
Standard Business Associate Agreement: Definition, Terms, Example


What is a Standard Business Associate Agreement?

A standard business associate agreement outlines the responsibilities of both you and any third-party service providers who have access to confidential information. Without such an agreement, you may be at risk of a data breach or other security incident.

A standard business associate agreement lets a company protect its confidential information while still taking advantage of third-party services. In addition, it specifies who is responsible for what and what may happen if either party breaks the conditions of the contract.

Common Sections in Standard Business Associate Agreements

Below is a list of common sections included in Standard Business Associate Agreements. These sections are linked to the below sample agreement for you to explore.

Standard Business Associate Agreement Sample

Exhibit 10.50

BUSINESS ASSOCIATE ADDENDUM

This Business Associate Addendum (the “Addendum”) is made effective January 1, 2010 among Northland Dental Partners, PLLC, a Minnesota professional limited liability company (“Northland”), its wholly owned subsidiaries, Family Periodontic Specialists, P.L.C., Family Oral Surgery Specialists, PLC, and Family Endodontic Specialists, PLC, all Minnesota professional limited liability companies (the “Subsidiaries,” and collectively with Northland, “Provider”), and American Dental Partners of Minnesota, LLC, a Delaware limited liability company (“Business Associate”).

Background Information

A. Provider and Business Associate (the “Parties”) are the parties to a Service Agreement having the same effective date as this Addendum (the “Service Agreement”). Pursuant to this Service Agreement, Business Associate will provide a variety of non-clinical administrative and management services to Provider.

B. In connection with its services under the Service Agreement, Business Associate will have access to “protected health information” and “electronic protected health information” regarding Provider’s patients (collectively, “PHI”), as those terms are defined in the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191), 42 U.S.C. Section 1320d, et. seq., and regulations promulgated thereunder, as amended (such statute and regulations collectively, “HIPAA”). In addition, Provider is a “covered entity,” and Business Associate is a “business associate,” as those terms are defined under HIPAA.

C. The Parties are entering into this Addendum to comply with HIPAA as it relates to the use and disclosure of PHI and related matters.

Statement of Agreement

The Parties hereby acknowledge the accuracy of the foregoing Background Information and agree as follows:

1. Definitions. Any capitalized terms used but not otherwise defined in this Addendum shall have the respective meanings given those terms under HIPAA.

2. Term. The term of this Addendum shall begin on the date of this Addendum and shall end on the date on which the Service Agreement is terminated; provided that if the Parties’ post-termination activities under the Service Agreement involve the potential use or disclosure of PHI by Business Associate, then the term of this Addendum shall continue until all such post-termination activities have been completed.

3. HIPAA Compliance and Agents. During the term of this Addendum, to the extent Business Associate has access to, uses, or discloses PHI, Business Associate shall comply with the “Business Associate” requirements under HIPAA. Without limiting the foregoing, Business Associate may use or disclose PHI only if such use or disclosure is permitted by this Addendum or HIPAA.


Business Associate shall ensure that each of its agents or subcontractors to whom it provides PHI received from, or created, used or disclosed by Business Associate on behalf of, Provider, agrees, by a written agreement or Workforce training, as applicable, to the same restrictions, terms, and conditions as are applicable to Business Associate under this Addendum, including without limitation the requirement to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI that it creates, receives, maintains, or transmits on behalf of Provider or Business Associate.

4. Use and Disclosure; Rights. Business Associate may use or disclose the PHI received or created by it: (a) to perform functions, activities, or services for, or on behalf of, Provider pursuant to the Service Agreement, as it may be amended from time to time, or for other related purposes requested or approved by Provider, (b) to perform its obligations under this Addendum, (c) to properly manage and administer Business Associate’s business, (d) to carry out its legal responsibilities if the disclosure is ‘required by law,’ as defined by HIPAA, (e) for ‘data aggregation functions,’ as defined by HIPAA, or (f) as otherwise permitted or required by applicable law. Provider shall not request that Business Associate use or disclose PHI in any manner that would not be permitted under HIPAA if done by Provider as a ‘covered entity.’ If, pursuant to clause (c) of this section, Business Associate discloses PHI to others, Business Associate shall obtain reasonable assurances from the person, firm, association, organization, or entity (hereinafter, simply “person”) to whom the information is disclosed that (i) such PHI shall be held confidentially and used or further disclosed only as required by law or for the purpose for which it is disclosed to such person, and (ii) that such person shall notify Business Associate of any instances of which it becomes aware that the confidentiality of the information has been breached.

