
Business Associate Agreement

THIS BUSINESS ASSOCIATE AGREEMENT (this “Business Associate Agreement” or “Exhibit”) is by and between American Fidelity Assurance Company (“We”, “Business Associate” or “American Fidelity”) and the employer (“You” or “Covered Entity”) executing the Master Employer Services Agreement in which this Exhibit is referenced and incorporated (the “Master Agreement”). American Fidelity provides services to You pursuant to the Master Agreement, and in providing certain services We may have access to, create or receive Protected Health Information, as hereinafter defined, on Your behalf. Both parties want to satisfy the applicable requirements of the HIPAA Rules as more particularly set forth in this Business Associate Exhibit.

American Fidelity agrees to comply with the requirements of HIPAA (defined below) and the HITECH Act (defined below) dealing with the confidentiality, security and standardized transmission of health or health-related information, to the extent applicable based on the services provided. 

NOW THEREFORE, for and in consideration of the foregoing premises, which are incorporated into and made a part of this Business Associate Exhibit, the parties agree as follows:

1. EFFECTIVE DATE

This Business Associate Exhibit shall be effective as of the Effective Date of the Master Agreement.

2. DEFINITIONS 

Terms used, but not otherwise defined, in this Exhibit shall have the same meaning as those terms in the HIPAA Rules.

  1. “Breach” means the acquisition, access, use, or disclosure, or possibility of acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted by the Privacy Rule.
  2. “Designated Record Set” shall have the same meaning as set forth in 45 CFR § 164.501 and refers to an item, collection, or storing of information that contains protected health information that is used, in whole or in part, to make decisions about individuals, their treatment or billing for services rendered, including medical records and billing records, enrollment, payment, claims adjudication and case or medical management record systems.
  3. “Electronic Health Record” shall have the same meaning as set forth in section 13400(5) of Public Law 111-5 and any implementing regulations.
  4. “HHS” means the U.S. Department of Health and Human Services.
  5. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
  6. “HIPAA Rules” means the Privacy Rule, Security Rule and Standard Transactions Rule, collectively.
  7. “HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health Act included in the American Recovery and Reinvestment Act of 2009, Public Law 111-5.
  8. “Limited Data Set” shall have the same meaning as set forth in 45 CFR § 164.514(e)(2).
  9. “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
  10. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, but for purposes of this Exhibit shall be limited to such information created or received by American Fidelity from You or on Your behalf.
  11. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.103. In general, Required by Law means a mandate contained in law that compels a person to make a use or disclosure of Protected Health Information and that is enforceable in a court of law.
  12. “Secretary” means the Secretary of the U.S. Department of Health and Human Services or designee.
  13. “Security Incident” means the attempted or successful unauthorized access, acquisition, use, disclosure, modification, or destruction of Protected Health Information (whether electronic or non-electronic) or interference with system operations of an information system involving Protected Health Information.
  14. “Security Rule” means the Security Standards set forth at 45 CFR Parts 160 and 164.
  15. “Standard Transactions Rule” means the Standards for Electronic Transactions set forth at 45 CFR, Parts 160 and 162.
  16. “Unsecured Protected Health Information” or “Unsecured PHI” means any Protected Health Information that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act or by subsequent guidance issued pursuant to HIPAA, the HITECH Act, or related federal law.

3. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

  a. Business Associate agrees not to use or disclose Protected Health Information other than as permitted by this Exhibit.
  b. Business Associate agrees to use appropriate safeguards to prevent any use or disclosure of Protected Health Information for any purpose other than as permitted by this Exhibit.
  c. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information agrees to the same restrictions and conditions applicable, as set forth in this Exhibit, to Business Associate, with respect to Protected Health Information and agrees to implement reasonable and appropriate administrative, technical and physical safeguards to protect the confidentiality and security of Protected Health Information.
  d. Business Associate will make available to HHS its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule. By virtue of this provision, Business Associate is not waiving any legal privilege.
  e. Business Associate acknowledges that the Privacy Rule requires Covered Entity to provide individuals with a number of privacy rights, including the right to inspect and copy Protected Health Information within the possession or control of Covered Entity and its business associates, the right to amend such Protected Health Information, and the right to obtain an accounting of disclosures of Protected Health Information to third parties for certain purposes. To assist Covered Entity in complying with these requirements, Business Associate agrees to the following:
    1. Within ten (10) days of a request by Covered Entity, Business Associate shall, as directed by Covered Entity, either (a) provide a copy of such Protected Health Information as is specified by Covered Entity to Covered Entity or to an individual specified by Covered Entity or (b) make such Protected Health Information available for inspection and copying by an individual specified by Covered Entity. To the extent that Business Associate uses or maintains an Electronic Health Record with respect to Protected Health Information, Business Associate shall comply with the requirement of this Section to provide a copy of Protected Health Information upon request by providing an electronic copy of such information to Covered Entity, the individual or a third party designated by the individual, as directed by Covered Entity.  Business Associate shall maintain a record of any access to Protected Health Information provided under this Section in such form as may be specified by Covered Entity and shall provide a copy of such record to Covered Entity promptly upon request.  If any individual requests access to Protected Health Information directly from Business Associate, Business Associate shall notify the individual that the request will be forwarded to Covered Entity and shall promptly forward such request to Covered Entity.
    2. Within a reasonable time after a request by Covered Entity, Business Associate agrees to amend or correct Protected Health Information as directed by Covered Entity.
    3. Business Associate agrees to record each disclosure made to a third party of Protected Health Information as would be required by Covered Entity to respond to a request by an individual for an accounting of disclosures of Protected Health Information as required by law, with the exception of disclosures made for any of the following purposes:
      1. treatment, payment, or Covered Entity’s health care operations;
      2. in response to a request from the individual who is the subject of the disclosed Protected Health Information or that individual’s personal representative;
      3. to persons involved in that individual’s health care or payment for health care;
      4. for national security or intelligence purposes;
      5. to law enforcement officials or correctional institutions regarding inmates; or
      6. that are part of a Limited Data Set.

At a minimum, Business Associate shall track the following information regarding each disclosure:

      1. Date of the disclosure;
      2. Name of the third party to whom Protected Health Information was disclosed and if known, the address of the third party;
      3. A brief description of the disclosed information; and
      4. A brief description of the purpose and basis for disclosure.

Business Associate shall maintain a record of such information for no less than six (6) years from the date of disclosure and shall provide such information to Covered Entity within thirty (30) days of a request by Covered Entity or, if directed to do so by Covered Entity, shall respond to requests for an accounting of disclosures on behalf of Covered Entity in a manner and timeframe that will allow Covered Entity to comply with the Privacy Rule. 

It is not anticipated that Business Associate will use or maintain Electronic Health Records on behalf of Covered Entity.  However, to the extent that Business Associate does use or maintain any Electronic Health Records on behalf of Covered Entity, Business Associate shall maintain such records of its disclosures of Protected Health Information to third parties with respect to such Electronic Health Records as necessary for Covered Entity to comply with applicable law.  Business Associate shall provide such records of disclosure to Covered Entity upon request or, if directed to do so by Covered Entity, shall respond to requests for an accounting of disclosures on behalf of Covered Entity in a manner and timeframe that will allow Covered Entity to comply with applicable law.

f. Business Associate agrees to implement administrative, physical and technical safeguards and security policies and procedures and documentation standards to protect the confidentiality, integrity and availability of Protected Health Information in compliance with HIPAA, HITECH, and related federal laws in the same manner as such requirements apply to Covered Entity.

g. Business Associate agrees to report any Security Incident to Covered Entity. Business Associate shall make such report promptly in writing but in no case more than thirty (30) business days after Business Associate learns of a Security Incident.  Such report shall include the following:

    1. A description of what happened, including the date of the Security Incident and the date of discovery of the Security Incident;
    2. A description of the types of Protected Health Information that were involved in the Security Incident (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved) and whether any such information was Unsecured Protected Health Information;
    3. Identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, disclosed, modified or destroyed during such Security Incident;
    4. Business Associate’s assessment of whether the Security Incident constitutes a Breach, including Business Associate’s reasons for concluding that the Security Incident is, or is not, a Breach. This assessment should address, at minimum, information as to the likelihood of reidentification of the information, the person(s) who acquired the information, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated;
    5. Such other information as Covered Entity may request.

h. Business Associate agrees to cooperate reasonably with Covered Entity in investigating any Security Incident and implementing such measures to mitigate any harmful or potentially harmful effects of such Security Incident, as deemed appropriate by Covered Entity in its sole and absolute discretion, including, but not limited to, notifying affected individuals, appropriate authorities and media of the Security Incident, regardless of whether the Security Incident constitutes a Breach and regardless of whether notification is Required by Law, and providing affected individuals with services to protect themselves against identity theft.

