Subcontractor Business Associate Agreement
This Business Associate Agreement ("Agreement") is incorporated by reference into the underlying agreement between QTC Medical Services, Inc. dba Leidos QTC Health Services ("Business Associate") and Subcontractor for the provision of services or products ("Underlying Agreement"). This Agreement applies to Subcontractor, which includes all of its current and future lines of business, affiliates, and subsidiaries that may create, receive, maintain, or transmit Protected Health Information on behalf of Subcontractor. By entering into the Underlying Agreement, Subcontractor agrees to the terms of this Agreement.
RECITALS
Business Associate and Subcontractor have entered into one or more arrangements and may in the future enter into additional arrangements (collectively, the “Underlying Contracts”) pursuant to which Subcontractor provides various items and/or services to Business Associate and may create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate.
In accordance with the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively “HIPAA”), Business Associate has entered into one or more agreements with Covered Entities in which Business Associate has agreed to comply with applicable provisions of HIPAA and to contractually pass on such requirements to subcontractors.
Business Associate and Subcontractor are committed to complying with the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively “HIPAA”).
AGREEMENT
In consideration of the promises contained in this Agreement and the Underlying Contracts and for other good and valuable consideration, the delivery and sufficiency of which is acknowledged, the parties agree as follows:
Definitions
All capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as in the HIPAA regulations.
“Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
“Protected Health Information” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103 that is created, received, maintained, or transmitted by Subcontractor on behalf of Business Associate.
Permitted Uses and Disclosures by Subcontractor
Performance of Main Agreement. Except as otherwise limited in this Agreement, Subcontractor may Use or Disclose Protected Health Information in its possession to perform functions, activities, or services for, or on behalf of, Business Associate as necessary to provide the items or services specified in the Underlying Contracts, provided that such Use or Disclosure would not violate HIPAA if done by Business Associate.
Use for Proper Management and Administration. Except as otherwise limited in this Agreement, Subcontractor may Use Protected Health Information for the proper management and administration of Subcontractor or to carry out the legal responsibilities of Subcontractor.
Disclosure for Proper Management and Administration. Except as otherwise limited in this Agreement, Subcontractor may Disclose the Protected Health Information in its possession to a third party for the proper management and administration or to fulfill any legal responsibilities of Subcontractor, provided that:
The Disclosure is Required by Law; or
Subcontractor has received from the third party reasonable written assurances that: (1) the information will remain confidential and will be Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the party; and (2) the third party will notify Subcontractor of any instances of which it becomes aware in which the confidentiality of the information has been breached.
Obligations and Activities of Subcontractor
Prohibition on Other Uses and Disclosures. Subcontractor shall not Use or Disclose Protected Health Information other than as permitted or required by this Agreement.
Safeguards to Prevent Impermissible Use and Disclosure of PHI. Subcontractor agrees to use appropriate administrative, physical, and technical safeguards to prevent Use or Disclosure of the Protected Health Information other than as provided for by this Agreement.
Security Rule Compliance. Subcontractor agrees to comply with the applicable requirements of the Security Standards for Protection of Electronic Protected Health Information, 45 C.F.R. Part 164 Subpart C (the “Security Rule”), including using appropriate administrative, physical, and technical safeguards to safeguard the confidentiality, integrity, and availability of Electronic Protected Health Information.
Reporting. Subcontractor agrees to report to Business Associate:
Reporting of Impermissible Uses and Disclosures. Any Use or Disclosure of Protected Health Information not provided for by this Agreement, including Breaches of Unsecured Protected Health Information; and/or
Reporting of Security Incidents. Any Security Incident, provided that this section shall hereby serve as notice, and no additional reporting shall be required, of any unsuccessful attempts at unauthorized Access, Use, Disclosure, modification, or destruction of information or unsuccessful interference with system operations in an information system.
Breaches of Unsecured Protected Health Information. For any Breach of Unsecured Protected Health Information, Subcontractor agrees to supplement the above report with the information required by, and within the timeframe specified by, 45 C.F.R. § 164.410.
