Business Associate Addendum
This Business Associate Addendum (“Addendum”) is entered into by and between the LexisNexis Legal and Professional Company (“LexisNexis” or “Business Associate”) and the customer agreeing to the terms below (“Customer”) (collectively, “the Parties”), and supplements, amends, and is incorporated into the Services Agreement(s). This Addendum is entered into on this ______ day of _________, 20_____ (“Effective Date”), for the purposes of complying with the privacy, security, and breach notification provisions of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and their implementing regulations, as amended from time to time (collectively, “HIPAA”).
Business Associate provides Services (as defined below) to Customer that may involve the creation, use, maintenance, or transmission of protected health information governed by HIPAA. The purpose of this Addendum is to allow for the Parties’ compliance with their obligations under HIPAA with respect to the Services.
Customer acknowledges that this Addendum applies only to the Services, and does not apply to any other LexisNexis product or service.
The Parties hereby agree as follows:
Definitions
Catch-all definition:
Capitalized terms used, but not otherwise defined, in this Addendum shall have the same meaning as those terms in HIPAA or the Services Agreement.
Specific definitions:
- (a) “Covered Entity.” “Covered Entity” shall have the same meaning as the term “Covered Entity” at 45 CFR 160.103.
- (b) “Electronic Protected Health Information.” “Electronic Protected Health Information” or “ePHI” shall mean PHI as defined in this Section that is transmitted or maintained in electronic media.
- (c) “HIPAA Rules.” “HIPAA Rules” shall mean the privacy, security, and breach notification regulations at 45 CFR Part 160 and Part 164.
- (d) “PHI.” “PHI” shall mean Protected Health Information, as defined in 45 C.F.R. § 160.103, but is limited to the Protected Health Information received from, or received or created on behalf of, Customer by Business Associate pursuant to, and as authorized by, the Services Agreement.
- (e) “Privacy Rule.” “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
- (f) “Security Rule.” “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
- (g) “Services.” “Services” means the HIPAA-ready functions, activities, or services that Business Associate provides to or on behalf of Customer, under the Services Agreement.
- (h) “Services Agreement.” “Services Agreement” means the written agreement(s) entered into between Business Associate and Customer for provision of the Services, which agreement(s) may be in the form of online terms of service.
Obligations and Activities of Business Associate
Business Associate agrees to:
- (a) Not use or disclose PHI other than as permitted or required by this Addendum or as Required by Law;
- (b) Use appropriate physical, administrative, and technical safeguards to prevent use or disclosure of PHI other than as provided for by this Addendum, and, with respect to ePHI, comply with the HIPAA security regulations as required by Subpart C of 45 CFR Part 164;
- (c) Report to Customer any use or disclosure of PHI not provided for by this Addendum and any Security Incident of which it becomes aware. The Parties acknowledge and agree that this Section constitutes notice by Business Associate to Customer of the ongoing existence and occurrence of, or attempts at, Unsuccessful Security Incidents, for which no additional notice to Customer shall be required. “Unsuccessful Security Incidents” means, without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denial-of-service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI;
- (d) Following discovery of a Breach of Unsecured PHI, notify Customer as required at 45 CFR 164.410, and in any event within fifteen (15) business days after that discovery;
- (e) If applicable, ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to restrictions, conditions, and requirements substantially similar to, and no less stringent than, those that apply to Business Associate with respect to such information;
- (f) To the extent Business Associate maintains a Designated Record Set of or about an Individual on behalf of Customer, within fifteen (15) business days of a request by Customer, make available PHI in a Designated Record Set to Customer as necessary to satisfy Customer’s obligations pursuant to 45 CFR 164.524. In the event any Individual requests access to PHI directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days;
- (g) To the extent Business Associate maintains a Designated Record Set of or about an Individual on behalf of Customer, within fifteen (15) business days of a request by Customer, make available to Customer PHI in a Designated Record Set for amendment, and incorporate any such amendments, pursuant to 45 CFR 164.526. In the event any Individual requests amendment of PHI directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days. Notwithstanding the above, Business Associate will not be required to maintain a Designated Record Set, and Customer will maintain a separate, primary copy of PHI disclosed to Business Associate outside of the Services;
- (h) Document such disclosures of PHI, and information related to such disclosures, as would be required for Customer to respond to an Individual’s request for an accounting of disclosures of their PHI in accordance with 45 CFR 164.528 and, within fifteen (15) business days of a request by Customer, make available to Customer the information required to provide the Individual an accounting of disclosures as set forth under 45 CFR 164.528. In the event any Individual requests an accounting of disclosures directly from Business Associate, Business Associate shall forward such request to Customer within five (5) business days;
- (i) To the extent Business Associate is to carry out one or more of Customer’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to Customer in the performance of such obligation(s); and
- (j) Make its internal practices, books, and records available to the Secretary for purposes of determining Customer’s compliance with the Privacy Rule.
