1. Scope and Purpose
This Business Associate Agreement ("BAA") supplements and is made part of the service agreement between Covered Entity and Business Associate. It establishes the terms under which Business Associate may create, receive, maintain, or transmit Protected Health Information ("PHI") on behalf of Covered Entity in connection with the translation, transcription, and language processing services provided by Morlivo (the "Services").
The parties acknowledge that Business Associate may access, use, or disclose PHI in the course of providing the Services, and this BAA sets forth the obligations of Business Associate with respect to such PHI pursuant to the applicable provisions of HIPAA, the HITECH Act, and their implementing regulations (collectively, the "HIPAA Rules").
2. Permitted Uses and Disclosures
Business Associate may use or disclose PHI only:
- As necessary to perform the Services described in the underlying service agreement.
- As required by law, including but not limited to disclosures required by the Secretary of the U.S. Department of Health and Human Services.
- For the proper management and administration of Business Associate, provided that any disclosure is required by law or Business Associate obtains reasonable assurances from any third party that the information will be held confidentially.
- To provide data aggregation services relating to the health care operations of Covered Entity, where expressly authorized in the service agreement.
Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if done by Covered Entity, except as expressly permitted in this BAA. Business Associate shall not use PHI for marketing purposes, sell PHI, or use PHI for underwriting purposes.
3. Safeguards
Business Associate shall implement and maintain administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI, including electronic PHI (ePHI), as required by the HIPAA Security Rule. These safeguards include but are not limited to:
- Encryption of ePHI at rest using AES-256 and of ePHI in transit using TLS 1.2 or higher.
- Role-based access controls restricting access to PHI to authorized personnel only.
- Comprehensive audit logging of all access to and modification of PHI.
- Regular risk assessments and vulnerability scanning.
- Workforce training on HIPAA requirements and security awareness.
- Secure disposal procedures for PHI no longer needed for the Services.
Business Associate shall ensure that any agent, including subcontractors, to whom it provides PHI agrees to the same restrictions and conditions that apply to Business Associate under this BAA, in accordance with 45 CFR § 164.502(e)(1)(ii).
4. Breach Notification
Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted by this BAA of which it becomes aware, including any Breach of Unsecured PHI as defined in 45 CFR § 164.402. Business Associate shall provide such notification without unreasonable delay and in no event later than thirty (30) calendar days after discovery of the Breach.
To the extent possible, the notification shall include:
- The identity of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed.
- A description of the nature of the Breach, including the types of PHI involved.
- The date of the Breach and the date of its discovery.
- A description of the steps Business Associate has taken to investigate and mitigate the Breach and to prevent future recurrence.
- Contact information for an individual who can provide additional details.
5. Term and Termination
This BAA shall be effective as of the date of execution and shall remain in effect for the duration of the underlying service agreement, unless earlier terminated as provided herein.
Either party may terminate this BAA if it determines that the other party has violated a material term of this BAA. The non-breaching party shall provide the breaching party with written notice of the violation and afford thirty (30) days to cure. If cure is not feasible, the non-breaching party may immediately terminate both this BAA and the underlying service agreement.
Upon termination, Business Associate shall, at the election of Covered Entity, return or destroy all PHI received from or created on behalf of Covered Entity. If return or destruction is not feasible, Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible.
6. Obligations of Covered Entity
- Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices that may affect Business Associate's use or disclosure of PHI.
- Covered Entity shall notify Business Associate of any changes in, or revocation of, an individual's authorization to use or disclose PHI, to the extent such changes may affect Business Associate's permitted uses and disclosures.
- Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules.
7. Miscellaneous
This BAA shall be governed by and construed in accordance with applicable federal law, including the HIPAA Rules. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules. This BAA constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, whether written or oral, relating to the same subject matter.