HIPAA Business Associate Agreement
Last Updated: April 11, 2022
1. Definitions.
- “Capitalized Terms” means any capitalized term not defined in this Section 1; such terms have the meanings set forth in the Privacy Rule, Security Rule or HITECH, as applicable.
- “Designated Record Set” or “DRS” has the meaning defined in the Privacy Rule, including but not limited to 45 C.F.R. Section 164.501.
- “Electronic Protected Health Information” or “ePHI” has the meaning defined in the HIPAA Rules, including but not limited to 45 C.F.R. Parts 160, 162, and 164, and under HITECH.
- “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, the HITECH Act, and the Privacy and Security Rules unless otherwise indicated in this Agreement.
- “HITECH” means the Health Information Technology for Economic and Clinical Health Act, (Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5)), and implementing regulations and guidance.
- “Individual” as defined in the Privacy Rule, including but not limited to 45 C.F.R. Sections 164.501 and 160.103, including a person who qualifies as a personal representative in accordance with 45 C.F.R. Section 164.502(g). For the purposes of this Agreement, Individual means a consumer who has contracted with Lumistry for Lumistry Software and Services.
- “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
- “Protected Health Information” (“PHI”, and “ePHI” when in electronic form) has the meaning defined in 45 C.F.R. Section 160.103 and, for purposes of this Agreement, is limited to such information created or received by Business Associate from or on behalf of Covered Entity.
- “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information codified at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
- “Subcontractor” means a person (or entity) to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate. For purposes of this Agreement, “Subcontractor” includes the downstream subcontractors of a Subcontractor (“Downstream Subcontractor”).
- “Lumistry Software and Services” means Lumistry’s website, mobile application, tablet application, SMS text messaging, interactive voice response, and any other multimedia channel using or displaying content or applications.
2. Confidentiality and Security.
- The Parties shall comply with more stringent state laws and implementing regulations, including the Texas Medical Records Privacy Act (Chapters 181 and 182 of the Texas Health & Safety Code) and Section 521.053 of the Texas Business & Commerce Code, each as amended.
3. Obligations of Business Associate and Business Associate Subcontractors.
a. Business Associate warrants that Business Associate, its directors, officers, Subcontractors, employees, affiliates, agents, and representatives shall:
- (i) Use or disclose PHI only in connection with fulfilling duties and obligations under this Agreement and the Service Agreement; (ii) not use or disclose PHI other than as permitted or required by this Agreement or as required by law; and (iii) not use or disclose PHI in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by Covered Entity.
- Not violate the Texas Health & Safety Code, Chapters 181 or 182, by (i) selling PHI as prohibited in Section 181.153; (ii) using PHI for marketing purposes except as permitted by Section 181.152; (iii) attempting to re-identify any de-identified information as prohibited by Section 181.151; or (iv) using or disclosing PHI for marketing purposes without the Individual’s prior written authorization in violation of Section 181.154.
- Provide adequate training to employees and Subcontractors as required by Section 181.101 of the Texas Health & Safety Code and by HIPAA.
- Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request when using or disclosing PHI.
- When carrying out a Covered Entity’s obligation under HIPAA, comply with requirements of HIPAA that apply to Covered Entity in performance of such obligation.
- Provide Records and Compliance Reports. Business Associate/ Subcontractor must keep such records and submit such compliance reports as the Secretary may determine necessary to determine compliance with applicable HIPAA provisions.
- Cooperate with Complaint Investigations and Compliance Reviews. Business Associate/Subcontractor must cooperate with the Secretary if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of Covered Entity, Business Associate, or Subcontractor to determine compliance with HIPAA.
- Permit Access to Information. Business Associate/Subcontractor must permit access by the Secretary to its facilities, books, records, accounts and other sources of information, including PHI, for ascertaining compliance as requested by the Secretary. If the information required of Business Associate/Subcontractor is under the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails to furnish the information, Business Associate/Subcontractor must so certify and explain efforts made to obtain the information.
b. To the extent Business Associate/Subcontractor maintains a Designated Record Set (“DRS”), it shall:
- Provide Access to PHI to allow Covered Entity to respond to an Individual’s request for access pursuant to 45 C.F.R. Section 164.524, in the time and manner requested by Covered Entity, for as long as such information is maintained in the DRS.
- In the event any Individual requests access to PHI directly from Business Associate/Subcontractor, forward the request to Covered Entity within five (5) business days.
- Process PHI subject to access in electronic form or format requested by Covered Entity, unless a readable hard copy or other format is requested by Covered Entity.
- Any denial of access to PHI shall be the sole responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.
