disclosure of Unsecured Protected Health Information not permitted by the Privacy Rule that is caused solely by Business Associate’s failure to comply with one or more of its obligations under this Agreement, the Plan hereby delegates to Business Associate the responsibility for determining when any such incident is a Breach. In the event of a Breach, Business Associate will notify Company in writing of: (i) any use or unauthorized disclosure of Protected Health Information by Business Associate or any Subcontractor that is contrary to this Agreement including, without limitation, any Breach of Unsecured Protected Health Information; or (ii) any Security Incident; provided, however, that notice of routine unsuccessful unauthorized attempts to access Business Associate’s system shall be made only upon the specific request of Company and no more frequently than on an annual basis. If there is a Breach of Unsecured Protected Health Information, Business Associate will:
    (i) Notify Company in writing of the Breach without unreasonable delay, and in no event more than sixty (60) days after discovery of the Breach, and provide (A) a list of all Individuals affected by the Breach, and (B) any other available information that the Plan is required to include in notifications to such Individuals pursuant to 45 C.F.R. § 164.404(c). In the event any such information is not available when Company is notified of the Breach, Business Associate will provide such information to Company as soon as it becomes available; and
    (ii) Cooperate with Company to notify: (A) Individuals whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed without authorization; (B) the media, as required by 45 C.F.R. § 164.406; and (C) the Secretary as required by 45 C.F.R. § 164.408(b) if the legal requirements for media or HHS notification are triggered by the circumstances of such Breach, provided that Business Associate will not initiate any such notifications without Company’s express written approval.
(d) Establish procedures for mitigating, and follow those procedures and so mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate or by any Subcontractor that is contrary to this Agreement.
(e) Ensure that any Subcontractor that creates, receives, maintains or transmits Protected Health Information on behalf of Business Associate enters into a written agreement whereby the Subcontractor agrees to the same restrictions, conditions and requirements that apply to Business Associate with respect to such information, in accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2).
(f) Provide, as soon as practicable and in the manner reasonably requested by the Plan, access to Protected Health Information in a Designated Record Set, to the Plan or, as directed by the Plan, to an Individual, in order for the Plan to fulfill its obligations under 45 C.F.R. § 164.524 to provide access and copies of Protected Health Information to an Individual.
(g) Make, as soon as practicable, any amendment(s) to Protected Health Information in a Designated Record Set as directed or agreed by the Plan pursuant to 45 C.F.R. § 164.526, or take other measures to satisfy the Plan’s obligations pursuant to 45 C.F.R. § 164.526.
(h) Maintain and make available to the Plan or, as directed by the Plan, to an Individual, as soon as practicable, the information required for the Plan to satisfy its obligations pursuant to 45 C.F.R. § 164.528 to respond to a request for an accounting of disclosures of Protected Health Information.
(i) Notify the Plan as soon as practicable upon receiving, directly from an Individual, a request for (i) access to Protected Health Information pursuant to 45 C.F.R. § 164.524; (ii) amendment to Protected Health Information pursuant to 45 C.F.R. § 164.526; or (iii) an accounting of disclosures of Protected Health Information pursuant to 45 C.F.R. § 164.528.
(j) Comply with the requirements of Subpart E of 45 C.F.R. Part 164 that are applicable to the Plan, if Business Associate is to carry out one or more of the Plan’s obligations under Subpart E.
(k) In the event Business Associate transmits or receives a Transaction on behalf of the Plan, Business Associate will comply with all applicable provisions of the HIPAA standards for electronic transactions and code sets (the “EDI Standards”). Business Associate will also ensure that any Subcontractor that transmits or receives a Transaction on its behalf does so in accordance with the EDI Standards.
(l) Make its internal practices, books, and records available to the Secretary or the Plan for purposes of a review and assessment of Business Associate’s or the Plan’s compliance with HIPAA; and notify Company as soon as practicable upon receiving a request for any such materials directly from HHS.
