U.S. Laboratories

HIPAA Business Associate Addendum

This Business Associate Addendum ("Addendum") supplements and is made a part of the Laboratory Services Agreement to which it is attached ("Agreement"), is entered into by and between

Covered Entity (herein, "CE") and U.S. Laboratories Corporation, who is or may be a business associate pursuant to HIPAA (herein, “BA”), and is made effective with the Agreement (“Addendum Effective Date”).

WHEREAS, CE wishes to disclose certain information to BA pursuant to the terms of the Addendum, some of which may constitute Protected Health Information ("PHI") and/or electronic Protected Health Information (“ePHI”).

WHEREAS, CE and BA intend to protect the privacy of PHI and ePHI disclosed to or created or received by BA pursuant to the Addendum in compliance with applicable provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA") and regulations promulgated thereunder by the U.S. Department of Health and Human Services (the "Privacy Rule" and the “Security Rule”) and other applicable laws.

WHEREAS, the purpose of this Addendum is to satisfy certain standards and requirements of the Privacy Rule, including, but not limited to, Title 45, Section 164.504(e) of the Code of Federal Regulations ("CFR"), and the Security Rule, including but not limited to CFR Title 45 Sections 164.308(b) and 164.314(a) as the same may be amended from time to time.

In consideration of the mutual promises below and the exchange of information pursuant to this Addendum, the parties agree as follows:

I.  DEFINITIONS.

Terms used, but not otherwise defined, in this Addendum shall have the same meaning as those terms in the Privacy Rule and Security Rule.  In the event of a conflict between the definitions in this Addendum and the definitions in the Privacy Rule or Security Rule, the definitions in the conflicting rule shall be applied.

Protected Health Information (“PHI”) means any information, whether oral or recorded in any form or medium, including ePHI (as defined below), that

a.   Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and

b.   Identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual; and

c.   Is limited to the information created or received by BA from or on behalf of CE.

Electronic Protected Health Information (“ePHI”) is a subset of PHI and means PHI that is transmitted by or maintained in electronic media.  References herein to PHI shall include ePHI.

Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Privacy Rule means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.

Security Rule means the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR part 160 and part 164, subparts A and C.

Rules means both the Privacy Rule and the Security Rule.

Disclose means the release, transfer, provision of access to, or divulging in any other manner of PHI to parties outside the BA’s organization.

Use means the sharing, employment, application, utilization, examination, or analysis of PHI within the BA’s organization.

Secretary means the Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.

Data aggregation means, with respect to PHI created or received by a BA in its capacity as a Business Associate of a CE, the combining of such PHI by the BA with the PHI received by the BA in its capacity as a Business Associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.

Individual means the person who is the subject of PHI and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

Required By Law means a mandate contained in law that compels a covered entity to make a use or disclosure of PHI and that is enforceable in a court of law. 

II.  OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE.

1. Nondisclosure. BA shall not use or disclose CE's PHI other than as permitted or required by this Addendum or as required by law.
2. Minimum Necessary.  BA shall use or further disclose PHI only in the minimum amount and to the minimum number of individuals necessary to achieve the purpose of the services being rendered to or on behalf of CE.
3. Safeguards. BA shall use appropriate safeguards to prevent use or disclosure of CE’s PHI otherwise than as provided for by this Addendum.
4. Reporting of Unauthorized Disclosures. BA shall report to CE any use or disclosure of CE's PHI not provided for by this Addendum of which BA becomes aware.
5. Mitigation. BA shall mitigate, to the extent practicable, any harmful effect that is known to BA of a use or disclosure of PHI by BA in violation of the requirements of this Addendum.
6. BA's Agents. BA shall ensure that any agents, including subcontractors, to whom it provides PHI received from, or created or received by BA on behalf of, CE agree to the same restrictions and conditions that apply to BA through this Addendum with respect to such PHI.
7. Access to PHI. BA shall provide access to CE, at the request of CE, and in the time and manner designated by CE, to PHI or, as directed by CE, to an Individual in order to meet the requirements under 45 CFR 164.524.  This provision shall apply if BA possesses PHI in any form.
8. Documentation of Disclosures. BA shall document such disclosures of PHI and information related to such disclosures as would be required for CE to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
9. Accounting of Disclosures. BA shall provide to CE or an individual, in time and manner designated by CE, information collected pursuant to this Addendum, to permit CE to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
10. Amendment of PHI. BA shall make any amendment(s) to PHI that the CE directs or agrees to pursuant to 45 CFR 164.526 at the request of CE or an Individual, and in the time and manner designated by CE.  This provision shall apply if BA possesses PHI in any form.
11. Internal Practices. BA shall make its internal practices, books and records relating to the use and disclosure of PHI received from CE, or created or received by BA on behalf of CE, available to the CE, or to the Secretary, for purposes of the Secretary determining CE’s compliance with the Rules.
12. Security of ePHI and Reporting of Security Incidents.  BA shall maintain ePHI in a fashion that preserves:   

a.   Availability, i.e. the property that data or information is accessible and useable upon demand by an authorized person; and
b.   Confidentiality, i.e. the property that data or information is not made available or disclosed to unauthorized persons or processes; and
c.   Integrity, i.e. the property that data or information have not been altered or destroyed in an unauthorized manner.

