Reliance ACO LLC, a Michigan Limited Liability Company (“Covered Entity”) as part of a Contract with the Center for Medicare and Medicaid Studies (“MSSP ACO Contract”) makes available to participating physicians a list of Medicare beneficiaries who are assigned to the physician.
- Compliance with Applicable Law. The parties acknowledge and agree that, beginning with the relevant effective dates, Physician shall comply with its obligations under this Agreement and with all obligations of a Physician under HIPAA, HITECH and other related laws and any implementing regulations, as they exist at the time this Agreement is executed and as they are amended, for so long as this Agreement is in place. Physician acknowledges that it is obligated to independently comply with the Security Rule, certain provisions of the Privacy Rule, and the Breach Notification Rule, and that it may be directly liable to the government for fines and other sanctions, both state and federal, for non-compliance.
- Uses and Disclosures of PHI. Physician may use and disclose PHI only as necessary and appropriate to fulfill its obligations with respect to its contractual arrangement and/or other relationship with Covered Entity. Physician shall not, and shall ensure that its directors, officers, employees, and agents do not, use or disclose PHI received from Covered Entity in any manner that is not permitted or required by this Agreement or otherwise permitted or required by law. All uses and disclosures of and requests by Physician for PHI are subject to the minimum necessary rule of the Privacy Rule and shall be limited to the information contained in a limited data set, to the extent practical, unless additional information is needed to accomplish the intended purpose, or as otherwise permitted in accordance with Section 13405(b) of HITECH and any implementing regulations. Physician may (a) use and/or disclose PHI in providing services to Covered Entity, including but not limited to the provision of data aggregation services relating to the healthcare operations of the Covered Entity; (b) use and/or disclose PHI for the proper management and administration of the Physician; (c) use and/or disclose PHI to carry out any legal responsibilities of the Physician or as otherwise required by law; and (d) “de-identify” PHI in accordance with the Privacy Rule and applicable guidelines. Physician may use such de-identified PHI for any purpose because de-identified PHI is by definition no longer PHI.
- Required Safeguards To Protect PHI. Physician agrees that it will implement safeguards in accordance with the Privacy Rule to prevent the use or disclosure of PHI other than pursuant to the terms and conditions of the Agreement. Physician further agrees to implement the requirements of the Security Rule to protect electronic PHI (“EPHI”) in its possession, including administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. By way of example only, “Appropriate Safeguards” include, but are not limited to, physical, administrative and technical safeguards such as locking cabinets or rooms where PHI is housed; using computer passwords or other security measures to prevent unauthorized access to PHI in electronic format; providing encryption protection for EPHI at rest and in motion; implementing policies and procedures describing authorized access and use for Physician’s work force; and human resources policies and procedures to enforce these rules.
- Reporting of Improper Use and Disclosures of PHI. Physician shall immediately, but in no event longer than five (5) days, report to Covered Entity a use or disclosure of PHI in violation of this Agreement by Physician, its officers, directors, employees, or agents, or by a third party to whom Physician disclosed PHI.
- Reporting of Breaches of Unsecured PHI. Physician shall immediately, but in no event longer than five (5) days, report to Covered Entity a Breach of Unsecured PHI, in accordance with 45 C.F.R. § 410, which Physician or its Representatives knows or reasonably should have known through the exercise of due diligence, including but not necessarily limited to providing in writing and in plain language: (a) the identification of the individual(s) whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed, including the names, addresses, telephone numbers, and email addresses of such individuals; (b) a brief description, including but not limited to the date of the occurrence; (c) a description of the types of unsecured PHI involved; (d) any steps the individual(s) subject of the breach should take to protect themselves from potential harm; (e) a brief description of actions the Physician is taking to investigate the Breach, to mitigate potential harm, and to protect against further breaches; and (f) contact information and procedures for additional information related to the Breach. Physician shall cooperate with Covered Entity in the preparation and distribution of notices of the Breach to the affected individuals, and with providing notice to DHHS and media outlets as required by HITECH and the Breach Notification Rule. Physician shall pay all expenses of Breach notification whenever it caused the Breach.
