Email Address
Forgot password
Password
Request an Account
Log In
Home
Join Our Network
Refer a Patient
Make a Payment
Business Associate Agreement
Agreement between Atlantic Imaging Group, LLC (hereafter referred to as "Business Associate"), and the Organization designated in the Company Name field by the person duly authorized to accept the terms and conditions of
this Business Associate Agreement (hereafter referred to as "Covered Entity"). This agreement supersedes inconsistent provisions of existing agreements between the parties.
Recitals
Covered Entity is required to meet the requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the Standards for Privacy of Individually Identifiable Health Information (codified at
45 CFR Parts 160 and 164, subparts A and E) ("Privacy Rule") and the Security Standards for the Protection of Electronic Protected Health Information (codified at 45 CFR Part 164, subparts A and C) (the "Security Rule"), together with the relevant
provisions of Section 13400 et. seq. of the Health Information Technology for Economic and Clinical Health Act and its implementing regulations, including those at 45 CFR Part 164, Subpart D (the "HITECH Act") (the foregoing statutes and
regulations are referred to herein generally as "HIPAA"). Business Associate provides services to Covered Entity and, as a result, have access to individually identifiable health information created or received by or on behalf of the Covered Entity.
(That information is hereafter described as "protected health information".) As required by HIPAA, the parties are entering this agreement related to the use and disclosure of protected health information. This agreement is required to allow the
parties to continue their existing business relationship.
1. Use and Disclosure of Protected Health Information
1.1 Access to protected health information. Business Associate shall have the right to access protected health information as necessary to enable it to perform the following services on behalf of Covered Entity: Electronic Claim Clearinghouse and
related services.
Business Associate will not seek access to protected health information except when it believes that the information is needed to enable it to perform the services described above. Business Associate will limit access to protected health
information by its employees or agents to that which is necessary to enable them to perform services on behalf of Covered Entity.
1.2 Use of protected health information. Business Associate will only use the protected health information, in compliance with each applicable requirement of 45 CFR 164.504(e) and the HITECH Act relating to privacy, for the following purposes:
� Performance of the services to Covered Entity described in 1.1; � As needed for the proper management and administration of the business of Business Associate; � As required to carry out the legal responsibilities of Business Associate.
1.3 Disclosure of protected health information to third parties. Business Associate will not disclose protected health information to third parties, except, incompliance with each applicable requirement of 45 CFR 164.504(e) and the HITECH Act
relating to privacy, as follows:
� As necessary to perform the services described in this agreement;
� As required by law;
� As permitted by the individual who is the subject of the protected health information or the personal representative of that individual;
� To subcontractors who provide services to Business Associate in connection with its work on behalf of Covered Entity and require access to protected health information to perform those services, provided that Business Associate enters a
written agreement with the subcontractor in which the subcontractor agrees to abide by the terms of this agreement.
� When required for the proper management and administration of Business Associate, to persons or organizations that must have access to protected health information to provide service to Business Associate, if those persons or
organizations agree in writing to maintain the confidentiality of the protected health information as required by law, not to re-disclose the protected health information except as required by law, and to inform Business Associate of any
unauthorized use or disclosure of the information. 1.4 Individual permission to disclose protected health information. As required by HIPAA, other provisions of law, or its own policies, Covered Entity will obtain written permission from individuals
or their personal representatives for specific uses or disclosures of individual health information which require such authorization. Covered Entity will provide Business Associate with a copy of any written permission from an individual and inform
Business Associate of any changes in, or revocations of, permission by an individual if such changes affect Business Associate's use and disclosure of protected health information.
1.5 Restrictions on use or disclosure of protected health information. Covered Entity will notify Business Associate of any restriction to the use or disclosure of protected health information to which Covered Entity has agreed in accordance with
45 CFR 164.522. Business Associate will follow any such restrictions.
1.6 Report of unauthorized use and disclosure of protected health information. In the event that Business Associate becomes aware of any use or disclosure of protected health information that is not authorized by this agreement, it will
immediately report that event to Covered Entity.
2. Breach Notification
2.1 Definition of breach. For purposes of this agreement, the term "breach" shall have the same meaning as the term "breach" in 45 CFR 164.402 and includes the unauthorized acquisition, access, use or disclosure of protected health
information that compromises the security or privacy of such information. For purposes of this definition, "compromises the security or privacy of such information" means that the acquisition, access, use or disclosure of protected health
information poses a significant risk of financial, reputational or other harm to the individual.
2.2 Definition of unsecured protected health information. For purposes of this agreement, the term "unsecured protected health information" shall mean protected health information that is not rendered unusable, unreadable, or indecipherable
to unauthorized individuals through the use of a technology or methodology specified by the Secretary of the Department of Health and Human Services.