Further Subcontractors. Subcontractor shall ensure that any agents or subcontractors that create, receive, maintain, or transmit Protected Health Information on Subcontractor’s behalf agree in writing to the same restrictions, conditions, and obligations that apply to Subcontractor under this Agreement with respect to such Protected Health Information.
Internal Records. Subcontractor agrees to make its internal practices, books, and records relating to the Use and Disclosure of Protected Health Information received from, or created or received by Subcontractor on behalf of Business Associate, available to the Secretary of the Department of Health and Human Services (“Secretary”) for the purposes of the Secretary determining compliance with HIPAA. Nothing in this section shall be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information.
Access to Designated Record Sets. Subcontractor, upon request by Business Associate, will make Protected Health Information in a Designated Record Set available to Business Associate or, at the request of Business Associate, the Individual, as necessary to allow Business Associate’s Covered Entity clients to comply with their obligations to provide Individuals access to their health information as required by 45 C.F.R. § 164.524.
Amendment of Designated Record Sets. Subcontractor, upon request by Business Associate, will make Protected Health Information in a Designated Record Set available to Business Associate and will incorporate any amendments to such information as instructed by Business Associate, as necessary to allow Business Associate’s Covered Entity clients to comply with their amendment obligations as required by 45 C.F.R. § 164.526.
Accounting of Disclosures. Subcontractor will maintain and, upon request by Business Associate, provide Business Associate with the information necessary for Business Associate to provide an Individual with an accounting of Disclosures as required by 45 C.F.R. § 164.528.
Delegation of Privacy Rule Obligations. To the extent that Subcontractor is to carry out one or more of a Business Associate’s Covered Entity client’s obligations under the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 164 Subpart E (the “Privacy Rule”), including but not limited to the provision of a notice of privacy practices on behalf of Business Associate, Subcontractor shall comply with the requirements of the Privacy Rule that apply to Business Associate’s Covered Entity client in the performance of such obligations.
Offshore Access. Subcontractor shall not store, process, or otherwise access Protected Health Information outside of the United States, or allow any of its personnel or agents to do so, without prior written consent from Business Associate.
Personnel Requirements. Subcontractor shall ensure that its employees, officers, and agents who are permitted to access Protected Health Information receive training annually on the Privacy Act, HIPAA, and the federal regulations on confidentiality of alcohol and drug abuse individual records, 42 C.F.R. Part 2.
Encryption. Subcontractor shall use FIPS 140-2/140-3 validated encryption for Protected Health Information at rest and in transit, including on mobile devices, removable media, and backups. Subcontractor shall not store Protected Health Information on unencrypted portable media.
Term and Termination
Term. The term of this Agreement shall commence as of the Effective Date and shall terminate when all Underlying Contracts have terminated.
Termination. Upon Business Associate’s knowledge of a breach of this Agreement by Subcontractor or its agents or subcontractors, Business Associate may terminate the Underlying Contracts: (i) immediately if Business Associate determines that there is a continuing risk to the confidentiality, integrity, or availability of Protected Health Information that cannot be immediately cured; or (ii) after Business Associate has notified Subcontractor of the breach and provided at least 30 calendar days for Subcontractor to cure the breach if Subcontractor has not cured the breach in such period of time.
Effect of Termination.
Except as provided in section 4.3.2 of this section, upon termination of this Agreement or the Underlying Contracts for any reason, Subcontractor shall promptly return or destroy all Protected Health Information created or received by Subcontractor in connection with providing the services under the Agreement. If Subcontractor elects to destroy the Protected Health Information, Subcontractor shall certify in writing to Business Associate that such Protected Health Information has been destroyed in accordance with NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization. This provision shall also apply to Protected Health Information that is in the possession of Subcontractor’s agents. Subcontractor shall retain no copies of the Protected Health Information.
In the event that returning or destroying the Protected Health Information obtained by Subcontractor is not feasible, then Subcontractor shall extend the protections of this Agreement to such Protected Health Information and limit further Uses and Disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for as long as Subcontractor maintains such Protected Health Information. This Section shall survive the termination of this Agreement or the Underlying Contract.