Business Associate Agreement
Revised: May 31, 2024
Pursuant to the arrangement(s) between Covered Entity and Business Associate (the “Service Order”), Business Associate may receive access to use or disclose Protected Health Information to provide services to Covered Entity. Thus, to the extent Business Associate receives, uses, discloses, or creates Protected Health Information in connection with services provided to Covered Entity and is deemed a “Business Associate” pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, and its implementing regulations, Business Associate agrees to comply with the provisions of this Business Associate Agreement, as well as all requirements in the applicable Terms of Service.
NOW, THEREFORE, the Parties, in consideration of the mutual agreements contained herein and in the Service Order and for other good and valuable consideration, the receipt and adequacy of which are hereby acknowledged, do hereby agree as follows:
HIPAA BUSINESS ASSOCIATE AGREEMENT
- Definitions. Unless otherwise provided in this Agreement, capitalized terms shall have the same meanings set forth in the Privacy Standards, Security Standards or HITECH, as applicable.
  - “Business Associate” means us, as that term is defined in the Service Order and/or Terms of Service.
  - “Covered Entity” means you, as that term is used in the Terms of Service.
  - “Designated Record Set” or “DRS” as defined in the Privacy Rule, including but not limited to 45 C.F.R. Section 164.501.
  - “Electronic Protected Health Information” or “ePHI” as defined in the HIPAA Rule, including but not limited to 45 C.F.R. Parts 160, 162, and 164, and under HITECH.
  - “HIPAA” means HIPAA, the HITECH Act, and the Privacy and Security Rules unless otherwise indicated in this Agreement.
  - “HITECH” means the Health Information Technology for Economic and Clinical Health Act (Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5)).
  - “Individual” as defined in the Privacy Rule, including but not limited to 45 C.F.R. Sections 164.501 and 160.103, including a person who qualifies as a personal representative in accordance with 45 C.F.R. Section 164.502(g).
  - “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as amended from time to time.
  - “Protected Health Information” (“PHI” and “ePHI”) is information defined in 45 C.F.R. Section 160.103 that is created or received by Business Associate from or on behalf of Covered Entity.
  - “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
  - “Security Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C, as amended from time to time.
  - “Subcontractor” means a person (or entity) to whom Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such Business Associate.
- Obligations of Business Associate
  - Business Associate warrants that Business Associate shall:
    - Use or disclose PHI only in connection with fulfilling duties and obligations under this Agreement and the Service Order;
    - Not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law;
    - Not use or disclose PHI in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by Covered Entity;
    - Limit its use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request when using or disclosing PHI as set forth in 45 CFR Section 164.502(b);
    - When carrying out a Covered Entity’s obligation under HIPAA, comply with requirements of HIPAA in the same manner that such requirements apply to Covered Entity in performance of such obligation; and
    - Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary, for purposes of the Secretary ascertaining compliance with HIPAA as requested by the Secretary.
  - To the extent Business Associate maintains a Designated Record Set, Business Associate shall:
    - Provide Access to PHI maintained in such Designated Record Set upon receipt of a written request from Covered Entity to allow Covered Entity to respond to an Individual’s request for access pursuant to 45 C.F.R. Section 164.524, in the time and manner required by 45 C.F.R. Section 164.524, for as long as such information is maintained in the DRS. Any denial of access to PHI shall be the sole responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.
    - Assist Covered Entity in responding to an Individual’s request for amendment of PHI pursuant to 45 C.F.R. Section 164.526 by, in the time required by 45 C.F.R. Section 164.526, amending PHI about an Individual and making available to Covered Entity such PHI as long as such information is maintained in the DRS.
    - In the event an Individual requests amendment of PHI directly from Business Associate, forward such request to Covered Entity pursuant to 45 C.F.R. Section 164.526. Any denial of amendment of PHI determined by Covered Entity pursuant to 45 C.F.R. Section 164.526 and conveyed to Business Associate, shall be the sole responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.
  - Accounting of Disclosures.
    - Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity, to respond to a request for an accounting of disclosures of PHI under 45 C.F.R. § 164.528, the HITECH Act guidance, and any regulations regarding accounting for disclosures in effect at the time of the request.
