AADE Prevention Network

AADE Diabetes Prevention Network™ Business Associate Agreement 

PDFs of this Business Associate Agreement (BAA) and the Subscription Agreement are also available for download and printing:


EXHIBIT 1

HIPAA/HITECH PROTECTIONS OVERVIEW

The American Association of Diabetes Educators (AADE) and the AADE Prevention Network are committed to providing the appropriate HIPAA and HITECH security measures for your data. 

The Data Analysis of Participants System (DAPS) includes the following HIPAA/HITECH protections:

 Independent Login for Each User   User Access is controlled by your organization for your data
 Data Only Seen by Authorized Users  Login protects access
 Auto Logout After 30 Minutes  Protects unauthorized use at workstation
 Secure - SSL Connection  Data is secure in transit
 Encryption at Rest  Data is secure on the server
 Logging  Data usage and access is logged 
 Dedicated Tenancy  DAPS System is on a dedicated AADE separate instance of the Amazon Web Service
 Server Residence  Server is located in the United States
 Data Preservation  Data is backed up regularly

  
AADE agrees to a standard Business Associate Agreement (BAA) for all purchasers (“Covered Entities”) of the AADE Prevention Network’s DAPS Database. AADE has made a copy of the Subscription Agreement and BAA available to organizations for review prior to purchase. AADE will execute only its standard BAA and is unable to sign individual program/hospital/system BAAs. 

 

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (this "BAA") is entered into by and between Subscriber (hereinafter referred to as "Covered Entity") and AADE (hereinafter referred to as "Business Associate"). This BAA shall be effective upon Subscriber's acceptance of the Agreement to which this Exhibit is attached (“Effective Date”), and upon such date, the terms and conditions herein shall automatically be incorporated into the Agreement by reference. 

WITNESSETH:

WHEREAS, Sections 261 through 264 of HIPAA, Public Law 104-191, known as "the Administrative Simplification provisions," direct the Department of Health and Human Services ("HHS") to develop standards to protect the security, confidentiality and integrity of health information; 

WHEREAS, pursuant to the Administrative Simplification provisions, the Secretary of HHS has issued regulations modifying 45 CFR Parts 160 and 164, Subparts A and E (the "HIPAA Privacy Rule") and 45 CFR Parts 160 and 164, Subpart C (the "HIPAA Security Rule") (collectively, the HIPAA Privacy Rule and HIPAA Security Rule shall be referred to as "HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act, found in Title XIII of the American Recovery and Reinvestment Act of 2009 ("HITECH"); 

WHEREAS, Business Associate will make the DAPS Database System available to Covered Entity and may provide Services to Covered Entity upon request; and 

WHEREAS, pursuant to such arrangement, Business Associate may be considered a "business associate" of Covered Entity as defined in HIPAA and may have access to Protected Health Information (as defined below). 

THEREFORE, in consideration of the parties' continuing obligations under such arrangement, the parties agree to the provisions of this BAA in order to address the requirements of HIPAA and to protect the interests of both parties. 

I. DEFINITIONS

(a) "Breach" when capitalized, "Breach" shall have the meaning set forth in 45 CFR 164.402 (including all of its subsections); with respect to all other uses of the word "breach" in this Agreement, the word shall have its ordinary contract meaning. 

(b) "Protected Health Information" shall have the meaning set forth in the HIPAA Privacy Rule, limited to information that Business Associate creates, transmits, maintains or receives on behalf of Covered Entity. Protected Health Information includes "electronic protected health information," as defined in 45 CFR 160.103, limited to information that Business Associate creates, transmits, maintains or receives on behalf of Covered Entity. 

(c) Except as otherwise defined herein, terms used in this BAA shall have the same meaning as those terms set forth in HIPAA. 

II. CONFIDENTIALITY REQUIREMENTS

(a) Business Associate shall:

(i) use or disclose any Protected Health Information to provide services to Covered Entity and solely as permitted or required by this BAA, the Agreement, or as Required By Law; 

(ii) in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any Subcontractor, that creates, receives, maintains or transmits Protected Health Information on behalf of the Business Associate agree to the same restrictions, requirements and conditions that apply to Business Associate with respect to such information.; 

(iii) implement appropriate safeguards to prevent use or disclosure of Protected Health Information other than as permitted or required by this BAA; 

(iv) in accordance with Subpart C of 45 CFR 164, implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic Protected Health Information; 

(v) make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of HHS, upon request, for purposes of determining Covered Entity's compliance with the terms of HIPAA; 

(vi) report to Covered Entity any  use or disclosure of Protected Health Information which is not in compliance with the terms of this BAA, including breaches of unsecured Protected Health Information as required at 45 CFR 164.410, and  any Security Incident of which Business Associate becomes aware; 

(vii) mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this BAA, HIPAA or other applicable federal or state law; 

(viii) comply with the requirements of Subpart C of 45 CFR Part 164 regarding electronic data security to the same extent such requirements apply to Covered Entity; 

(ix) in the event a Breach of Unsecured Protected Health Information (as defined in 45 CFR 164.402) occurs, Business Associate shall, without unreasonable delay, but in no event later than ten (10) calendar days of the discovery of a Breach, report such Breach to Covered Entity in accordance with the requirements of 45 CFR 164.410.  

Under such circumstances Business Associate shall provide to the Covered Entity the following information as soon as possible and without unreasonable delay, but in no event later than thirty (30) calendar days from the date of discovery of a Breach:

a. the date of the Breach;
b. the date of the discovery of the Breach
c. a description of the types of unsecured PHI that were involved;
d. identification of each individual whose unsecured PHI has been or is reasonably believed to have been, accessed, acquired, used, or disclosed; and
e. any other details necessary to assess the probability that the PHI has been compromised.

