
Business Associate Agreement

This Business Associate Agreement (this “BAA” or “Agreement”) is incorporated into and made a part of the Terms and Conditions that govern the Master Agreement between HealthAware LLC (for purposes of this Agreement, the “Business Associate”) and Client (for purposes of this Agreement, the Covered Entity).

WHEREAS, in connection with the Master Agreement between Covered Entity and Business Associate, Business Associate provides goods or performs services for or on behalf of Covered Entity (“Services”) and in such capacity is acting as a “business associate” of Covered Entity (as such terms are defined under HIPAA) when Business Associate uses and discloses Protected Health Information (“PHI”) received from or on behalf of Covered Entity in connection with performing the Services for or on behalf of Covered Entity; and

WHEREAS, the parties intend to protect the privacy and provide for the security of PHI disclosed to Business Associate as part of Business Associate’s performance of Services, in compliance with the Health Insurance Portability and Accountability Act of 1996, (“HIPAA”), the requirements of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 and the implementing regulations, as issued and amended by the Secretary (“HITECH”), and regulations promulgated thereunder by the U.S. Department of Health and Human Services including the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164 of the Code of Federal Regulations, Subpart A & E (“Privacy Rule”), the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A & C (“Security Rule”), and the Notification of Breach of Unsecured Protected Health Information requirements at 45 C.F.R. Part 164, Subpart D (the “Breach Notification Rule”) (the Privacy Rule, Security Rule, and the Breach Notification Rule are collectively referred to as the “HIPAA Rules”).

NOW, THEREFORE, for good and valuable consideration, the receipt and adequacy of which are hereby acknowledged, the parties hereto agree as follows:

