
HIPAA Compliance

HIPAA Statement
The Privacy Rule, which implements the Health Insurance Portability and Accountability Act (HIPAA) and is found at 45 CFR Parts 160 and 164, requires health plans or providers covered by HIPAA to have a business associate agreement in place in order to disclose protected health information. To qualify as a business associate under HIPAA, an entity must perform or assist in performing a function or activity which involves the use or disclosure of individually identifiable health information and must perform activities directly related to claims administration, data analysis, quality assurance, billing, benefit or practice management. The California Department of Health Services (CDHS) HIPAA policy specifically allows plans and providers to disclose protected information to qualified business associates.

HIPAA Required Contract Terms and Conditions:
HIPAA requires that such contracts establish the permitted uses and disclosures of protected health information by the business associate and require the business associate to: not disclose information further than permitted by the contract or required by law; use safeguards to prevent unauthorized disclosures; report any known unauthorized disclosures; ensure that any agents or subcontractors agree to these restrictions; make protected information available to the individual and/or as required to provide an accounting of disclosures to the Department of Health and Human Services (DHHS) in compliance with the Privacy Rule; authorize termination of the contract for material violation; and, to the extent feasible, return or destroy all protected data at the termination of the contract.

FPI Policy Response: The following addendum to the SAFE® business registration agreement sets forth FPI’s compliance with all HIPAA Business Associate requirements, using approved language provided by the CDHS.

HIPAA PRIVACY CONTRACT (Two Addendums to SAFE® Registration Agreement)

