This Business Associate Agreement (this “BAA” or “Agreement”) is incorporated into and made a part of the Terms and Conditions that govern the Master Agreement between HealthAware LLC (for purposes of this Agreement, the “Business Associate”) and Client (for purposes of this Agreement, the Covered Entity).
WHEREAS, in connection with the Master Agreement between Covered Entity and Business Associate, Business Associate provides goods or performs services for or on behalf of Covered Entity (“Services”) and in such capacity is acting as a “business associate” of Covered Entity (as such terms are defined under HIPAA) when Business Associate uses and discloses Protected Health Information (“PHI”) received from or on behalf of Covered Entity in connection with performing the Services for or on behalf of Covered Entity; and
WHEREAS, the parties intend to protect the privacy and provide for the security of PHI disclosed to Business Associate as part of Business Associate’s performance of Services, in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the requirements of the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 and the implementing regulations, as issued and amended by the Secretary (“HITECH”), and regulations promulgated thereunder by the U.S. Department of Health and Human Services including the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164 of the Code of Federal Regulations, Subparts A & E (“Privacy Rule”), the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A & C (“Security Rule”), and the Notification of Breach of Unsecured Protected Health Information requirements at 45 C.F.R. Part 164, Subpart D (the “Breach Notification Rule”) (the Privacy Rule, Security Rule, and the Breach Notification Rule are collectively referred to as the “HIPAA Rules”).
NOW, THEREFORE, for good and valuable consideration, the receipt and adequacy of which are hereby acknowledged, the parties hereto agree as follows:
- Definitions. Capitalized terms used herein without definition in this BAA shall have the respective meanings assigned to such terms by the HIPAA Rules.
- Effect. The provisions of this BAA shall apply and control with respect to all present and future contracts and relationships between Covered Entity and Business Associate, whether written or unwritten, formal or informal, pursuant to which Business Associate receives PHI from or on behalf of Covered Entity.
- Obligations of Business Associate. Business Associate shall maintain the confidentiality and security of such PHI as required of Business Associate by HIPAA, HITECH and the HIPAA Rules. Business Associate covenants and agrees to the following:
- Safeguards. Business Associate shall use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to Electronic PHI, to prevent the use or disclosure of PHI for purposes other than those permitted in Section 4 of this BAA.
- Minimum Necessary. Business Associate shall limit uses, disclosures, and requests for PHI to the minimum amount necessary to perform or fulfill a specific function required or permitted by this BAA in accordance with the HIPAA Rules.
- Mitigation. Business Associate shall mitigate to the extent reasonably practicable, any harmful effect that is known to Business Associate from a use or disclosure of PHI by Business Associate in violation of this BAA.
- Delegation. To the extent Business Associate is delegated to carry out any of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such delegated obligations.
- LIMITATION. COVERED ENTITY AGREES THAT BUSINESS ASSOCIATE SHALL NOT BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES IN ANY WAY ARISING FROM OR RELATED TO THE SERVICES OR THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO BUSINESS ASSOCIATE’S USE OR DISCLOSURE OF PHI IN VIOLATION OF THIS AGREEMENT, REGARDLESS OF THE THEORY ON WHICH DAMAGES ARE SOUGHT. BUSINESS ASSOCIATE’S AGGREGATE LIABILITY TO COVERED ENTITY OR ANY THIRD PARTY ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT SHALL NOT EXCEED THE FEES RECEIVED BY BUSINESS ASSOCIATE FROM COVERED ENTITY PURSUANT TO THE MASTER AGREEMENT DURING THE TWELVE MONTHS PRIOR TO THE TIME AT WHICH THE LOSS, COST, CLAIM OR DAMAGES AROSE.
- Reporting.
- If Business Associate becomes aware of a use or disclosure of PHI in violation of this BAA by Business Associate or by a third party to which Business Associate disclosed PHI, Business Associate shall report any such use or disclosure to Covered Entity without unreasonable delay.
- Business Associate shall report any successful Security Incident involving PHI of which it becomes aware to Covered Entity in writing without unreasonable delay and in no event later than thirty (30) business days. The parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in the unauthorized access, use or disclosure of PHI.
- Business Associate shall, following the discovery of a Breach of Unsecured PHI, notify the Covered Entity of such Breach in accordance with 45 C.F.R. § 164.410 without unreasonable delay, but in no case later than thirty (30) days after discovery of the Breach.
- Permissible Uses and Disclosures of PHI.