    - Business Associate agrees to provide Covered Entity: (1) the date of the disclosure; (2) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (3) a brief description of the PHI disclosed; and (4) a brief statement of the purpose of such disclosure that reasonably informs the Individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure that conforms to 45 C.F.R. Sections 164.502(a)(2)(ii) or 164.512.
    - If an Individual requests an accounting of disclosure of PHI directly from Business Associate/Subcontractor, the request shall be forwarded to Covered Entity within fifteen (15) days.
  - Disclosure to Third Parties.
    - In the event that any Subcontractor(s) provides services to Business Associate in which any such Subcontractor shall create, receive or access PHI, Business Associate shall enter into a signed written agreement with Subcontractor(s) that requires Subcontractor(s) to comply with the restrictions and conditions (or substantially similar restrictions and conditions) that apply through this Agreement to Business Associate with respect to such information, including the safeguards contained in this Agreement.
    - Business Associate shall take appropriate disciplinary action against any Workforce member who uses or discloses PHI in contravention of this Agreement.
    - Business Associate shall mitigate, to the extent practicable, any harmful effect known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement.
    - Business Associate shall implement appropriate and reasonable administrative, technical and physical safeguards consistent with the size and complexity of its operations, to protect the confidentiality of PHI and to prevent use or disclosure of PHI other than as provided for by this Agreement.
    - Business Associate shall implement (and ensure Subcontractor(s) agree to implement) reasonable administrative, physical, and technical safeguards for ePHI that Business Associate (or Subcontractor(s)) creates, receives, maintains, or transmits on behalf of Covered Entity to comply with the HITECH Act and the HIPAA Security Rule.
  - Reporting of Breaches and Improper Disclosures
    - Business Associate shall, following the discovery of a Breach of Unsecured Protected Health Information, as defined in HIPAA, notify Covered Entity of such Breach pursuant to the terms of 45 CFR § 164.410 and reasonably cooperate in Covered Entity’s breach analysis procedures, including risk assessment, if requested. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate will provide such notification to Covered Entity without unreasonable delay and in no event later than fifteen (15) days after discovery of the Breach. Such notification will be in writing and will contain the elements required in 45 CFR § 164.410. If, following the Breach notification, Business Associate learns additional details about the Breach, Business Associate shall notify Covered Entity as promptly as such information becomes available.
    - Business Associate shall report to Covered Entity any Security Incident (other than an Unsuccessful Security Incident, as defined below) of which Business Associate becomes aware. The report shall be made as soon as practical, and in any event within twenty (20) days of Business Associate’s discovery of the Security Incident. Notwithstanding the foregoing, Covered Entity and Business Associate agree that certain Security Incidents, limited to certain unsuccessful attempts at unauthorized access to Business Associate’s system, including, but not limited to, pings; port scans; malware, such as viruses and worms that are detected and eradicated prior to having any effect on Business Associate’s system; attempts to log on to a system or enter a database with an invalid password or username; and denial-of-service attacks that do not result in a server being taken off-line (collectively, the “Unsuccessful Security Incidents”), do not pose a threat to the confidentiality, integrity or availability of any Electronic PHI in the possession of Business Associate and do not result in unauthorized access, use, disclosure, modification, or destruction of Electronic PHI or interference with an information system. The parties acknowledge that this Agreement constitutes notice of such Unsuccessful Security Incidents.
- Obligations of Covered Entity
  - Covered Entity shall notify Business Associate in writing of any changes in, or revocation of, permission or authorization provided by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
  - Covered Entity shall notify Business Associate in writing of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR Section 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
  - Covered Entity shall provide Business Associate with notice of any restrictions on the use or disclosure of PHI provided in the Covered Entity’s Notice of Privacy Practices, as such may be amended from time to time, and provide Business Associate a copy of the Notice of Privacy Practices currently in use.
- De-identified data. Business Associate shall have the right to de-identify PHI in accordance with the requirements of 45 CFR Section 164.514.
