HIPAA Notification
This notification is being sent by OCI Insurance and Financial
Services INC. in order to comply with HIPAA regulations. This will
allow us to continue to send you personal information we receive
from or about your clients.
Please accept the terms of this agreement at the bottom of the
page.
BUSINESS ASSOCIATE AGREEMENT
THIS BUSINESS ASSOCIATE AGREEMENT (“Agreement”), entered into and effective this day in
February, 2010, is by and between you, the broker, (“Business Associate”) and OCI Insurance and
Financial Services INC. (“OCI”); and shall be collectively known herein as the “Parties”.
WHEREAS, OCI wishes to commence a business relationship with “Business Associate” as defined in
the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) including all pertinent
regulations, issued by the U.S. Department of Health and Human Services as either have been
amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act
(“the HITECH Act”), as Title XIII of Division A and Title IV of Division B of the American Recovery and
Reinvestment Act of 2009; and
WHEREAS, the nature of the prospective contractual relationship between OCI and Business
Associate may involve the exchange of Protected Health Information (“PHI”) as defined under HIPAA;
and
For good and lawful consideration OCI and Business Associate enter into this agreement for the
purpose of ensuring compliance with the requirements of HIPAA, its implementing regulations, and the
HITECH Act.
In consideration of the premises and promises contained herein, it is mutually agreed by and between
OCI and its Business Associates as follows:
I. DEFINITIONS
A. Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR
164.501 and shall include a person who qualifies as a personal representative in accordance
with 45 CFR 164.502(g).
B. Breach. “Breach” shall have the same meaning as the term “breach” in Section 13400 of the HITECH
Act and shall include the unauthorized acquisition, access, use or disclosure of PHI that
compromises the security or privacy of such information.
C. Designated Record Set. “Designated Record Set” shall have the same meaning as the term
“designated record set” in 45 CFR 164.501.
D. Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable
Health Information in 45 CFR Part 160 and Part 164, Subparts A and B, as amended by the
HITECH Act and as may otherwise be amended from time to time.
E. Protected Health Information. “Protected Health Information” or “PHI” shall have the same
meaning as the term “protected health information” in 45 CFR 164.501, limited to the
information created or received by Business Associate from or on behalf of OCI.
F. Required By Law. “Required By Law” shall have the same meaning as the term “required by
law” in 45 CFR 164.501.
G. Secretary. “Secretary” shall mean the “Secretary of the U.S. Department of Health and
Human Services” or his designee.
H. Unsecured Protected Health Information. “Unsecured Protected Health Information” or
“Unsecured PHI” shall mean PHI that is not secured through the use of a technology or
methodology specified by the Secretary in guidance or as otherwise defined in Section 13402(h)
of the HITECH Act.
II. USE OR DISCLOSURE OF PHI BY BUSINESS ASSOCIATE
A. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI
to perform functions, activities, or services for, or on behalf of OCI, provided that each use or
disclosure would not violate the Privacy Rule.
B. Business Associate shall only use and disclose PHI if such use or disclosure complies with
each applicable requirement of 45 CFR 164.504(e).
C. Business Associate shall be directly responsible for full compliance with the relevant
requirements of the Privacy Rule to the same extent as OCI.
III. DUTIES OF BUSINESS ASSOCIATE RELATIVE TO PHI
A. Business Associate shall not use or disclose PHI other than as permitted or required by this
Agreement or as Required by Law.
B. Business Associate shall implement administrative, physical and technical safeguards that
reasonably and appropriately protect the confidentiality, integrity, and availability of the
electronic PHI that it creates, receives, maintains or transmits on behalf of OCI.
C. Business Associate shall immediately notify OCI of any use or disclosure of PHI in violation of
this Agreement.
D. Business Associate shall orally notify OCI of a Breach of Unsecured PHI within 24 hours of
Business Associate’s (or Business Associate’s employee, officer, or agent) discovery of such
Breach, followed by a report in writing, except where a law enforcement official determines
that a notification would impede a criminal investigation or cause damage to national security.
Business Associate’s written notification to OCI hereunder shall:
1. Be made to OCI within 48 hours of the initial oral report,
2. Include the individual whose Unsecured PHI has been, or is reasonably believed to
have been, the subject of a Breach, and
3. Be in substantially the same form as EXHIBIT A hereto.
E. In the event of an unauthorized use or disclosure of PHI or a Breach of Unsecured PHI,
Business Associate shall mitigate to the extent practicable any harmful effects of said
disclosure that are known to it.
F. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it
provides PHI, received from, or created or received by Business Associate on behalf of OCI,
agrees to the same restrictions and conditions that apply through this Agreement to Business
Associate with respect to such information.
G. To the extent applicable, Business Associate shall provide access to PHI in a Designated
Record Set at reasonable times, at the request of OCI or, as directed by OCI to an Individual
in order to meet the requirements under 45 CFR 164.524.
H. To the extent applicable, Business Associate shall make any amendment(s) to PHI in a
Designated Record Set that OCI directs or agrees to pursuant to 45 CFR 164.526 at the
request of OCI or an Individual.
I. Business Associate shall, upon request with reasonable notice, provide OCI access to its
premises for a review and demonstration of its internal practices and procedures for
safeguarding PHI.
J. Business Associate agrees to document such disclosures of PHI and information related to
such disclosures as would be required for OCI to respond to a request by an individual for an
accounting of disclosures of PHI in accordance with 45 CFR 164.528. Should an Individual
make a request to OCI for an accounting of disclosures of his or her PHI pursuant to 45 CFR
164.528, Business Associate agrees to promptly provide OCI with information in a format and
manner sufficient to respond to the individual’s request.
K. Business Associate shall, upon request with reasonable notice, provide OCI with an
accounting of uses and disclosures of PHI provided to it by OCI.