BA shall develop, implement, maintain, and use administrative, technical, and physical safeguards that reasonably and appropriately protect the Confidentiality, Integrity, and Availability of ePHI that BA creates, receives, maintains, or transmits on CE’s behalf as required by the Security Rule.  BA shall report to CE any attempted or successful (A) unauthorized access, use, disclosure, modification, or destruction of CE’s Electronic Protected Health Information or (B) interference with BA’s system operations in BA’s information systems, of which BA becomes aware.

III.  PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE.

1. Permitted Uses and Disclosures.  Except as otherwise limited in this Addendum, BA may use or disclose PHI to perform functions, activities, or services for, or on behalf of CE as specified in the Agreement provided such use or disclosure does not violate the Rules if done by the CE. 
2. Use for Management and Administration.  Except as otherwise limited in this Addendum, BA may use PHI for the proper management and administration of the BA or to carry out the legal responsibilities of the BA.
3. Disclosure for Management and Administration.  Except as otherwise limited in this Addendum, BA may disclose PHI for the proper management and administration of the BA or to carry out the legal responsibilities of the BA, provided that:

a. Disclosures are required by law or
b. BA obtains reasonable assurances from the person to whom the information is disclosed that it shall remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and
c. The person notifies the BA of any instances of which it is aware in which the confidentiality of the information has been breached.

4. Data Aggregation.  Except as otherwise limited in this Addendum, BA may use PHI to provide Data Aggregation services to CE relating to the health care operations of the CE.
5. Report Violations of Law.  Except as otherwise limited in this Addendum, BA may use PHI to report violations of law to appropriate Federal and State authorities consistent with 45 CFR §164.502(j)(1).

IV.  OBLIGATIONS OF COVERED ENTITY.

1. Notice of Privacy Practices. CE shall provide BA with the notice of privacy practices that CE produces in accordance with 45 CFR 164.520, as well as any changes to such notice.
2. Changes in permission.  CE shall notify BA of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect BA's use or disclosure of PHI.
3. Notification of Restrictions. CE shall notify BA of any restriction to the use or disclosure of PHI that CE has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect BA’s use or disclosure of PHI.

V.  PERMISSIBLE REQUESTS BY COVERED ENTITY.

CE shall not request BA to use or disclose PHI in any manner that would not be permissible under the Rules if done by CE.

VI.  TERM AND TERMINATION.

1. Term.  The Term of this Addendum shall be effective as of the Addendum Effective Date, and shall terminate when all of the PHI provided by CE to BA, or created or received by BA on behalf of CE, is destroyed or returned to the CE, or if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section.
2. Termination for Cause. Upon CE's knowledge of a material breach by BA, CE shall either:

a. Provide an opportunity for BA to cure the breach or end the violation and if BA does not cure the breach or end the violation within the time specified by CE, terminate this Addendum and the underlying Agreement;
b. Immediately terminate this Addendum and the underlying Agreement if BA has breached a material term of this Addendum and cure is not possible; or,
c. Report the violation to the Secretary if neither cure of the breach nor termination of this Addendum is feasible.

3. Effect of Termination.  Except as provided in paragraph (4) of this section, upon termination of this Addendum, for any reason, BA shall return or destroy all PHI received from CE, or created or received by BA on behalf of CE. This provision shall apply to PHI that is in the possession of subcontractors or agents of BA. BA shall retain no copies of the PHI.
4. Inability to Return or Destroy upon Termination.  In the event that BA determines that returning or destroying PHI is not feasible, BA shall notify CE in writing of the conditions that make return or destruction infeasible.  If return or destruction of the PHI is infeasible, BA shall extend the protections of this Addendum to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as BA maintains such PHI.

VII.  INDEMNIFICATION.

BA shall indemnify and hold CE harmless from and against all claims, damages, liabilities, judgments, fines, assessments, penalties, awards, or other expenses, of any kind or nature whatsoever, including, without limitation, attorney’s fees, costs and expenses relating to or arising out of any breach or alleged breach of this Addendum or disclosure of PHI in violation of applicable law or regulation.

VIII.  MISCELLANEOUS.

1. Regulatory References. A reference in this Addendum to a section in the Rules means the section as in effect or as amended, and for which compliance is required.
2. Amendment. The Parties shall take such action as is necessary to amend this Addendum from time to time for CE to comply with the requirements of the Rules.
3. Survival. The respective rights and obligations of BA under Section VI.3, VI.4 and VII of this Addendum shall survive the termination of this Addendum.
4. Interpretation. This Addendum shall be interpreted as broadly as necessary to implement and comply with the Privacy Rule, Security Rule, and applicable state laws.  Any ambiguity in this Addendum shall be resolved in favor of a meaning that permits CE to comply with the Privacy Rule, Security Rule, and applicable state laws.
5. Assistance in Litigation or Administrative Proceedings. BA shall make itself, and any subcontractors, employees or agents assisting BA in the performance of its obligations under this Addendum, available to CE, at no cost to CE, to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings being commenced against CE, its directors, officers or employees based upon claimed violation of the Rules, except where BA or its subcontractor, employee or agent is a named adverse party.
6. No Third Party Beneficiaries.  Nothing express or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than CE or BA any rights, remedies, obligations, or liabilities whatsoever.
7. Effect on Agreement. Except as specifically required to implement the purposes of this Addendum, or to the extent inconsistent with this Addendum, all other terms of the Agreement shall remain in force and effect.