- Data Aggregation. Business Associate may use PHI to provide data aggregation services relating to the health care operations of Covered Entity.
- Management and Administration. Except as otherwise limited in this Agreement or the Service Order, Business Associate may use or disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of Business Associate. In the event of disclosure of PHI to a third party for purposes described herein, Business Associate shall obtain satisfactory assurances from the receiving party that it shall maintain the privacy and security of the information, use or further disclose the information only as Required by Law or for the purposes for which the information was disclosed to the third party, and notify Business Associate of any instances of a Breach of confidentiality of the information.
- Term and Termination.
  - Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
  - Return to Covered Entity or destroy the remaining PHI that the Business Associate still maintains in any form;
  - Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as Business Associate retains the PHI;
  - Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions set out in this Agreement which applied prior to termination; and
  - Return to Covered Entity or destroy the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
- Amendment. If any rules or regulations promulgated under HIPAA or state law are amended or interpreted and render this Agreement inconsistent therewith, Business Associate may unilaterally amend this Agreement as necessary to comply with such amendments or interpretations.
- Conflicting Terms. In the event any terms of this Agreement conflict with any terms of the Service Order, the terms of this Agreement shall govern and control with respect to matters relating to PHI.
- Notices. All notices, requests, approvals, demands and other communications required or permitted to be given under this Agreement shall be in writing and delivered personally, by certified mail with postage prepaid and return receipt requested, by electronic mail, or by overnight courier to the party to be notified. Addresses in the signature line will be used for notifications purposes for either party unless updated with written notification to the other party.
- Days. All references to “days” in this Agreement mean business days.
- Independent Contractors. The parties are and shall be independent contractors to one another, and nothing in this Agreement shall be deemed to create an agency, partnership, or joint venture between the Parties.
- Indemnification. Subject at all times to Section 18 of this Agreement, each party shall indemnify and hold the other harmless from and against all claims, liabilities, judgments, fines, assessments, penalties, awards, or other expenses, of any kind or nature whatsoever, including, without limitation, attorneys’ fees, expert witness fees, and costs of investigation, litigation or dispute resolution, relating to or arising out of any breach of this Agreement, or any Breach, by that Party or its agents.
- Governing Law. This Agreement shall be governed by and construed in accordance with the laws that govern the Service Order.
- Limitation on Damages. Business Associate shall not be liable for any consequential, indirect, incidental, special, exemplary, or punitive damages arising out of or relating to this Agreement. To the extent the Service Order includes any clause or provision limiting the amount of damages or losses for which Business Associate will be liable, such clause or provision shall be applicable to this Agreement. This provision shall survive expiration or termination of this Agreement.
- Assignment. This Agreement shall be binding on the Parties and their successors and assigns. Covered Entity may not assign any of its rights or delegate any of its obligations under this Agreement without Business Associate’s prior written consent, except in connection with a change of control, merger, or by operation of law. Covered Entity’s assignment or delegation will not relieve it of its obligations under this Agreement nor release it of its liability under this Agreement. Business Associate may voluntarily, involuntarily, or by operation of law assign any of its rights or delegate any of its obligations under this Agreement without Covered Entity’s consent. Any purported assignment or delegation in violation of this Section 19 will be null and void.
- Severability. In the event a court or any governmental authority or agency declares all or part of any section of this Agreement unlawful or invalid, such unlawfulness or invalidity shall not serve to invalidate any other section of this Agreement, and if only a portion of any section is declared to be unlawful or invalid, such unlawfulness or invalidity shall not invalidate the balance of such section.
- Entire Agreement. This Agreement supersedes any and all other agreements, whether oral or in writing, between the Parties with respect to PHI, and this Agreement contains all of the covenants and agreements between the Parties with respect to PHI in any manner whatsoever. Each Party to this Agreement acknowledges that no representations, inducements, promises, or agreements, orally or otherwise, with respect to PHI have been made by any Party, or anyone acting on behalf of any Party, that are not embodied in this Agreement, and that no other agreement, statement, or promise with respect to PHI that is not contained in this Agreement shall be valid or binding.