(m) Not engage in the Sale of Protected Health Information or otherwise receive direct or indirect remuneration in exchange for the Protected Health Information of an Individual, unless Business Associate or the Plan has obtained a valid authorization from the Individual, consistent with the requirements under 45 C.F.R. § 164.508.
3. Permitted Uses and Disclosures by Business Associate
(a) Business Associate may only use or disclose Protected Health Information as necessary to perform functions, activities, or services for, or on behalf of, the Plan, provided that such use or disclosure would not violate the Privacy Rule if done by the Plan or the minimum necessary policies and procedures of the Plan, or as otherwise expressly provided in this Section 3.
(b) Business Associate may use Protected Health Information to de-identify the Protected Health Information in accordance with 45 C.F.R. § 164.514(a) – (c); provided, however, that Business Associate may use the de-identified information only if and to the extent expressly permitted in this Section 3.
(c) Business Associate may use or disclose Protected Health Information as Required by Law.
(d) Any use or disclosure of Protected Health Information by Business Associate will be in compliance with the minimum necessary policies and procedures of the Plan, and with the minimum necessary requirements of HIPAA.
(e) Business Associate may not use or disclose Protected Health Information in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Plan, except that Business Associate may do the following:
    (i) Use Protected Health Information for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate.
    (ii) Disclose Protected Health Information for the proper management and administration of Business Associate, or to carry out the legal responsibilities of Business Associate, provided that the disclosures are Required by Law, or Business Associate obtains reasonable written assurances from the person or entity receiving the information (each a “Recipient”) that the information will remain confidential, and be used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the Recipient; and the Recipient notifies the Business Associate of any instances of which the Recipient is aware in which the confidentiality of the information has been breached.
    (iii) Use Protected Health Information to provide data aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B) that relate to the Health Care Operations of the Plan.
(f) Business Associate may use Protected Health Information to report violations of law to the appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).
4. Obligations of the Plan
The Plan will:
(a) Notify Business Associate of any limitations in the Plan’s Notice of Privacy Practices under 45 C.F.R. § 164.520, to the extent any such limitation may affect Business Associate’s use or disclosure of Protected Health Information.
(b) Notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
(c) Notify Business Associate of any restriction on the use or disclosure of Protected Health Information that the Plan has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information. In the event that the Plan takes action as described in Section 4(a), Section 4(b), or this Section 4(c), Business Associate will decide which restrictions or limitations it will administer. In addition, if those limitations or restrictions materially increase Business Associate’s cost of providing services under a services agreement entered into between the Parties, including this Agreement, the Plan will reimburse Business Associate for such increase in cost.
(d) Not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 C.F.R. Part 164 if done by the Plan, except for uses and disclosures of Protected Health Information by Business Associate in accordance with Section 3(e) above.
5. Term and Termination
(a) The term of this Agreement begins on the Effective Date and ends on the date that any services agreement between the parties terminates, or if earlier, the date that Company terminates this Agreement for cause pursuant to Section 5(b) below.
(b) Company may terminate this Agreement for cause effective as of any date designated by the Company in a notice to Business Associate upon a determination by Company that Business Associate has breached a material term of this Agreement. Company may, in its discretion, allow Business Associate a specified period of time to cure the breach, and upon a cure satisfactory to Company, elect not to terminate the Agreement on account of the breach.