5. HIPAA Security Rule; Safeguards. Business Associate shall implement, document, and use administrative, physical, and technical safeguards that prevent use or disclosure of PHI other than as permitted or required by this Addendum, and that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI that it creates, receives, maintains, or transmits on behalf of Provider, including without limitation reporting to Provider any security incident of which Business Associate becomes aware. Without limiting the foregoing, on or before February 17, 2010, Business Associate shall comply with the Security Standards for the Protection of Electronic Protected Health Information (and Implementation Specifications therein) promulgated by the U. S. Department of Health and Human Services (“DHHS”) in §§ 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations (the “Security Standards”) with respect to all electronic PHI (“ePHI”) it creates, receives, maintains or transmits on behalf of Provider. Notwithstanding the foregoing, Provider shall be solely responsible for ensuring that appropriate administrative, physical and technical safeguards are implemented with respect to ePHI Provider creates, receives, maintains, uses or discloses, in accordance with the Security Standards and other requirements under HIPAA as amended from time to time.

6. Minimum Necessary. Business Associate shall limit any use, disclosure, or request for use or disclosure to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request in accordance with the requirements of HIPAA.

 



7. Records; Covered Entity Access. Business Associate shall maintain such records of PHI received from, or created or received on behalf of, Provider as may be reasonably necessary and appropriate in order for Provider to comply with HIPAA with respect to the services described in the Service Agreement. Business Associate shall grant Provider reasonable access to examine and copy, at Provider’s expense, such PHI, and records and documents of Business Associate related thereto, during normal business hours.

8. DHHS Access to Books, Records, and Other Information. As required by applicable law, Business Associate shall make available to the Secretary of DHHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of, Provider for purposes of determining the Provider’s or Business Associate’s compliance with HIPAA. Business Associate shall cooperate and assist Provider in good faith with complying with the requirements of HIPAA and any investigation of Provider regarding compliance with HIPAA conducted by DHHS, its Office for Civil Rights, or any other administrative or judicial body with jurisdiction over Provider.

9. Designated Record Set. Business Associate shall maintain a ‘designated record set,’ as defined by HIPAA, only for individuals for which it has PHI and only upon the specific written request of Provider or as required by the Service Agreement. Business Associate shall make a patient’s designated record set available to Provider for purposes of complying with such patient’s right under HIPAA to access, copy or append such record.

10. Accounting. Business Associate shall make available to Provider any PHI or any other information reasonably required to prepare, or reasonably assist in preparing, an accounting of disclosures in accordance with HIPAA. Business Associate shall document disclosures of PHI in such a manner as will assist Provider in responding to any request for an accounting of disclosures of PHI. With respect to written PHI, Business Associate shall have this information and documentation available for the six years preceding any request by Provider. If Business Associate maintains an “electronic health record” with respect to Provider’s patients, Business Associate shall have this information and documentation available for the three years preceding any request by Provider, and the exceptions under 45 C.F.R. § 164.528(a)(1)(i) shall not apply. Notwithstanding the foregoing, if Business Associate has provided services to Provider for less than the three-year or six-year, as applicable, Business Associate shall be obligated to make available to Provider only the information relating to the period during which Business Associate provided services to Provider.

11. Amendment of and Access to PHI; Notification. In accordance with an individual’s right to access his or her own PHI under HIPAA, and that individual’s right to copy or append amendments to such records, Business Associate shall make available to Provider all PHI in a designated record set that it maintains, or to the individual to whom the information pertains, or to such individual’s representative, in each case upon the written request of Provider. Business Associate shall append amendments to PHI in a designated record set that Business Associate maintains in accordance with a written request, including any amendment to be appended to such records, from Provider.