Permitted Uses and Disclosures by Business Associate
- (a) Business Associate may use or disclose PHI to perform the Services for, or on behalf of, Customer as set forth in this Addendum or the Services Agreement.
- (b) Business Associate may use or disclose PHI as Required by Law.
- (c) Business Associate agrees to request, and Customer agrees to provide, only the minimum PHI necessary for Business Associate’s permitted uses and disclosures of PHI under this Addendum.
- (d) Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
- (e) Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the disclosures are Required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as Required by Law or for the purposes for which it was disclosed to the person, and that the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- (f) Business Associate may provide Data Aggregation services relating to the Health Care Operations of Customer.
- (g) Business Associate may de-identify PHI within the meaning of 45 CFR 164.514. Data de-identified in accordance with HIPAA shall no longer be considered PHI under this Addendum.
Obligations of Customer
- (a) Customer shall notify Business Associate of any limitation(s) in the notice of privacy practices of Customer (or, if Customer is a business associate, the applicable Covered Entity) under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
- (b) Customer shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
- (c) Customer shall notify Business Associate of any restriction on the use or disclosure of PHI that Customer (or, if Customer is a business associate, the applicable Covered Entity) has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- (d) Customer shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule.
Term and Termination
- (a) Term. The Term of this Addendum shall be effective as of the Effective Date, and shall terminate when the Services Agreement expires or terminates, or on the date Customer terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
- (b) Termination for Cause. If Customer knows of a pattern of activity or practice of Business Associate that constitutes a material violation of this Addendum, Customer shall provide written notice thereof to Business Associate. Customer may terminate this Addendum if Customer determines that Business Associate has not cured the breach or ended the violation within 30 days or such longer time specified in writing by Customer.
- (c) Obligations of Business Associate Upon Termination. Upon termination of this Addendum for any reason, Business Associate, with respect to PHI received from Customer, or created, maintained, or received by Business Associate on behalf of Customer, shall:
- (i) If feasible, return to Customer or, if agreed to by Customer, destroy such PHI that Business Associate maintains in any form, and retain no copies of such PHI; provided, however:
- (ii) If such return or destruction is not feasible, Business Associate shall notify Customer of the reasons return or destruction is not feasible, extend the protections of this Addendum to such PHI, and limit further uses and disclosures to those purposes that make the return or destruction of the PHI not feasible, until such PHI is returned or destroyed. The Parties acknowledge that it is not feasible for Business Associate to return or destroy PHI upon termination of this Addendum.
- (d) Survival. The obligations of Business Associate under subsection (c) of this Term and Termination Section, and subsections (a), (c), and (d) of the Miscellaneous Section of this Addendum, shall survive the termination of this Addendum.
Miscellaneous
- (a) Regulatory References. A reference in this Addendum to a section in the HIPAA Rules means the section as promulgated and amended from time to time.
- (b) Amendment. The Parties agree to take such action as is necessary to amend this Addendum from time to time as is necessary for compliance with the requirements of the HIPAA Rules.
- (c) Interpretation. Any ambiguity in this Addendum shall be interpreted to permit compliance with the HIPAA Rules.
- (d) Independent Contractor Relationship. Business Associate is an independent contractor of the Customer; no agency relationship within the Federal common law of agency, or otherwise, exists between the Parties as a result of this Addendum or any related Services Agreement.
IN WITNESS WHEREOF, each of the undersigned has duly executed this Addendum on behalf of the party and on the date set forth below.