Business Associate Agreement
Effective as of May 25, 2018
This Agreement (“Agreement”) is made and entered into, at the date and time your Healthie account is created, by and between you (“Covered Entity”) and Healthie Inc (“Business Associate”) (individually a “Party,” and collectively the “Parties”), to define their respective rights and responsibilities with respect to the privacy and security of certain health information in connection with certain federal laws.
The Covered Entity desires, and the Business Associate agrees, to perform certain covered business functions that involve the disclosure of Protected Health Information from the Covered Entity to the Business Associate. In signing this Agreement, all Business Associates intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate in compliance with the HIPAA Statute and the HITECH Act. NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
1. Definitions
For purposes of this Agreement, each of the following capitalized terms shall have the meaning set forth in this Section. Except as the context of a provision dictates otherwise, a term used in this Agreement that is not defined in this Section shall have the meaning accorded to it under HIPAA or HITECH, as applicable.
(a) Breach. “Breach” shall have the same meaning as the term “breach” in 45 CFR § 164.402.
(b) Business Associate. “Business Associate” shall have the same meaning as the term “business associate” in 45 CFR § 160.103.
(c) Covered Entity. “Covered Entity” shall have the same meaning as the term “Covered Entity” in 45 CFR § 160.103.
(d) Data Aggregation. “Data Aggregation” shall have the same meaning as the term “data aggregation” in 45 CFR § 164.501.
(e) Designated Record Set. “Designated Record Set” shall mean a group of records maintained by or for a Covered Entity that is (i) the medical records and billing records about individuals maintained by or for a covered health care provider; (ii) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) used, in whole or in part, by or for the Covered Entity to make decisions about individuals. As used herein, the term “Record” means any item, collection or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a Covered Entity as defined in 45 CFR § 164.501.
(f) HIPAA. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder relating to the privacy and security of Protected Health Information, as such statute and regulations may be amended from time to time.
(g) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
(h) HITECH. “HITECH” shall mean the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the regulations promulgated thereunder relating to the privacy and security of Protected Health Information, as such statute and regulations may be amended from time to time.
(i) Individual. “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
(j) Protected Health Information/Electronic Protected Health Information. “Protected Health Information” (or “PHI”) and “Electronic Protected Health Information” (or “Electronic PHI”) shall have the same meaning as the terms “protected health information” and “electronic protected health information,” respectively, in 45 CFR § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
(k) Public Health Activity. “Public Health Activity” shall mean the activities described in 45 CFR § 164.512(b).
(l) Public Health Authority. “Public Health Authority” shall have the same meaning as the term “public health authority” in 45 CFR § 164.103.
(m) Required By Law. “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.103.
(n) Secretary. “Secretary” shall mean the Secretary of the Department of Health and Human Services or his or her designee.
(o) Subcontractor. “Subcontractor” shall have the same meaning as the term “subcontractor” in 45 CFR § 164.103.
2. Obligations And Activities Of Business Associate
(a) Business Associate will not use or disclose Protected Health Information other than as permitted or required by this Agreement or as Required By Law.
(b) Business Associate will develop, implement, maintain and use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted or required by this Agreement or as Required By Law. Business Associate will develop, implement, maintain and use appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, as required by the HIPAA Security Standards, the HITECH Act, and all other applicable laws, regulations and requirements published by a federal agency authorized to issue guidance under HIPAA or HITECH applicable to Business Associate.
(c) Business Associate agrees to ensure, through written agreements, that any Subcontractor to whom it provides PHI agrees to substantially the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
(d) Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526 or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526.
(e) Business Associate agrees to make internal practices, books and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s compliance with the Privacy Rule.
(f) Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528.
(g) Business Associate shall not receive any remuneration in exchange for any PHI unless such remuneration is both: (i) permitted under HIPAA and HITECH; and (ii) authorized by Covered Entity in writing.
