KovoRCM Business Associates Agreement

UNDER OMNIBUS RULE

Last Updated: 07.06.2023

This Business Associate Agreement (the “BAA”) is with Kovo RCM and its subsidiaries and affiliates (collectively, the “Company”), and the customer identified in the signature block below (“Customer”).

Company and Customer agree as follows:


1. Term

The Term of this BAA shall be effective as of the Effective Date listed above the signature block below and shall terminate upon the termination of all agreements between the parties herein (including any runout period post-termination required by Business Associate to complete collection efforts for claims submitted prior to termination), or upon the date that Covered Entity terminates for cause as authorized in Section VII, Paragraph (a), whichever is sooner.


2. Definitions

The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Healthcare Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

Specific definitions:

(a) Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this BAA, shall mean the Company.

(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this BAA, shall mean the Customer.

(c) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164, as in effect or as amended. This shall include amendments to HIPAA contained in the HITECH Act, the American Recovery and Reinvestment Act of 2009 and The Omnibus Rule.


3. Obligations and Activities of Business Associate

Company agrees to:

(a) Not use or disclose protected health information other than as permitted or required by the BAA or as Required by Law;

(b) Use appropriate safeguards, and comply, where applicable, with Subpart C of 45 CFR Part 164 with respect to electronic protected health information (ePHI), to prevent use or disclosure of protected health information other than as provided for by the BAA;

(c) Report to Covered Entity any use or disclosure of protected health information (PHI) not provided for by the BAA of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware. The Business Associate will report these to the Covered Entity not more than 30 business days after such a discovery;

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit protected health information on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;

(e) At the sole cost and expense of Covered Entity and to the extent allowed by law, Business Associate will make available PHI in a designated record set to the “Covered Entity”, in a time and manner reasonably agreed upon between the parties, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524. Any requests for access to PHI made by an individual directly to the Business Associate will be forwarded to the Covered Entity within 5 business days of receipt of the request. Unless agreed upon by the parties in writing, the Business Associate will not respond directly to any individual making such a request.

(f) At the sole cost and expense of Covered Entity and, to the extent allowed by law, Business Associate will make any amendment(s) to PHI in a designated record set as directed or agreed to by the Covered Entity, in a time and manner reasonably agreed upon between the parties, pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526. Any request for amendment to PHI made by an individual directly to the Business Associate will be forwarded to the Covered Entity within 5 business days of receipt of request. Unless agreed upon by the parties in writing, the Business Associate will not respond directly to any individual making such a request.

(g) Maintain and make available, in a time and manner reasonably agreed upon between the parties, the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528. Business Associate may charge the Covered Entity a reasonable fee for providing such accounting, to the extent allowed by law. Any request for an accounting of disclosures made by an individual directly to the Business Associate will be forwarded to the Covered Entity within 5 business days of receipt of request. Unless agreed upon by the parties in writing, the Business Associate will not respond directly to any individual making such a request.

(h) To the extent the Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and

(i) For purposes of determining Business Associate’s compliance with the HIPAA Rules, the Business Associate will provide its internal practices, books, and records to the Secretary, upon request, and only to the extent such internal practices, books and records relate to the use and disclosure of PHI and Breach of any Unsecured PHI received from Covered Entity or created or received by the Business Associate on behalf of the Covered Entity.


4. Permitted Uses and Disclosures by Business Associate

(a) Business Associate may only use or disclose PHI as necessary to perform functions on behalf of and/or provide services to Covered Entity as set forth in the Business Associates & Covered Entities’ governing service agreements, to the extent such uses or disclosures are permitted under HIPAA Rules.

(b) Business Associate may use or disclose PHI as Required by Law.

(c) In accordance with 45 CFR 164.502(b), Business Associate will limit requests, uses and disclosures of PHI to the Minimum Necessary to accomplish the intended purpose of such request, use or disclosure, respectively, except that the restrictions set forth herein shall not apply to the exceptions set forth in 164.502(b)(2).

(d) Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except for the specific uses and disclosures set forth below:

(i) Business Associate may use or disclose PHI if necessary for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are Required By Law or the Business Associate obtains reasonable assurance from the person to whom the information is disclosed that:

(a) the information will remain confidential and used or further disclosed only as Required By Law or for the purposes for which it was disclosed; and

(b) the person receiving the PHI will notify the Business Associate of any instances in which the confidentiality of the PHI has been breached.

