Embedded Education Abroad Program Provider

Agency:	The University of Alabama
State:	Alabama
Type of Government:	State & Local
NAICS Category:	541519 - Other Computer Related Services 611710 - Educational Support Services
Posted Date:	Oct 12, 2023
Due Date:	Nov 15, 2023
Solicitation No:	UA24-105
Bid Source:	Please Login to View Page
Contact information:	Please Login to View Page
Bid Documents:	Please Login to View Page

Attachment Preview

BUSINESS ASSOCIATE AGREEMENT

This Agreement is made by and between The Board of Trustees of The University of Alabama, by and on behalf of The

University of Alabama _______________________, on behalf of its _____________________

(School/Department/Division) (hereinafter referred to as “Covered Entity”) and ____________________________,

(hereinafter “Business Associate”), collectively the Parties.

PREAMBLE

This Agreement governs the terms and conditions under which Business Associate will access Protected Health Information

(PHI) belonging to patients/clients of Covered Entity in performing services for, or on behalf of, Covered Entity.

SECTION 1 - DEFINITIONS

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR 160.103

and 164.501, and the final rule issued on January 17, 2013, effective March 26, 2013. For purposes of this section:

1.1 ARRA. The term “ARRA” shall mean the American Recovery and Reinvestment Act of 2009, as amended from time

to time.

1.2 Business Associate. “Business Associate” shall mean the entity listed in the first paragraph of this Agreement that is

furnishing services to Covered Entity.

1.3 Covered Entity. “Covered Entity” shall mean the entity listed in the first paragraph of this Agreement that is receiving

services from the Business Associate.

1.4 Designated Record Set (DRS). Individually identifiable data in any medium, collected and directly used by Covered

Entity. The content may be in multiple locations and media, including paper and electronic form. The DRS consists of

the Legal Medical Record and the Billing Record.

1.5 Legal Medical Record. The documentation of the health care services provided to an Individual during any aspect of

health care delivery in any type of health care organization used, in whole or in part, by or for the Covered Entity to

make decisions about the Individual.

1.6 Billing Record. The documentation in the billing records used, in whole or in part, by or for the Covered Entity to make

decisions about Individuals.

1.7 HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45

CFR Part 160 and Part 164.

1.8 Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR 160.103 and shall include a

person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

1.9 Material Alteration. “Material Alteration” shall mean any addition, deletion or change to the PHI of any subject other

than the addition of indexing, coding and other administrative identifiers for the purpose of facilitating the identification

or processing of such information.

1.10 Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45

CFR part 160 and part 164, subparts A and E.

1.11 Protected Health Information or PHI. “Protected Health Information” or “PHI” shall have the same meaning as the term

“protected health information” in 45 CFR 160.103, limited to the information created or received by Business Associate

from or on behalf of Covered Entity.

1.12 Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 164.103.

1.13 Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.

-1-

1.14 Security Rule. “Security Rule” shall mean the Health Insurance Reform: Security Standards at 45 CFR Parts 160,

162, and 164 Subpart C.

1.15 Underlying Agreement. “Underlying Agreement” shall mean that certain agreement by which Business Associate

provides certain services to Covered Entity and, in connection with those services, Covered Entity discloses to

Business Associate certain individually identifiable PHI that is subject to protection under HIPAA.

SECTION II - OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

2.1 Business Associate acknowledges that it is directly subject to the Security Rule and to certain portions of the Privacy

Rule and, upon request, will provide Covered Entity with evidence of compliance. For purposes of HIPAA, Business

Associate is not an agent of Covered Entity. Business Associate agrees to:

2.1.1 Not use or disclose PHI other than as permitted or required to furnish services under the Agreement or as

Required by Law.

2.1.2 Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI,

to prevent use or disclosure of the PHI other than as provided for by this Agreement.

2.1.3

Mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure

of PHI by Business Associate in violation of the requirements of this Agreement. Business Associate agrees

to pay the direct and indirect costs associated with the breach notification requirements as outlined in ARRA

and will indemnify and hold Covered Entity harmless from all liabilities, costs and damages arising out of or in

any manner connected with the disclosure by Business Associate of any PHI.

