Hogrefe Business Associate Agreement for HTS Customers

NOTE: Terms of the Business Associate Agreement have been communicated within the Terms and Conditions accepted and agreed to by Customer as part of account registration and setup for the Hogrefe Testsystem made available at www.hogrefe.com (“HTS”). There are references in the Business Associate Agreement to the comprehensive Terms and Conditions for HTS, which collectively apply to Customer’s use of HTS to the extent that HIPAA governs Customer’s use of HTS.

Hogrefe Publishing Corporation (“Hogrefe”), duly registered as a Massachusetts corporation authorized to do business therein (hereinafter “Business Associate”), and HTS Customer (hereinafter “Customer”), of various addresses throughout the United States (collectively, the “Parties” and each, a “Party”), expressly agree as follows:

Whereas, Business Associate provides an online computer assessment platform, with web-based access, hereafter called HTS, for use by Customer. Such Customer may enter client data onto HTS and such client data may contain individually identifiable protected health information (hereinafter “Client PHI”) as defined by § 164.501 of the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 through 164, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009, Public Law 111-005 (“the HITECH Act”), and other applicable laws and regulations.

Whereas, Customer, in order to meet its obligations to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the privacy and security regulations promulgated under Title II, Subtitle F, §§ 261-264 of HIPAA, the administrative regulations issued by the Department of Health and Human Services (“DHHS”) as found in 45 C.F.R. Parts 160 through 164 (hereinafter HIPAA or DHHS regulations), and the HITECH Act, as such laws and regulations may be amended from time to time, seeks reasonable assurances from Business Associate that Business Associate will comply with the portions of those laws and regulations made applicable to business associates by the HITECH Act.

Whereas, Customer and Business Associate will accomplish the need for Customer to have access to online assessments available within HTS as called for by this Agreement by electronically transmitting and receiving data in agreed formats and to assure that such transactions comply with relevant laws and regulations.

NOW, THEREFORE, the Parties agree as follows:

1. Definitions

  1. Breach shall have the meaning specified in § 17921 of the HITECH Act.
  2. Business Associate shall have the meaning specified in the Privacy Rule, the Security Rule, and § 27938 of the HITECH Act, particularly 45 C.F.R. § 160.103.
  3. Covered Entity shall have the meaning specified in 45 C.F.R. § 160.103.
  4. Designated Record Set shall have the meaning specified in 45 C.F.R. § 160.103.
  5. Electronic Health Record shall have the meaning specified in § 17921 of the HITECH Act.
  6. Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, subparts A and E.
  7. Protected Health Information (“PHI”) shall have the meaning specified in 45 C.F.R. § 164.501.
  8. Required by law shall have the meaning specified in 45 C.F.R. § 164.501.
  9. Secretary shall mean the Secretary of the Department of Health and Human Services and those employees or agents designated to act on the Secretary’s behalf.
  10. Security or Security Measures means the administrative, physical, and technical safeguards and documentation requirements specified in the Security Rule.
  11. Security Rule shall mean the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Parts 160 and 164, subparts A and E.
  12. Unsecured PHI shall have the meaning specified in § 17932 of the HITECH Act and any regulations issued thereunder by the Department of Health and Human Services (“DHHS”).

 

