Mal Moore Athletic Facility Cleaning Services
Agency: The University of Alabama
Level of Government: State & Local
Posted Date: Aug 19, 2020
Due Date: Aug 24, 2020
08/03/2020 10:27 AM CT
08/19/2020 1:45 PM CT
08/24/2020 2:00 PM CT
Ready for Responses
BUSINESS ASSOCIATE AGREEMENT
This Agreement is made by and between The Board of Trustees of The University of Alabama, by and on behalf of The
University of Alabama _______________________, on behalf of its _____________________
(School/Department/Division) (hereinafter referred to as “Covered Entity”) and ____________________________,
(hereinafter “Business Associate”), collectively the Parties.
This Agreement governs the terms and conditions under which Business Associate will access Protected Health Information
(PHI) belonging to patients/clients of Covered Entity in performing services for, or on behalf of, Covered Entity.
SECTION I - DEFINITIONS
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR 160.103
and 164.501, and the final rule issued on January 17, 2013, effective March 26, 2013. For purposes of this section:
1.1 ARRA. The term “ARRA” shall mean the American Recovery and Reinvestment Act of 2009, as amended from time
1.2 Business Associate. “Business Associate” shall mean the entity listed in the first paragraph of this Agreement that is
furnishing services to Covered Entity.
1.3 Covered Entity. “Covered Entity” shall mean the entity listed in the first paragraph of this Agreement that is receiving
services from the Business Associate.
1.4 Designated Record Set (DRS). Individually identifiable data in any medium, collected and directly used by Covered
Entity. The content may be in multiple locations and media, including paper and electronic form. The DRS consists of
the Legal Medical Record and the Billing Record.
1.5 Legal Medical Record. The documentation of the health care services provided to an Individual during any aspect of
health care delivery in any type of health care organization used, in whole or in part, by or for the Covered Entity to
make decisions about the Individual.
1.6 Billing Record. The documentation in the billing records used, in whole or in part, by or for the Covered Entity to make
decisions about Individuals.
1.7 HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45
CFR Part 160 and Part 164.
1.8 Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR 160.103 and shall include a
person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
1.9 Material Alteration. “Material Alteration” shall mean any addition, deletion or change to the PHI of any subject other
than the addition of indexing, coding and other administrative identifiers for the purpose of facilitating the identification
or processing of such information.
1.10 Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45
CFR part 160 and part 164, subparts A and E.
1.11 Protected Health Information or PHI. “Protected Health Information” or “PHI” shall have the same meaning as the term
“protected health information” in 45 CFR 160.103, limited to the information created or received by Business Associate
from or on behalf of Covered Entity.
1.12 Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 164.103.
1.13 Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.
1.14 Security Rule. “Security Rule” shall mean the Health Insurance Reform: Security Standards at 45 CFR Parts 160,
162, and 164 Subpart C.
1.15 Underlying Agreement. “Underlying Agreement” shall mean that certain agreement by which Business Associate
provides certain services to Covered Entity and, in connection with those services, Covered Entity discloses to
Business Associate certain individually identifiable PHI that is subject to protection under HIPAA.
SECTION II - OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
2.1 Business Associate acknowledges that it is directly subject to the Security Rule and to certain portions of the Privacy
Rule and, upon request, will provide Covered Entity with evidence of compliance. For purposes of HIPAA, Business
Associate is not an agent of Covered Entity. Business Associate agrees to:
2.1.1 Not use or disclose PHI other than as permitted or required to furnish services under the Agreement or as
Required by Law.
2.1.2 Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI,
to prevent use or disclosure of the PHI other than as provided for by this Agreement.
2.1.3 Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure
of PHI by Business Associate in violation of the requirements of this Agreement. Business Associate agrees
to pay the direct and indirect costs associated with the breach notification requirements as outlined in ARRA
and will indemnify and hold Covered Entity harmless from all liabilities, costs and damages arising out of or in
any manner connected with the disclosure by Business Associate of any PHI.