12. Individual Authorizations; Restrictions. Provider shall notify Business Associate of any restriction on the use or disclosure of PHI that Provider has agreed to with an individual, or that is otherwise required by HIPAA, or that Provider has placed in its Notice of Privacy Practices, or of any changes in or revocation of an authorization or other permission by an individual, to the extent that such restriction, change or revocation may affect Business Associate’s use or disclosure of PHI. Provider shall notify Business Associate of any change in or revocation of any restriction on the use or disclosure of PHI that Provider had previously agreed to with an individual or that Provider had placed in its Notice of Privacy Practices.

13. Material Breach of Agreement. Pursuant to 45 C.F.R. 164.504(e)(1)(ii), if either Party knows or becomes aware of a pattern of activity or practice of the other Party that constitutes a material breach of the such Party’s obligations under this Addendum, such Party shall notify such other Party in writing, and both Parties shall, for a period of 60 days following receipt of such written notice and an explanation of the breach from the notifying Party, cooperate in good faith to take steps reasonably necessary to cure such breach; provided, however, that if such steps are unsuccessful, the non-breaching Party may, in addition to any other remedy: (a) terminate this Addendum, if feasible, or (b) if cure and termination are not feasible, discontinue use or disclosure of PHI to the extent feasible and report the breach to Secretary of DHHS.

14. Breach of Unsecured PHI. Pursuant to regulations promulgated under subpart D of part 164 of title 45, Code of Federal Regulations, as enacted by Section 13402(j) of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), Business Associate is hereby delegated the authority and responsibility, on behalf of Provider, to notify individuals of any breach of unsecured PHI, as determined in good faith by Business Associate in accordance with the HIPAA Breach Notification Policy attached to this Addendum as Exhibit A, which is hereby incorporated herein by reference.

15. Electronic Standards, Code Sets, and Security Regulations. If Business Associate conducts, in whole or in part, electronic transactions on behalf of Provider of the type covered by HIPAA regulations, including Standards for Electronic Transactions and Electronic Code Sets, Business Associate shall comply, and shall require any of its agents or subcontractors to comply, with each applicable requirement of such regulations.

16. Return of PHI. At the end of the term of this Addendum, Business Associate shall return or destroy all PHI received from, or created or received by Business Associate on behalf of, Provider that Business Associate maintains in any form and retain no copies of such information; provided that, if and to the extent Business Associate reasonably determines that such return or destruction is not reasonably feasible, Business Associate shall not be required to return or destroy such PHI, but Business Associate shall extend the protections of this Addendum to such PHI.

17. Data Use Agreement. If Business Associate is the recipient of a ‘limited data set’, as defined by HIPAA, or if Business Associate is engaged by Provider to create a limited data set for purposes of Provider’s health care operations, this Addendum shall also be considered to be a ‘data use agreement,’ as defined by HIPAA, that establishes the permitted uses and disclosures of the information by Business Associate as a limited data set recipient as required by HIPAA. To the extent that, and for as long as, it possesses limited data set information for or on behalf of Provider, Business Associate hereby agrees to fully comply with the requirements of HIPAA applicable with respect to limited data set information, including without limitation, 45 C.F.R. §164.514(e). The provisions of this Addendum relative to PHI shall also apply to limited data set information, if any, in the possession or control of Business Associate. Limited data set information may be used or disclosed by Business Associate only for the purposes of research, public health, or health care operations. Business Associate may not disclose limited data set information in a manner that would violate HIPAA if Business Associate were a covered entity thereunder. Business Associate may only disclose limited data set information to and permit the use of such information by other persons as may be agreed upon between Provider and Business Associate in writing from time to time. Business Associate shall not identify or attempt to identify the individual(s) to whom the limited data set information pertains or contact or attempt to contact the individual(s) that Business Associate believes to be the subject of any limited data set information.

18. HIPAA Amendments. In the event Congress or the U. S. Department of Health and Human Services amend HIPAA, this Addendum shall be deemed automatically amended to incorporate any supplemental, amended or modified requirements as are expressly applicable to Provider and/or Business Associate, effective on the effective date of such amendments. Without limiting the foregoing, the Parties agree to negotiate and cooperate in good faith in the execution of any amendments, agreements or other instruments deemed necessary or appropriate by the Parties in their reasonable discretion to carry out such HIPAA amendments.