(h) Business Associate shall provide training to members of its workforce regarding the requirements in the Privacy and Security Standards. The training shall be updated periodically, as the laws and regulations evolve.
(i) Business Associate shall provide written notice to Covered Entity of any HIPAA Breach of unsecured PHI without unreasonable delay, but in any event, no more than five (5) business days after the discovery of such breach. Covered Entity, in its sole discretion, will determine which party shall be responsible for providing any notification to the patient, Secretary, or media that may be required under the HITECH Act. Business Associate shall be solely responsible for any costs and expenses incurred by Covered Entity and Business Associate related to a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA. To the extent known, Business Associate shall provide Covered Entity with the following information:
- the identification of each individual whose PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired or disclosed;
- what happened, including the date of the breach and the date of discovery of the breach, if known;
- the type of information involved;
- any steps the affected individuals should take to protect themselves;
- what the Business Associate is doing to investigate and mitigate the breach and protect against further breaches; and
- information on how the Covered Entity can contact the Business Associate for more information or questions.
3. Permitted Uses And Disclosures By Business Associate
Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information consistent with Covered Entity’s minimum necessary policies and procedures to:
(a) Perform services for, or on behalf of, the Individual, as specified in the services agreement between Covered Entity and Business Associate, except to the extent that such use or disclosure would violate the Privacy Rule if performed by Covered Entity;
(b) Perform its obligations under this Agreement, except to the extent that such use or disclosure would violate the Privacy Rule if performed by Covered Entity;
(c) Conduct activities for its own proper management and administration or carry out its own legal responsibilities, provided that any disclosure of PHI for such purpose shall be either: (i) Required By Law; or (ii) made after Business Associate obtains reasonable assurances from the recipient of the PHI that the PHI will be held confidentially and used and disclosed further only for the purpose for which it was disclosed to the recipient, and that the recipient will notify Business Associate of any instances of which it becomes aware that the confidentiality of the PHI has been breached. With regard to any such disclosure to a Subcontractor, Business Associate shall first enter into an agreement with the Subcontractor as described in Section 2(d) and, for a disclosure of Electronic PHI, require any Subcontractor to whom it provides the Electronic PHI to agree to implement reasonable and appropriate safeguards to protect such information;
(d) Provide data aggregation services, but only in order to analyze data for Covered Entity’s permitted health care operations, as permitted by 45 CFR § 164.504(e)(2)(i)(B); and
(e) Report violations of law in accordance with 45 CFR § 164.502(j)(1).
4. De-Identified Information
Business Associate may create, use and disclose de-identified PHI if the de-identification is in compliance with 45 CFR § 164.502(d), and any such de-identified PHI meets the standard and implementation specifications for de-identification under 45 CFR § 164.514(a) and (b), as they may be amended from time to time.
5. Obligations Of Covered Entity
(a) Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions.
- Covered Entity shall furnish Business Associate with its notice of privacy practices prepared in accordance with 45 CFR § 164.520 and of any modifications thereto that affect Business Associate’s obligations.
- Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
- Covered Entity shall notify Business Associate of all types of accountings of disclosures that it may require Business Associate to provide under 45 CFR § 164.528 or Section 13405(c) of HITECH.
- Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522 or Section 13405(a) of HITECH to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
(b) Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA or HITECH if done by Covered Entity. Covered Entity shall not request Business Associate to use or disclose more than the minimum PHI necessary.
6. Term And Termination
(a) Term. The term of this Agreement shall begin on the Effective Date above and shall terminate as provided elsewhere in this Agreement or when all of the Protected Health Information is destroyed or returned to Covered Entity or its designee, or, if it is infeasible to return or destroy PHI, when protections are extended to such information, in accordance with the termination provisions in this Section.
(b) Termination for Cause.
- Business Associate authorizes termination of this Agreement by Covered Entity if Covered Entity determines Business Associate has violated a material term of the Agreement and Business Associate has not cured the breach or ended the violation within the time specified by Covered Entity.
