BUSINESS ASSOCIATE AGREEMENT

Between the Covered Entity and the Accreditation Commission
for Acupuncture and Oriental Medicine
 
   
 

This Agreement governs the provision of Protected Health Information (PHI) (as defined in 45 C.F.R. Section 164.50) by                                                                                                            (Covered Entity/program) to the Accreditation Commission for Acupuncture and Oriental Medicine (Accrediting Entity or ACAOM) for its use and disclosure in accrediting all professional acupuncture and/or Oriental medicine degree and certificate programs.   The accreditation process for all the above programs is described in the “Accreditation Handbook,” on ACAOM’s web site, and documents referenced therein.
    
  Whereas, Accrediting Entity provides certain accreditation-related services to the Covered Entity and, in connection with the provision of those services, the Covered Entity discloses to Accrediting Agency PHI that is subject to the protections under the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
   
 

Whereas,                                                                                                           is a “Covered Entity” as that term is defined in the HIPAA implementing regulations 45 C.F.R. Part 160 and Part 164, Subparts A and E, the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”); Whereas, the Accrediting Entity, as the recipient of PHI from Covered Entity, is a “Business Associate” of the Covered Entity as the term “Business Associate” is defined in the Privacy Rule; Whereas, pursuant to the Privacy Rule, all Business Associates of Covered Entities must agree in writing to certain mandatory provisions regarding the use and disclosure of PHI; and Whereas, the purpose of this Agreement is to comply with the requirements of the Privacy Rule, including, but not limited to, the Business Associate contract requirements at 45 C.F.R., Section 164.502(e), 164.504(e), and as may be amended;  NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein, the parties agree as follows:

 
     

1.

Definitions.  Unless otherwise provided in the Agreement, capitalized terms have the same meanings as set forth in the Privacy Rule.
 

2.

Scope of Use and Disclosure by Accrediting Entity of Protected Health Information.

A.

Accrediting Entity shall be permitted to make Use and Disclosure of PHI that is disclosed to it by Covered Entity as necessary to perform its obligations under Accrediting Entity’s established policies, procedures and requirements.

B.

Unless otherwise limited herein, in addition to any other Uses and/or Disclosures permitted or authorized by this Agreement or required by law, Accrediting Entity may:

1.

use PHI in its possession for its proper management and administration and to fulfill any legal responsibilities of the Accrediting Entity;  

2.

disclose the PHI in its possession to a third party for the purpose of Accrediting Entity’s proper management and administration, or to fulfill any legal responsibilities of Accrediting Entity; provided, however, that the disclosures are Required By Law or Accrediting Entity has received from the third party written assurances that (a) the information will be held confidentially and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the third party; and (b) the third party will notify the Accrediting Entity of any instances of which it becomes aware in which the confidentiality of the information has been breached;

3.

engage in Data Aggregation activities, consistent with the Privacy Rule; and

4.

de-identify any and all PHI created or received by the Accrediting Entity under the Agreement; provided that the de-identification conforms to the requirements of the Privacy Rule.

      
3.

Obligations of Accrediting Entity.  In connection with its Use and Disclosure of PHI, Accrediting Entity agrees that it will:

 

A.

Use or further disclose PHI only as permitted or required by this Agreement or as Required By Law.

 

B.

Use reasonable and appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.

 

C.

To the extent practicable, mitigate any harmful effect that is known to Accrediting Entity of a Use or Disclosure of PHI by Accrediting Entity in violation of this Agreement;

 

D.

Promptly report to Covered Entity any Use or Disclosure of PHI not provided for by this agreement of which Accrediting Entity becomes aware;

 

F.

Require contractors or agents to whom Accrediting Entity provides PHI to agree to the same restrictions and conditions that apply to Accrediting Entity pursuant to this Agreement;

 

E.

Make available to the Secretary of Health and Human Services Accrediting Entity’s internal practices, books, records relating to the Use and Disclosure of PHI for purposes of determining Covered Entity’s compliance with the Privacy Rule, subject to any applicable legal privileges;

 

G.