2.1.4 Report in writing to Covered Entity within 5 business days any use or disclosure of the PHI not provided for
by this Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR
164.410, and any Security Incident (as defined in 45 CFR 164.304) of which it becomes aware.
2.1.5 In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors
and agents that create, receive, maintain, or transmit PHI on behalf of the Business Associate on behalf of
Covered Entity agree to the same restrictions, conditions and requirements that apply to Business Associate
with respect to such information and do not export PHI beyond the borders of the United States of America.
Business Associate agrees to provide a list of its subcontractors noted above upon written request of Covered
2.1.6 Within five (5) business days of request of Covered Entity, make available PHI in a Designated Record Set to
Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524, as well as make
any amendments to PHI in a Designated Record Set (and incorporate any amendments, if required) as
directed or agreed to by the Covered Entity in order to meet the requirements under 45 CFR 164.526.
2.1.7 Within five (5) business days of request of Covered Entity, make its internal practices, books, and records
relating to the use and disclosure of PHI received from, or created or received by Business Associate on
behalf of Covered Entity, available to the Covered Entity, or at the request of the Covered Entity to the
Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the
Secretary determining Covered Entity's compliance with the Privacy Rule. In the event such a request comes
directly from the Secretary, Business Associate agrees to notify Covered Entity promptly of such request.
2.1.8 Document such disclosures of PHI and information related to such disclosures as would be required for
Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance
with 45 CFR 164.528.
2.1.9 Provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information
collected in accordance with this section, to permit Covered Entity to respond to a request by an Individual for
an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
2.1.10 Upon request, make its internal practices, books and records available to the Secretary and to the Covered
Entity for purposes of determining compliance with the HIPAA Rules.
2.1.11 Comply with the minimum necessary requirements under the HIPAA Rules.
2.2 Business Associate agrees that any PHI transmitted electronically and/or stored on any type of mobile media, including
laptop computers, tablet computers, smart phones, etc., must be encrypted, and that information stored whether
intentional or not is subject to HIPAA Rules provisions for Business Associates.
2.3 To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45
CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such
SECTION III - PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
3.1 Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI, as follows:
3.1.1 As necessary to perform the services specified in the Underlying Agreement.
3.1.2 As required by law.
3.2 Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and
administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the
disclosures are required by law, or Business Associate obtains reasonable assurances from the person or organization
to whom the information is disclosed that the information will remain confidential and used or further disclosed only as
required by law or for the purposes for which it was disclosed to the person or organization, and the person or
organization notifies Business Associate of any instances of which it is aware in which the confidentiality of the
information has been breached.
3.3 Business Associate is not authorized to de-identify in accordance with 45 CFR 164.514(a)-(c), PHI received by
Business Associate by or on behalf of Covered Entity; nor is Business Associate authorized to use de-identified
information for a purpose not authorized by this Agreement, except with the prior written consent of the Covered Entity.
3.4 Business Associate agrees to make uses and disclosures and requests for PHI consistent with the requirements of
45 CFR 164.502(b) and 164.514(d), as reflected in Covered Entity’s minimum necessary policies and procedures.
3.5 Business Associate may provide data aggregation services related to the health care operations of the Covered Entity.
SECTION IV - OBLIGATIONS OF COVERED ENTITY
With regard to the use and/or disclosure of PHI by Business Associate, Covered Entity agrees:
4.1 To notify Business Associate of any limitations in the notice of privacy practices of Covered Entity under 45 CFR
164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
4.2 To inform the Business Associate of any PHI that is subject to any arrangements permitted or required of Covered
Entity under the Privacy Rule that may materially impact in any manner the use and/or disclosure of PHI by Business
Associate under this Agreement, such as changes in, or revocation of, the permission by an Individual to use and
disclose his or her PHI as provided for in 45 CFR 164.522 and agreed to by Covered Entity, to the extent that such
restriction may affect Business Associate’s use or disclosure of PHI.
4.3 That it will only provide or deliver PHI that is minimally necessary to enable the Business Associate to meet its
obligations under the Underlying Agreement.
