ATTACHMENT E BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is entered into by and between the State of Vermont Agency of Human Services, operating by and through its Department of Vermont Health Access (“Covered Entity”) and OptumInsight, Inc. (“Business Associate”) as of June 6, 2014 (“Effective Date”). This Agreement supplements and is made a part of the contract/grant to which it is attached. Covered Entity and Business Associate enter into this Agreement to comply with standards promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the Standards for the Privacy of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164 (“Privacy Rule”), and the Security Standards, at 45 CFR Parts 160 and 164 (“Security Rule”), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH), and any associated federal rules and regulations. The parties agree as follows:

Business Associate Contract
A. GENERAL PROVISIONS AND RECITALS

Business Associate Agreement
This Agreement may require the exchange of information covered by the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). A Business Associate Agreement (“BAA”) executed by the Parties is attached as Appendix [Letter C/D/E etc.].

Business Associate
“Business Associate” shall have the same meaning as the term “business associate” at 45 C.F.R. 160.103, and shall refer to Contractor.

Business Associate Addendum
The Parties acknowledge and agree that Medical Practice is a Covered Entity and Modernizing Medicine is a Business Associate under HIPAA and each Party shall comply with the Party’s respective obligations under HIPAA. Without limiting the foregoing, each Party shall comply with the Business Associate Addendum attached to these Terms and Conditions as Exhibit A (the “Business Associate Addendum”). The Business Associate Addendum is hereby incorporated into this Agreement.

Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
(a) Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of protected health information.

Business Associate Obligations
Business Associate agrees to comply with applicable federal confidentiality and security laws, specifically the provisions of the HIPAA Rules and the HITECH Act applicable to business associates, including:

Business Associate’s Agents
To ensure that any agents, including subcontractors, to whom Business Associate provides PHI received from or created or received by Business Associate on behalf of County, agree to the same restrictions and conditions that apply to Business Associate with respect to such PHI, including implementation of reasonable and appropriate administrative, physical, and technical safeguards to protect such PHI; and to incorporate, when applicable, the relevant provisions of this Addendum into each subcontract or subaward to such agents or subcontractors.

Responsibilities of Business Associate
Business Associate agrees:

Permitted Uses and Disclosures by Business Associate
1. Business Associate may only use or disclose protected health information as necessary to perform the services as outlined in the underlying agreement.