2. Obligations of the Business Associate

  1. If and to the extent that and so long as required by the HIPAA provisions of 42 U.S.C. §§ 1171 et seq. and regulations promulgated thereunder, and any additional security requirements contained in Subtitle D of Title IV of the HITECH Act that apply to Customer but not otherwise, Business Associate does hereby assure Customer that Business Associate will implement appropriate safeguards, including, but not limited to, the administrative, physical, and technical safeguards and documentation requirements of the Security Rule to protect the confidentiality, integrity, and availability of any electronic Client PHI that it may indirectly receive, maintain, or transmit on behalf of the Customer and will appropriately safeguard all Customer Client PHI regardless of form or format.
  2. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Customer Client PHI by Business Associate in violation of the requirements of this Agreement.
  3. Business Associate agrees to report to Customer any use or disclosure of the Customer Client PHI not provided for by this Agreement or any security incident of which it becomes aware involving Client PHI of the Customer.
  4. Business Associate shall ensure that any subcontractors or agents to whom Business Associate provides Client PHI received from Customer agree to the same restrictions and conditions that apply to Business Associate with respect to such information.
  5. Business Associate shall make available Client PHI in accordance with applicable law.
  6. Business Associate shall provide to individuals who are the subject of Client PHI received from Customer their rights as made applicable to business associates of covered entities.
  7. Business Associate shall maintain records pursuant to this Agreement and shall provide such records and other necessary information to the Customer or to the Secretary of HHS as may be requested or required in writing and as permitted by law. Business Associate agrees that all records kept in connection with this Agreement are subject to review and audit by the Customer upon reasonable notice and written request by the Customer.
  8. Upon termination of this Agreement in writing by Customer to Business Associate by either Party for any reason, Business Associate shall destroy all Client PHI received from Customer that Business Associate still maintains in any form and all copies thereof, shall retain no copies or files of such information, and shall remain obligated not to use, disclose, or provide such information to third Parties. Additionally, after 36 months of inactivity on the Customer HTS account, Business Associate will delete all Customer and Client PHI, and will make a presumptive determination that the Customer has ceased use of HTS.
  9. Business Associate shall incorporate any amendments or corrections to Client PHI when notified by Customer pursuant to applicable law, in the event that Customer cannot access such Client PHI.

3. Permitted Uses and Disclosures

  1. In the event that Business Associate inadvertently obtains Client PHI, Business Associate may use or disclose such Client PHI only if such use or disclosure is in compliance with each applicable requirement of 45 C.F.R. § 164.504(e) as follows:
    a) Except as otherwise limited in this Agreement, Business Associate may use or disclose Client PHI to perform functions, activities, or services for, or on behalf of, Customer, provided that such use or disclosure would not violate the Privacy and Security Rules if done by Customer, and only if such use is disclosed on HTS to both Customer and Customer clients.
    b) Except as otherwise restricted by this Agreement, Business Associate may use Client PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. If Business Associate uses such information for the purposes set forth above, it will do so only if the disclosure is required by law or if Business Associate obtains reasonable assurances from the person(s) to whom the information is disclosed that the information disclosed will be held confidential and will be used or further disclosed only as required by law or for the purpose for which Business Associate disclosed it to the person(s). Business Associate shall also ensure that the person(s) to whom Business Associate so discloses information notifies Customer of any instances of breach of confidentiality that such person is aware of.
  2. Upon termination in writing of this Agreement for any reason, Business Associate shall return or destroy all Client PHI received from Customer or created or received by Business Associate on behalf of Customer, including Client PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate may retain no copies of the Client PHI. In the event that Business Associate determines that returning or destroying the Client PHI is not feasible, Business Associate shall provide Customer notification that return or destruction of the Client PHI is not feasible. Upon mutual agreement of the Parties that return or destruction is not feasible, Business Associate shall extend the protections of this Agreement and limit further uses and disclosures of such Client PHI to those purposes that make the return or destruction not feasible for so long as the Business Associate maintains the Client PHI. Additionally, after 36 months of inactivity on the Customer HTS account, Business Associate will delete all Customer and Client PHI.

 

4. Application of Civil and Criminal Penalties

  1. If Business Associate violates any security provision specified above or §§ 1176 and 1177 of the Social Security Act, 42 U.S.C. §§ 1320d-5 and 1320d-6 shall apply to Business Associate with respect to such violation in the same manner that such sections apply to Customer if it violates such security provisions.
  2. Business Associate shall be subject to audit of its security measures by the Office of the Inspector General (“OIG”) of DHHS.

