Business Associate Contract

Please read over the contract and fill in the required yellow fields at the bottom of the page.

THIS AGREEMENT made as of the _____DATE HERE_____ by and between Wesley Health Care Center, Inc., a New York not-for-profit corporation whose address is 131 Lawrence St. Saratoga Springs, NY 12866 and _____VENDOR NAME, ADDRESS, CITY, STATE, ZIP CODE HERE_____

W I T N E S S E T H:

WHEREAS, Wesley Health Care Center, Inc., (hereinafter “Provider”) is a New York not-for-profit Corporation licensed by the New York State Department of Health as a skilled nursing facility, adult day care, outpatient therapies and subsidized senior housing;

WHEREAS, Provider has engaged the services of _____SERVICES THEY PROVIDE HERE______ (hereinafter “Associate”);

WHEREAS, due to the nature of the services provided by Associate to Provider, Associate will receive from or on behalf of Provider or will create, maintain or transmit for Provider “protected health information” (“PHI”), as that term is defined at 45 CFR Part 164, including electronic PHI;

WHEREAS, in accordance with 45 CFR Part 164, Provider is required to obtain certain written assurances from the Associate with respect to PHI, in whatever form,  (i) disclosed to the Associate by the Provider, or (ii) created, maintained, transmitted or received by the Associate on behalf of the Provider;

WHEREAS, Associate is willing to make appropriate assurances to Provider with respect to PHI, in whatever form,  (i) disclosed to the Associate by the Provider, or (ii) created, maintained, transmitted or received by the Associate on behalf of the Provider.

NOW, THEREFORE, in consideration of the mutual covenants, conditions and promises contained herein, and other good and valuable consideration, the receipt of which is hereby acknowledged by the parties, the parties hereto agree as follows:

  1. With respect to PHI, in whatever form, (i) disclosed to the Associate by the Provider, or (ii) created, maintained, transmitted or received by the Associate on behalf of the Provider, the Associate shall:

(a)        Except as otherwise limited in this Agreement, use or disclose PHI on behalf of, or to provide services to, Provider, if such use or disclosure would not violate the HIPAA Privacy Standards set forth at 45 CFR Part 164 if done by Provider, for purposes of Medicaid application processing assistance or to provide or perform services for or on behalf of Provider pursuant to a certain written agreement between Associate and Provider.   In addition to such use and disclosure, the Associate may use and disclose PHI: (1) if necessary, for the proper management and administration of the Associate or to carry out the legal responsibilities of the Associate, provided: (i) such disclosure is required by law; or (ii) the Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (a) it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and (b)  such person notifies the Associate of any instances of which it is aware in which the confidentiality of the information has been breached or; (2) if relating to the Provider’s health care operations, as defined at 45 CFR Section 164.501, for data aggregation services as defined at 45 CFR Section 164.501, as same currently exists or may hereinafter be amended;

 

(b)        Not use or further disclose PHI other than as permitted or required hereunder or as required by law;

 

(c)        Develop and utilize appropriate safeguards to prevent use or disclosure of PHI other than as provided for hereunder or as required by law;

 

(d)       Report to the Provider any use or disclosure of PHI not provided for hereunder of which it becomes aware, including any security incident, as defined by 45 CFR 164.304, and/or any breach of unsecured PHI, immediately upon Associate’s discovery of such or as otherwise permitted pursuant to Section 4 of this Agreement; and

(e)        comply with all applicable requirements of 45 CFR Part 164, Subpart C, and, without limiting the foregoing, implement and/or maintain administrative, physical, technical and organizational safeguards and such policies and procedures that reasonably and appropriately protect the confidentiality, integrity and availability of PHI as required by 45 CFR Part 164, Subpart C;

 

(f)        enter into a written contract or obtain written assurances from each and every agent and subcontractor that creates, receives, maintains or transmits PHI on behalf of the Associate wherein the agent or subcontractor agrees to: (1) comply with all applicable requirements of 45 CFR Part 164, Subpart C, and, without limiting the foregoing, implement and/or maintain administrative, physical, technical and organizational safeguards and such policies and procedures that reasonably and appropriately protect the confidentiality, integrity and availability of PHI as required by 45 CFR Part 164, Subpart C; and (2) comply with the same restrictions and conditions that apply to the Associate with respect to such PHI;