(x) to the extent Business Associate is to carry out one or more functions of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and

(xi) Business Associate shall limit its use or disclosure of Protected Health Information to the minimum necessary to accomplish the intended purpose of such use, disclosure or request.

(xii) Business Associate will document disclosures of PHI as would be required by Covered Entity to respond to a request by an individual for an account of disclosures of PHI.  Business Associate shall retain accounting of disclosures on an ongoing basis for a period of at least seven (7) years following the Effective Date of this agreement.

(b) Notwithstanding the prohibitions set forth in this BAA, Business Associate may use and disclose Protected Health Information as follows:

(i) if necessary, for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that as to any such disclosure, the following requirements are met: 

(A) the disclosure is Required By Law;  

(B) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; 

(ii) to de-identify the Protected Health Information obtained by Business Associate under this BAA and the Agreement in accordance with the de-identification requirements of 45 CFR 164.514 (“De-identified Data”); or 

(iii) to provide date aggregation services for Covered Entity’s health care operations.  

III. AVAILABILITY OF PROTECTED HEALTH INFORMATION

If Business Associate maintains Protected Health Information in a Designated Record Set, Business Associate shall: 

(a) at the request of Covered Entity, provide access to Protected Health Information in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual, in a time and manner sufficient to permit Covered Entity to comply with the requirements of 45 CFR 164.524. 

(b) at the request of Covered Entity or an Individual, make any amendment(s) to Protected Health Information in a Designated Record Set that are directed by or agreed to by Covered Entity, in a time and manner sufficient to permit Covered Entity to comply with the requirements of 45 CFR 164.526. 

(c) document disclosures of Protected Health Information and information related to such disclosures in a manner sufficient to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528 and provide such documentation to Covered Entity or an Individual as directed by Covered Entity.  

IV. DE-IDENTIFIED DATA

(a) Business Associate shall own all right, title and interest in and to the De-identified Data and any reports, analysis, programs and output.  

V. TERM and TERMINATION

(a) The term of this BAA shall be effective as of the Effective Date and shall continue in effect unless terminated as provided in Section V(b) or the Agreement between the Business Associate and Covered Entity terminates.   

(b) In the event either party determines that the other has engaged in a pattern of activity or practice that constitutes a material breach of a term of this BAA and such violation continues for thirty (30) days after written notice of such breach has been provided, the party claiming a breach shall have the right to terminate this BAA for cause, or, if termination is not feasible, to report the breach to the Secretary of HHS. 

(c) Upon any termination or expiration of the Agreement, or upon request of Covered Entity, whichever occurs first, Business Associate shall: 

(i) if feasible, return or destroy all Protected Health Information created by Covered Entity or received, transmitted, or maintained by Business Associate on behalf of Covered Entity that Business Associate still maintains in any form. In its sole discretion, Business Associate may choose not to destroy Protected Health Information unless it has the written approval of Covered Entity; or

(ii) if return or destruction is not feasible, Business Associate will provide Covered Entity with documentation explaining the reason that it is not feasible. If Business Associate retains any Protected Health Information, Business Associate will extend the protections of this BAA to the Protected Health Information and limit further uses and disclosures to those purposes that make the return or destruction of the Protected Health Information infeasible. 

(d) Business Associate may retain all of the De-identified Data after any expiration or termination of this Agreement. 

(e) With respect to Protected Health Information retained by Business Associate, the obligations of Business Associate under this BAA shall survive the expiration, termination, or cancellation of this BAA, the Agreement and/or the business relationship of the parties, and shall continue to bind Business Associate, its agents, employees, and assigns as set forth herein. 

VI. COVERED ENTITY OBLIGATIONS

Covered Entity shall promptly notify Business Associate of limitation(s) in its notice of privacy practices, of any changes or revocation of permission from an Individual to use Protected Health Information, or any other self-imposed restrictions agreed to by Covered Entity. 

VII. MISCELLANEOUS

(a) All Protected Health Information that is created, transmitted, maintained or received by Covered Entity and disclosed or made available in any form, including paper record, oral communication, audio recording, and electronic display by Covered Entity or its operating units to Business Associate or is created, maintained, transmitted or received by Business Associate on Covered Entity's behalf shall be subject to this BAA. 

(b) A reference in this BAA to a section in HIPAA means the section as in effect or as amended. 

(c) In the event of an inconsistency between the provisions of this BAA (including definitions) and mandatory provisions of HIPAA, as amended, the applicable HIPAA provision shall control. Where provisions of this BAA are different than those mandated by HIPAA, but are nonetheless permitted by HIPAA, the provisions of this BAA shall control. 

(d) Except as expressly stated herein or in HIPAA, the parties to this BAA do not intend to create any rights in any third parties. 

(e) The parties shall amend this BAA from time to time by mutual written agreement in order to keep this BAA consistent with any changes made to HIPAA or regulations in effect as of the date of this BAA and with any new regulations promulgated under HIPAA. Either party may terminate the BAA in whole or in part if the parties are unable to agree to such changes by the compliance date for such new or revised HIPAA laws or regulations and the party reasonably believes that such termination is necessary to remain in compliance with HIPAA. 

(f) This BAA supersedes all previous contracts or agreements between the parties with respect to the subject matter hereof. 

(g) Should any of the information on the agreement be outdated or incorrect in any material respect, the Business Associate will promptly provide the Covered Entity in writing with such revisions or updates to agreement as may be necessary or appropriate to update or correct the same; provided that the agreement shall be deemed as having been amended, modified or superseded by any such correction or update. Date and version number will be included on the agreement.

Updates to this agreement will be available at: https://www.diabeteseducator.org/prevention-network/business-associate-agreement 

By clicking the "I accept" button or by accessing or using the DAPS Database System, Subscriber agrees to be bound by the terms and conditions of this Agreement, including all Exhibits.