19. Interpretation. This Addendum is an addendum to and a part of the Service Agreement and shall be interpreted in a manner consistent with the Service Agreement. In addition, the Addendum shall continue to apply to the Service Agreement as it may subsequently be amended or restated. In the event of any inconsistency between the provisions of the Service Agreement, as so amended and restated (if applicable), and this Addendum, the provisions of the Service Agreement shall control. This Addendum supersedes all prior agreements or understandings regarding the subject matter of this Addendum.


 

PROVIDER:

NORTHLAND DENTAL PARTNERS, PLLC *

By /s/ James Ludke

Its President

SERVICE COMPANY:

AMERICAN DENTAL PARTNERS OF MINNESOTA, LLC

By Ian H. Brock

Its Vice President

* For itself and on behalf of each Subsidiary as its sole member

 



Exhibit A

HIPAA BREACH NOTIFICATION POLICY

SCOPE:

This HIPAA Breach Notification Policy (the “Policy”) applies to Northland Dental Partners, LLC (“Provider”), and its subsidiaries, members, directors, officers, employees, agents, and business associates (as defined in HIPAA), including American Dental Partners of Minnesota, LLC (“Business Associate”).

PURPOSE:

This Policy has been developed to facilitate the Provider’s compliance with the requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH) component of the American Recovery and Reinvestment Act of 2009 (ARRA) concerning breach notification of unsecured protected health information (PHI). The purpose of this Policy is to outline a systematic process designed to notify patients of any breach of privacy or security with respect to any unsecured PHI that is received, created, retained, used or disclosed by Provider as a Covered Entity, its owners, members, directors, officers, employees, and business associates. The phrase “received, created, retained, used or disclosed” is interpreted to include many activities a Covered Entity may take with respect to PHI, including, but not limited to: accessing, maintaining, retaining, modifying, recording, storing, destroying, or otherwise holding, using or disclosing PHI.

DEFINITIONS:

The following definitions apply to all of the Provider’s privacy and security policies and procedures related to personal health information received, created, retained, used or disclosed by the Provider as a Covered Entity, Business Associate or any other business associate of the Provider.

Breach – The acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule (as defined below), which compromises the security or privacy of the PHI. The determination of whether any breach or potential breach compromises the security or privacy of the PHI shall be made in good faith by Business Associate on behalf of the Provider, taking into consideration an assessment of whether the potential breach poses a significant risk of financial, reputational, or other harm to the individual. The term “breach” does not include:

(i) any unintentional acquisition, access, or use of PHI by an employee or other workforce member of the Provider, or by a person acting under the authority of the Provider, such as a member of Business Associate’s workforce, if such acquisition, access, or use: (1) was made in good faith and within the course and scope of the employment or authority of such person, and (2) does not result in further use or disclosure in a manner not permitted under the Privacy Rule; or

(ii) any inadvertent disclosure by a person who is authorized to access PHI by the Provider or Business Associate, to another person authorized to access PHI at the Provider or Business Associate, or within an organized health care arrangement in which the Provider participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule; or

(iii) a disclosure of PHI where Business Associate or the Provider has determined or has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Breach Notification Rule – Regulations promulgated at subpart D of part 164, title 45, Code of Federal Regulations.

Business Associate – A person or entity who, on behalf of the Provider, or on behalf of an organized health care arrangement in which the Provider participates (“OHCA”), but other than in the capacity as an employee, performs or assists in the performance of: (a) a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; repricing; or any other function or activity regulated under HIPAA, or (b) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for Provider or such OHCA, where the provision of the service involves the disclosure of individually identifiable health information from Provider or such OHCA, or from another business associate of Provider or such OHCA, to the person or entity.

Covered Entity – (1) A health plan; (2) a health care clearinghouse; or (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

HIPAA – The Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191), 42 U.S.C. Section 1320d, et. seq., and regulations promulgated thereunder, as amended from time to time.