- Amend PHI. To allow Covered Entity to respond to an Individual’s request for amendment of PHI pursuant to 45 C.F.R. Section 164.526, Business Associate/Subcontractor shall, in the time requested by Covered Entity, amend PHI about an Individual, and make such PHI available to Covered Entity for as long as such information is maintained in the DRS. Business Associate shall contractually obligate Subcontractor to forward such a request on the date of receipt by Subcontractor.
- In the event an Individual requests amendment of PHI directly from Business Associate/Subcontractor, Business Associate shall forward such request to Covered Entity pursuant to 45 C.F.R. Section 164.526.
- Any denial of amendment of PHI determined by Covered Entity pursuant to 45 C.F.R. Section 164.526, and conveyed to Business Associate, shall be the sole responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.
- Within ten (10) business days of receipt of a request from Covered Entity to amend an Individual’s PHI in the DRS, Business Associate shall require Subcontractors to incorporate the amendment, statements of disagreement, and/or Individual rebuttals into its DRS as required by 45 C.F.R. Section 164.526.
4. Accounting of Disclosures.
- To allow Covered Entity to respond to an Individual’s request for an accounting pursuant to 45 C.F.R. Section 164.528, Business Associate/Subcontractor shall in the time requested make available to Covered Entity PHI in the format requested. Business Associate shall contractually obligate Subcontractor to forward such a request to Business Associate on the day of receipt of the request.
- Provide Covered Entity: (1) the date of the disclosure; (2) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (3) a brief description of the PHI disclosed; and (4) a brief statement of the purpose of such disclosure.
- If an Individual requests an accounting of disclosure of PHI directly from Business Associate/Subcontractor, the request shall be forwarded to Covered Entity within five (5) business days.
5. Disclosure to Third Parties.
- Subject to any limitations in this Agreement and the Service Agreement, Business Associate may disclose PHI to Subcontractors necessary to perform its obligations under the Service Agreement and permitted or required by applicable federal or state law.
- Business Associate shall not (and shall provide that its directors, officers, employees, Subcontractors, and agents do not) disclose PHI to any person (other than their Workforce) unless disclosure is required by law or authorized by the person whose PHI is to be disclosed. Business Associate shall enter into a signed written agreement with Subcontractor(s) that:
- Prohibits Subcontractor from using or further disclosing PHI in a manner that would violate the Privacy Rule if done by Covered Entity, or this Agreement if done by Business Associate.
- Binds Subcontractor to the provisions, restrictions, and conditions of this Agreement pertaining to PHI and ePHI applicable to Business Associate, for the express benefit of Covered Entity.
- Obligates Subcontractor to immediately notify Business Associate of any breaches (including breaches of unsecured PHI as required by 45 C.F.R. Section 164.410) of confidentiality of PHI and Security Incidents of which it becomes aware.
- Obligates Business Associate/Subcontractor to comply with the “minimum necessary use and disclosure” and regulations or guidance issued by HHS concerning the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets.
- To the extent a Subcontractor is to carry out Covered Entity’s obligations under HIPAA, obligate Subcontractor to comply with the HIPAA requirements applicable to Covered Entity.
- Business Associate/Subcontractor shall take appropriate disciplinary action against any Workforce member who uses or discloses PHI in contravention of this Agreement.
- Business Associate and Subcontractors shall mitigate, to the extent practicable, any harmful effect known to them of a use or disclosure of PHI in violation of this Agreement.
- Safeguards. Business Associate and Subcontractors shall:
- Employ appropriate administrative, technical and physical safeguards, consistent with the size and complexity of its operations, to protect the confidentiality of PHI and to prevent use or disclosure of PHI in any manner inconsistent with the terms of this Agreement.
- Comply with the HITECH Act and final Omnibus Rule 45 C.F.R. Sections 164.306, 164.308, 164.310, 164.312, 164.314, and 164.316 as well as the HIPAA Security Rule as if Business Associate (and Subcontractors) were a Covered Entity.
6. Reporting of Breaches and Improper Disclosures.
- Business Associate shall, following the discovery of a Breach of Unsecured Protected Health Information, as defined in HIPAA, notify Covered Entity of such Breach pursuant to the terms of 45 CFR § 164.410 and cooperate in Covered Entity’s breach analysis procedures, including risk assessment, if requested. A Breach shall be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate or, by exercising reasonable diligence, would have been known to Business Associate. Business Associate will provide such notification to Covered Entity without unreasonable delay and in no event later than fifteen (15) business days after discovery of the Breach. Such notification will contain the elements required in 45 CFR § 164.410. If, following the Breach notification, Business Associate learns additional details about the Breach, Business Associate shall notify Covered Entity promptly as such information becomes available. Covered Entity shall determine any required actions with respect to any such Breach, and Business Associate shall cooperate with Covered Entity and comply with such actions.