(c) Upon termination of this Agreement for any reason, Business Associate will (and will ensure that its Subcontractors that have had access to Protected Health Information will):
    (i) Retain only the Protected Health Information that is necessary for Business Associate or a Subcontractor to continue its proper management and administration or to carry out its legal responsibilities;
    (ii) Return to the Plan or to the Plan’s designee, or upon the Plan’s prior written agreement, destroy (and certify in writing to the Plan that it has destroyed) any remaining Protected Health Information that Business Associate or any of its Subcontractors maintain in any form;
    (iii) Continue to use appropriate administrative, technical and physical safeguards, and to comply with Subpart C of 45 C.F.R. Part 164, with respect to any Electronic Protected Health Information so as to prevent use or disclosure of the Electronic Protected Health Information other than as specified in this Section 5(c) for as long as Business Associate or any Subcontractor retains the Electronic Protected Health Information;
    (iv) Not use or disclose the Protected Health Information retained by Business Associate or by any Subcontractor other than for the purposes for which such Protected Health Information was retained, and subject to all the conditions and limitations set forth in Sections 2 and 3 above that applied prior to termination of the Agreement;
    (v) Return to the Plan or, upon the Plan’s prior written agreement, destroy (and certify in writing to the Plan that it has destroyed) the Protected Health Information retained by Business Associate or by any Subcontractor as of the date such Protected Health Information is not needed by Business Associate or the Subcontractor for its proper management and administration or to carry out its legal responsibilities.
(a) Regulatory References. A reference in this Agreement to a section in the Privacy Rule, the Security Rule, or to any other regulation promulgated under HIPAA means the section as in effect or as amended.
(b) Survival. Sections 2, 3, 5(c) and 6 of this Agreement shall survive the termination of this Agreement.
(c) Interpretation. Any ambiguity in this Agreement will be resolved to permit the Plan to comply with the Privacy Rule, Security Rule and other provisions of HIPAA.
(d) Effect. This Agreement shall be binding upon, and shall inure to the benefit of, Company, the Plan and Business Associate, and their respective successors, assigns, administrators and other legal representatives.
(e) No Third Party Beneficiary. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Company, the Plan and Business Associate, and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
(f) Independent Contractors. Nothing contained herein shall be deemed or construed by the Parties or by any third party to create a relationship of employer and employee, principal and agent, or joint venture of the Parties, it being understood and agreed that Business Associate provides services to Company and the Plan hereunder as an independent contractor; Business Associate retains full and complete control over its performance under this Agreement; and Company and the Plan have no authority to direct or control Business Associate’s conduct or activities in connection with this Agreement.
(g) Governing Law. The construction, interpretation and performance of this Agreement and all transactions under this Agreement shall be governed and enforced pursuant to the laws of the State of California except as such laws are preempted by any provision of federal law, including by ERISA or HIPAA. The parties will attempt in good faith promptly by negotiations to resolve any dispute or controversy arising out of or relating to the Agreement. In the event the parties are unable to settle such controversy amicably through negotiations, the dispute will be submitted to binding arbitration before the American Arbitration Association before a single arbitrator in accordance with the Rules of the American Arbitration Association provided that: (i) the prevailing party, as determined by the arbitrator, shall be entitled to an award from the losing party for the prevailing party’s attorney’s fees and costs; (ii) discovery may be conducted pursuant to California Code of Civil Procedure Paragraph 1283.05; (iii) the arbitrator’s judgment will be final and binding upon the parties, except that it may be challenged on the grounds of fraud or gross misconduct; and (iv) the arbitration will be held in San Mateo County, California. Judgment upon any decision in arbitration may be entered in any court of competent jurisdiction.
(h) Severability. In the event any provision of this Agreement is rendered invalid or unenforceable under any new or existing law or regulation, or declared null and void by any court of competent jurisdiction, the remaining provisions of this Agreement shall remain in full force and effect if they reasonably can be given effect.
(i) Notices. All notices to be given pursuant to the terms of this Agreement shall be in writing and shall be deemed given five (5) business days after being sent by certified mail, return receipt requested, postage prepaid or one (1) business day after being sent by reputable overnight mail delivery or by email to the other Party, at the address or email address set forth in the underlying agreement between the Parties or at such other address or email address as a Party may designate from time to time.
If to the Company, notice may be sent to the address or e-mail address Sequoia has on record.
If to the Business Associate, notice shall be sent to:
Attn: Legal Department
Sequoia Benefits and Insurance Services, LLC
1850 Gateway Drive, Suite 700
San Mateo, CA 94104
(j) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Plan to comply with the requirements of HIPAA.
(k) Counterparts. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies thereof shall be deemed to be originals.