5. Information Breach Notification Requirements

  1. Business Associate recognizes that Customer has certain reporting and disclosure obligations to the Secretary of HHS and others, including the individual, in case of a security breach of unsecured Client PHI. In cases in which Business Associate accesses, maintains, retains, modifies, records, stores, destroys, uses, or discloses Client PHI, Business Associate without unreasonable delay and in no case later than 60 days following discovery of a breach of such information shall notify Customer of any such breach. Such notice shall include the identification of any individual whose unsecured Client PHI has been or is reasonably believed to have been accessed, acquired, or disclosed during the breach.
  2. Business Associate shall be liable for the costs associated with such breach if caused by Business Associate’s negligent or willful acts or omissions or the negligent or willful acts or omissions of Business Associate’s agents, officers, employees, or subcontractors.

6. Miscellaneous

  1. Third-party Service Providers. The Parties may transmit documents electronically to each Party, either directly or through any third-party service provider with which either Party may contract. Either Party may modify its election to use, not use, or change a third-party service provider upon 30 days’ prior written notice to the other Party.
  2. Costs of Third-party Service Providers. Each Party shall be responsible for the costs of any third-party service provider with which it contracts unless otherwise set forth via written (emailed, faxed, or letter) communication between the Parties.
  3. Liability for Acts of Third-party Service Providers. Each Party shall be liable for the acts or omissions of its third-party service providers while transmitting, receiving, storing, or handling documents or performing related activities for, with, to, or from such Party, provided that, if both Parties use the same third-party service provider to effect the transmission and receipt of a document, the originating Party shall be liable for the acts or omissions of such third-party service provider as to such Document.
  4. System Operations. Each Party, at its own expense, shall provide and maintain the equipment, software, services, and testing necessary to effectively, reliably, and confidentially transmit and receive documents.
  5. Signatures. Each Party shall adopt as its signature (“Signature”) an electronic identification consisting of symbol(s) or code(s) that are to be affixed to or contained in each Document transmitted by such Party. Each Party agrees that any Signature of such Party affixed to or contained in any transmitted Document shall be sufficient to verify that such Party originated such document. Neither Party shall disclose to any unauthorized person the Signature of the other Party. Such Signature may be represented by the combination of the email address and password of the Customer.
  6. Proper Receipt. Documents shall not be deemed to have been properly received, and no document shall give rise to any obligation, until accessible to the receiving Party at such Party’s email address as utilized for HTS registration.
  7. Verification. Upon proper receipt of any document, the receiving Party shall promptly and properly transmit a functional acknowledgment in return. A functional acknowledgment shall constitute conclusive evidence that the receiving Party has properly received a document.
  8. Integrity. The Parties will take reasonable measures to protect the integrity of all documents and data. Neither Party will insert any virus, key locks, or other programs into the system, regardless of whether or not a dispute exists between the Parties. The receiving Party will return the information in usable form upon request or at the end of the contract.
  9. Business Associate may amend this Agreement from time to time to the extent required by the provisions of 42 U.S.C. §§ 1171 et seq., HIPAA, the HITECH Act, and regulations promulgated thereunder to ensure that this Agreement is consistent therewith.

7. Term of Contract

  1. The term of the Agreement shall be effective as of the effective date when such terms are electronically accepted by the Customer and shall terminate when all Client PHI provided by Customer to Business Associate or created or received by Business Associate on behalf of Customer is destroyed or, if it is not feasible to destroy such Client PHI, protections are extended to such Client PHI in accordance with the termination provisions above.
  2. Without limiting the rights and remedies of Customer elsewhere set forth in this Agreement or available under applicable law, Customer may terminate this Agreement without penalty or recourse to Customer if Customer determines that Business Associate has violated a material term of the provisions of this Agreement and has not cured the breach to the satisfaction of the Customer, in the Customer’s sole discretion.
  3. This Agreement also contains a number of terms that are specific to the use of HTS by the Customer, and such terms have been included in the Terms of Use, HTS Terms and Conditions, and/or additional disclosures contained in this document, to which the Customer agrees. By accepting this Agreement, Customer also agrees to be bound by the additional terms.