1. 范围和目的
This Business Associate Agreement ("BAA") supplements and is made part of the service agreement between Covered Entity and Business Associate. It establishes the terms under which Business Associate may create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity in connection with the translation, transcription, and language processing services provided by Morlivo (the "Services").
The parties acknowledge that Business Associate may access, use, or disclose PHI in the course of providing the Services, and this BAA sets forth the obligations of Business Associate with respect to such PHI pursuant to the applicable provisions of HIPAA, the HITECH Act, and their implementing regulations (collectively, the "HIPAA Rules").
2. 允许的使用和披露
业务伙伴只能在以下情况下使用或披露 PHI:
- 执行基础服务协议中描述的服务所必需的。
- 根据法律要求,包括但不限于美国卫生与公众服务部部长要求的披露。
- 为了正确管理和管理业务伙伴,前提是法律要求进行任何披露,或者业务伙伴从任何第三方获得合理保证,信息将得到保密。
- 如果服务协议中有明确授权,则提供与涵盖实体的医疗保健运营相关的数据聚合服务。
Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted in this BAA. Business Associate shall not use PHI for marketing purposes, sell PHI, or use PHI for underwriting purposes.
3. 保障措施
Business Associate shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI (ePHI), as required by the HIPAA Security Rule. These safeguards include but are not limited to:
- 使用 AES-256 对静态 ePHI 进行加密,并使用 TLS 1.2 或更高版本对传输中的 ePHI 进行加密。
- 基于角色的访问控制仅限授权人员访问 PHI。
- 对 PHI 的所有访问和修改进行全面审计记录。
- 定期风险评估和漏洞扫描。
- 关于 HIPAA 要求和安全意识的员工培训。
- 服务不再需要 PHI 的安全处置程序。
Business Associate shall ensure that any agent, including subcontractors, to whom it provides PHI agrees to the same restrictions and conditions that apply to Business Associate under this BAA, in accordance with 45 CFR § 164.502(e)(1)(ii).
4. 违规通知
Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which it becomes aware, including any Breach of Unsecured PHI as defined in 45 CFR § 164.402. Business Associate shall provide such notification without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the Breach.
通知应尽可能包括:
- 其无担保 PHI 已被访问、获取、使用或披露的每个个人的身份,或有理由相信已被访问、获取、使用或披露。
- 对违规性质的描述,包括涉及的 PHI 类型。
- 违规日期及其发现日期。
- 描述业务伙伴为调查和缓解违规行为并防止未来再次发生而采取的步骤。
- 可以提供更多详细信息的个人的联系信息。
5. 期限和终止
This BAA shall be effective as of the date of execution and shall remain in effect for the duration of the underlying service agreement, unless earlier terminated as provided herein.
Either party may terminate this BAA if it determines that the other party has violated a material term of this BAA. The non-breaching party shall provide the breaching party with written notice of the violation and afford thirty (30) days to cure. If cure is not feasible, the non-breaching party may immediately terminate both this BAA and the underlying service agreement.
Upon termination, Business Associate shall, at the election of Covered Entity, return or destroy all PHI received from or created on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
6. 涵盖实体的义务
- 适用实体应将其隐私惯例通知中可能影响业务伙伴使用或披露 PHI 的任何限制通知业务伙伴。
- 适用实体应通知业务伙伴个人使用或披露 PHI 授权的任何变更或撤销,只要此类变更可能影响业务伙伴的允许使用和披露。
- 适用实体不得要求业务伙伴以任何违反 HIPAA 规则的方式使用或披露 PHI。
7. 其他
This BAA shall be governed by and construed in accordance with applicable federal law, including the HIPAA Rules. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules. This BAA constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, whether written or oral, relating to the same subject matter.