BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (“BA Agreement”) is a legal agreement between the North Carolina school district you represent (“Covered Entity”) and Fairbanks LLC (“Business Associate”), effective as of the day that Covered Entity accepts this BA Agreement (“Effective Date”).  Covered Entity and Business Associate are collectively referred to as the “Parties”.

RECITALS

WHEREAS, Business Associate and Cumberland County Board of Education (“Cumberland”) have entered into a Consulting Agreement dated August 9, 2011 (the “Consulting Agreement”), pursuant to which, among other things, Business Associate has agreed to perform services for Cumberland in furtherance of Cumberland’s efforts to obtain reimbursement of Medicaid Administrative Claims for itself and other North Carolina participating school districts (including Covered Entity); and

WHEREAS, as part of the Consulting Agreement, Business Associate performs or assists in performing a function or activity on behalf of Covered Entity that involves the use and/or disclosure of Protected Health Information (as defined in 45 C.F.R. § 164.501 and § 160.103); and

WHEREAS, the Parties desire to enter into this BA Agreement regarding the use and/or disclosure of Protected Health Information as required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) and the Standards for Security of Electronic Protected Health Information (the “Security Rule”) promulgated thereunder, and the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII and Division B, Title IV, of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5) (the “HITECH Act”) and the Standards for Breach Notification of Unsecured Protected Health Information promulgated thereunder (the “Breach Notification Rule”).

NOW THEREFORE, in consideration of the representations, warranties and covenants contained herein, and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereto agree as follows:

AGREEMENT

1.  Terms Used.

Terms used but not otherwise defined in this BA Agreement shall have the same meaning given to such terms in HIPAA, the HITECH Act, or any implementing regulations promulgated thereunder, including but not limited to the Privacy Rule, Security Rule and Breach Notification Rule.

2.  Confidentiality and HIPAA.

The Parties shall comply with all applicable federal and state laws governing the confidentiality and privacy of health information including, without limitation, the Privacy Rule.

2.1  Obligations of Business Associate.

2.1.1  Use and Disclosure of Protected Health Information.

Business Associate warrants that Business Associate, its agents and subcontractors:  (a) shall use or disclose Protected Health Information only in connection with fulfilling its duties and obligations under this BA Agreement and the Consulting Agreement; (b) shall not use or disclose Protected Health Information other than as permitted or required by this Agreement or Required by Law (as defined in 45 C.F.R. § 164.501 and § 164.103); and (c) shall not use or disclose Protected Health Information in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by Covered Entity. 

Subject to the restrictions set forth in the previous paragraph and throughout this BA Agreement, Business Associate may use or disclose the Protected Health Information received from Covered Entity if necessary for (a) the proper management and administration of Business Associate; (b) to carry out the legal responsibilities of Business Associate; or (c) to provide Data Aggregation (as defined in 45 C.F.R. § 164.501) services to Covered Entity as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B).

Business Associate acknowledges that, as between Business Associate and Covered Entity, all Protected Health Information shall be and remain the sole property of Covered Entity, including any and all forms thereof developed by Business Associate in the course of its fulfillment of its obligations pursuant to the BA Agreement and Consulting Agreement.

Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Protected Health Information that it creates, receives, maintains or transmits on behalf of Covered Entity.  Business Associate covenants that such safeguards include, without limitation, implementing written policies and procedures in compliance with HIPAA and the HITECH Act conducting a security risk assessment, and training Business Associate employees who will have access to Protected Health Information with respect to the policies and procedures required by HIPAA and the HITECH Act.

2.1.2  Availability of Books and Records.

Business Associate shall make available to the Secretary of the Department of Health and Human Services or his/her designee Business Associate’s internal practices, books and records at reasonable times as they pertain to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity in order to ensure that Covered Entity is in compliance with the requirements of the Privacy Rule.

2.1.3  Access of Individuals to Information.

In order to allow Covered Entity to respond to a request by an Individual (as defined in 45 C.F.R. § 164.501 and § 160.103) for access to Protected Health Information about him/her pursuant to 45 C.F.R. § 164.524, Business Associate shall, in response to a written request by Covered Entity for access to Protected Health Information about an Individual contained in a Designated Record Set (as defined in 45 C.F.R. § 164.501), make available to Covered Entity such Protected Health Information for so long as such information is maintained in the Designated Record Set.  The provisions of this paragraph shall apply only if Business Associate has Protected Health Information in a Designated Record Set.

