HIPAA Compliance Print
HIPAA COMPLIANCE 
“BUSINESS ASSOCIATE”
ADDENDUM
This Addendum is entered into between [NAME] (“Hospital”) and the Rural Comprehensive Care Network of Nebraska (“RCCN”).  This Addendum is intended to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Standards for Privacy of Individually Identifiable Health Information promulgated under 45 CFR Parts 160 and 164 (“Privacy Standards”).  This Addendum supplements the Patient Satisfaction Survey Agreement between Hospital and RCCN (the “Survey Services Agreement”).   
In further consideration of the mutual promises of and benefits to the Parties as set forth in the Survey Services Agreement, it is agreed to as follows:
1.Term.  Except as otherwise provided for herein, this Addendum will continue in full force and effect through the term of the Survey Services Agreement between RCCN and Hospital.

2.Representations.

2.1.Hospital and RCCN each represent that it is not, and at no time has been, excluded from participation in any federally funded health care program, including Medicare and Medicaid.

2.2.RCCN represents that if at any time RCCN, or an individual employed by RCCN, is debarred, excluded, or otherwise prohibited from participation in any federal or state health care program, or is convicted of a criminal offense related to health care, RCCN will immediately provide written notice to Hospital and RCCN, or such individual, will immediately cease from providing services under the Survey Services Agreement between the Parties.

2.3.Hospital and RCCN each represent and warrant to each other that all services to be provided hereunder will fully comply with all applicable federal, state, and local statutes, rules, and regulations, including without limitation, all applicable statutes, rules, and regulations under Medicare, Medicaid, and any other federal or state health program; HIPAA and the Privacy Standards; and all amendments or changes to such statutes, rules, and regulations.

3.Definitions.  As used in this subsection, the terms below will have the meanings as stated thereafter:

3.1.“Patient” means the individual receiving services from Hospital, or the individual receiving services from RCCN as a result of a contract between RCCN and Hospital for such services. 

3.2.“Disclose” and “Disclosure” mean, with respect to Protected Health Information (defined below), the release, transfer, provision of, access to, or divulging in any other manner a Patient’s Protected Health Information to persons other than employees of RCCN.

3.3. “Protected Health Information” and “PHI” mean information, including demographic information, that: (a) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past present or future payment for the provision of health care to an individual; (b) identifies the individual (or for which there is a reasonable basis for believing that the information can be used to identify the individual); and (c) is received by RCCN from or on behalf of Hospital, or is created by RCCN, or is made accessible to RCCN by Hospital.

3.4.“Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination or analysis of PHI.

4.Use and Disclosure.  During the term of any Agreement between the Parties, RCCN may have access to a Patient’s PHI.  RCCN will not Use or Disclose PHI for any purpose, other than: (a) to fulfill RCCN obligations under any contract(s) with Hospital, (b) if necessary, for RCCN’S proper management and administration, or to carry out RCCN legal responsibilities, (c) with Hospital’s authorization, or (d) if authorized or required by law to do so, provided however, that if RCCN is so authorized or required, then RCCN will first give Hospital a reasonable opportunity to contest the disclosure, and if necessary, obtain a protective order.  RCCN further agrees as follows:

4.1.1.Adequate Safeguards for PHI.  RCCN will implement and maintain appropriate safeguards to prevent the Use or Disclosure of PHI in any manner other than as permitted by this Addendum.

4.1.2.Reporting Non-Permitted Use or Disclosure. RCCN will immediately notify Hospital’s Privacy Officer of each Use or Disclosure, of which it becomes aware, that is made by RCCN, RCCN employees, representatives, agents or RCCN that is not specifically permitted by this Addendum.

4.1.3.Other Contractors and Agents.  RCCN will require each of RCCN agents and contractors that receive PHI from RCCN to execute a written agreement obligating the agent or contractor to comply with all the conditions and restrictions of this Section.

4.1.4.Inspection and Copying of PHI.  RCCN will make PHI specified by Hospital available to those individual(s), including the Patient, identified by Hospital as entitled to inspect and copy PHI, subject to any limitations for inspection imposed by HIPAA, the Privacy Standards, or otherwise by law.

4.1.5.Amendment of PHI.  RCCN will make PHI available to Hospital for the purpose of amending PHI, and will incorporate such amendments into PHI within the time, and in the manner, specified by Hospital.

4.1.6.Accounting Disclosures.  Upon Hospital’s request, RCCN will provide to Hospital an accounting of each Disclosure of PHI made by RCCN or RCCN employees, agents, representatives or contractors.  Any accounting provided by RCCN under this Section will include: (a) the date of the Disclosure; (b) the name, and address if known, of the entity or person who received PHI; (c) a brief description of PHI disclosed; and (d) a brief statement of the purpose of the Disclosure.  For each Disclosure that could require an accounting under this Section, RCCN will document the information specified in (a) through (d) above, and will securely retain this documentation for six (6) years from the date of the Disclosure.

4.1.7.Availability of Internal Practices Books and Records to  Government  Agencies.  RCCN agrees to make RCCN internal practices, books and records relating to the Use and Disclosure of any PHI received from Hospital, or received or created on behalf of Hospital, available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Hospital’s compliance with HIPAA and the Privacy Standards.  RCCN will immediately notify Hospital of any requests made by the Secretary and provide Hospital with copies of all documents produced in response to such request.

4.1.8.Disposition of PHI Upon Termination or Expiration.  Upon termination or expiration of any contract for services between the Parties, RCCN will either return or destroy, in Hospital’s sole discretion and in accordance with any instructions by Hospital, all PHI in the possession or control of RCCN, RCCN’s agents, and RCCN’s subcontractors.  However, if RCCN determines that neither the return nor destruction of PHI is feasible, RCCN may retain PHI provided that RCCN complies with those reasonable restrictions imposed by Hospital.

4.1.9.Survivability.  This Section will survive the termination of this Addendum, and any contract(s) of any kind between the Parties.

4.1.10.Privacy Officer.  If RCCN has any questions, or is required to report an unauthorized Use or Disclosure of PHI, then RCCN agrees to contact Hospital’s Privacy Officer.

5.Termination of Contracts.  In addition to any rights Hospital may otherwise have to terminate the Survey Services Agreement with RCCN, Hospital shall have the additional right to terminate the Survey Services Agreement if RCCN is in material breach of this Addendum, as determined in the sole discretion of Hospital.