(g)        To the extent applicable, notify the Provider of any and all agents, including subcontractors, performing services on behalf of the Associate with respect to services provided by the Associate to the Provider and obtain written assurances from every such agent or subcontractor that it will safeguard PHI received by the agent to the same extent required of the Associate hereunder;

 

(h)        Upon the request by the Provider for PHI of an individual which was disclosed to the Associate pursuant to this Agreement, make available to the Provider such PHI within ten (10) days of the Provider’s request for same;

 

(i)        Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526 and, upon receipt of notice from the Provider that an individual’s PHI has been amended to an individual’s PHI, immediately incorporate such amendment to the individual’s PHI maintained by the Associate;

 

(j)         Document disclosures of PHI as would be required for the Provider, under the HIPAA Privacy Standards as set forth at 45 CFR Part 164, to respond to a request by an individual, his/her personal representative, for an accounting of disclosures of PHI;

 

(k)         Upon the request by the Provider for an accounting of disclosures made by the Associate of an individual’s PHI, provide the Provider, within twenty (20) days of such request, with such an accounting which shall include the date of the disclosure, the name of the entity or person who received the PHI and, if known, the address of such entity or person, a brief description of the PHI disclosed and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or such documentation in lieu of such statement as permitted by 45 CFR Section 164.528 as same currently provides or may hereinafter be amended;

 

(l)        Upon the request by an individual from whom the Associate has received PHI from the Provider, his/her personal representative, except where access to PHI may be denied to a personal representative in accordance with 45 CFR Section 164.502, as same currently exists or may hereinafter be amended, or pursuant to an authorization complying with the requirements of 45 CFR Section 164.508, as same currently exists or may hereinafter be amended, provide access to the individual’s PHI for inspection and/or copying to such individual, his/her personal representative or authorized individual; and

 

(m)         Provide to the Secretary of the United States Department of Health and Human Services (“Secretary”), or his/her designee, as designated by the Secretary of his/her designee, the Associate’s internal practices, books and records relating to the use and/or disclosure of PHI received from, or created, maintained, transmitted or received by the Associate on behalf of the Provider;

 

(n)       Mitigate, to the extent practicable, any harmful effect that is known to Associate of a use or disclosure of PHI by Associate in violation of the requirements of this Agreement; and

 

(o)        When carrying out any obligations of the Provider under 45 CFR Part 164, Subpart E, comply with all applicable requirements thereof that would apply to Provider in carrying out such obligations.

 

  2. The Associate shall be required to disclose PHI under the following circumstances:

(a)        When required by the Secretary of the United States Department of Health and Human Services or his/her designee under 45 CFR Part 160, Subpart C, to investigate or determine the Associate’s compliance with 45 CFR Part 164, Subpart E; and

(b)        To the Provider or the individual or his/her designee as necessary to satisfy the Provider’s obligations under 45 CFR Section 164.524(c)(2)(ii) and (3)(ii) with respect to the individual’s request for an electronic copy of PHI.

 

  3. Unless otherwise permitted under 45 CFR Part 164, Subpart E, the Associate shall not sell PHI. For purposes of this Agreement, a sale of PHI is defined at 45 CFR Section 164.502(c)(ii).
  4. In addition to the requirements and obligations set forth at Section 1 hereinabove, the Associate agrees to comply with the requirements relating to security made applicable to the Associate under Part 1 of Subtitle D of the HITECH Act and any and all implementing regulations thereunder. The Associate also agrees to comply with the following:

(a)        To the extent Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses or discloses unsecured PHI, as defined in the HITECH Act, upon discovery of a breach pertaining to unsecured PHI, notify the Provider of such breach within two (2) business days of the Associate’s discovery thereof. Such notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Associate to have been, accessed, acquired or disclosed during such breach and such other additional information as shall allow Provider to meet its notification obligations under the HITECH Act and the implementing regulations thereunder;

(b)        To the extent electronically stored PHI of New York Residents that constitutes “private information” under the New York SHIELD Act was accessed or acquired during a breach discovered pursuant to 4(a) above, and notice to the affected persons was provided pursuant to HITECH or HIPAA, notice shall also be provided to the state attorney general, the department of state and the division of state police pursuant to paragraph (a) of subdivision eight of Section 899-aa of NY CLS Gen. Bus. Law, and to consumer reporting agencies pursuant to paragraph (b) of subdivision eight of Section 899-aa of NY CLS Gen. Bus. Law.