Privacy Officer – The person designated by the Provider, or, with Provider’s consent, by Business Associate as the manager of certain non-clinical parts of Provider’s dental practice, to oversee and administer the Provider’s compliance with HIPAA.

Privacy Rule – Regulations promulgated at subpart E of part 164, title 45, Code of Federal Regulations.

Protected Health Information, or PHI – PHI shall have the meaning prescribed to it under 45 C.F.R. § 160.103. Generally, this includes any oral, written or electronic individually-identifiable health information received, created, retained, used or disclosed by Provider as a Covered Entity. Individually-identifiable health information includes demographic information and is information created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. PHI does not include employment records held by a Covered Entity in its role as an employer.


Security Rule – Regulations promulgated at subpart C of part 164, title 45, Code of Federal Regulations.

Unsecured PHI – Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in guidance published by the Secretary of the Department of Health and Human Services (HHS).

Additional Definitions – Terms not otherwise defined herein, shall have the meanings set forth in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191), 42 U.S.C. Section 1320d, et. seq., and the HIPAA Privacy and Security Standards, 45 C.F.R. parts 160 and 164, as amended from time to time.

POLICY:

In the case of a breach of unsecured PHI, Business Associate, on behalf of the Provider, shall notify the affected patient(s) of the breach, without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the breach.

Limited Data Sets (as defined under HIPAA) (except those that exclude patient zip code and date of birth) are subject to this Policy and the required breach notification.

All Provider and Business Associate directors, officers, employees and agents are expected to work collaboratively to timely and accurately report any breach of unsecured PHI to the Privacy Officer and according to this Policy, ARRA, and any and all other federal and state laws and regulations. The Privacy Officer shall maintain all documentation related to any breach of unsecured PHI, for a minimum of six (6) years from the date of notification provided hereunder.

PROCEDURE:

Breach Analysis:

Upon discovering a potential breach, in order to determine if a breach has actually occurred, Business Associate, in consultation with Provider, shall conduct a breach analysis. Such analysis consists of:

 

1) determining whether the PHI was unsecure;

2) determining whether the PHI was used or disclosed in an unauthorized manner (in a manner not permitted under the Privacy Rule);

3) determining whether the unauthorized use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individuals; and

4) determining whether the incident falls under any of the three enumerated exceptions to a breach listed in the definition of “breach” above.

The following information, in addition to any other relevant facts and circumstances, should be considered when determining whether the unauthorized use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individuals/participants/patients (number 3, above): who impermissibly used or to whom the information was impermissibly disclosed; whether immediate steps have been taken to mitigate an impermissible use or disclosure such that the risk of harm has been eliminated or reduced to less than a significant amount of harm; and the type and amount of PHI involved in the impermissible use or disclosure. The risk assessment should be fact specific.

Business Associate, on behalf of Provider, shall document its breach analysis and maintain such documentation for a minimum of six (6) years.

Notification of Affected Individuals/Patients:

1. After a prompt investigation and breach analysis, without unreasonable delay and in no case later than sixty (60) calendar days of Business Associate or Provider (as the case may be) discovering a breach, Business Associate, on behalf of the Provider, shall provide written notice to each patient whose unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed as a result of such breach. In the following situations, the persons listed shall be notified:

 

a. If the patient is deceased, the patient’s next-of-kin or personal representative (e.g., appointed executor or administrator of the patient’s estate), in accordance with applicable law.

b. If the patient is incapacitated/incompetent, the patient’s personal representative (e.g., durable power of attorney for health care or legal guardian).

c. If the patient is an unemancipated minor, the parent or legal guardian.

2. Written notification must be sent by first-class mail to the last known address of the patient, or, if previously agreed to by the patient and not revoked, by encrypted electronic mail.

3. In the case where there is insufficient or out-of-date contact information that precludes written notification to the patient, substitute notice reasonably calculated to reach the patient shall be provided, in accordance with §164.404(d)(2) of title 45, Code of Federal Regulations.