2.1.4 Report in writing to Covered Entity within 5 business days any use or disclosure of the PHI not provided for

by this Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR

164.410, and any Security Incident (as defined in 45 CFR 164.304) of which it becomes aware.

2.1.5

In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors

and agents that create, receive, maintain, or transmit PHI on behalf of the Business Associate on behalf of

Covered Entity agree to the same restrictions, conditions and requirements that apply to Business Associate

with respect to such information and do not export PHI beyond the borders of the United States of America.

Business Associate agrees to provide a list of its subcontractors noted above upon written request of Covered

Entity.

2.1.6

Within five (5) business days of request of Covered Entity, make available PHI in a Designated Record Set to

Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524, as well as make

any amendments to PHI in a Designated Record Set (and incorporate any amendments, if required) as

directed or agreed to by the Covered Entity in order to meet the requirements under 45 CFR 164.526.

2.1.7

Within five (5) business days of request of Covered Entity, make its internal practices, books, and records

relating to the use and disclosure of PHI received from, or created or received by Business Associate on

behalf of Covered Entity, available to the Covered Entity, or at the request of the Covered Entity to the

Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the

Secretary determining Covered Entity's compliance with the Privacy Rule. In the event such a request comes

directly from the Secretary, Business Associate agrees to notify Covered Entity promptly of such request.

2.1.8 Document such disclosures of PHI and information related to such disclosures as would be required for

Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance

with 45 CFR 164.528.

2.1.9 Provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information

collected in accordance with this section, to permit Covered Entity to respond to a request by an Individual for

an accounting of disclosures of PHI in accordance with 45 CFR 164.528.

2.1.10 Upon request, make its internal practices, books and records available to the Secretary and to the Covered

Entity for purposes of determining compliance with the HIPAA Rules.

2.1.11 Comply with the minimum necessary requirements under the HIPAA Rules.

-2-

2.2 Business Associate agrees that any PHI transmitted electronically and/or stored on any type of mobile media, including

lap top computers, tablet computers, smart phones, etc., must be encrypted, and that information stored whether

intentional or not is subject to HIPAA Rules provisions for Business Associates.

2.3 To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45

CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such

obligation(s).

SECTION III - PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

3.1 Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI, as follows:

3.1.1 As necessary to perform the services specified in the Underlying Agreement.

3.1.2 As required by law.

3.2 Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and

administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the

disclosures are required by law, or Business Associate obtains reasonable assurances from the person or organization

to whom the information is disclosed that the information will remain confidential and used or further disclosed only as

required by law or for the purposes for which it was disclosed to the person or organization, and the person or

organization notifies Business Associate of any instances of which it is aware in which the confidentiality of the

information has been breached.

3.3 Business Associate is not authorized to de-identify in accordance with 45 CFR 164.514(a)-(c), PHI received by

Business Associate by or on behalf of Covered Entity; nor is Business Associate authorized to use de-identified

information for a purpose not authorized by this Agreement, except with the prior written consent of the Covered Entity.

3.4 Business Associate agrees to make uses and disclosures and requests for PHI consistent with the requirements of

45 CFR 164.502(b) and 164.514(d), as reflected in Covered Entity’s minimum necessary policies and procedures.

3.5 Business Associate may provide data aggregation services related to the health care operations of the Covered Entity.

SECTION IV - OBLIGATIONS OF COVERED ENTITY

With regard to the use and/or disclosure of PHI by Business Associate, Covered Entity agrees:

4.1 To notify Business Associate of any limitations in the notice of privacy practices of Covered Entity under 45 CFR

164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.

4.2 To inform the Business Associate of any PHI that is subject to any arrangements permitted or required of Covered

Entity under the Privacy Rule that may materially impact in any manner the use and/or disclosure of PHI by Business

Associate under this Agreement, such as changes in, or revocation of, the permission by an Individual to use and

disclose his or her PHI as provided for in 45 CFR 164.522 and agreed to by Covered Entity, to the extent that such

restriction may affect Business Associate’s use or disclosure of PHI.

4.3 That it will only provide or deliver PHI that is minimally necessary to enable the Business Associate to meet its

obligations under the Underlying Agreement.

