BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“BAA”) is entered into between the Client (the “Covered Entity”) that executes the Order Form (Exhibit A) as its acceptance to the Software as a Service (SaaS) Agreement (“SaaS Agreement”) to which this BAA is attached and incorporated into, and DocResponse (the “Business Associate”), with an effective date equal to the Effective Date of the SaaS Agreement. This BAA sets out the responsibilities and obligations of Business Associate as a business associate of Covered Entity under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).
A. Covered Entity and Business Associate are Parties to the SaaS Agreement, pursuant to which Business Associate provides the Service to Covered Entity.
B. In conjunction with Service, Covered Entity may make available to Business Associate Protected Health Information of Individuals, which Business Associate may only Use or Disclose in accordance with the SaaS Agreement, this BAA and as Required by Law.
Business Associate and Covered Entity agree to the terms and conditions of this BAA in order to comply with the rules on handling of Protected Health Information under the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subpart E (“Privacy Rule”), the HIPAA Security Standards, 45 C.F.R. Part 160 and Part 164, Subpart C (“Security Rule”), and the HIPAA Breach Notification Regulations, 45 C.F.R. Part 164, Subpart D (“Breach Notification Rule”), all as amended from time to time.
a. Terms Defined in Regulation: Unless otherwise provided in this BAA or the SaaS Agreement, all capitalized terms in this BAA will have the same meaning as provided under the Privacy Rule, the Security Rule and the Breach Notification Rule.
b. Protected Health Information or PHI: Protected Health Information (“PHI”) means PHI that is received from Covered Entity, or created, maintained or transmitted on behalf of Covered Entity, by Business Associate.
2. USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
a. Provision of Service: Business Associate may Use or Disclose PHI as needed or required to provide the Service under the SaaS Agreement, as otherwise expressly permitted in this BAA, or as Required by Law.
b. Subcontractors: Business Associate agrees that, in accordance with 45 C.F.R. § 164.502(e)(1), if Business Associate’s Subcontractor creates, receives, maintains or transmits PHI on behalf of Business Associate, Business Associate will enter into an agreement with such Subcontractor that contains substantially the same restrictions and conditions on the Use and Disclosure of PHI as contained in this BAA.
c. Business Associate Management, Administration and Legal Responsibilities: Business Associate may Use PHI for Business Associate’s management and administration, or to carry out Business Associate’s legal responsibilities. Business Associate may Disclose PHI to a third party for such purposes only if: (1) the Disclosure is Required by Law; or (2) Business Associate secures written assurance from the receiving party that the receiving party will: (i) hold the PHI confidentially; (ii) Use or Disclose the PHI only as Required by Law or for the purposes for which it was Disclosed to the recipient; and (iii) notify the Business Associate of any other Use or Disclosure of PHI.
d. Data Aggregation and De-Identification: Business Associate may Use PHI to perform data aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Business Associate may also de-identify PHI in accordance with 45 C.F.R. § 164.514.
e. Covered Entity Responsibilities: To the extent Business Associate is to carry out Covered Entity’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity’s compliance with such obligations.
3. SAFEGUARDS FOR PROTECTED HEALTH INFORMATION
a. Adequate Safeguards: Business Associate will implement and maintain appropriate safeguards to prevent any Use or Disclosure of PHI for purposes other than those permitted by this BAA, including administrative, physical and technical safeguards to protect the confidentiality, integrity, and availability of any electronic protected health information (“ePHI”), if any, that Business Associate creates, receives, maintains, and transmits on behalf of Covered Entity.
b. Compliance with HIPAA Security Rule: Business Associate will comply with the applicable requirements of the HIPAA Security Rule.
