Business Associate Agreement
This Agreement is between Olympus America Inc. (“Business Associate”), 3500 Corporate Parkway, Center Valley, Pennsylvania 18034, and Covered Entity. This Agreement shall become effective as of the date of purchase of Endoworks, Endocapsule-10, IN-10(a), nStream, ODMS, KE, or Unifia product(s) (the “Effective Date”). Covered Entity and Business Associate may hereafter be referred to individually as a “Party” or collectively as the “Parties”.
The purpose of this Agreement is to address the measures that Business Associate shall take to protect the confidentiality of certain individually identifiable health information that the Covered Entity may disclose to Business Associate or that the Business Associate may create, receive, maintain, or transmit on behalf of the Covered Entity or its affiliates in connection with the service, repair, troubleshooting and maintenance activities associated with ENDOWORKS, ENDOCAPSULE-10, IN-10, nStream, ODMS, KE, Unifia, or any other services and/or products the parties mutually agree to in writing (the “Services”). This Agreement applies only if and to the extent Olympus is a “business associate” (as that term is defined in 45 C.F.R. § 160.103) of Covered Entity.
WHEREAS, the use and disclosure, electronic transmission and maintenance, and security of certain individually identifiable health information is regulated by the Administrative Simplification Provisions of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, as amended by the Health Information Technology for Economic and Clinical Health Act, Section 13400, et seq. of the American Recovery and Reinvestment Act of 2009 (“HITECH”), and the regulations promulgated thereunder, all as may subsequently be amended (collectively referred to as “HIPAA”).
WHEREAS, the Covered Entity may, from time to time, disclose individually identifiable health information to the Business Associate, and the Business Associate may, from time to time, create, receive, maintain, and/or transmit such individually identifiable health information.
WHEREAS, both Parties are committed to complying with HIPAA, including, without limitation, the HIPAA Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), the HIPAA Security Standards (the “Security Rule”), and the HIPAA Standards for Notification in the Case of Breach of Unsecured Protected Health Information (the “Breach Notification Rule”) (all as set forth in 45 C.F.R. Parts 160, 162 and 164), and any applicable guidance from the Department of Health and Human Services (“HHS” or the “Secretary”);
NOW THEREFORE, for and in consideration of the foregoing premises, the Covered Entity and Business Associate hereby agree as follows:
1. PERMITTED USES AND DISCLOSURES OF PHI
1.1 “Protected Health Information” or “PHI”. “Protected Health Information” or “PHI” shall have the meaning given to that term under 45 C.F.R. § 160.103, but shall be limited to the information created, received or maintained by the Business Associate from or on behalf of the Covered Entity.
1.2 Use and Disclosure. The Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law, as that term is defined in 45 C.F.R. § 164.103 (“Required by Law”). All other uses or disclosures not authorized by this Agreement are prohibited.
1.3 Disclosure to perform Services. Except as otherwise limited herein, the Business Associate may use or disclose PHI as necessary to perform the Services, provided that such use or disclosure would not violate the Privacy Rule if done by the Covered Entity.
1.4 Business Activities of the Business Associate. Unless otherwise limited herein, the Business Associate may:
a. Use PHI for the Business Associate’s proper management and administration, and to carry out any of its legal responsibilities.
b. Disclose PHI to third parties for the purpose of the Business Associate’s proper management and administration, and to carry out any of its legal responsibilities, if and only if (1) Required by Law, or (2) the Business Associate obtains reasonable assurances from the third party to whom the information is disclosed that it shall be held confidentially, and be used or further disclosed only as Required by Law or the purpose for which it was disclosed to that third party, and the third party will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
c. Provide data aggregation services to the Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
d. Report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
2. RESPONSIBILITIES OF THE PARTIES WITH RESPECT TO PHI
2.1 Responsibilities of the Business Associate. With regard to its use and/or disclosure of PHI and the privacy and security of PHI, the Business Associate hereby agrees to the following:
a. Privacy and Security.
(i) The Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law.
(ii) In carrying out an obligation of the Covered Entity under the Privacy Rule, the Business Associate shall comply with the requirements of the Privacy Rule that apply to the Covered Entity in the performance of such obligation.
(iii) The Business Associate shall use appropriate safeguards, and comply with the Security Rule with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by this Agreement and as Required by Law.
b. Mitigation. The Business Associate shall take reasonable measures requested by the Covered Entity to mitigate, to the extent practicable, any harmful effects to the individual who is the subject of the PHI of a use or disclosure of PHI by the Business Associate that violates this Agreement.
c. Agents and Subcontractors. The Business Associate shall, in accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) & 164.308(b)(2), as applicable, require all of its agents and subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate to agree, in a writing substantially the same as this Agreement, to the same (or more stringent) restrictions and conditions that apply to the Business Associate under this Agreement.
(i) The Business Associate shall, without unreasonable delay, and in no event longer than ten (10) business days, report to the Covered Entity’s Privacy Officer any use and/or disclosure of PHI that is not permitted by this Agreement of which it becomes aware, including instances in which an agent or subcontractor has improperly used or disclosed PHI.