SECTION V - PERMISSIBLE REQUESTS BY COVERED ENTITY

5.1 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be

permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity, except if there is a written agreement by

and between Business Associate and Covered Entity for the Business Associate to use or disclose PHI for data

aggregation or management and administrative and legal responsibilities of the Business Associate.

SECTION VI - TERM AND TERMINATION

6.1 Term. The obligations set forth in this section shall be effective as of the date the first PHI is released to Business

Associate pursuant to this Agreement, and shall terminate only when all of the PHI provided by Covered Entity to

Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or

returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information,

in accordance with the termination provisions in this Section.

-3-

6.2 Termination for Cause. Upon Covered Entity's knowledge of a violation of a term of this Agreement by Business

Associate, Covered Entity shall provide an opportunity for Business Associate to cure or end the violation. Covered

Entity may terminate this Agreement if Business Associate does not cure or end the violation within the time specified

by Covered Entity.

6.3 Obligations of Business Associate Upon Termination. Except as otherwise agreed to in the Underlying Agreement,

upon termination of this Agreement for any reason, Business Associate, with respect to PHI received from Covered

Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

6.3.1 Retain only that PHI which is necessary for Business Associate to continue its proper management and

administration or to carry out its legal responsibilities;

6.3.2 Return to Covered Entity [or, if agreed to by Covered Entity, destroy] the remaining PHI that the Business

Associate still maintains in any form;

6.3.3 Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to

electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long

as Business Associate retains the PHI;

6.3.4 Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI

was retained and subject to the same conditions set out in Section II of this Agreement which applied prior to

termination; and

6.3.5 Return to Covered Entity [or, if agreed to by Covered Entity, destroy] the PHI retained by Business Associate

when it is no longer needed by Business Associate for its proper management and administration or to carry

out its legal responsibilities.

6.4 Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.

SECTION VII - OWNERSHIP OF INFORMATION

7.1 Covered Entity holds all right, title, and interest in and to the PHI and Business Associate does not hold and will not

acquire by virtue of this Agreement or by virtue of providing goods or services to Covered Entity, any right, title, or

interest in or to the PHI or any portion thereof.

SECTION VIII - RIGHT TO INJUNCTIVE RELIEF

8.1 Business Associate expressly acknowledges and agrees that a violation of a term of this Agreement, or threatened

violation, by it of any provision of this Agreement may cause Covered Entity to be irreparably harmed and that Covered

Entity may not have an adequate remedy at law. Therefore, Business Associate agrees that upon such violation, or

threatened violation, Covered Entity will be entitled to seek injunctive relief to prevent Business Associate from

commencing or continuing any action constituting such violation without having to post a bond or other security and

without having to prove the inadequacy of any other available remedies. Nothing in this paragraph will be deemed to

limit or abridge any other remedy available to Covered Entity at law or in equity.

8.2 Indemnification. Business Associate shall indemnify, defend, and hold Covered Entity, its employees,

directors/trustees/officers/representatives and agents (collectively the Indemnitees) harmless from and against all

claims, causes of action, liabilities, judgments, fine, assessments, penalties, damages, awards or other expenses, of

any kind or nature whatsoever, including, without limitation, attorney’s fees, expert witness fees, and costs of

investigation, litigation or dispute resolution, incurred by the Indemnitees and relating to or arising out of any breach

or alleged breach of the terms of this Agreement by Business Associate or its agent or representative. Business

Associate shall provide covered Entity with prompt notice of any claim that may trigger the foregoing indemnification

requirements. Upon demand by the Covered Entity, Business Associate shall defend any investigation, claim litigation

or other proceeding brought or threatened against the Covered Entity, at the Business Associate’s expense, by

counsel acceptable to the Covered Entity. Business Associate shall not enter into any settlement of a claim that

triggers the indemnification requirements without the written consent of the Covered Entity.

8.3 Insurance. Business Associate shall obtain and maintain insurance or self-insurance coverage against improper uses

and disclosures of PHI by Business Associates and shall provide to Covered Entity a Certificate of Insurance or

Certificate of Coverage upon request.