4. REPORTS OF IMPROPER USE OR DISCLOSURE OF PROTECTED HEALTH INFORMATION, SECURITY INCIDENTS AND BREACHES
a. Use or Disclosure Not Permitted by This BAA: Business Associate will report in writing to Covered Entity any Use or Disclosure of PHI for purposes other than those permitted by this BAA within five (5) business days of Business Associate learning of, or the date it should have known of, such Use or Disclosure.
b. Security Incidents: Business Associate will report in writing to Covered Entity any successful Security Incident of which Business Associate becomes aware. Specifically, Business Associate will report to Covered Entity any successful unauthorized access, Use, Disclosure, modification, or destruction of ePHI or interference with system operations in an information system containing ePHI of which Business Associate becomes aware within five (5) business days of Business Associate learning of, or the date it should have known about, such successful Security Incident. Business Associate also will report the aggregate number of unsuccessful, unauthorized attempts to access, Use, Disclose, modify, or destroy ePHI or interfere with system operations in an information system containing ePHI, of which Business Associate becomes aware, provided that: (i) such reports will be provided only as frequently as the Parties mutually agree, but no more than once per month; and (ii) if the definition of “Security Incident” under the Security Standards is amended to remove the requirement for reporting “unsuccessful” attempts to Use, Disclose, modify or destroy ePHI, the portion of this Section 4 addressing the reporting of unsuccessful, unauthorized attempts will no longer apply as of the effective date of such amendment.
c. Breaches of Unsecured PHI: Business Associate will report in writing to Covered Entity any Breach of Unsecured Protected Health Information, as defined in the Breach Notification Rule, within five (5) business days of the date Business Associate learns of the incident giving rise to the Breach. Business Associate will provide such information to Covered Entity as required in the Breach Notification Rule. Business Associate shall cooperate with Covered Entity on the investigation of such breach and be responsible for any and all reasonable costs associated with the notification and mitigation of a data breach that has occurred.
5. ACCESS TO PROTECTED HEALTH INFORMATION
a. Covered Entity Access: To the extent Business Associate maintains PHI in a Designated Record Set that is not duplicative of a Designated Record Set maintained by Covered Entity, Business Associate will make such PHI available to Covered Entity within ten (10) business days of a request by Covered Entity for access to such PHI.
b. Individual Access: If an Individual makes a request for access directly to Business Associate, Business Associate will within ten (10) business days forward such request in writing to Covered Entity. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Only Covered Entity will release PHI to an Individual pursuant to such a request, unless Covered Entity directs Business Associate to do so.
6. AMENDMENT OF PROTECTED HEALTH INFORMATION
a. Covered Entity Request: To the extent Business Associate maintains PHI in a Designated Record Set that is not duplicative of a Designated Record Set maintained by Covered Entity, Business Associate will provide such PHI to Covered Entity for amendment within ten (10) business days of receiving a request from Covered Entity to amend an Individual’s PHI. Alternatively, if Covered Entity’s request includes specific instructions on how to amend the PHI, Business Associate will incorporate such amendment into the PHI it holds in a Designated Record Set within ten (10) business days of receipt of the Covered Entity’s request.
b. Individual Request: If an Individual makes a request for amendment directly to Business Associate, Business Associate will within ten (10) business days forward such request in writing to Covered Entity. Covered Entity will be responsible for making all determinations regarding amendments to PHI and Business Associate will make no such determinations unless Covered Entity directs Business Associate to do so.
7. ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION
a. Disclosure Records: Business Associate will keep a record of any Disclosure of PHI that Business Associate makes, if Covered Entity would be required to provide an accounting to Individuals of such Disclosures under 45 C.F.R. § 164.528. Business Associate will maintain its record of such Disclosures for six (6) years from the date of the Disclosure.
b. Data Regarding Disclosures: For each Disclosure for which it is required to keep a record under paragraph 7(a), Business Associate will record and maintain the following information: (1) the date of Disclosure; (2) the name of the entity or person who received the PHI and the address of such entity or person, if known; (3) a description of the PHI Disclosed; and (4) a brief statement of the purpose of the Disclosure.
c. Provision to Covered Entity: Within ten (10) business days of receiving a notice from Covered Entity, Business Associate will provide to Covered Entity its records of Disclosures.
d. Request by Individual: If an Individual requests an accounting of Disclosures directly from Business Associate, Business Associate will forward the request and its record of Disclosures to Covered Entity within ten (10) business days of Business Associate’s receipt of the Individual’s request. Covered Entity will be responsible for preparing and delivering the accounting to the Individual. Business Associate will not provide an accounting of its Disclosures directly to any Individual, unless directed by Covered Entity to do so.