(c)        To the extent breach notification was provided for PHI that is not “private information” under the New York SHIELD Act, to the secretary of health and human services pursuant to HITECH or HIPAA, notice shall be provided to the attorney general within five business days of notifying the secretary.

 

(d)        Comply with the “Minimum Necessary” requirements of Section 13405 of the HITECH Act and any and all implementing regulations thereunder when using or disclosing PHI or when requesting PHI from a covered entity, as defined in the HIPAA Privacy Standards set forth at 45 CFR Part 164, which shall include the requirements of the Secretary’s “Minimum Necessary” Guidance when enacted;

 

(e)        Upon the direct request by an individual, his or her personal representative, for an accounting of disclosures of PHI pertaining to the Provider’s use, if any, of electronic health records, comply with the disclosure requirements of Section 13405 of the HITECH Act and any and all implementing regulations thereunder; and

(f)       Except to the extent permitted in Section 13405(d)(2) of the HITECH Act and any and all implementing regulations thereunder, not directly or indirectly receive remuneration in exchange for any PHI relating to an individual unless pursuant to a valid authorization by the individual, his or her personal representative, in compliance with 45 CFR Section 164.508 and that includes a specification as to whether the PHI can be further exchanged for remuneration by the entity receiving the individual’s PHI; and

(g)        Comply with all laws, rules and regulations regarding limitations on marketing and fundraising communications.

 

  5. Upon the termination of the business relationship between the Provider and the Associate unless the Associate is required by law to maintain PHI received from the Provider for a specified period of time, if feasible, return or destroy all PHI received from, or created or received by the Associate on behalf of, the Provider and retain no copies of such information. If such return or destruction is not feasible, comply with the requirements of this Agreement and applicable law with regard to such retained PHI for as long as such information is maintained by the Associate.
  6. Notwithstanding anything herein to the contrary, the Provider shall have the right to terminate its business relationship with the Associate in the event the Provider determines, in its sole discretion, that the Associate has violated any provision of or obligation of the Associate under this Agreement, unless the Associate has cured such violation to the sole satisfaction of the Provider within fifteen (15) days of written notice to the Associate of the Provider’s determination of a violation of this Agreement.
  7. A reference in the Agreement to 45 CFR Parts 160 or 164 or to a specific section thereof means 45 CFR Parts 160 or 164 or the section thereof as in effect or as amended.
  8. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Provider to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 and/or 45 CFR Part 164.
  9. The Associate agrees to defend, indemnify and hold harmless the Provider, its officers, directors and employees, from and against any and all claims, actions, damages, losses, fines, penalties, liabilities, costs and expenses (including, without limitation, reasonable attorneys’ fees) suffered or incurred by the Provider arising or resulting from or in connection with any breach of this Agreement by the Associate or any negligence or wrongful acts or omissions on the part of the Associate, its members, officers, directors, employees, agents or subcontractors, in complying with or performing under this Agreement.
  10. The obligations of the Associate under this Agreement shall survive the termination of this Agreement.
  11. Any ambiguity in this Agreement shall be resolved to permit Provider to comply with the Health Insurance Portability and Accountability Act of 1996 and/or 45 CFR Part 164.

IN WITNESS WHEREOF, this Agreement was signed as of the date hereinabove set forth.

Wesley Health Care Center, Inc.

_________________________________________

By:
Title:
Date:

VENDOR ELECTRONIC SIGNATURE HERE

Company name: _____COMPANY NAME HERE_____
Title: _____TITLE HERE_____
Date: _____DATE HERE_____

VENDOR ELECTRONIC SIGNATURE

I certify that I have carefully examined this form and I determined that, to the best of my knowledge and belief, the information provided is complete and accurate.