- If Covered Entity knows of a pattern of activity or practice by Business Associate that constitutes a material breach or violation of Business Associate’s obligations under the Agreement, Covered Entity shall notify Business Associate of the breach and of the period during which Business Associate may take reasonable measures to cure the breach or end the violation. If Business Associate does not cure the breach or end the violation within that period, Covered Entity shall terminate this Agreement as soon as feasible.
(c) Obligations of Business Associate Upon Termination. Notwithstanding anything to the contrary contained herein, except as provided elsewhere in this Section 6(c), upon termination of this Agreement, for any reason, Business Associate will return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity and will retain no copies of the PHI. This provision will apply to PHI that is in the possession of Subcontractors of Business Associate. If Business Associate determines that the return or destruction of PHI is not feasible, Business Associate shall so inform Covered Entity and Business Associate will extend the protections of this Agreement to the information and limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI infeasible, for so long as Business Associate maintains the PHI.
7. Indemnification
Each party (the “Indemnifying Party”) shall indemnify and hold the other party and its officers, directors, employees and agents (each an “Indemnified Party”) harmless from and against any claim, cause of action, liability, damage, cost or expense (“Liabilities”) to which the Indemnified Party becomes subject as a result of third party claims (including reasonable attorneys’ fees and court or proceeding costs) brought against the Indemnified Party, and any costs or expenses (including reasonable attorneys’ and consulting fees) and penalties incurred by the Indemnified Party in connection with any governmental investigation, audit, breach notification and remediation required by federal, state or local law, which arise as a result of: (i) the material breach of this Business Associate Agreement by the Indemnifying Party or its Subcontractors; or (ii) the gross negligence or willful misconduct of the Indemnifying Party, except to the extent such Liabilities were caused by the Indemnified Party. A party entitled to indemnification under this Section shall give prompt written notification to the Indemnifying Party of the commencement of any action, suit or proceeding relating to a third party claim or governmental investigation or audit for which indemnification is sought, subject to applicable confidentiality constraints. This Section 7 shall survive termination of this Agreement.
(a) Regulatory References. A reference in this Agreement to a section in HIPAA or HITECH, as applicable, means the section as in effect or, as applicable, as it has been redesignated after execution of this Agreement.
(b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of HIPAA or HITECH, as each may be amended or construed by courts of applicable jurisdiction or the Secretary from time to time. All amendments to this Agreement, except those occurring by operation of law, shall be in writing and signed by both Parties.
(c) Survival. Any provision of this Agreement which contemplates performance or observance subsequent to any termination or expiration hereof or by its sense or context is intended to survive the termination or expiration hereof, including without limitation, Sections 2, 6(c) and 7, and shall survive any such termination or expiration and shall continue in full force and effect.
(d) Governing Law. This Agreement shall be governed and construed in accordance with the laws of the State of Delaware, without regard to conflict of law principles. Any legal action, suit or proceeding arising out of or relating to this Agreement or the breach thereof will be instituted in a federal or state court of competent jurisdiction in the State of Delaware, and each Party hereby consents and submits to the personal jurisdiction of such court and waives any objection to venue in such court, including any defense of forum non conveniens.
(e) Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with HIPAA and HITECH.
(f) No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer upon any person or Individual, other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
(g) Assignment. No assignment of rights or obligations under this Agreement shall be made by either Party without the prior written consent of the other Party; provided however, that Business Associate may assign this Agreement to an affiliate.
(h) Effect on Agreement. Except as specifically required to implement the purposes of this Agreement, or to the extent inconsistent with this Agreement, all other terms of the underlying Services Agreement shall remain in force and effect.
(i) Headings/Counterparts. The descriptive headings of the sections of this Agreement are for convenience only and do not constitute a part of this Agreement. This Agreement may be executed in any number of counterparts, including facsimile or electronic copies, each of which shall be deemed to be an original and all such counterparts shall together constitute one and the same document.