L. Business Associate shall make its internal practices, books, records, and any other material
requested by the Secretary relating to the use, disclosure, and safeguarding of PHI received
from OCI available to the Secretary for the purpose of determining compliance with the
Privacy Rule. The aforementioned information shall be made available to the Secretary in the
manner and place as designated by the Secretary or the Secretary’s duly appointed delegate.
Under this Agreement, Business Associate shall comply and cooperate with any request for
documents or other information from the Secretary directed to OCI that seeks documents or
other information held by Business Associate.
M. Business Associate may use Protected Health Information to report violations of law to
appropriate Federal and State authorities, consistent with 42 CFR 164.502(j)(I).
N. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the
proper management and administration of Business Associate, provided that disclosures are
Required By Law, or Business Associate obtains reasonable assurances from the person to
whom the information is disclosed that it will remain confidential and used or further disclosed
only as Required By Law or for the purpose for which it was disclosed to the person, and the
person notifies Business Associate of any instances of which it is aware in which the
confidentiality of the information has been breached.
IV. TERM AND TERMINATION
A. Term. The Term of this Agreement shall be effective as of the date first above written and
shall terminate when all of the PHI provided by OCI to Business Associate, or created or
received by Business Associate on behalf of OCI, is destroyed or returned to OCI, or, if it is
infeasible to return or destroy PHI, protections are extended to such information, in
accordance with the termination provisions in this Section IV.
B. Termination for Cause. Upon OCI’s knowledge of a material breach by Business Associate,
OCI shall:
1. Provide an opportunity for Business Associate to cure the breach or end the violation
and, if Business Associate does not cure the breach or end the violation within the
time specified by OCI, terminate this Agreement;
2. Immediately terminate this Agreement if Business Associate has breached a material
term of this Agreement and cure is not possible; or
3. If neither termination nor cure is feasible, report the violation to the Secretary.
C. Effect of Termination.
1. Except as provided in paragraph C(2) of this section, upon termination of this
Agreement, for any reason, Business Associate shall return or destroy all PHI
received from OCI, or created or received by Business Associate on behalf of OCI.
This provision shall apply to PHI that is in the possession of subcontractors or agents
of Business Associate. Business Associate shall not retain any copies of the PHI.
2. In the event that Business Associate determines that returning or destroying the PHI
is infeasible, Business Associate shall provide to OCI written notification of the
conditions that make return or destruction infeasible. After written notification that
return or destruction of PHI is infeasible, Business Associate shall extend the
protections of this Agreement to such PHI and limit further uses and disclosures of
such PHI to those purposes that make the return or destruction infeasible, for so long
as Business Associate maintains such PHI.
3. Should Business Associate make a disclosure of PHI in violation of this Agreement,
OCI shall have the right to immediately terminate any contract other than this
Agreement, then in force between the Parties.
V. CONSIDERATION
Business Associate recognizes that the promises it has made in this Agreement shall, henceforth, be
detrimentally relied upon by OCI in choosing to continue or commence a business relationship with
Business Associate.
VI. REMEDIES IN EVENT OF BREACH
Business Associate hereby recognizes that irreparable harm will result to OCI, and to the business of
OCI, in the event of breach by Business Associate of any of the covenants and assurances contained
in this Agreement. As such, in the event of breach of any of the covenants and assurances contained
in Section II or III above, OCI shall be entitled to restrain Business Associate from any continued
violation of Sections II or III. Furthermore, in the event of breach of Sections II or III by Business
Associate, OCI is entitled to reimbursement and indemnification from Business Associate for OCI’s
reasonable attorneys’ fees and expenses and costs that were reasonably incurred as a proximate
result of Business Associate’s breach. The remedies contained in this Section VI shall be in addition to
(and not supersede) any action for damages and/or any other remedy OCI may have for breach of any
part of this Agreement.
VII. MODIFICATION
This Agreement may only be modified through a written document signed by the Parties and, thus, no
oral modification hereof shall be permitted. The Parties agree to take such action as is necessary to
amend this Agreement from time to time as is necessary for OCI to comply with the requirements of
the Privacy Rule and HIPAA.
VIII. INTERPRETATION OF THIS CONTRACT IN RELATION TO OTHER CONTRACTS BETWEEN
THE PARTIES
Should there be any conflict between the language of this contract and any other contract entered into
between the Parties (either previous or subsequent to the date of this Agreement), the language and
provisions of this Agreement shall control and prevail unless the Parties specifically refer in a
subsequent written agreement to this Agreement by its title and date and specifically state that the
provisions of the later written agreement shall control over this Agreement.
IX. COMPLIANCE WITH STATE LAW
The Business Associate acknowledges that by accepting the PHI from OCI, it becomes a holder of
health records information and is subject to the provisions of Arizona law. If the HIPAA Privacy or
Security Rules and the laws of Nebraska conflict regarding the degree of protection provided for PHI,
Business Associate shall comply with the more restrictive protection requirement.
X. MISCELLANEOUS
A. Ambiguity. Any ambiguity in this Agreement shall be resolved to permit OCI to comply with
the Privacy Rule.
B. Regulatory Reference. A reference in this Agreement to a section in the Privacy Rule means
the section as in effect or as amended.
C. Notice to OCI. Any notice required under this Agreement to be given to OCI shall be made in
writing to:
4221 N 203rd Street
Suite 200 Elkhorn, NE 68022
Attention: Privacy Officer
402-330-8700
D. Notice to Business Associate. Any notice required under this Agreement to Business
Associate shall be made in writing to Business Associate’s address on file with OCI at the
time said Notice is required.
IN WITNESS WHEREOF and acknowledging acceptance and agreement of the foregoing, the Parties
affix their signatures hereto.