(ii) The Business Associate shall, without unreasonable delay, and in no event more than ten (10) business days, report to the Covered Entity’s Privacy Officer any Security Incident (as defined in 45 C.F.R. § 164.304) involving electronic PHI of which it becomes aware.
(iii) The Business Associate shall report to the Covered Entity, as required by the Breach Notification Rule, any Breach (as defined in 45 C.F.R. § 164.402) of Unsecured Protected Health Information (as defined in 45 C.F.R. § 164.402). Such report shall be made without unreasonable delay, and in no event longer than ten (10) business days after Business Associate discovers the Breach.
(iv) Any reports given to Covered Entity by Business Associate shall identify at a minimum: (i) the nature of the non-permitted use or disclosure, (ii) the PHI used or disclosed, (iii) party or parties who made the non-permitted use or received the non-permitted disclosure, (iv) what corrective actions the Business Associate took or will take to prevent further non-permitted use or disclosures, (v) what Business Associate did or will do to mitigate any harmful effect of the non-permitted use or disclosure, and (vi) any such other information HHS may prescribe by regulation.
e. Access to Internal Practices. The Business Associate shall make its internal practices, books and records (including policies and procedures, and PHI) relating to the use and/or disclosure of PHI available to the Secretary for purposes of the Secretary’s determining compliance with HIPAA.
f. Access to PHI. The Business Associate shall make an individual’s PHI available for inspection and copying in accordance with 45 C.F.R. § 164.524. Further, at the Covered Entity’s request, and within fifteen (15) days of the Covered Entity’s request, the Business Associate shall provide the Covered Entity with the PHI requested by an individual pursuant to 45 C.F.R. § 164.524.
g. Amendments to PHI. The Business Associate shall make an individual’s PHI available for amendment and shall incorporate any amendments to the PHI in accordance with 45 C.F.R. § 164.526. Further, at the Covered Entity’s request, and within fifteen (15) days of the Covered Entity’s request, the Business Associate shall provide the Covered Entity with the PHI that an individual seeks to amend pursuant to 45 C.F.R. § 164.526.
h. Accounting of Disclosures. The Business Associate shall make available the information required to provide an accounting of disclosures to an individual pursuant to 45 C.F.R. § 164.528, and, as applicable, 42 U.S.C. § 17935(c) and any regulations promulgated thereunder. Further, at the Covered Entity’s request, and within fifteen (15) days of the Covered Entity’s request, the Business Associate shall provide the Covered Entity with such information. To fulfill this obligation, the Business Associate agrees to document those disclosures of PHI and related information that would be necessary for the Covered Entity to respond to an individual’s request for an accounting of disclosures.
i. Restrictions/Alternatives. The Business Associate shall abide by any arrangements that the Covered Entity has made with an individual regarding restricting the use or disclosure of the individual's PHI, or providing the individual with confidential communications of PHI by alternative means or at an alternative location pursuant to 45 C.F.R. § 164.522, provided that the Covered Entity has notified the Business Associate in writing of such restrictions or alternative means of communication.
j. Minimum Necessary. The Business Associate shall request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure in accordance with 45 C.F.R. § 164.502(b).
2.2 Responsibilities of the Covered Entity.
a. Notification Requirement. With regard to the use and/or disclosure of PHI by the Business Associate, the Covered Entity shall:
(i) Provide the Business Associate with its Notice of Privacy Practices (the “Notice”), which the Covered Entity provides to its participants in accordance with 45 C.F.R. § 164.520, as well as any changes to or limitations in such Notice to the extent that the changes or limitations affect the Business Associate’s use or disclosure of PHI.
(ii) Inform the Business Associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her PHI, if such changes or revocation may affect the Business Associate’s uses or disclosures of the PHI.
(iii) Notify the Business Associate of any arrangements the Covered Entity has agreed to that restrict disclosures or provide individuals with confidential communications pursuant to 45 C.F.R. § 164.522 that may affect the Business Associate’s use or disclosure of PHI.
b. No Impermissible Requests. The Covered Entity shall not request that the Business Associate use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by the Covered Entity, except as permitted by Section 1.4(a), (b) and (c) above.
3. TERM AND TERMINATION
3.1 Term. This Agreement shall become effective as of the Effective Date, and shall continue in effect until the earliest of: (1) all of the PHI provided by Covered Entity to the Business Associate, or created or received by the Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity (or, if it is infeasible to return or destroy such PHI, then such PHI shall continue to be protected as set forth in Section 3.2) and all other obligations of the parties have been met; (2) the Agreement is terminated by Covered Entity as provided below; or (3) the Services are completed, concluded or otherwise terminated, in which case this Agreement will terminate automatically and without the need for any further action or notice on the part of either Covered Entity or Business Associate, and such automatic termination shall occur simultaneously with the conclusion, completion or termination of the arrangement for Services.
