BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (this “Agreement”) is entered into between and among
Coastal Developmental Services Foundation, doing business as WESTSIDE REGIONAL CENTER (“Business
Associate” of the Department of Developmental Services (“DDS”)) and
(“Subcontractor”). Business Associate and Subcontractor are sometimes collectively referred to herein
as the “Parties”.
1. Definitions
1.1. “Breach” shall mean the impermissible, unlawful or unauthorized acquisition, use,
access, or disclosure of Protected Health Information (“PHI”) (defined below) which compromises the
security or privacy of PHI as set forth in the HIPAA interim final rule of 2009 and the HIPAA Omnibus
Rule of 2013.
1.2. “Business Associate” shall have the meaning given to such term under HIPAA (45 CFR
160.103). It includes a third party that performs functions for or on behalf of Covered Entity or another
Business Associate and has access to Covered Entity’s PHI and uses such PHI in the performance of its
functions. A subcontractor who fulfills this requirement is a Business Associate despite a designation as
a “subcontractor.”
1.3. “Covered Entity” shall have the meaning given to such term under HIPAA (45 CFR
160.103). It includes any health plan, health care clearing house, or health care provider who transmits
any health information in electronic form in a manner described under the HIPAA regulations. Under
this agreement it means the Department of Developmental Services.
1.4. “Data Aggregation” shall have the meaning given to such term under HIPAA (45 CFR
164.501) and shall include the combining of PHI received or created by Subcontractor to permit data
analyses relating to healthcare operations of Business Associate.
1.5. “Designated Record Set” shall have the meaning given to such term under HIPAA (45
CFR 164.501) and shall include consumers’ (defined below) medical or billing records or any group of
records which contains PHI that is used, in whole or in part, by or for Business Associate in rendition or
facilitation of services on behalf of consumers.
1.6. “Disclosure” shall have the meaning given to such term under HIPAA (45 CFR 160.103),
and includes the release, transfer, provision of access to, or divulging in any manner of information
outside the entity or individual holding the information.
1.7. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996,
Public Law 104-191, Title XIII of the American Recovery and Reinvestment Act of 2009,
Public Law 111-005, and regulations promulgated thereunder by the U.S. Department of Health
& Human Services, as amended from time to time, including the Final Omnibus Rule of 2013.
1.8. “Limited Data Set” shall have the meaning as “de-identified protected health
information” under HIPAA (45 CFR 164.514).
July 2017