-4-

SECTION IX - DISCLAIMER

9.1 COVERED ENTITY MAKES NO WARRANTY OR REPRESENTATION THAT COMPLIANCE BY BUSINESS

ASSOCIATE WITH THIS AGREEMENT OR THE HIPAA REGULATIONS WILL BE ADEQUATE OR

SATISFACTORY FOR BUSINESS ASSOCIATE’S OWN PURPOSES OR THAT ANY INFORMATION IN THE

POSSESSION OF BUSINESS ASSOCIATE OR CONTROLLED, OR TRANSMITTED OR RECEIVED BY

BUSINESS ASSOCIATE, IS OR WILL BE SECURE FROM UNAUTHORIZED USE OR DISCLOSURE, NOR SHALL

COVERED ENTITY BE LIABLE TO BUSINESS ASSOCIATE FOR ANY CLAIM, LOSS OR DAMAGE RELATING

TO THE UNAUTHORIZED USE OR DISCLOSURE OF ANY INFORMATION RECEIVED BY BUSINESS

ASSOCIATE FROM COVERED ENTITY OR FROM ANY OTHER SOURCE. BUSINESS ASSOCIATE IS SOLELY

RESPONSIBLE FOR ALL DECISIONS MADE BY BUSINESS ASSOCIATE REGARDING THE SAFEGUARDING

OF PHI.

SECTION X - MISCELLANEOUS

10.1 Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect

or as amended, and for which Compliance is required.

10.2 Construction and Interpretation. This Agreement shall be construed as broadly as necessary to implement and

comply with HIPAA, the HIPAA privacy and security regulations, and ARRA. The Parties agree that any ambiguity

in this Agreement shall be resolved in favor or a meaning that complies and is consistent with HIPAA, HIPAA

regulations, and ARRA.

10.3 Notice. All notices and other communications required or permitted pursuant to this Agreement shall be in writing,

addressed to the party at the address set forth at the end of this Agreement, or to such other address as either party

may designate from time to time. All notices and other communications shall be mailed by registered or certified

mail, return receipt requested, postage pre-paid, or transmitted by hand delivery or telegram. All notices shall be

ffective as of the date of delivery of personal notice or on the date of receipt, whichever is applicable.

10.4 Modification of Agreement. The Parties recognize that this Agreement may need to be modified from time to time to

ensure consistency with amendments to and changes in applicable federal and state laws and regulations, including,

but not limited to, HIPAA. The Parties agree to execute any additional amendments to this Agreement reasonably

necessary for each party to comply with HIPAA, including any requirements related to a Chain of Trust Agreement

between the Parties pursuant to the HIPAA security standards. This Agreement shall not be waived or altered, in

whole or in part, except in writing signed by the Parties.

10.5 Transferability. Covered Entity has entered into this Agreement in specific reliance on the expertise and qualifications

of Business Associate. Consequently, Business Associate’s interest under this Agreement may not be transferred or

assigned or assumed by any other person, in whole or in part, without the prior written consent of Covered Entity.

10.6 Governing Law and Venue. This Agreement shall be governed by, and interpreted in accordance with, the internal

laws of the State of Alabama, without giving effect to its conflict of laws provisions.

10.7 Binding Effect. This Agreement shall be binding upon, and shall ensure to the benefit of, the Parties hereto and their

respective permitted successors and assigns.

10.8 Execution. This Agreement may be executed in multiple counterparts, each of which shall constitute an original and

all of which shall constitute but one Agreement.

10.9 Gender and Number. The use of the masculine, feminine or neuter genders and the use of the singular and plural

shall not be given an effect of any exclusion or limitation herein. The use of the word “person” or “party” shall mean

and include any individual, trust, corporation, partnership or other entity.

10.10 Priority of Agreement. If any portion of this Agreement is inconsistent with the terms of the Underlying Agreement,

the terms of this Agreement shall prevail. Except as set forth above, the remaining provisions of the Underlying

Agreement are ratified in their entirety.

10.11 No Third Party Beneficiaries. Nothing in this Business Associate Agreement shall confer upon any person other than

the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.

-5-

	Attachments
	Business Associate Agreement.pdf
	Attachment- State of Alabama Immigration Compliance Law.pdf
	FERPA Appendix.pdf

Embedded Education Abroad Program Provider

Attachment Preview

Sign-up for a Free Trial, Government Bid Alerts

See Also