(ii) Business Associate may use PHI to provide data aggregation services relating to the healthcare operations of the Covered Entity, as permitted by HIPAA.

(iii) Business Associate is authorized to use PHI to de-identify the information in accordance with 45 CFR 164.514(a)-(c).



5. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions


(a) Covered Entity shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, to the extent that such changes or revocation may affect Business Associate’s use or disclosure of PHI.

(c) Covered Entity shall notify Business Associate of any restriction on the use or disclosure of protected health information that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.

(d) Covered Entity agrees to disclose to Business Associate only the minimum amount of PHI necessary to accomplish the services covered in the service agreements between the parties.

(e) Covered Entity shall obtain all necessary consents and authorizations necessary and/or Required by Law for Business Associate to provide its services and to engage in uses and disclosures required by the service agreement between the parties.

(f) Upon any suspected or actual Breach of Unsecured PHI, unauthorized disclosure of PHI or breach of this BAA, Covered Entity shall meet and confer in good faith with Business Associate before notifying affected individuals, reporting to government agencies, and/or commencing any legal action.

(g) Covered Entity agrees to negotiate new payment terms with Business Associate to account for any increased cost in providing services to Covered Entity because of restrictions to PHI agreed to or implemented by Covered Entity.


6. Permissible Requests by Covered Entity

Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity, except as provided under Section IV, Paragraph (d), Permitted Uses and Disclosures by Business Associate.


7. Termination

(a) Termination for Cause. Upon either party’s discovery of a material breach by the other party, the non-breaching party shall deliver written notice of the breach to the breaching party. The breaching party will then have 30 days from receipt of the breach notice to cure the alleged breach. If the breaching party does not cure the breach within 30 days, then the non-breaching party may terminate this BAA.

(b) Obligations of Business Associate Upon Termination. Upon termination of this BAA for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

1. Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;

2. Return to Covered Entity or destroy the remaining PHI that the Business Associate still maintains in any form;

(a) Covered Entity may request that Business Associate transmit the PHI to another Business Associate of the Covered Entity at termination; however, Covered Entity agrees to pay Business Associate’s data migration fees, if applicable, in advance of any data migration. Business Associate will confirm the transfer of PHI and then ensure the destruction of PHI created, received, or maintained by subcontractors.

3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;

4. Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set in Sections III and IV, which applied prior to termination; and

5. Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

(c) Survival. The obligations of Business Associate under this Section shall survive the termination of this BAA.


8. Miscellaneous

(a) Indemnification. Covered Entity shall be liable for and agree to indemnify and defend the Business Associate for any and all claims, costs and expenses arising from, related to, or connected with any alleged or actual negligent act or omission of Covered Entity, including non-permitted use or disclosure of PHI of Covered Entity, its agents or employees, in the performance of its obligations under this BAA or service agreements between the parties. This provision shall survive expiration or termination of this BAA.

(b) LIMITATION OF LIABILITY. BUSINESS ASSOCIATE SHALL NOT BE LIABLE FOR ANY CONSEQUENTIAL, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES HOWEVER ARISING, WHETHER IN CONTRACT OR IN TORT, RELATING TO THIS BAA OR BREACH THEREOF.

(c) No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.

(d) Governing Law. This BAA shall be governed by and construed in accordance with the laws of the State of Colorado without regard to conflicts of law principles.

(e) Notice. Each party shall deliver all notices required or permitted herein in writing and addressed to the other party at the contact information contained in the signature block below (or to such other address that the receiving party may designate from time to time in accordance with this Section). Each party shall deliver all notices by personal delivery, nationally recognized overnight courier (with all fees prepaid), facsimile or email (with confirmation of transmission), or certified or registered mail (in each case, return receipt requested, postage prepaid). A notice is effective only if the party giving the notice has complied with the requirements of this Section, and notice will be deemed received (a) upon receipt by the receiving party if personally delivered, or if personal delivery is rejected by the receiving party, then the date of the attempted delivery; (b) two business days after deposit with an overnight courier, or certified or registered mail; and (c) upon the sending of a facsimile or email with confirmation of transmission.

(f) Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.

(g) Amendment. Amendments to this BAA must be in writing and signed by both parties to be effective. The parties agree to amend this BAA as necessary to comply with HIPAA Rules and any other applicable law.

(h) Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules by the Business Associate’s legal counsel.