In the event any Individual requests access to Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity. Before forwarding any Protected Health Information to Covered Entity, Business Associate shall indicate in the Designated Record Set any material it deems unavailable to the Individual pursuant to 45 C.F.R. § 164.524.

Any denial of access to Protected Health Information determined by Covered Entity pursuant to 45 C.F.R. § 164.524, and conveyed to Business Associate by Covered Entity, shall be the responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.

2.1.4  Amendment of Information.

In order to allow Covered Entity to respond to a request by an Individual for an amendment to Protected Health Information pursuant to 45 C.F.R. § 164.526, Business Associate shall, in response to a written request by Covered Entity for amendment to Protected Health Information about an Individual contained in a Designated Record Set, make available to Covered Entity such Protected Health Information for so long as such information is maintained in the Designated Record Set.  The provisions of this paragraph shall apply only if Business Associate has Protected Health Information in a Designated Record Set.

In the event any Individual requests amendment of Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity. Before forwarding any Protected Health Information to Covered Entity, Business Associate shall indicate in the Designated Record Set, any material it deems unavailable to the Individual pursuant to 45 C.F.R. § 164.526.

Any denial of amendment to Protected Health Information determined by Covered Entity pursuant to 45 C.F.R. § 164.526, and conveyed to Business Associate by Covered Entity, shall be the responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.

In response to a request from Covered Entity to amend an Individual’s Protected Health Information in the Designated Record Set, Business Associate shall incorporate any approved amendments, statements of disagreement, and/or rebuttals into its Designated Record Set as required by 45 C.F.R. § 164.526.

2.1.5  Accounting of Disclosures.

In order to allow Covered Entity to respond to a request by an Individual for an accounting pursuant to 45 C.F.R. § 164.528, Business Associate shall, in response to a written request by Covered Entity for an accounting of disclosures of Protected Health Information about an Individual, make available to Covered Entity such Protected Health Information.

Business Associate shall provide Covered Entity with the following information:  (i) the date of the disclosure; (ii) the name of the entity or person who received the Protected Health Information, and if known, the address of such entity or person; (iii) a brief description of the Protected Health Information disclosed; and (iv) a brief statement of the purpose of such disclosure. 

In the event any Individual requests an accounting of disclosure of Protected Health Information directly from Business Associate, Business Associate shall forward such request to Covered Entity.

Business Associate shall implement an appropriate recordkeeping process to enable it to comply with the requirements of this Agreement.

Business Associate shall support Covered Entity in a manner that enables Covered Entity to meet its obligations under 45 C.F.R. § 164.528.

The provisions of this Section shall survive the termination or expiration of this Agreement.

2.2  Obligations of Covered Entity.

Covered Entity warrants that Covered Entity, its directors, officers, subcontractors, employees, affiliates, agents, and representatives; (i) shall comply with the Privacy Rule in its use or disclosure of Protected Health Information; (ii) shall not use or disclose Protected Health Information in any manner that violates applicable federal and state laws; (iii) shall not request Business Associate to use or disclose Protected Health Information in any manner that violates applicable federal and state laws if such use or disclosure were done by Covered Entity; and (iv) may request Business Associate to disclose Protected Health Information directly to another party only for the purposes allowed by the Privacy Rule.

Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520 as well as any changes to the notice.

Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.

Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information.

The provisions of this Section shall survive the termination or expiration of this Agreement.

3.  Disclosure to Third Parties

Business Associate shall obtain and maintain an agreement with each subcontractor and  agent that has or will have access to Protected Health Information, which is received from, or created or received by, Business Associate on behalf of Covered Entity, pursuant to which agreement such subcontractor and agent agrees to be bound by the same restrictions, terms, and conditions that apply to Business Associate pursuant to this BA Agreement with respect to such Protected Health Information.

Business Associate shall also (i) obtain reasonable assurances from the person to whom the Protected Health Information is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed and (ii) obligate such person to notify Business Associate of any instances of which it is aware in which the confidentiality of the Protected Health Information has been breached.

4.  Safeguards

Business Associate shall employ appropriate administrative, technical and physical safeguards, consistent with the size and complexity of Business Associate’s operations, to protect the confidentiality of Protected Health Information and to prevent the use or disclosure of Protected Health Information in any manner inconsistent with the terms of this Agreement. 

5.  Reporting of Breaches and Improper Disclosures

In the event of a Breach of any Unsecured Protected Health Information that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of Covered Entity, Business Associate shall report such Breach to Covered Entity as required by the Breach Notification Rule. 