Within fifteen (15) days or receiving a request from Covered Entity, make available the information necessary for Covered Entity to make an accounting of Disclosures of PHI about an individual in a Designated Record Set;

 

H.

Within ten (10) days of receiving a written request from Covered Entity, make available PHI in a Designated Record Set necessary for Covered Entity to respond to individuals’ requests for access to PHI about them that is not in the possession of the Covered Entity;

 

I.

Within fifteen (15) days of receiving a written request from Covered Entity incorporate any amendments or corrections to the PHI in a Designated Record Set in accordance with the Privacy Rule;

 

J.

Not make any disclosures of PHI that Covered Entity would be prohibited from making.

      
4. Obligations of Covered Entity.  Covered Entity agrees that it:
  A.

Has included, and will include, in Covered Entity’s Notice of Privacy Practices required by the Privacy Rule that Covered Entity may disclose PHI for health care operation purposes;
  B.

Has obtained, and will obtain, from Individuals any consents, authorizations and other permissions necessary or required by the laws applicable to Covered Entity for Accrediting Entity and Covered Entity to fulfill their obligations under this Agreement;

  C.

Will promptly notify Accrediting Entity in writing of any restrictions of the Use and Disclosure of PHI about Individuals that Covered Entity has agreed to that may affect Accrediting Entity’s ability to perform its obligations under this Agreement;

  D.

Will promptly notify Accrediting Entity in writing of any changes in, or revocation of, permission by an Individual to use or disclose PHI, if such changes or revocation may affect Accrediting Entity’s ability to perform its obligations under this Agreement.

     
5.

Termination:
A.

Termination for Cause.   Upon Covered Entity’s knowledge of a material breach by Accrediting Entity, Covered Entity shall either:

1.

provide an opportunity for Accrediting Entity to cure the breach or end the violation and terminate this Agreement if Accrediting Entity does not cure the breach, or end the violation within the time specified by the Covered Entity;

2. immediately terminate this Agreement if Accrediting Entity has breached a material term of this Agreement and cure is not possible;
3.

if neither termination nor cure are feasible, Covered Entity shall report the violation to the Secretary of Health and Human Services.
 
B.

Automatic Termination.   This Agreement will automatically terminate upon the cessation of
[school or facility] conducting accredited activities.

 
C. Effect of Termination.
1.

Except as provided in paragraph (2) of this section, upon termination of this Agreement for any reason, Accrediting Entity shall return or destroy all PHI received from the Covered Entity, or created or received by Accrediting Entity on behalf of Covered Entity that Accrediting Entity still maintains and retain no copies of such PHI;  

2.

In the event that Accrediting Entity determines that returning or destroying the PHI is infeasible, Accrediting Entity shall provide to Covered Entity notification of the conditions that make return or destruction infeasible.   Accrediting Entity shall then extend the protections of this Agreement to the PHI and limit further Use and Disclosure to those purposes that make the return or destruction of the information infeasible, for so long as the Accrediting Entity maintains such PHI.

     
6.

Amendment.   Accrediting Entity and Covered Entity agree to take such action as is necessary to amend this Agreement for Covered Entity to comply with the requirements of the Privacy Rule or other applicable law.

7.

Survival.   The obligations of Accrediting Entity under Section 5.C. of this Agreement shall survive any termination of this Agreement.  

8.

No Third Party Beneficiaries.   Nothing express or implied in this Agreement is intended to confer, nor wall anything herein confer, upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.  

9.

Other Applicable Law.   This Agreement does not, and is not intended to, abrogate any responsibilities of the parties under any other applicable law.    This Agreement shall be interpreted in accordance with the laws of the State of Maryland.

10.

Effective Date.   This Agreement shall be effective on                                                  

   
 
SName of Program /Institution  Accreditation Commission for Acupuncture & Oriental Medicine
By:___________________________________      By:____________________________________   
Name:_______________________________ Name:_________________________________   
Title: ________________________________ Title: __________________________________   
Date:  ________________________________ Date: __________________________________