  1. Definitions. Capitalized terms used herein without definition in this BAA shall have the respective meanings assigned to such terms by the HIPAA Rules.
  2. Effect. The provisions of this BAA shall apply and control with respect to all present and future contracts and relationships between Covered Entity and Business Associate, whether written or unwritten, formal or informal, pursuant to which Business Associate receives PHI from or on behalf of Covered Entity.
  3. Obligations of Business Associate: Business Associate shall maintain the confidentiality and security of such PHI as required of Business Associate by HIPAA, HITECH and the HIPAA Rules. Business Associate covenants and agrees to the following:
    1. Safeguards. Business Associate shall use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic PHI, to prevent the use or disclosure of PHI for purposes other than those permitted in Section 4 of this BAA.
    2. Minimum Necessary. Business Associate shall limit uses, disclosures, and requests for PHI to the minimum amount necessary to perform or fulfill a specific function required or permitted by this BAA in accordance with the HIPAA Rules.
    3. Mitigation. Business Associate shall mitigate to the extent reasonably practicable, any harmful effect that is known to Business Associate from a use or disclosure of PHI by Business Associate in violation of this BAA.
    4. Delegation. To the extent Business Associate is delegated to carry out any of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such delegated obligations.
    5. LIMITATION. COVERED ENTITY AGREES THAT BUSINESS ASSOCIATE SHALL NOT BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES IN ANY WAY ARISING FROM OR RELATED TO THE SERVICES OR THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO BUSINESS ASSOCIATE’S USE OR DISCLOSURE OF PHI IN VIOLATION OF THIS AGREEMENT, REGARDLESS OF THE THEORY ON WHICH DAMAGES ARE SOUGHT. BUSINESS ASSOCIATE’S AGGREGATE LIABILITY TO COVERED ENTITY OR ANY THIRD PARTY ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT SHALL NOT EXCEED THE FEES RECEIVED BY BUSINESS ASSOCIATE FROM COVERED ENTITY PURSUANT TO THE MASTER AGREEMENT DURING THE TWELVE MONTHS PRIOR TO THE TIME AT WHICH THE LOSS, COST, CLAIM OR DAMAGES AROSE.
    6. Reporting.
      1. If Business Associate becomes aware of a use or disclosure of PHI in violation of this BAA by Business Associate or by a third party to which Business Associate disclosed PHI, Business Associate shall report any such use or disclosure to Covered Entity without unreasonable delay.
      2. Business Associate shall report any successful Security Incident involving PHI of which it becomes aware to Covered Entity in writing without unreasonable delay and in no event later than thirty (30) business days. The parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in the unauthorized access, use or disclosure of PHI.
      3. Business Associate shall, following the discovery of a Breach of Unsecured PHI, notify the Covered Entity of such Breach in accordance with 45 C.F.R. § 164.410 without unreasonable delay, but in no case later than thirty (30) days after discovery of the Breach.
  4. Permissible Uses and Disclosures of PHI.
    1. Use and Disclosure by Business Associate Generally. Business Associate may use and/or disclose PHI received from or on behalf of Covered Entity, as permitted or required to perform the Services, by this BAA, and as Required by Law, but it shall not otherwise use or disclose any PHI. Business Associate shall not use or disclose PHI in a manner that would be in violation of the HIPAA Rules if done by Covered Entity. Business Associate is permitted to use or disclose PHI as set forth below:
      1. Business Associate may use PHI internally for its proper management and administrative services or to carry out its legal responsibilities, and as authorized by this BAA to perform the Services;
      2. Business Associate may disclose PHI to a third party for Business Associate’s proper management and administration or to carry out its legal responsibilities, provided that the disclosure is Required by Law or Business Associate obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify Business Associate of any instances of which the person is aware in which the confidentiality of the PHI has been breached.
      3. Business Associate may use PHI to provide data aggregation services relating to the health care operations of Covered Entity; and
      4. Business Associate may de-identify PHI and use and disclose the de-identified information, provided that the de-identification conforms with the requirements of 45 C.F.R. § 164.514(b), and use the de-identified information for any purpose.
    2. Disclosure to Third Parties. Business Associate may disclose PHI of Covered Entity that is created or received by Business Associate on behalf of Covered Entity under this BAA to agents and subcontractors Business Associate retains to assist it in the performance of the Services to Covered Entity if and only if all such agents and subcontractors agree in writing to the same requirements and restrictions with respect to the PHI as are set forth in this BAA, including, without limitation, the reporting requirement set forth in Section 3.5 herein. Business Associate agrees to make such agreements available to Covered Entity for review upon request by Covered Entity. Business Associate shall ensure that any such agent or subcontractor to whom it provides Electronic PHI agrees to implement reasonable and appropriate safeguards to protect such information in compliance with HIPAA.
  5. Patient Rights With Respect To PHI.
    1. Access to Information. Business Associate will provide access to PHI in a Designated Record Set in the form designated by Covered Entity, either to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements of 45 CFR 164.524. If Business Associate receives a request for access to PHI directly from an Individual, Business Associate shall direct the Individual to contact Covered Entity directly.
    2. Availability of PHI for Amendment. Business Associate will make any amendment(s) to PHI in a Designated Record Set agreed to by Covered Entity at the request of an Individual pursuant to 45 CFR 164.526. If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall direct the Individual to contact Covered Entity directly.
    3. Accounting of Disclosures. Business Associate will make available the information required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies under HIPAA) in accordance with 45 CFR 164.528.
  6. Access for Audit. Business Associate shall make Business Associate’s internal practices, books and records relating to the use and disclosure of PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of Health and Human Services for purposes of determining and facilitating Business Associate’s and Covered Entity’s compliance with HIPAA.
  7. Obligations of Covered Entity.
    1. Covered Entity agrees to timely notify Business Associate, in writing, of any arrangements between the Covered Entity and the Individual who is the subject of PHI that may impact in any manner the use and/or disclosure of that PHI by Business Associate under this BAA.
    2. Covered Entity shall not cause Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by Covered Entity.
    3. Covered Entity represents that, to the extent Covered Entity provides PHI to Business Associate, such PHI is the minimum necessary PHI for the accomplishment of Business Associate’s purpose.
    4. Covered Entity represents that, to the extent Covered Entity provides PHI to Business Associate, Covered Entity has obtained the consents, authorizations and/or other forms of legal permission required under HIPAA and other applicable law.
    5. Covered Entity represents that it shall have entered into all business associate agreements as required by 45 C.F.R. § 164.502(e) with any third parties to which Covered Entity directs and authorizes Business Associate to disclose PHI.
    6. Covered Entity shall implement reasonable and appropriate measures to ensure that PHI and Electronic PHI are disclosed, provided or transmitted to Business Associate only in a secure manner, including through the use of technology or methodology standards that render PHI unusable, unreadable, or indecipherable to unauthorized individuals.
  8. Amendment. Upon enactment of any applicable law or regulation affecting the use or disclosure of PHI, or the publication of any decision of an applicable court of the State or the United States related to such law, or the publication of any interpretative policy or opinion of any government agency charged with the enforcement of any such law or regulation, Covered Entity, by written notice to Business Associate, may request amendment of this BAA in such manner as Covered Entity reasonably determines necessary to comply with such law or regulation to the extent such enactment is directly applicable and enforceable against Business Associate; provided, however, that to the extent such amendment causes Business Associate to incur a material increase in the costs associated with performance of the Services, the parties shall meet and negotiate in good faith to make any adjustments to the fees for the Services. In the event the parties, after good faith negotiations, cannot reach agreement regarding the amount of such adjustments, either party may terminate the Services by giving the other party at least seven (7) days prior written notice of its intent to terminate.
  9. Termination and Expiration of BAA.
    1. Return of PHI upon Termination or Expiration. Upon termination or expiration of this BAA, Business Associate shall return to Covered Entity or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity. If Business Associate reasonably determines that such return or destruction is not feasible, Business Associate will extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of such PHI infeasible.
    2. Termination for Failure to Comply. Covered Entity may terminate the Services immediately upon failure of Business Associate to cure a material breach of this BAA within thirty (30) days of receipt of written notice to Business Associate if Covered Entity determines that Business Associate has violated a material term of this BAA.
  10. Entire BAA. The Master Agreement and its attachments, including the Terms and Conditions and this Agreement, are the entire and sole understanding of the parties hereto with respect to the subject matter hereof, and supersede all prior negotiations, understandings, transactions, or communications, whether oral or written, including in electronic form. If any provision or part thereof is found to be invalid, the remaining provisions shall remain in full force and effect.
  11. Successors and Assigns. This BAA will inure to the benefit of and be binding upon the successors and assigns of the parties. This BAA is not assignable by any party without the prior written consent of the other party. Notwithstanding the foregoing, Business Associate may assign this BAA in its entirety, without consent of the other party, to its affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets not involving a direct competitor of the other party.
  12. Independent Contractors. In the performance of the service and the obligations under this BAA, the parties acknowledge and agree that each party is at all times acting and performing as an independent contractor and at no time shall the relationship between the parties be construed as a partnership, joint venture, employment, principal/agent, or master/servant relationship.
  13. Counterparts; Facsimiles. This BAA may be executed in counterparts, each of which shall be deemed an original. Facsimile copies hereof shall be deemed to be originals.
  14. Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with the HIPAA Rules. The provisions of this BAA shall prevail over any provisions in any underlying agreement between the parties that may conflict or appear inconsistent with any provision of this BAA.
  15. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate, and their respective successors and assigns, any rights, remedies, obligations, or liabilities whatsoever.