Notice of a Breach shall include the identification of each individual whose Protected Health Information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach. At the request of Covered Entity, Business Associate shall identify: the date of the Breach, the scope of the Breach, the Business Associate’s response to the Breach and the identification of the party responsible for causing the Breach, if known.

In the event of any use or disclosure that does not constitute a Breach, but that is an unauthorized or improper use or disclosure of any Protected Health Information under this Agreement or applicable laws, Business Associate shall report to Covered Entity such unauthorized or improper use or disclosure as soon as practicable, consistent with the requirements of the Breach Notification Ruls. In such event, Business Associate shall, in consultation with Covered Entity, mitigate, to the extent practicable, any harmful effect that is known to Business Associate of such unauthorized or improper use disclosure.

6.  Term and Termination

6.1  General Term and Termination.

This BA Agreement shall become effective on the Effective Date set forth above and shall terminate upon the termination or expiration of the Consulting Agreement and when all Protected Health Information provided by either party to the other, or created or received by Business Associate on behalf of Covered Entity is, in accordance with Section 7 below, destroyed or returned to Covered Entity or, if it is not feasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the terms of this Agreement.

6.1.1  Material Breach.

Where either Party has knowledge of a material breach by the other Party, and cure is possible, the non-breaching Party shall provide the breaching Party with an opportunity to cure.  Where said breach is not cured within 30 days of the breaching Party’s receipt of notice from the non-breaching Party of said breach, the non-breaching Party shall terminate this Agreement. 

In the event that ether Party has knowledge of a material breach of this Agreement by the other Party, and cure is not possible, the non-breaching Party shall terminate the portion of the Consulting Agreement that is affected by the breach.  When neither cure nor termination is feasible, the non-breaching Party shall report the violation to the Secretary.

7.  Return/Destruction of Protected Health Information Upon Termination

Upon termination of this Agreement for any reason, Business Associate shall: (a) if feasible, return or destroy all Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity that Business Associate or any of its subcontractors and agents still maintain in any form, and Business Associate shall retain no copies of such information; or (b) if Business Associate and Covered Entity determine that such return or destruction is not feasible, extend the protections of this Agreement to such information and limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information infeasible, in which case Business Associate’s obligations under this Section shall survive the termination or expiration of this Agreement.

8.  Amendment

If any of the regulations promulgated under HIPAA or the HITECH Act are amended or interpreted in a manner that renders this Agreement inconsistent therewith, the Parties shall amend this Agreement to the extent necessary to comply with such amendments or interpretations.  Notwithstanding the foregoing, if Covered Entity and Business Associate have not amended this BA Agreement to address a law or final regulation that becomes effective after the Effective Date hereof and that is applicable to this BA Agreement, then upon the effective date of such law or regulation (or any portion thereof) this BA Agreement shall be amended automatically and deemed to incorporate such new or revised provisions as are necessary for this BA Agreement to be consistent with such law or regulation and for Covered Entity and Business Associate to be and remain in compliance with all applicable laws and regulations.  Except as provided in this Section, no amendment to this BA Agreement shall be effective unless it is in writing and signed on behalf of Covered Entity and Business Associate.

9.  Conflicting Terms

In the event any terms of this BA Agreement conflict with any terms of the Consulting Agreement, the terms of this BA Agreement shall govern and control.

10.  Regulatory and Statutory References

Any references in this BA Agreement to a section of HIPAA, the Privacy Rule, the Security Rule, the Breach Notification Rule, the HITECH Act, or any other regulations implementing HIPAA or the HITECH Act, shall mean such regulation or statute as in effect at the time of execution of this BA Agreement or, if and to the extent applicable, as subsequently updated, amended or revised.

11.  No Third Party Beneficiary.

Nothing in this BA Agreement is intended, nor shall be deemed, to confer any benefits on any third party.

12.  Notices.

All notices, requests, approvals, demands and other communications required or permitted to be given under this Agreement shall be in writing and delivered either personally, or by certified mail with postage prepaid and return receipt requested, or by overnight courier to the party to be notified.  All communications will be deemed given when received.  The addresses of the parties shall be as follows; or as otherwise designated by any party through notice to the other party:

If by Covered Entity: to Fairbanks LLC, 500 N. Michigan Ave, Suite 300  Chicago, IL  60611, Attention: Lisa Carnes, or such other address as changed upon 30 days written notice to Covered Entity

If by Business Associate: to the address, e-mail address or facsimile number provided by Covered Entity through the Business Associate’s online registration process or such other address, e-mail address or facsimile number as changed upon 30 days written notice to Business Associate.

13.  Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of North Carolina, without regard to conflict of laws principles.