4. In any case that Business Associate, on behalf of the Provider, determines that the patient should be notified urgently of a breach because of possible imminent misuse of unsecured PHI, Business Associate may, in addition to providing notice as outlined in steps 1-3 above, contact the patient by telephone or other means, as appropriate.

5. If a law enforcement official determines that a notification would impede a criminal investigation or cause damage to national security, such notification shall be delayed in the same manner as provided under §164.528(a)(2) of title 45, Code of Federal Regulations.

Media Notification:

1. In any case where a breach involves more than 500 patients who are residents of the same State or jurisdiction, Business Associate, on behalf of the Provider, shall notify prominent media outlets, without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the breach. The content of the media notice must meet the same requirements as the content of written notification to patients.

2. The Privacy Officer should work with Provider’s leadership and Business Associate management to coordinate any media notification required hereunder.

HHS Notification:

 

1. In any case of a breach involving less than 500 patients (regardless of the State or jurisdiction), Business Associate, on behalf of the Provider, must record the breach in a centralized log of all breaches of unsecured PHI that occurred during the calendar year and annually submit the log to HHS (with a copy to Business Associate’s corporate office) no later than sixty (60) calendar days after the end of the calendar year. Notice of breaches affecting less than 500 individuals must be submitted electronically by using the breach notification form located at this website address: http://transparency.cit.nih.gov/breach/index.cfm (or at any address located in subsequent guidance). A separate form must be completed for every breach that has occurred and has been logged on behalf of Provider during the calendar year. If Business Associate has submitted a breach notification form to the Secretary of HHS on behalf of Provider, and later discovers additional information to report, Business Associate may submit an additional form, checking the appropriate box to signal that it is an updated submission.

2. In any case of a breach involving 500 or more patients (regardless of the State or jurisdiction), Business Associate, on behalf of the Provider, shall, without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the breach, provide notification to the Secretary of the U. S. Department of Health and Human Services (HHS). The notice to HHS shall be provided contemporaneously with, and in addition to, the notification to patients. The notice must be submitted electronically by using the breach notification form located at this website address: http://transparency.cit.nih.gov/breach/index.cfm (or at any address located in subsequent guidance).


Content of Notification:

Regardless of the method by which the notice is provided to patients, notice of the breach must include:

1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.

2. A description of the types of unsecured PHI that were involved in the breach, such as whether or not the patient’s full name, Social Security Number, date of birth, home address, account number, diagnosis code or disability code or other types of information were involved. Only the generic type of PHI should be listed in the notice (i.e., “date of birth” rather than the patient’s actual birth date).

3. The steps the individual should take to protect themselves from potential harm resulting from the breach.

4. A brief description of what the Provider, or Business Associate on behalf of the Provider, is doing to investigate the breach, mitigate harm to the patients, and to protect against any further breaches.

5. Contact procedures for patients to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.

6. Any other information required by the Breach Notification Rule.

7. Provider is required to maintain documentation that all required notifications were made, for a minimum of six (6) years.

Notification by the Provider’s Business Associates:

All business associates of Provider (as defined above) shall be required, either by the applicable Business Associate Agreement entered into with Provider, or by adherence to this Policy, to notify Business Associate of any breach of unsecured PHI, without unreasonable delay and in no event later than five (5) business days after the discovery of the breach by the business associate or any director, officer, employee, or agent of the business associate (excluding the person who may have committed the breach). Provider shall immediately notify Business Associate of any notices of breach it receives from its other business associates.

State Law or Other Legal Requirements:

In the event of a breach of PHI, Business Associate, on behalf of Provider, shall review and take appropriate actions under any applicable state breach notification laws, and/or other federal laws that may be applicable to the incident.


POLICY OVERSIGHT:

This Policy shall be administered by the Privacy Officer in consultation with Business Associate. The Privacy Officer shall review this Policy annually for updates and revisions required in order to comply with applicable state, federal or local laws. Proposed modifications, updates, or revisions required by law shall be presented by the Privacy Officer to the Provider and Business Associate for approval.


Reference:
Securities and Exchange Commission - EDGAR Database, EX-10.50 7 dex1050.htm BUSINESS ASSOCIATE ADDENDUM, Viewed January 28, 2022.
