|
BUSINESS ASSOCIATE AGREEMENT
<br />1. Preamble and Definitions.
<br />1.1 Pursuant to the Health Insurance Portability and Accountability Act of 1996, as
<br />amended ("HIPAA"), the City of South Bend ("Covered Entity"), an Indiana municipal
<br />corporation, acting by and through its Board of Public Works, and enFocus ('Business
<br />Associate"), an Indiana nonprofit corporation (each a "Party" and together, the "Parties), enter
<br />into this Business Associate Agreeniejit ("BAA") as of J�W� 19(tl�te "Effective
<br />Date") that addresses the HIPAA requirements with respect. to "business associates," as
<br />defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R.
<br />Part 160 and Part 164 ("HIPAA Rules"). A reference in this BAA to a section in the HIPAA
<br />Rules means the section as in effect or as amended.
<br />1.2 This BAA is intended to ensure that Business Associate will establish and
<br />implement appropriate safeguards for the protected health information (the "PHI") (as defined
<br />under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or
<br />disclose in connection with the functions, activities, and services that Business Associate
<br />performs for Covered Entity. The functions, activities, and services that Business Associate
<br />performs for Covered Entity are described, in part, in that certain Consulting Agreement dated
<br />December 20, 2018, as amended or renewed from time to time, and any and all other
<br />agreements between Covered Entity and Business Associate now in effect or which may be
<br />entered into following the Effective Date of this BAA (collectively, the "Underlying
<br />Agreements").
<br />1.3 Pursuant to changes required under the Health Information Technology for
<br />Economic and Clinical Health Act of 2009 (the "HITECH Act") and under the American
<br />Recovery and Reinvestment Act of 2009 ("ARRA"), this BAA also reflects federal breach
<br />notification requirements imposed on Business Associate when unsecured protected health
<br />information ("Unsecured PHI") (as defined under the HIPAA Rules) is acquired by an
<br />unauthorized party, and the expanded privacy and security provisions imposed on business
<br />associates.
<br />1.4 Unless the context clearly indicates otherwise, the following terms in this BAA
<br />shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation,
<br />Designated Record Set, disclosure, Electronic Media, Electronic Protected Health Information
<br />(ePHI), Health Care Operations, individual, Notice of Privacy Practices, Required By Law,
<br />Secretary, Security Incident, Subcontractor, Unsecured PHI, and use.
<br />1.5 A reference in this BAA to the Privacy Rule means the Privacy Rule, in
<br />conformity with the regulations at 45 C.F.R. Parts 160-164 (the "Privacy Rule") as interpreted
<br />under applicable regulations and guidance of general application published by HHS, including
<br />all amendments thereto for which compliance is required, as amended by the HITECH Act,
<br />ARRA, and the HIPAA Rules.
<br />
|