BUSINESS ASSOCIATE ADDENDUM FOR TRANSCRIBERS
Last Updated: March 2020
This Business Associate Addendum for Transcribers (“BAA”) is entered into between you or the entity you represent (the “Transcriber”) on behalf of Transcriber Provider and all of its Affiliates (defined below) and VerbIT Software Ltd. (“Verbit”) on behalf of itself and its Affiliates, with respect to Transcriber’s access or use of Protected Health Information (as defined in 45 C.F.R. §160.103) (“PHI”).
This Addendum forms part of the Verbit Terms and Conditions for Transcription Services (“Terms”), entered into by Transcriber and Verbit, pursuant to which Transcriber is engaged to perform certain services, including transcription services (“Services”) on behalf of Verbit and its customers.
If you, the Transcriber do not agree or cannot commit to the protections and limitations on the use of PHI you receive, access or use while providing the Services and the other obligations and terms set forth in this BAA, then you may not enter the Terms or provide Services to Verbit.
- As used in this BAA, the following terms shall have the following definitions. Any undefined terms shall have the meaning set forth in the Terms or in the HIPAA Rules (defined below).
- “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103.
- “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164, Health Information Technology for Economic and Clinical Health Act (as incorporated in Title XIII of the American Recovery and Reinvestment Act of 2009) (“HITECH Act”), and any related amendments or implementing regulations, including but not limited to the Final Rule to Modify the Privacy Rule and Security Rule issued by the Department of Health and Human Services on January 25, 2013, and effective as of March 26, 2013, (“Omnibus Rule”).
- The following terms used in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
- Transcriber’s Obligations and Activities. Transcriber shall:
- Submit and fully cooperate with any background checks, information security risk assessment or audits of Transcriber requested by Verbit.
- Not Use or Disclose protected health information other than as permitted or required by the Agreement or as Required By Law;
- Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent Use or Disclosure of PHI other than as provided for by the Agreement;
- Immediately and in any event within twenty-four (24) hours report to Verbit any Use or Disclosure of protected health information not provided for by the Terms or requiring for the performance of the Services, or in violation of this BAA of which it becomes aware, including Breaches of Unsecured Protected Health Information as required at 45 CFR 164.410, and any Security Incident of which it becomes aware;
- In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of the Transcriber agree to the same restrictions, conditions, and requirements that apply to Transcriber with respect to such information;
- Immediately notify Verbit of any request Transcriber receives with respect to any PHI, including by an Individual who is the subject of the PHI and promptly comply with Verbit’s instructions with respect to such request;
- To the extent Transcriber maintains a record of any PHI, immediately upon Verbit’s request make such PHI available in a Designated Record Set to Verbit or its designee in the manner instructed by Verbit and as necessary to satisfy Verbit’s and the applicable Covered Entity’s obligations under 45 CFR 164.524;
- Make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Verbit pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Verbit’s or the applicable Covered Entity’s obligations under 45 CFR 164.526;
- Maintain and make available the information required to provide an accounting of Disclosures to the applicable Individual (if any) as necessary to satisfy Verbit or the applicable Covered Entity’s obligations under 45 CFR 164.528;
- To the extent Transcriber is to carry out one or more of Verbit’s or a Covered Entity’s obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Verbit or the Covered Entity in the performance of such obligation(s); and
- Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
- Permitted Uses and Disclosures of PHI
- Transcriber may only Use or disclose PHI as necessary to perform the services set forth in the Terms.
- Transcriber may not take any other action with respect to PHI, including, without limitation to de-identify the PHI or Use de-identified information based on the PHI.
- Transcriber agrees to make its Use and Disclosures and requests for PHI consistent with Verbit’s Minimum Necessary policies and procedures and any other instructions or guidelines provided by Verbit.
- Transcriber may not Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Verbit or Covered entity.
- Term and Termination
- This BAA shall commence as of the commence date of the Terms and shall automatically terminate upon termination or expiration of the Terms.
- Without limitation to Section 15 of the Terms, Verbit may terminate the Services and the Terms in the event it determines that Transcriber has breached any provision of this BAA.
- Upon termination of this BAA or the Terms for any reason, Transcriber shall return to Verbit all PHI. Transcriber shall destroy or permanently delete, as applicable any remaining copies that it retains. Without limitation to the foregoing, in the event that for any reason nevertheless maintains any PHI, the obligations and restrictions on Transcriber with respect to the PHI shall apply for so long as Transcriber maintains the PHI. This Section 4.3 shall survive the termination of this BAA.
- A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
- Transcriber agrees to execute any amendment to this BAA or additional agreements as Verbit deems necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
- Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.