- Mitigation of Harmful Effects. Physician agrees to mitigate, to the extent practicable, any harmful effect of a use or disclosure of PHI by Physician in violation of the requirements of this Agreement, including, but not limited to, compliance with any state law or contractual data breach requirements.
- Documentation of Disclosures. Physician agrees to document disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. At a minimum, Physician shall provide Covered Entity with the following information: (a) the date of the disclosure; (b) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (c) a brief description of the PHI disclosed; and (d) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure.
- Accounting of Disclosures. Within five (5) days of notice by Covered Entity to Physician that it has received a request for an accounting of disclosures of PHI regarding an individual during the six (6) years prior to the date on which the accounting was requested, Physician shall make available to Covered Entity the information collected in accordance with Section 11 of this Agreement, to permit Covered Entity to respond to the request for an accounting of disclosures of PHI, as required by 45 C.F.R. § 164.528. In the case of an electronic health record maintained or hosted by Physician on behalf of Covered Entity, the accounting period shall be three (3) years and the accounting shall include disclosures for treatment, payment and healthcare operations, in accordance with the applicable effective date of Section 13402(a) of HITECH. In the event the request for an accounting is delivered directly to Physician, Physician shall within five (5) days forward such request to Covered Entity. Physician hereby agrees to implement an appropriate record keeping process to enable it to comply with the requirements of this Section 12.
- Sale of PHI. Physician shall not directly or indirectly receive remuneration in exchange for PHI that is created or received by Physician from or on behalf of Covered Entity unless: (a) pursuant to an authorization by the individual in accordance with 45 C.F.R. § 164.508 that includes a specification for whether the PHI can be further exchanged for remuneration by the entity receiving the PHI; or (b) as provided in Section 13405(d)(2) of HITECH and any regulations with respect to the same issued by the Secretary. In no event shall a Physician receive remuneration for PHI pursuant to this Section 14 without the Covered Entity’s written consent.
- Restriction. A Physician shall honor and comply with any restriction on use and disclosure requested by an individual to Covered Entity and communicated to Physician by Covered Entity, and must do so if (a) the disclosure is to a health plan for the purpose of carrying out payment or health care operations (and is not for the purpose of carrying out treatment); and (b) the PHI pertains to a health care item or service for which the individual has paid in full out of pocket to the health care provider.
- Term and Termination. This Agreement shall commence on the Effective Date and continue as long as the contractual arrangement between the Parties exists (or Physician continues to provide services for Covered Entity if no express contractual arrangement exists), or unless and until terminated in accordance with this Agreement. This Agreement may be terminated as follows:
- Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Physician, Covered Entity shall, at its sole option, do either of the following:
- Provide a 15-day opportunity for Physician to cure the breach to Covered Entity’s satisfaction, or terminate this Agreement and the relationship with Physician if Physician does not cure the breach to Covered Entity’s satisfaction, or
- Immediately terminate this Agreement and the relationship with Physician without an opportunity to cure if Covered Entity determines, in its sole discretion, that cure is not possible.
In addition to the termination for cause provisions stated above, this Agreement may also be terminated in any of the following circumstances:
- The contractual arrangement or relationship between Physician and Covered Entity is terminated for any reason;
- The provisions of the Privacy Rule or Security Rule or HIPAA or HITECH are amended, modified or changed such that an Agreement such as this is no longer mandated;
- By the mutual agreement of the Parties.
- Effect of Termination of Agreement. Upon the termination of the contractual arrangement between the Parties or this Agreement for any reason, Physician shall return to Covered Entity, or, at Covered Entity’s direction, destroy, all PHI that Physician maintains in any form, recorded on any medium, or stored in any storage system, unless said information has been de-identified and is no longer PHI. This provision shall apply to PHI that is in the possession of Physician or agents of Physician. Provided, however, that in the event Physician notifies Covered Entity in writing (A) that return is not feasible and the reason for that determination, and (B) that Physician will (and will require its agents and subcontractors to) extend the protections of this Agreement to PHI retained for so long as Physician or its agents and subcontractors maintain such PHI, Physician will not be obligated to return the PHI. Physician shall remain bound by the provisions of this Agreement, even after termination of the contractual arrangement or this Agreement, until such time as all PHI has been returned, de-identified or otherwise destroyed as provided in this Section.