SECTION V - PERMISSIBLE REQUESTS BY COVERED ENTITY
5.1 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be
permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity, except if there is a written agreement by
and between Business Associate and Covered Entity for the Business Associate to use or disclose PHI for data
aggregation or management and administrative and legal responsibilities of the Business Associate.
SECTION VI - TERM AND TERMINATION
6.1 Term. The obligations set forth in this section shall be effective as of the date the first PHI is released to Business
Associate pursuant to this Agreement, and shall terminate only when all of the PHI provided by Covered Entity to
Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or
returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information,
in accordance with the termination provisions in this Section.
6.2 Termination for Cause. Upon Covered Entity's knowledge of a violation of a term of this Agreement by Business
Associate, Covered Entity shall provide an opportunity for Business Associate to cure or end the violation. Covered
Entity may terminate this Agreement if Business Associate does not cure or end the violation within the time specified
by Covered Entity.
6.3 Obligations of Business Associate Upon Termination. Except as otherwise agreed to in the Underlying Agreement,
upon termination of this Agreement for any reason, Business Associate, with respect to PHI received from Covered
Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
6.3.1 Retain only that PHI which is necessary for Business Associate to continue its proper management and
administration or to carry out its legal responsibilities;
6.3.2 Return to Covered Entity [or, if agreed to by Covered Entity, destroy] the remaining PHI that the Business
Associate still maintains in any form;
6.3.3 Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to
electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long
as Business Associate retains the PHI;
6.3.4 Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI
was retained and subject to the same conditions set out in Section II of this Agreement which applied prior to
6.3.5 Return to Covered Entity [or, if agreed to by Covered Entity, destroy] the PHI retained by Business Associate
when it is no longer needed by Business Associate for its proper management and administration or to carry
out its legal responsibilities.
6.4 Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.
SECTION VII - OWNERSHIP OF INFORMATION
7.1 Covered Entity holds all right, title, and interest in and to the PHI and Business Associate does not hold and will not
acquire by virtue of this Agreement or by virtue of providing goods or services to Covered Entity, any right, title, or
interest in or to the PHI or any portion thereof.
SECTION VIII - RIGHT TO INJUNCTIVE RELIEF
8.1 Business Associate expressly acknowledges and agrees that a violation of a term of this Agreement, or threatened
violation, by it of any provision of this Agreement may cause Covered Entity to be irreparably harmed and that Covered
Entity may not have an adequate remedy at law. Therefore, Business Associate agrees that upon such violation, or
threatened violation, Covered Entity will be entitled to seek injunctive relief to prevent Business Associate from
commencing or continuing any action constituting such violation without having to post a bond or other security and
without having to prove the inadequacy of any other available remedies. Nothing in this paragraph will be deemed to
limit or abridge any other remedy available to Covered Entity at law or in equity.
8.2 Indemnification. Business Associate shall indemnify, defend, and hold Covered Entity, its employees,
directors/trustees/officers/representatives and agents (collectively the Indemnitees) harmless from and against all
claims, causes of action, liabilities, judgments, fines, assessments, penalties, damages, awards or other expenses, of
any kind or nature whatsoever, including, without limitation, attorney’s fees, expert witness fees, and costs of
investigation, litigation or dispute resolution, incurred by the Indemnitees and relating to or arising out of any breach
or alleged breach of the terms of this Agreement by Business Associate or its agent or representative. Business
Associate shall provide Covered Entity with prompt notice of any claim that may trigger the foregoing indemnification
requirements. Upon demand by the Covered Entity, Business Associate shall defend any investigation, claim, litigation
or other proceeding brought or threatened against the Covered Entity, at the Business Associate’s expense, by
counsel acceptable to the Covered Entity. Business Associate shall not enter into any settlement of a claim that
triggers the indemnification requirements without the written consent of the Covered Entity.
8.3 Insurance. Business Associate shall obtain and maintain insurance or self-insurance coverage against improper uses
and disclosures of PHI by Business Associates and shall provide to Covered Entity a Certificate of Insurance or
Certificate of Coverage upon request.
