|
|
Business Associate Contract for
Privacy and Security
To our Covered Entity Clients:
At Davis Wright Tremaine LLP, we recognize that
we may be your business associate under the administrative simplification
provisions of the Health Insurance Portability and Accountability
Act of 1996 and its privacy and security regulations (“HIPAA”)
if you are a covered entity and we receive protected health information
from you in the course of providing legal services. This contract
supplements and serves as an addendum to our existing engagement
letter and our Standard Terms of Engagement and replaces, in its
entirety, any business associate contract you may have received
from us in the past. Terms used in this contract have the meanings
given them in HIPAA. Additionally, any reference to “protected
health information” will refer to such information in any
medium, unless specifically referred to as “electronic protected
health information.” Our sending you this contract does
not imply that we have made a determination that you are a covered
entity.
To assist you in complying with HIPAA, and in consideration
of our ongoing relationship, we agree as follows to the extent
that you are a covered entity and that we possess or have created
any protected health information or electronic protected health
information on your behalf:
| 1. |
We may use protected health information for
the purpose of providing legal services to you. Nothing in
this contract permits any use or disclosure that you are not
permitted to make under HIPAA, except that we may use and
disclose protected health information for the proper management
and administration of our law firm and to carry out our legal
responsibilities, as long as, in the case of any disclosure
for these purposes, either: |
| |
1.1 |
The disclosure is required by law; or |
| |
1.2 |
We obtain reasonable assurances from the person to whom
we disclose the protected health information that it will
be held confidentially and used or further disclosed only
as required by law or for the purposes for which it was disclosed
to such person, and that the person will notify us of any
instances of which it is aware in which the confidentiality
of the information has been breached. |
| 2. |
We will: |
| |
2.1 |
Not use or further disclose your protected health information
except as permitted or required by this contract, by our engagement
for legal services by you, or as required by law. |
| |
2.2 |
Use appropriate safeguards to prevent use or disclosure
of your protected health information other than as permitted
by this contract and implement administrative, physical, and
technical safeguards that reasonably and appropriately protect
the confidentiality, integrity, and availability of the electronic
protected health information that we create, receive, maintain,
or transmit on your behalf. |
| |
2.3 |
Report to you any use or disclosure of your protected health
information not provided for by this contract, including any
security incident involving electronic protected health information,
of which we become aware. The timing of the report will be
consistent with the level of risk reasonably likely to be
presented by the use, disclosure, or incident. |
| |
2.4 |
Ensure that our agents, including any subcontractors, to
whom we provide your protected health information agree to
the restrictions and conditions that apply to us with respect
to such information and, with respect to any electronic protected
health information, agree to implement reasonable and appropriate
safeguards to protect it. |
| |
2.5 |
Make available your protected health information to you
so you can meet your obligations to provide individual access
to such protected health information, if you instruct us to
do so. |
| |
2.6 |
Make available your protected health information so you
can meet your obligations to amend incomplete or inaccurate
protected health information and incorporate any amendments
as you may instruct. |
| |
2.7 |
Report to you, upon your request, all disclosures of protected
health information by us, as necessary to enable you to comply
with your obligation to account for uses and disclosures of
protected health information. We will report only those disclosures
for which you would be required to provide an accounting.
For example, if (as is usually the case) we are engaged to
assist you with matters relating to treatment, payment, or
health care operations, then we will not report uses and disclosures
within the scope of that engagement, because you are not obligated
to account for uses and disclosures for these purposes. We,
however, will report disclosures that otherwise are subject
to an accounting, for example, if we disclose protected health
information in response to a discovery request. |
| |
2.8 |
Make our internal practices, books, and records relating
to the use and disclosure of protected health information
available to the Secretary of the United States Department
of Health and Human Services (“Secretary”), for
purposes of determining your compliance with your legal obligations.
Unless otherwise required by law or authorized by you in writing,
however, we will not disclose any confidential or privileged
information that we receive from you or create on your behalf
to the Secretary. This contract does not waive or amend either
the attorney-client privilege, the attorney work product doctrine,
or other privileges or protections. |
| |
2.9 |
Upon termination of our attorney-client relationship, return
or destroy all protected health information that we maintain
in any form and retain no copies of such information or, if
return or destruction is not feasible, extend the protections
of this contract to such information and limit further use
and disclosure of the information to those purposes that make
the return or destruction of the information infeasible. Because
of our responsibility to maintain a record of the services
we provide, return or destruction of the information will
generally not be feasible. |
| 3. |
You may immediately terminate your relationship
with us if you determine that we have violated a material
term of this contract. |
| 4. |
Nothing express or implied in this contract
is intended to, or does, confer upon any other person or entity
any rights, remedies, obligations, or liabilities whatsoever.
|
| 5. |
This contract is to be interpreted consistently
with our obligation of reasonable care in the performance
of our professional services on your behalf as our client.
|
This contract is effective the later of April 20,
2005 or the date this contract is executed with respect to provisions
that reference electronic protected health information and the
date this contract is executed with respect to all other protected
health information.
|
| |
| |
|