8. ACCESS TO BOOKS AND RECORDS
Business Associate will make its internal practices, books and records on the Use and Disclosure of PHI available to the Secretary of Health and Human Services to the extent required for determining compliance with the Privacy Rule, the Security Rule, or the Breach Notification Rule. No attorney-client, accountant-client or other legal privilege will be deemed waived by Business Associate or Covered Entity as a result of this Section.
Covered Entity may terminate this BAA upon material breach of this BAA. Covered Entity will provide Business Associate with written notice in accordance with Section 10.4 of the SaaS Agreement of the breach of this BAA and afford Business Associate the opportunity to cure the breach to the satisfaction of Covered Entity within thirty (30) days of the date of such notice. If Business Associate fails to timely cure the breach, as determined by Covered Entity in its sole discretion, Covered Entity may terminate this BAA.
10. RETURN OR DESTRUCTION OF PROTECTED HEALTH INFORMATION
a. Return or Destruction of PHI: Within thirty (30) days of termination of this BAA, Business Associate will return to Covered Entity all PHI that Business Associate or its Subcontractors maintain in any form or format. Alternatively, Business Associate may, upon Covered Entity’s consent, destroy all such PHI and provide Covered Entity with written documentation of such destruction.
b. Retention of PHI if Return or Destruction is Infeasible: If Business Associate believes that returning or destroying PHI at the termination of this BAA is infeasible, it will provide written notice to Covered Entity within thirty (30) days of the effective date of termination of this BAA. Such notice will set forth the circumstances that Business Associate believes make the return or destruction of PHI infeasible and the measures that Business Associate will take for assuring the continued confidentiality and security of the PHI. Business Associate will extend all protections, limitations and restrictions of this BAA to Business Associate’s Use or Disclosure of the PHI retained after termination of this BAA and will limit further Uses or Disclosures of such PHI to those purposes that make the return or destruction of the PHI infeasible.
a. OBLIGATIONS OF COVERED ENTITY: Covered Entity shall: (1) notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI; (2) notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI; (3) notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI; (4) not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity, except in accordance with paragraphs 2(c)-(d) of this BAA; and (5) only disclose to Business Associate the minimum necessary PHI for Business Associate to provide Service to Covered Entity.
b. COMPLIANCE WITH LAWS: The Parties are required to comply with federal and state laws. If this BAA must be amended to secure such compliance, the Parties will meet in good faith to agree upon such amendments. If the Parties cannot agree upon such amendments, then either Party may terminate this BAA upon thirty (30) days’ written notice to the other Party.
c. CONSTRUCTION OF TERMS: The terms of this BAA will be construed in light of any applicable interpretation or guidance on the Privacy Rule, the Security Rule or the Breach Notification Rule issued by HHS.
d. NO THIRD PARTY BENEFICIARIES: Nothing in this BAA will confer upon any person other than the Parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
e. NOTICES: All notices required under the BAA will be given in writing and will be delivered by (1) personal service, (2) first class mail, or (3) messenger or courier. All notices shall be addressed and delivered to the contact designated in the signature block, or other address provided by the Party from time to time in writing to the other Party. Notices given by mail will be deemed for all purposes to have been given forty-eight hours after deposit with the United States Postal Service. Notices delivered by any other authorized means will be deemed to have been given upon actual delivery.
f. ENTIRE AGREEMENT: This BAA constitutes the entire agreement between the Parties with regard to the Privacy Rule, the Security Rule and the Breach Notification Rule; there are no understandings or agreements relating to this BAA that are not fully expressed in this BAA; and no change, waiver or discharge of obligations arising under this BAA will be valid unless in writing and executed by the Party against whom such change, waiver or discharge is sought to be enforced.
g. WRITTEN AGREEMENT: This BAA will be considered an attachment to the underlying SaaS Agreement and is incorporated as though fully set forth within the SaaS Agreement. This BAA will govern in the event of conflict or inconsistency with any provision of the SaaS Agreement.
h. CHOICE OF LAW: The validity, construction and effect of this BAA will be governed by the laws of the State of Delaware, without giving effect to that state’s conflict of laws rules. Any Dispute will be resolved in a forum located in the State of Delaware.