BUSINESS ASSOCIATE ADDENDUM
This Business Associate Addendum ("Addendum") adds to and is made a part of the Q-interactive Subscription and License Agreement by and between NCS Pearson, Inc. ("Business Associate") and Covered Entity (as defined below). As stated in the Subscription and License Agreement, this Addendum is an integral part of the Subscription and License Agreement as if fully set forth therein.
SECTION 1- DEFINITIONS
Terms used in this Addendum but not otherwise defined, including the following terms, shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information (or Unsecured PHI), and Use.
1.1 Business Associate. "Business Associate" shall generally have the same meaning as the term "business associate" at 45 CFR 160.103, and in reference to the party to this Addendum, shall mean NCS Pearson, Inc.
1.2 Covered Entity. "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 CFR 160.103, and in reference to the party to this Addendum, shall mean the entity that has entered into a Subscription and License Agreement with Business Associate.
1.3 HIPAA Rules. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
1.4 Protected Health Information (or PHI). "Protected Health Information" (or "PHI") shall have the same meaning that "Protected Health Information" has in the HIPAA Rules. The PHI that Covered Entity shall provide to Business Associate, and the PHI that Business Associate shall receive and/or create from or on behalf of Covered Entity, shall be limited to the data elements set forth on Exhibit A to this Addendum (unless otherwise agreed to in writing by Covered Entity and Business Associate). Exhibit A may be updated and amended from time to time unilaterally by Business Associate.
SECTION 2- OBLIGATIONS OF BUSINESS ASSOCIATE
2.1 Prohibition on Unauthorized Use or Disclosure. Business Associate shall not Use or Disclose PHI other than as permitted or required by the HIPAA Rules, this Addendum, or as Required By Law.
2.2 Safeguards. Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent Use or Disclosure of PHI other than as provided for by this Addendum.
2.3 Duty to Report Violations. Business Associate shall report to Covered Entity any Use or Disclosure of PHI not provided for by the HIPAA Rules or this Addendum of which it becomes aware, including breaches of Unsecured PHI as required at 45 CFR 164.410, and any Security Incident of which it becomes aware.
2.4 Subcontractors. Business Associate shall, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information.
2.5 Access to PHI. Within twenty (20) days of a request by Covered Entity, Business Associate shall make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.524.
2.6 Amendment to PHI. Within twenty (20) days of a request by Covered Entity, Business Associate shall make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526.
2.7 Accounting of Disclosures. Business Associate shall maintain and make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity's obligations under 45 CFR 164.528.
2.8 Compliance with Requirements. To the extent that Business Associate has expressly agreed in this Addendum or in the Subscription and License Agreement to carry out one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
2.9 Inspection of Books and Records. Business Associate shall maintain and make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
2.10 Individual Requests to Business Associate. If an Individual makes a request directly to Business Associate for access to PHI, amendment of PHI, an accounting of Disclosures, or any similar action regarding PHI (including without limitation a request pursuant to an authorization), Business Associate shall within twenty (20) days forward such request to Covered Entity, and Covered Entity shall be solely responsible for determining whether to grant, deny or otherwise act upon such Individuals request.
SECTION 3 – PERMITTED USES AND DISCLOSURES
3.1 Permitted Use and Disclosure. Business Associate may only Use or Disclose PHI as necessary to perform the services set forth in the Subscription and License Agreement and as permitted by the Subscription and License Agreement and this Addendum.
3.2 Required by Law. Business Associate may Use or Disclose PHI as Required By Law.
3.3 Minimum Necessary. Business Associate agrees to make Uses and Disclosures and requests for PHI consistent with Covered Entity's Minimum Necessary policies and procedures, provided that Covered Entity provides Business Associate with specific instructions regarding its Minimum Necessary policies and procedures.
3.4 Other Permitted Uses and Disclosures. Business Associate may not Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity except for the specific Uses and Disclosures set forth below:
- Business Associate may Use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
- Business Associate may Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the Disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is Disclosed ("Recipient") that the information will remain confidential and Used or further Disclosed only as Required By Law or for the purposes for which it was Disclosed to the Recipient, and the Recipient notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Business Associate may provide Data Aggregation services relating to the Health Care Operations of the Covered Entity.
3.5 Pursuant to an Authorization. Business Associate may Use or Disclose PHI pursuant to a valid authorization by an Individual that satisfies the requirements of 45 C.F.R. § 164.508.
3.6 De-Identification. As set forth in the Subscription and License Agreement, Business Associate may de-identify PHI and use such de-identified data for any lawful purpose. Once PHI has been properly de-identified, then as set forth in Section 164.502(d) of the HIPAA Rule the HIPAA Rule no longer applies to or protects the de-identified information, and such information is no longer subject to the terms and conditions of this Addendum.