  1. Recitals: This Agreement, by and between the Provider and FPI, has been determined to constitute a business associate relationship under HIPAA and its implementing privacy and security regulations at 45 CFR Parts 160 and 164. The Provider wishes to disclose information to FPI pursuant to the terms of this Addendum. “Protected Health Information” or “PHI” means any information, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual. PHI shall have the meaning given to such term under HIPAA regulations, as amended. Under this Agreement, FPI is a Business Associate of the Provider and provides services, arranges, performs or assists in the performance of functions or activities on behalf of the Provider and uses or discloses PHI. The Provider and FPI desire to protect the privacy and provide for the security of PHI disclosed pursuant to this Agreement in compliance with HIPAA regulations. The purpose of this Addendum is to satisfy certain HIPAA standards and requirements. Terms used in this Addendum and not otherwise defined shall have the same meanings as those terms have in the HIPAA regulations. In exchanging data pursuant to this Agreement, the parties agree as follows:
  2. Permitted Uses and Disclosures of PHI - Except as otherwise indicated in this Addendum, FPI may use or disclose PHI only to perform services specified in this Agreement, for, or on behalf of, the Provider, provided that such use or disclosure would not violate HIPAA regulations if done by the Provider. Specific Use and Disclosure Provisions. Except as otherwise indicated in this Addendum, FPI may (1) Use and disclose for management and administration. Use and disclose PHI for the proper management and administration of FPI or to carry out the legal responsibilities of FPI, provided that the disclosures are required by law, or FPI obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies FPI of any instances of which it is aware that the confidentiality of the information has been breached. (2) Provision of Data Aggregation Services. Use PHI to provide data aggregation services (combining PHI created or received by FPI with PHI received by FPI in its capacity as a Business Associate of another covered entity) to permit data analyses that relate to provider health care operations.
  3. FPI Responsibilities - To not use or disclose Protected Health Information (PHI) other than as permitted or required by this Agreement or as required by law; To protect data with the needed administrative, physical, and technical safeguards to reasonably and appropriately protect the confidentiality, integrity, and availability of the health information, including electronic PHI, that it creates, receives, maintains or transmits on behalf of the Provider, and to prevent use or disclosure of PHI other than as provided for by this Addendum; To mitigate, to the extent practicable, any harmful effect that is known to FPI of a use or disclosure in violation of the requirements of this Addendum; To report to the Provider within twenty-four (24) hours of discovery by FPI that PHI has been used or disclosed other than as provided for by this Addendum; To ensure that any agents to whom FPI provides PHI agree to the same restrictions and conditions, and to incorporate the relevant provisions of this Addendum into any agreements with agents or subcontractors; To provide access to the Provider and/or the applicable PHI individual (upon reasonable notice and during FPI’s normal business hours), in accordance with 45 CFR Section 164.524, to those designated records, including medical and billing records about the individual(s); To make any amendment(s) to PHI that the Provider directs or agrees to pursuant to 45 CFR Section 164.526; To make FPI’s internal practices, books and records relating to the use and disclosure of PHI received from the Provider, or created or received on behalf of the Provider, available to the Provider or to CDHS or DHHS for purposes of determining compliance; To document and make available to the Provider or an Individual such disclosures of PHI as are necessary to respond to a proper request by the subject Individual for an accounting of disclosures of PHI, in accordance with 45 CFR 164.528; To notify the Provider within twenty-four (24) hours of any suspected or actual breach of security, intrusion or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of PHI data in violation of applicable laws; To take prompt corrective action to cure any deficiencies and any other necessary action pertaining to such unauthorized disclosure required by applicable laws and regulations; To investigate any unauthorized use or disclosure of PHI and provide a written report to the Provider within fifteen (15) working days of the discovery of any breach or unauthorized use; To train and use reasonable measures to ensure compliance with the requirements of this Addendum by employees or agents who assist in the performance of functions or activities on behalf of FPI under this Agreement and who use or disclose PHI; and to discipline such employees who intentionally violate any of its provisions.
  4. Provider Duties - Provide FPI with the Notice of Privacy Practices that the Provider produces in accordance with 45 CFR 164.520, as well as any changes to such notice. (An example of such a notice used by the CDHS may be found at http://www.dhs.ca.gov/hipaa.); Provide the Business Associate with any changes in permission to use or disclose PHI, if such changes affect the Business Associate’s permitted or required uses and disclosures; Notify FPI of any restriction on the use or disclosure of PHI that the Provider has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect FPI’s use or disclosure of PHI; Not ask FPI to use or disclose PHI in any manner that would not be permissible under the HIPAA regulations if done by the Provider.
  5. Audits, Inspection and Enforcement - CDHS or DHHS may inspect the facilities, systems, books and records of FPI to monitor compliance with this Addendum. FPI shall promptly remedy any violation of any provision of this Addendum and the fact that any such inspection fails to detect and/or fails to require correction does not constitute a waiver of enforcement rights.
  6. Termination - Upon the Provider’s knowledge of a material breach of this Addendum by FPI, the Provider shall either: (1) Provide an opportunity for FPI to cure the breach or end the violation, and terminate this Agreement if FPI does not cure the breach within the time specified by the Provider; (2) Immediately terminate this Agreement if FPI has breached a material term and cure is not possible; or (3) If neither cure nor termination is feasible, report the violation to the CDHS and DHHS. The Provider may terminate this Agreement, effective immediately, if (i) FPI is named as a defendant in a criminal proceeding for a violation of HIPAA, or (ii) a finding or stipulation that FPI has violated any standard or requirement of HIPAA or other security or privacy laws is made in any administrative or civil proceeding in which FPI has been joined. Upon termination or expiration of this Agreement for any reason, FPI shall return or destroy all PHI received from the Provider (or created or received by FPI on behalf of the Provider) that FPI still maintains in any form, and shall retain no copies of such PHI; or, if return or destruction is not feasible, it shall continue to extend the protections of this Addendum to such information and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible. This provision shall also apply to PHI that is in the possession of subcontractors or agents of FPI.
  7. Miscellaneous Provisions - The Provider makes no warranty or representation that compliance by FPI with this Addendum or the HIPAA regulations is adequate or satisfactory for FPI’s own purposes, or that any information in its possession or control, or sent or received by FPI, is or will be secure from unauthorized use or disclosure. FPI is solely responsible for its decisions regarding the safeguarding of PHI; The parties acknowledge that laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Addendum may be required to provide for procedures to ensure continued compliance. The parties specifically agree to take such action as is necessary to implement all HIPAA regulations and other applicable laws relating to the security or privacy of PHI. Upon the Provider’s request, FPI agrees to promptly enter into negotiations for an amendment to this Addendum consistent with the HIPAA regulations or other applicable laws. The Provider may terminate this Agreement upon thirty (30) days’ written notice in the event that (i) FPI does not promptly enter into negotiations to amend this Addendum when requested pursuant to this Section, or (ii) FPI does not agree to such amendments safeguarding PHI as the Provider, in its sole discretion, deems required to satisfy the HIPAA requirements; That FPI shall make itself, and any subcontractors, employees or agents assisting FPI in the performance of its obligations under this Agreement, available to the Provider at no cost to the Provider to testify in the event of litigation or administrative proceedings being commenced against the Provider based upon a claimed violation of HIPAA or other laws relating to security and privacy, except where FPI or its subcontractor, employee or agent is a named adverse party; That nothing express or implied in the terms and conditions of this Addendum is intended to confer, nor shall anything herein confer, upon any person other than the Provider or FPI and their respective successors or assignees, any rights, remedies, obligations or liabilities whatsoever; That the terms and conditions in this Addendum shall be interpreted as broadly as necessary to implement and comply with HIPAA regulations and applicable privacy laws. The parties agree that any ambiguity in the terms and conditions of this Addendum shall be resolved in favor of a meaning that complies and is consistent with the HIPAA regulations in effect or as amended; That the respective rights and obligations of FPI under Section 6.C of this Addendum shall survive the termination or expiration of this Agreement; That no change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing obligation, or shall prohibit enforcement of any obligation on any other occasion.