2.3 Notification of breach. Business Associate shall promptly notify Covered Entity of a breach of unsecured protected health information; as such terms are defined by the HITECH Act and its implementing regulations. Business Associate’s
notification to Covered Entity hereunder shall:
(a) be made to Covered Entity no later than thirty (30) calendar days after discovery of the breach of unsecured protected health information, except where a law enforcement official determines that a notification would impede a criminal
investigation or cause damage to national security. Business Associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person
committing the breach, who is an employee, officer or other agent of the Business Associate; (b) include a description of the breach of unsecured protected health information; (c) identify the individuals whose unsecured protected health
information has been, or is reasonably believed to have been, the subject of a breach of unsecured protected health information; and (d) include such other available information, as requested by the Covered Entity, that the Covered Entity is
required to include in its notifications to the affected individuals.
3. Security of Electronic Protected Health Information
3.1 Security. Business Associate will establish and maintain appropriate administrative, physical and technical safeguards that reasonably and appropriately protected the confidentiality, integrity and availability of electronic protected health
information. Business Associate will comply with the Security Rule requirements set forth in 45 CFR 164.308, 164.310, 164.312 and 164.316.
3.2 Agents and Subcontractors. Business Associate will ensure that any agent including a subcontractor, to whom it provides electronic protected health information, agrees to implement reasonable and appropriate safeguards to protect that information.
3.3 Security Incidents. Business Associate will report any security incident of which it becomes aware to Covered Entity. For purposes of this agreement, a "security incident" means the attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information or interference with system operations. This does not include trivial incidents that occur on a daily basis, such as scans, "pings", or unsuccessful attempts to penetrate computer networks or
servers maintained by Business Associate.
4. Rights of Individuals Business Associate recognizes that HIPAA and state law grant individuals rights related to protected health information about them. Business Associate agrees to the following provisions for the protection of those individual
rights.
4.1 Procedure. Business Associate will follow the direction of the Covered Entity regarding these records, and use commercially reasonable efforts to respond in a timely manner to enable Covered Entity to comply with deadlines established by
HIPAA.
4.2 Confidential communications. Business Associate will provide confidential communications to individuals consistent with the requirements of 45 CFR 164.522.
4.3 Access to records. As directed by Covered Entity, Business Associate will provide Covered Entity with an electronic copy (or if an electronic copy is not available, a paper copy) of the "designated record set" of an individual to enable the
Covered Entity to grant the individual access to the "designated record set" in accordance with 45 CFR 164.524. Business Associate may charge a reasonable fee for copying or preparing a summary of the designated record set. The fee schedule
will be subject to the approval of Covered Entity.
4.4 "Amendment" of record. As directed by Covered Entity, Business Associate will add information to the designated record set of an individual, and forward the additional information to third parties when that information could have a material
impact on a decision about the individual, all as required by 45 CFR164.526.
4.5 Accounting of certain disclosures. Business Associate will make available to covered Entity the information required to provide individuals an accounting of disclosures in accordance with 45 CFR 164.528.
5. General Requirements
5.1 DHHS access to records. Business Associate will make its internal practices, books, and records relating to the use and disclosure of protected health information available to the United States Department of Health and Human Services
(DHHS) for purposes of enabling DHHS to determine Covered Entity’s compliance with HIPAA.
5.2 Termination.
(a) If either party knows of a pattern of activity or practice of the other party that constitutes a material breach or violation of this agreement, then the non-breaching party shall provide written notice of the breach or violation to the other party
that specifies the nature of the breach or violation. The breaching party must cure the breach or end the violation on or before thirty (30) days after receipt of the written notice. In the absence of a cure reasonably satisfactory to the non-
breaching party within the specified timeframe, or in the event the breach is reasonably incapable of cure, then the non-breaching party may do the following:
(i) if feasible, terminate this agreement; or (ii) if termination of this agreement is infeasible, report the issue to the Department of Health and Human Services.
(b) Notwithstanding the foregoing, Covered Entity may immediately terminate this and any and all agreements for services which exist between Covered Entity and Business Associate if Covered Entity determines that Business Associate has
breached a material term of this agreement and no cure is possible.
5.3 Return or destruction of protected health information. At termination of the agreement, Business Associate will, if feasible, return all copies of all protected health information to Covered Entity, or destroy any such information that it maintains
in any form. Any electronic media used to store protected health information shall be delivered to Covered Entity, destroyed, or rendered unreadable. If such return or destruction is not feasible, Business Associate will continue to follow the
terms of this agreement with regard to access, use and disclosure of the protected health information.
5.4 Existing Agreement. The provisions of any existing agreement between Covered Entity and Business Associate remain in full force and effect. If there is any conflict between the existing agreement and this
agreement, the provisions of this agreement shall apply.
5.5 Effective Date. This agreement is effective immediately.
Business Associate Agreement
THE PERSON OR PERSONS THAT HAVE ACCEPTED THIS AGREEMENT ELECTRONICALLY REPRESENT AND WARRANT THAT WE ARE LEGALLY FREE TO ENTER THIS AGREEMENT, THAT OUR EXECUTION OF THIS AGREEMENT HAS BEEN DULY AUTHORIZED, AND
THAT UPON BOTH OF OUR SIGNATURES BELOW THIS SHALL BE A BINDING AGREEMENT TO THE FOREGOING TERMS AND CONDITIONS OF THIS BUSINESS ASSOCIATE AGREEMENT.