SECTION 4 – OBLIGATIONS OF COVERED ENTITY
4.1 Notice of Limitation. Covered Entity shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate's Use or Disclosure of PHI.
4.2 Notice of Revocation of Authorization. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect Business Associate's Use or Disclosure of PHI.
4.3 Notice of Restriction. Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate's Use or Disclosure of PHI.
4.4 Impermissible Requests. Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity except for the specific Uses and Disclosures set forth in Section 3.4 above.
4.5 Minimum Necessary Policies and Procedures. Covered Entity shall provide Business Associate copies of, and specific instructions regarding, Covered Entity's Minimum Necessary policies and procedures.
4.6 Subpoenas, Court Orders and Other Proceedings. If Business Associate receives a request to disclose PHI of Covered Entity in the course of any judicial, administrative or similar proceeding (whether by way of subpoena, court order or other means), then to the extent allowed by applicable law Business Associate shall promptly forward the request to Covered Entity, and Covered Entity shall be responsible for responding to the request.
SECTION 5 – BREACH NOTIFICATION
5.1 Breach Notification. As soon as reasonably possible, and in all cases within thirty (30) days of the first day on which any employee, officer, or agent of Business Associate either knows or, by exercising reasonable due diligence, would have known that a Breach of Unsecured PHI has occurred, Business Associate shall notify Covered Entity of such Breach. The notification shall include the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, Used, or Disclosed during such Breach. The notification shall also include: (1) a brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; (2) a description of the types of Unsecured PHI that were involved in the Breach (such as full name, social security number, date of birth, home address, account number, or disability code); (3) recommended steps that Individuals should take to protect themselves from potential harm resulting from the Breach; and (4) a brief description of what Business Associate is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any further Breaches. Business Associate shall maintain evidence to demonstrate that any required notification under this paragraph was made unless Business Associate determines that a delayed notification applies.
5.2 Delayed Notification to Covered Entity. If a law enforcement official states in writing to Business Associate that the notification to Covered Entity required under Section 5.1 above would impede a criminal investigation or cause damage to national security, then Business Associate may delay the notification for any period of time set forth in the written statement of the law enforcement official. If the law enforcement official provides an oral statement, then Business Associate shall document the statement in writing, including the name of the law enforcement official making the statement, and may delay the required notification for no longer than thirty (30) days from the date of the oral statement, unless the law enforcement official provides a written statement during that time that specifies a different time period. Business Associate shall be obligated to maintain evidence to demonstrate that the required notification under this paragraph was made.
SECTION 6 – TERM & TERMINATION
6.1 Term. The term of this Addendum shall be effective as of the effective date of the Subscription and License Agreement, and shall terminate when all PHI is returned to Covered Entity or destroyed, or, if it is infeasible to return or destroy PHI, protections are extended to such PHI, in accordance with the termination provisions of this Section 6.
6.2 Termination for Cause. Upon Covered Entity's knowledge of a material breach of this Addendum by Business Associate, Covered Entity shall provide written notice of the breach and provide an opportunity for Business Associate to cure the breach or end the violation within thirty (30) business days of such written notice, unless cure is not possible. If Business Associate fails to cure the breach or end the violation within the specified time period or cure is not possible, Covered Entity may terminate this Addendum immediately upon written notice, unless termination is infeasible. 6.3 Effect of Termination. Except as provided in this Section 6.3, upon termination of this Addendum for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
- Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
- Return to Covered Entity or, if agreed to by Covered Entity, destroy the remaining PHI that Business Associate still maintains in any form;
- Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent Use or Disclosure of the PHI, other than as provided for in this Section 6.3, for as long as Business Associate retains the PHI;
- Not Use or Disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set forth in Section 3 above which applied prior to termination; and
- Return to Covered Entity or, if agreed to by Covered Entity, destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
SECTION 7 – MISCELLANEOUS
7.1 Regulatory References. A reference in this Addendum to a section in the HIPAA Rules means the section as in effect or as amended.
7.2 Amendment. Business Associate and Covered Entity agree to take such action as is necessary to amend this Addendum from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
7.3 Survival. The respective rights and obligations of Business Associate under Sections 6 and 7 shall survive the termination of this Addendum.
7.4 Interpretation. Any ambiguity in this Addendum shall be interpreted to permit compliance with the HIPAA Rules.
Protected Health Information
The PHI that Covered Entity shall provide to Business Associate, and the PHI that Business Associate shall receive and/or create from or on behalf of Covered Entity, shall be limited to the following data elements (unless otherwise agreed to in writing by Covered Entity and Business Associate):
- Phone number(s)
- Email address
- Pearson qualification level
- Log-in ID and password
- Examinee ID
- Date of birth
- Race and ethnicity
- Home language
- Clinical history
- Education history and issues
- Work and employment status, history and issues
- Health conditions
- Marital status
- Family information and history
- Living arrangements
- Names of parents or guardians
- Test results and raw scores