3.2 Termination for Cause by Covered Entity. If the Covered Entity determines that the Business Associate has breached a material term of this Agreement, the Covered Entity may:
a. Provide the Business Associate with written notice of the material breach, and afford the Business Associate thirty (30) days to cure such breach. If the breach is not cured within the thirty (30)-day period, the Covered Entity may terminate this Agreement.
b. Immediately terminate this Agreement or any other agreement for Services, if the Business Associate has breached a material term of this Agreement and cure is not possible.
3.3 Effect of Termination. Upon termination of this Agreement for any reason, the Business Associate shall, with respect to PHI received, created, maintained, or transmitted on behalf of the Covered Entity:
a. Retain only that PHI which is necessary for the Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
b. Continue to use appropriate safeguards and comply with the Security Rule with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this section, for as long as the Business Associate retains the PHI;
c. Not use or disclose the PHI retained by the Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out in Section 1.4(a) and (b) which applied prior to termination; and
d. Destroy the PHI retained by the Business Associate when it is no longer needed by the Business Associate for its proper management and administration or to carry out its legal responsibilities.
4.1 Covered Entity and Business Associate agree to indemnify, defend and hold harmless each other and each other’s respective employees, directors, officers, or other members of its workforce, each of the foregoing hereinafter referred to as “indemnified party”, against all claims (“Claims”) for actual and direct losses suffered by the indemnified party and all liability to third parties arising from or in connection with any breach of this Agreement, including failure to perform its obligations under this Agreement, by the indemnifying party or its employees, directors, officers, subcontractors, agents, or other members of its workforce. Provided the indemnifying party is (i) notified promptly in writing of any such Claim; (ii) given authority to control fully any such suit or proceeding; and (iii) in receipt of information and reasonable assistance and cooperation from the indemnified party in preparation of the defense of any such suit or proceeding, the indemnifying party shall pay for any and all actual and direct losses, liabilities, fines, penalties, costs or expenses, including reasonable attorneys’ fees of third parties (excluding the indemnified party and affiliates of the indemnified party) that may for any reason be imposed upon any indemnified party by reason of any suit, claim, action, proceeding or demand by any third party that results from the indemnifying party’s breach hereunder. Both Business Associate’s and Covered Entity’s obligation to indemnify the indemnified party shall survive the expiration or termination of this Agreement for any reason.
4.2 Notwithstanding subsection 4.1 above, the indemnifying party shall not be liable to the indemnified party to the extent that the Claim is based on or arises out of the negligence, omissions, or other misconduct of the indemnified party. THE FOREGOING SETS FORTH THE PARTIES’ EXCLUSIVE REMEDY AND THE INDEMNIFYING PARTY’S SOLE OBLIGATION WITH RESPECT TO ANY CLAIMS RELATING TO THE SUBJECT MATTER DESCRIBED HEREIN. IN NO EVENT SHALL THE INDEMNIFYING PARTY BE RESPONSIBLE, WHETHER UNDER THIS SECTION, IN CONTRACT, TORT, OR OTHERWISE, FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL LOSSES OR DAMAGES, WHETHER OR NOT THE INDEMNIFYING PARTY SHALL BE OR SHOULD BE AWARE OF THE POSSIBILITY OF SUCH POTENTIAL LOSS OR DAMAGE.
5.1 Definitions. Except for the below, all terms used in this Agreement shall have the same meaning as set forth in HIPAA.
a. “Protected Health Information” or “PHI” shall have the meaning given to that term under 45 C.F.R. § 160.103, but shall be limited to the information created, received or maintained by the Business Associate from or on behalf of the Covered Entity.
b. “Affiliate” shall mean any company directly, or indirectly through one or more intermediate companies which now or hereafter may control, be controlled by or be under common control with the relevant party. “Control” of a company means the power to exercise 50 percent or more of the voting rights of such company.
5.2 Regulatory References. A reference in this Agreement to a provision in HIPAA means the provision as in effect or as amended, and for which compliance is required.
5.3 Survival. The provisions of this Agreement shall survive the expiration or any termination of the term of this Agreement to the extent that the Business Associate continues to maintain PHI.
5.4 Interpretation. Any ambiguity in this Agreement shall be resolved to permit the Covered Entity and the Business Associate to comply with HIPAA.
5.5 Amendments; Waiver. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for the Parties to comply with the requirements of, or conform to, any changes in HIPAA. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
5.6 No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
5.7 Counterparts; Facsimiles. This Agreement may be executed in any number of counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.
5.8 Disputes. If any controversy, dispute or claim arises between the Parties with respect to this Agreement, the Parties shall make good-faith efforts to resolve such matters informally.
5.9 Notices. Any notices to be given hereunder to a Party shall be made via U.S. mail or express courier to such Party’s address given above. Each Party named above may change its notification address and that of its representative by giving notice thereof in the manner herein provided.
5.10 Entire Agreement. This Agreement contains the entire agreement and understanding between the Parties relating to the subject matter herein and supersedes all prior agreements, understandings, and representations relating to that subject matter. Notwithstanding the aforesaid, in the event the parties entered into a Business Associate Agreement after September 13, 2013 which was signed by both parties (“Fully Executed BAA”), the Fully Executed BAA shall supersede the terms and conditions found herein.