Untitled Document

HIPAA ADDENDUM
Business Associate Trading Partner and Chain of Trust Agreement

THIS AGREEMENT made this ____ day of _______________, year______, between ______________________________________, hereafter referred to as "Provider", and __CREDIT SYSTEMS OF THE FOX VALLEY, INC _, hereafter referred to as "Business Associate".

In Consideration of the agreements contained herein, the parties do hereby agree to addend all past, present and future contracts between the parties with the terms of this Agreement and agree as follows:

1. Definitions. Terms used but not otherwise defined in this Agreement shall have the same meaning as in 45 CFR 160.103 and 164.501.

2. Permitted Uses and Disclosures. Business Associate may use and disclose Protected Health Information ("Information") on behalf of or to provide collection services to Provider so long as it would not violate the Privacy Rule if done by Provider.

(a) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

(b) Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(c) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Provider as permitted by 42 CFR 164.504(e)(2)(i)(B).

3. Obligations and Activities of Business Associate. The Business Associate will:

(a) use or disclose the Information only as permitted by this Agreement or as Required by Law;

(b) use appropriate safeguards to prevent any other use or disclosure;

(c) report to the Provider any use or disclosure of the Information not provided for by this Agreement of which it becomes aware and minimize the harmful effect of such use or disclosure in violation of this Agreement;

(d) ensure that any agent or subcontractor who may receive such Information agrees to the same restrictions and conditions on use and disclosure of information imposed by this Agreement as set forth in attached Vendor agreement;

(e) provide access to Information in a Designated Record Set to Provider or as directed to an Individual as required by 45 CFR 164.524;

(f) amend Information in a Designated Record Set as designated by Provider so that Provider may meets its amendment obligations under 45 CRF §164.526;

(g) develop, implement, maintain and use appropriate administrative, technical and physical safeguards to comply with HIPAA, 45 CFR 164.530(c) to preserve the integrity and confidentiality of and to prevent non-permitted or violating use or disclosure of Information transmitted electronically and will document and keep safeguards current.

(h) make internal practices, books and records relating to use and disclosure of Information available to Provider or the Secretary of DHHS for compliance purposes;

(i) document disclosures of Information in accordance with Provider's accounting requirements in 45 CFR 164.528 and provide such information as directed by Provider.

(j) at termination, or upon receipt of written demand, Business Associate will immediately return or destroy all Information received from Provider or creditor or received by Business Associate on behalf of Provider and all copies and magnetic or electronic backups of Information, or if it is infeasible to return or destroy Information, protections are extended to such information for so long as Business Associate maintains such Information. This provision applies to Information in the possession of agents or subcontractors of Business Associate.

4. Obligations of Provider. Provider will:

(a) provide Business Associate with Provider's "notice of privacy practices" and all updates, (See 45 CFR 164.250);

(b) notify Business Associate of any restriction, change or revocation of permission by Individual to use or disclose Information if it would affect Business Associate's use and disclosures in accordance with 45 CFR 164.22.

(c) not ask Business Associate to use or disclose Information if not permissible under the Privacy Rule if done by the Provider.

5. Termination. This Agreement is effective until terminated. Pursuant to the terms of 45 CFR §164.504(e)(2)(iii), Provider may give written notice to immediately terminate this Agreement upon discovery of a material breach provided Business Associate has received an opportunity to cure the breach or end the violation and has failed to do so.

6. Confidentiality, Trading Partners and Chain of Trust. All Information received or created by Business Associate shall be kept confidential and shall be used only as permitted by this Agreement. This provision applies to employees, subcontractors and agents of Business Associate. If Business Associate conducts in whole or part Standard Transactions for or on behalf of Provider, Business Associate will comply, and will require any subcontractor or agent involved with the conduct of such Standard Transactions to comply, with each applicable requirement of 45 Code of Federal Regulations Part 162. Business Associate will not enter into, or permit its subcontractors or agents to enter into, any trading partner agreement in connection with the conduct of Standard Transactions for or on behalf of Provider that:

(a) Changes the definition, data condition or use of a data element or segment in a Standard Transaction;

(b) Adds any data elements or segments to the maximum defined data set;

(c) Uses any code or data element that is marked "not used" in the Standard Transaction's implementation specification or is not in the Standard Transaction's implementation specification; or

(d) Changes the meaning or intent of the Standard Transaction's implementation specification.

7. Indemnity. The parties to this Agreement shall mutually protect, indemnify and hold each other harmless from all claims and damages including attorney's fees, arising from failure of the other party to comply with applicable federal, state or local laws and regulations or the performance of the work and services by that party under this Agreement.

8. No Third Party Beneficiaries. Business Associate and Provider agree that individuals who are the subject of Protected Health Information are not intended to be third party beneficiaries of this Agreement.

9. Amendment. This Agreement may not be amended, altered or modified unless in writing and signed by the parties who agree to amend as necessary to comply with HIPAA and the Privacy Rule.

____________________________________
Provider

____________________________________
Business Associate