- Business Associate shall report to Covered Entity any Security Incident (other than an Unsuccessful Security Incident, as defined below) that does not rise to the level of a Breach of Unsecured Protected Health Information of which Business Associate becomes aware. The report shall be made as soon as practical, and in any event within twenty (20) days of Business Associate’s discovery of the Security Incident. Notwithstanding the foregoing, Covered Entity and Business Associate agree that certain Security Incidents, limited to certain unsuccessful attempts at unauthorized access to Business Associate’s system, including, but not limited to, pings; port scans; malware, such as viruses and worms that are detected and eradicated prior to having any effect on Business Associate’s system; attempts to log on to a system or enter a database with an invalid password or username; and denial-of-service attacks that do not result in a server being taken off-line (collectively, the “Unsuccessful Security Incidents”), do not pose a threat to the confidentiality, integrity or availability of any Electronic PHI in the possession of Business Associate and do not result in unauthorized access, use, disclosure, modification, or destruction of Electronic PHI or interference with an information system. Covered Entity agrees that Business Associate will, to the extent that its computer system is capable of logging the Unsuccessful Security Incidents, report the Unsuccessful Security Incident in the aggregate upon Covered Entity’s reasonable written request. To the extent that Business Associate’s computer systems are not capable of logging Unsuccessful Security Incidents, this Agreement constitutes the report of such Unsuccessful Security Incidents.
7. De-identified Data. Business Associate shall have the right to de-identify PHI, subject to the Terms of Service and this Agreement and in accordance with the requirements of 45 CFR Section 164.514, and to anonymously aggregate and use such de-identified data for Business Associate’s purposes, in Business Associate’s sole discretion.
8. Term and Termination. This Agreement shall be effective as of the Effective Date and shall terminate upon termination of the Service Agreement or this Agreement, whichever is sooner. The Parties agree that upon termination, transactional data (which does not include PHI) provided to the Individual by Covered Entity through Business Associate shall not be destroyed. Per the Terms of Service, Confidential Information (including PHI, if any, contained within such Confidential Information) will be destroyed and will not be available to the Individual through the Lumistry App and/or Website. All other PHI provided by Covered Entity shall be returned or destroyed as required by the HIPAA regulations.
9. Amendment. If any rules or regulations promulgated under HIPAA or state law are amended or interpreted and render this Agreement inconsistent therewith, Covered Entity may, on thirty (30) days’ written notice to Business Associate, amend this Agreement as necessary to comply with such amendments or interpretations. Business Associate shall comply with all such amendments, amend this Agreement, and amend applicable Subcontractor agreements.
10. Conflicting Terms. In the event any terms of this Agreement conflict with any terms of the Service Agreement, the terms of this Agreement shall govern and control.
11. Notices. All notices, requests, approvals, demands and other communications required or permitted to be given under this Agreement shall be in writing and delivered either personally, or by certified mail with postage prepaid and return receipt requested, or by overnight courier to the party to be notified. Addresses in the signature line will be used for notifications purposes for either party unless updated with written notification to the other party.
12. Days. All references to “days” in this Agreement mean business days.
13. Independent Contractors. The parties are and shall be independent contractors to one another, and nothing in this Agreement shall be deemed to create an agency, partnership, or joint venture between the Parties.
14. Indemnification. Each party shall indemnify and hold the other harmless from and against all claims, liabilities, judgments, fines, assessments, penalties, awards, or other expenses, of any kind or nature whatsoever, including, without limitation, attorneys’ fees, expert witness fees, and costs of investigation, litigation or dispute resolution, relating to or arising out of any breach of this Agreement, or any Breach, by that Party or its subcontractors or agents.
15. Assignment. This Agreement shall be binding on the Parties and their successors and assigns. Neither party shall assign any of its rights under this Agreement to any other party without the prior written consent of the other party, provided that Covered Entity or Business Associate shall have the right to assign this Agreement to their respective affiliates.
16. Severability. In the event a court or any governmental authority or agency declares all or part of any section of this Agreement unlawful or invalid, such unlawfulness or invalidity shall not serve to invalidate any other section of this Agreement, and if only a portion of any section is declared to be unlawful or invalid, such unlawfulness or invalidity shall not invalidate the balance of such section.
17. Counterparts. This Agreement may be executed in two or more counterparts, each of which shall be deemed to be an original, but all of which shall constitute one and the same agreement.