CONFIDENTIALITY OF HEALTH INFORMATION AGREEMENT
This Confidentiality of Health Information Agreement (the “Agreement”) is entered into
as of this _____________ day of ________, 20__ (the “Effective Date”) by and between
and (“Service Provider”).
Company X is engaged in the business of providing health care management services and
related consulting services (“Company X Services”) for Health Plans and Health Care Providers
that are Covered Entities under the Administrative Simplification provisions of the Health
Insurance Portability and Accountability Act of 1996 (this Subpart of the Act and the regulations
promulgated thereunder by the United States Department of Health and Human Services,
including but not limited to the provisions in 45 C.F.R. Parts 160 and 164, are referred to
together herein as “HIPAA”) and their Business Associates. (All capitalized terms used in this
Agreement and not defined herein shall have the meaning provided in HIPAA.) In providing
Company X Services for a Covered Entity or its Business Associate, Company X may use and
disclose Protected Health Information (“PHI”). Company X is therefore a Business Associate of
the Covered Entity to which it provides Company X Services directly, and a subcontractor to a
Business Associate when it provides Company X Services for the Covered Entity through
Company X has entered into the Services Agreement with Service Provider pursuant to
which Service Provider provides certain services for Company X that are necessary for the
proper management and administration of Company X’s business or for the performance and
delivery of Company X Services to a Covered Entity or its Business Associate, and may require
the disclosure of PHI to Service Provider and the use and disclosure of PHI by Service Provider.
As required by HIPAA and in order to comply with Company X’s obligations as a Business
Associate or a subcontractor to a Business Associate, Company X and Service Provider hereby
agree as follows:
A. Administrative Safeguards means administrative actions, and policies
and procedures, to manage the selection, development, implementation, and maintenance
of privacy and security measures to protect PHI and to manage the conduct of Service
Provider’s workforce in relation to the protection of PHI.
B. Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
C. Confidentiality means that data or information is not made available or
disclosed to unauthorized persons or processes.
D. Electronic Protected Health Information (“ePHI”) means Protected
Health Information that is transmitted, stored, processed, or maintained, in electronic
media, and includes transportation of storage media such as magnetic tape, disks or
compact disk media from one location to another.
E. HITECH Act means Subtitle D of the Health Information Technology for
Economic and Clinical Health Act, as incorporated in the American Recovery and
Reinvestment Act of 2009 (42 U.S.C. §§ 17921 – 53).
F. Individually Identifiable Health Information means information,
including demographic data, that relates to an individual’s past, present or future physical
or mental health or condition; the provision of health care to the individual; or past,
present or future payment for the provision of health care to the individual, and identifies
the individual or for which there is a reasonable basis to believe it could be used to
identify an individual. This may include name, birth date, address, Social Security or
member identification number, in addition to other data.
G. Integrity means that data or information have not been altered or
destroyed in an unauthorized manner.
H. Physical Safeguards means physical measures, policies, and procedures
to protect an entity’s electronic information systems and related buildings and equipment,
from natural and environmental hazards, and unauthorized intrusion.
I. Privacy Standards means the rules and definitions issued to implement
the Privacy Rule of HIPAA and describes permissible or impermissible uses and
disclosures of an individual’s PHI.
J. Protected Health Information (or PHI) means individually identifiable
health information held, crea