SECTION IX - DISCLAIMER
9.1 COVERED ENTITY MAKES NO WARRANTY OR REPRESENTATION THAT COMPLIANCE BY BUSINESS
ASSOCIATE WITH THIS AGREEMENT OR THE HIPAA REGULATIONS WILL BE ADEQUATE OR
SATISFACTORY FOR BUSINESS ASSOCIATE’S OWN PURPOSES OR THAT ANY INFORMATION IN THE
POSSESSION OF BUSINESS ASSOCIATE OR CONTROLLED, OR TRANSMITTED OR RECEIVED BY
BUSINESS ASSOCIATE, IS OR WILL BE SECURE FROM UNAUTHORIZED USE OR DISCLOSURE, NOR SHALL
COVERED ENTITY BE LIABLE TO BUSINESS ASSOCIATE FOR ANY CLAIM, LOSS OR DAMAGE RELATING
TO THE UNAUTHORIZED USE OR DISCLOSURE OF ANY INFORMATION RECEIVED BY BUSINESS
ASSOCIATE FROM COVERED ENTITY OR FROM ANY OTHER SOURCE. BUSINESS ASSOCIATE IS SOLELY
RESPONSIBLE FOR ALL DECISIONS MADE BY BUSINESS ASSOCIATE REGARDING THE SAFEGUARDING
SECTION X - MISCELLANEOUS
10.1 Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect
or as amended, and for which Compliance is required.
10.2 Construction and Interpretation. This Agreement shall be construed as broadly as necessary to implement and
comply with HIPAA, the HIPAA privacy and security regulations, and ARRA. The Parties agree that any ambiguity
in this Agreement shall be resolved in favor of a meaning that complies and is consistent with HIPAA, HIPAA
regulations, and ARRA.
10.3 Notice. All notices and other communications required or permitted pursuant to this Agreement shall be in writing,
addressed to the party at the address set forth at the end of this Agreement, or to such other address as either party
may designate from time to time. All notices and other communications shall be mailed by registered or certified
mail, return receipt requested, postage pre-paid, or transmitted by hand delivery or telegram. All notices shall be
effective as of the date of delivery of personal notice or on the date of receipt, whichever is applicable.
10.4 Modification of Agreement. The Parties recognize that this Agreement may need to be modified from time to time to
ensure consistency with amendments to and changes in applicable federal and state laws and regulations, including,
but not limited to, HIPAA. The Parties agree to execute any additional amendments to this Agreement reasonably
necessary for each party to comply with HIPAA, including any requirements related to a Chain of Trust Agreement
between the Parties pursuant to the HIPAA security standards. This Agreement shall not be waived or altered, in
whole or in part, except in writing signed by the Parties.
10.5 Transferability. Covered Entity has entered into this Agreement in specific reliance on the expertise and qualifications
of Business Associate. Consequently, Business Associate’s interest under this Agreement may not be transferred or
assigned or assumed by any other person, in whole or in part, without the prior written consent of Covered Entity.
10.6 Governing Law and Venue. This Agreement shall be governed by, and interpreted in accordance with, the internal
laws of the State of Alabama, without giving effect to its conflict of laws provisions.
10.7 Binding Effect. This Agreement shall be binding upon, and shall inure to the benefit of, the Parties hereto and their
respective permitted successors and assigns.
10.8 Execution. This Agreement may be executed in multiple counterparts, each of which shall constitute an original and
all of which shall constitute but one Agreement.
10.9 Gender and Number. The use of the masculine, feminine or neuter genders and the use of the singular and plural
shall not be given an effect of any exclusion or limitation herein. The use of the word “person” or “party” shall mean
and include any individual, trust, corporation, partnership or other entity.
10.10 Priority of Agreement. If any portion of this Agreement is inconsistent with the terms of the Underlying Agreement,
the terms of this Agreement shall prevail. Except as set forth above, the remaining provisions of the Underlying
Agreement are ratified in their entirety.
10.11 No Third Party Beneficiaries. Nothing in this Business Associate Agreement shall confer upon any person other than
the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.