i. Until such time as the Secretary issues guidance on what constitutes “minimum necessary” for purposes of the Privacy Rule and such guidance becomes effective, Business Associate agrees to limit the use, disclosure or request for Protected Health Information, to the extent practicable, to the Limited Data Set or, if needed by Business Associate, to the minimum necessary to accomplish the intended purpose of such use, disclosure or request in accordance with 45 CFR § 164.502(b). On and after the effective date of guidance first issued by the Secretary on what constitutes “minimum necessary,” Business Associate shall limit the use, disclosure or request for Protected Health Information to the minimum necessary in accordance with such guidance.  In the case of the disclosure of Protected Health Information by Business Associate, Business Associate shall determine what constitutes the minimum necessary to accomplish the intended purpose of such disclosure, consistent with performance of the services for which Business Associate has been retained by Covered Entity and any directives or guidelines Covered Entity may specify.

j. Business Associate agrees that it shall not directly or indirectly receive remuneration in exchange for any Protected Health Information; provided, however, that this provision shall not prohibit Business Associate from (a) accepting remuneration from Covered Entity in consideration for the services performed by Business Associate for Covered Entity or (b) charging individuals a reasonable, cost-based fee approved by Covered Entity for providing a copy of Protected Health Information pursuant to Section 3(e)(1) of this Exhibit.

k. If and to the extent that Business Associate conducts any transaction subject to the Standard Transactions Rule for or on behalf of Covered Entity, Business Associate shall comply, and shall require any agent or subcontractor conducting such transaction to comply, with each applicable requirement of the Standard Transactions Rule in the same manner as such requirement applies to Covered Entity. Business Associate shall not enter into, or permit its agents or subcontractors to enter into, any agreement in connection with the conduct of any transaction for or on behalf of Covered Entity that:

    1. changes any definition, data condition, or use of a data element or segment as described in the Standard Transactions Rule;
    2. adds any data elements or segments to the maximum defined data set as described in the Standard Transactions Rule;
    3. uses any code or data elements that are either marked “not used” in the Standard Transactions Rule’s implementation specifications or are not in the Standard Transaction Rule’s implementation specifications; and
    4. changes the meaning or intent of any of the Standard Transactions Rule’s implementation specifications.

l. To the extent required by law, Business Associate shall defend, indemnify and hold harmless Covered Entity from and against any penalties, attorneys’ fees, costs, expenses, losses, claims, damages or liabilities (or actions in respect thereof) to which Covered Entity may become subject insofar as such penalties, attorneys’ fees, costs, expenses, losses, claims, damages or liabilities (or actions in respect thereof) arise out of or are based upon any Security Incident, breach of this Exhibit or any unauthorized use or disclosure of Protected Health Information by Business Associate and/or agents or subcontractors acting or accessing PHI on behalf of Business Associate.

4. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

  1. Except as otherwise limited in this Exhibit, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as necessary to perform any written agreement for services between Covered Entity and Business Associate, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
  2. Except as otherwise limited in this Exhibit, Business Associate may use or disclose Protected Health Information to the extent necessary for Business Associate’s proper management and administration, or to carry out Business Associate’s legal responsibilities if:
    1. The disclosure is Required by Law; or
    2. Business Associate obtains reasonable assurances, evidenced by written contract, from any person or organization to which Business Associate shall disclose such Protected Health Information that such person or organization shall:
      1. hold such Protected Health Information in confidence and use or further disclose it only for the purpose for which Business Associate disclosed it to the person or organization or as Required by Law; and
      2. notify Business Associate, who shall in turn promptly notify Covered Entity, of any instance of which the person or organization becomes aware in which the confidentiality of such Protected Health Information was breached.
  3. Except as otherwise limited in this Exhibit, Business Associate may use Protected Health Information to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).

5. OBLIGATIONS OF COVERED ENTITY

  1. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
  2. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity’s notice of privacy practices in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.
  3. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an individual to use or disclose Protected Health Information to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
  4. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information requested by an individual to which Covered Entity has agreed in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.