Patient Consent to Communication of Personal Health Information (PHI) through Standard SMS/Text Message and/or Email

Welcome! Your healthcare provider has partnered with HealthAware to help guide you through your care plan.

Who is HealthAware?
HealthAware provides health support programs (HSPs) delivered via standard SMS/text message and/or email. Your HSP is under the direction of your healthcare provider and is designed to support you in your health journey by providing education information related to:

  • Your health support program
  • Behavioral prompts/check-ins
  • Assessments/progress reports
  • Appointment reminders
  • Other health related messages or programs pertaining to your health support program

These HealthAware programs are for educational purposes only. They cannot provide, and are not intended as a substitute for, medical care. The programs are automated, and therefore not actively monitored. In the event that medical care is needed, please call your healthcare provider or 911.

Why do I need to accept this patient consent?
HealthAware uses standard SMS/text messages and email messages that are not encrypted to communicate information with you about your HSP. Consequently, there is a risk that an unauthorized third party could view the information being transmitted.

To whom does HealthAware disclose my PHI (Personal Health Information)?
HealthAware only discloses PHI to you and your healthcare provider. HealthAware does not disclose PHI to any other party, such as marketing or sales organizations.

Consent
By clicking “accept” on a web page, clicking a link that is clearly labeled as a means of indicating consent, or replying “yes” to my consent prompt via text message, I agree to the following:

I hereby consent and state my preference for HealthAware to communicate with me via SMS/text message and/or email regarding various aspects of my health support program (HSP), which may include my PHI, behavioral prompts/check-ins, assessments and progress reports, appointment reminders, and other health related messages or programs pertaining to my health support program.

I understand that standard SMS/text messaging and email are not confidential methods of communication and may be insecure. I further understand that, because of this, there is a risk that standard SMS/text messaging and email regarding my medical care might be intercepted and read by a third party.

I may revoke this consent in writing except to the extent that HealthAware and/or my healthcare provider has already made disclosures in reliance upon my prior consent. If I do not accept this consent, or if I later revoke it, the commencement, continuation, or quality of my treatment will not be affected, but my enrollment with the HSP delivered by HealthAware will be terminated.