- Use and Disclosure by Business Associate Generally. Business Associate may use and/or disclose PHI received from or on behalf of Covered Entity, as permitted or required to perform the Services, by this BAA, and as Required by Law, but it shall not otherwise use or disclose any PHI. Business Associate shall not use or disclose PHI in a manner that would be in violation of the HIPAA Rules if done by Covered Entity. Business Associate is permitted to use or disclose PHI as set forth below:
- Business Associate may use PHI internally for its proper management and administrative services or to carry out its legal responsibilities, and as authorized by this BAA to perform the Services;
- Business Associate may disclose PHI to a third party for Business Associate’s proper management and administration or to carry out its legal responsibilities, provided that the disclosure is Required by Law or Business Associate obtains reasonable assurances from the third party to whom the PHI is to be disclosed that the third party will (1) protect the confidentiality of the PHI, (2) only use or further disclose the PHI as Required by Law or for the purpose for which the PHI was disclosed to the third party and (3) notify Business Associate of any instances of which the person is aware in which the confidentiality of the PHI has been breached.
- Business Associate may use PHI to provide data aggregation services relating to the health care operations of Covered Entity; and
- Business Associate may de-identify PHI and use and disclose the de-identified information, provided that the de-identification conforms with the requirements of 45 C.F.R. § 164.514(b), and use the de-identified information for any purpose.
- Disclosure to Third Parties. Business Associate may disclose PHI of Covered Entity that is created or received by Business Associate on behalf of Covered Entity under this BAA to agents and subcontractors Business Associate retains to assist it in the performance of the Services to Covered Entity if and only if all such agents and subcontractors agree in writing to the same requirements and restrictions with respect to the PHI as are set forth in this BAA, including, without limitation, the reporting requirement set forth in Section 3.5 herein. Business Associate agrees to make such agreements available to Covered Entity for review upon request by Covered Entity. Business Associate shall ensure that any such agent or subcontractor to whom it provides Electronic PHI agrees to implement reasonable and appropriate safeguards to protect such information in compliance with HIPAA.
- Access to Information. Business Associate will provide access to PHI in a Designated Record Set in the form designated by Covered Entity, either to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements of 45 CFR 164.524. If Business Associate receives a request for access to PHI directly from an Individual, Business Associate shall direct the Individual to contact Covered Entity directly.
- Availability of PHI for Amendment. Business Associate will make any amendment(s) to PHI in a Designated Record Set agreed to by Covered Entity at the request of an Individual pursuant to 45 CFR 164.526. If Business Associate receives a request for amendment to PHI directly from an Individual, Business Associate shall direct the Individual to contact Covered Entity directly.
- Accounting of Disclosures. Business Associate will make available the information required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI (other than disclosures to which an exception to the accounting requirement applies under HIPAA) in accordance with 45 CFR 164.528.
- Covered Entity agrees to timely notify Business Associate, in writing, of any arrangements between the Covered Entity and the Individual who is the subject of PHI that may impact in any manner the use and/or disclosure of that PHI by Business Associate under this BAA.
- Covered Entity shall not cause Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done directly by Covered Entity.
- Covered Entity represents that, to the extent Covered Entity provides PHI to Business Associate, such PHI is the minimum necessary PHI for the accomplishment of Business Associate’s purpose.
- Covered Entity represents that, to the extent Covered Entity provides PHI to Business Associate, Covered Entity has obtained the consents, authorizations and/or other forms of legal permission required under HIPAA and other applicable law.
- Covered Entity represents that it shall have entered into all business associate agreements as required by 45 C.F.R. § 164.502(e) with any third parties to which Covered Entity directs and authorizes Business Associate to disclose PHI.
- Covered Entity shall implement reasonable and appropriate measures to ensure that PHI and Electronic PHI are disclosed, provided or transmitted to Business Associate only in a secure manner, including through the use of technology or methodology standards that render PHI unusable, unreadable, or indecipherable to unauthorized individuals.
- Return of PHI upon Termination or Expiration. Upon termination or expiration of this BAA, Business Associate shall return to Covered Entity, or destroy, all PHI received from, or created or received by Business Associate on behalf of, Covered Entity. If Business Associate reasonably determines that such return or destruction is not feasible, Business Associate will extend the protections of this BAA to the PHI and limit further uses and disclosures to those purposes that make the return or destruction of such PHI infeasible.
- Termination for Failure to Comply. Covered Entity may terminate the Services immediately upon failure of Business Associate to cure a material breach of this BAA within thirty (30) days of receipt of written notice to Business Associate if Covered Entity determines that Business Associate has violated a material term of this BAA.