6. TERM AND TERMINATION

  a. Term. This Exhibit shall be effective when Business Associate first receives Protected Health Information from or on behalf of Covered Entity, and will terminate when all such Protected Health Information, or Protected Health Information created by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity or, if it is not feasible or permitted by law to return or destroy Protected Health Information, protections are extended to such information in accordance with the termination provisions in this Section.
  b. Termination for Cause. Upon Covered Entity’s knowledge of a material breach of this Exhibit by Business Associate, Covered Entity shall either:
    1. Provide an opportunity for Business Associate to cure the breach and terminate this Exhibit and any Exhibit for Services under the Master Agreement between the parties if Business Associate does not cure the breach within such reasonable time period specified by Covered Entity (not less than thirty (30) days) after Covered Entity notifies Business Associate in writing of the breach; or
    2. Immediately terminate this Exhibit and any Exhibit for Services under the Master Agreement between the parties if Business Associate has breached a material term of this Exhibit and cure is not possible; or
    3. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.

Covered Entity’s remedies under this Section shall be cumulative and the exercise of any remedy shall not preclude the exercise of any other. Before exercising any of these options, Covered Entity shall provide reasonable written notice to Business Associate describing the violation and the action it intends to take. 

  c. Effect of Termination.

    1. Except as provided in paragraph 2 herein below, upon termination of this Exhibit for any reason, upon direction of Covered Entity, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall also apply to Protected Health Information that is in the possession of agents or subcontractors of Business Associate.  Business Associate shall retain no copies of Protected Health Information, unless Required by Law or as agreed between the parties.
    2. In the event Business Associate reasonably determines that returning or destroying Protected Health Information is not feasible, Business Associate will provide to Covered Entity notification of the conditions that make return or destruction not feasible and will extend the protections of this Exhibit to such Protected Health Information and limit further uses and disclosures of such Protected Health Information for so long as Business Associate maintains such Protected Health Information.

7. MISCELLANEOUS

  1. Regulatory References. All references to the HIPAA Rules codified in 45 CFR shall mean the referenced sections as in effect now or as amended by the HITECH Act and as may be further amended by law or regulation.
  2. Amendment. The Parties agree to take such action as is necessary to amend this Exhibit from time to time as is necessary for Covered Entity to comply with the requirements of HIPAA, the HIPAA Rules, and any other related, applicable federal law.
  3. HITECH Act Compliance. The parties acknowledge that the HITECH Act includes several provisions impacting the health care industry, including significant changes to the HIPAA Rules. The Privacy Subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under the HIPAA Rules, and many of these changes will be clarified in forthcoming regulations. Each party agrees to comply with the applicable provisions of the HITECH Act and any implementing regulations issued thereunder and agrees to take such action to modify this Exhibit as reasonably necessary to comply with the HITECH Act and its implementing regulations, guidance, and interpretations as they become effective.
  4. Ownership of Information. As between Covered Entity and Business Associate, Covered Entity shall retain all right, title and interest in and to all Protected Health Information as it is provided by Covered Entity to Business Associate. Subject to the terms and conditions of this Exhibit, Covered Entity grants Business Associate a limited and non-exclusive license to use Protected Health Information as necessary or allowed in the underlying agreement between the parties.
  5. Business Associate’s compliance with this Exhibit, including without limitation, providing access to Protected Health Information; accounting for disclosures of Protected Health Information; correction or amendment of Protected Health Information; cooperation with the implementation of mitigating measures deemed appropriate by Covered Entity following a Security Incident; the return or destruction of Protected Health Information; and cooperation with any examination of the use, disclosure or maintenance of Protected Health Information by Business Associate, shall be at Business Associate’s sole expense.
  6. Severability. To the greatest extent possible, each provision under this Exhibit shall be interpreted in such a manner as to be valid under applicable law, but if any provision of this Exhibit is found to be invalid, such provision shall be deemed omitted, and the balance hereof shall remain enforceable.
  7. Survival. The rights and obligations of the parties under Section 3(l) and Section 6(c) (“Effect of Termination”) of this Exhibit shall survive the termination of this Exhibit.
  8. Interpretation. Any ambiguity in this Exhibit shall be resolved to permit Covered Entity to comply with HIPAA, the HIPAA Rules, the HITECH Act and any other applicable law.
  9. No Third Party Beneficiaries. Nothing express or implied in this Exhibit is intended to confer, nor shall anything confer, upon any person other than the Covered Entity and Business Associate, and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
  10. No Agency Relationship. Nothing express or implied in this Exhibit is intended to establish, nor shall anything establish, an agency relationship between the Covered Entity and Business Associate, and their respective successors or assigns.
  11. No Waiver. No change, waiver or discharge of obligations arising under this Exhibit shall be valid unless executed in writing by the party against whom such change, waiver or discharge is sought to be enforced.