BUSINESS ASSOCIATE AGREEMENT
Pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), Health Wealth Safe, Inc. and all corporate affiliates, (“Covered Entity”) and [ ], and any of its corporate affiliates (“Business Associate”), enter into this Business Associate Agreement (“BAA”) as of [ ] (the “Effective Date”). Covered Entity and Business Associate may be referred to collectively as the “Parties” and individually as a “Party.”
This BAA addresses the HIPAA requirements with respect to “business associates,” as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”). A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
1. PREAMBLE AND DEFINITIONS
a. Purpose of BAA
1. This BAA is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (“PHI”) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. The functions, activities, and services that Business Associate performs for Covered Entity are defined in [Current 05/25/2023 Health Wealth Safe – Service and Software License Agreement] (the “Underlying Agreement”).
2. Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and under the American Recovery and Reinvestment Act of 2009 (“ARRA”), this BAA also reflects federal breach notification requirements imposed on Business Associate when “Unsecured PHI” (as defined under the HIPAA Rules) is acquired by an unauthorized party and the expanded privacy and security provisions imposed on business associates.
1.Terms Defined in the HIPAA Rules. Defined terms used in this Agreement are denoted with initial capital letters. Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Administrative Safeguards, Availability, Breach, Confidentiality, Data Aggregation, Designated Record Set, Disclosure, Electronic Media, Electronic Protected Health Information (“ePHI”), Healthcare Operations, Individual, Individually Identifiable Health Information, Integrity, Minimum Necessary, Notice of Privacy Practices, Physical Safeguards, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Technical Safeguards, Unsecured PHI, Uses and Disclosures, and Workforce. A change to the HIPAA Rules which modifies any defined term, or which alters the regulatory citation for a definition will be deemed incorporated into this BAA.
1.Breach Notification Rule. A reference in this BAA to the Breach Notification Rule means Part 2, Subtitle D of the HITECH Act and Notification in the Case of Breach of Unsecured Protected Health Information at 45 C.F.R. Part 164 Subpart D.
2.Privacy Rule. A reference in this BAA to the Privacy Rule means the standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Subparts A and E of Part 164.
3.Security Rule. A reference in this BAA to the Security Rule means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164.
2. USES AND DISCLOSURES OF PHI BY BUSINESS ASSOCIATE
a. General Uses and Disclosures of PHI Pursuant to the Underlying Agreement. Except as otherwise limited in this BAA, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity, as specified in the Underlying Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity.
b. Permitted Uses of PHI by Business Associate. Except as otherwise limited in this BAA, Business Associate may use PHI for the following purposes: (i) the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate; and (ii) as Required by Law.
c. Permitted Disclosures of PHI by Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose PHI for the following purposes: (i) the proper management and administration of Business Associate, provided that the disclosures are Required by Law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to such person, and that person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and (ii) to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(l).
d. Prohibited Uses and Disclosures of PHI by Business Associate. All other uses and disclosures of PHI not permitted in accordance with this BAA or the Underlying Agreement or Required by Law are prohibited.
3.OBLIGATIONS OF BUSINESS ASSOCIATE
a. Appropriate Safeguards.
1. Business Associate shall use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of PHI other than as provided for by the Underlying Agreement and this BAA.
2. Business Associate will implement the Administrative Safeguards (45 C.F.R. § 164.308), Physical Safeguards (45 C.F.R. § 164.310), and Technical Safeguards (45 C.F.R. § 164.312) to reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule.
Except as expressly provided in the Underlying Agreement or this BAA, Business Associate will not assume any obligations of Covered Entity under the Privacy Rule. To the extent that Business Associate is to carry out any of Covered Entity’s obligations under the Privacy Rule as expressly provided in the Underlying Agreement or this BAA, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
1. Business Associate will report to Covered Entity any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI, or any Security Incident, without unreasonable delay, and in any event no more than twenty-four (24) hours following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below). “Unsuccessful Security Incidents” will include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI.
2. Business Associate’s notification to Covered Entity of a Breach will include: (i) the identification of each individual whose Unsecured PHI has been or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.
3. A Security Incident, for the purpose of this Section 3(c), does not include attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with Business Associate’s corporate information system (“non-PHI Information System”), as defined by Business Associate’s internal policies and procedures.
In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), as applicable, Business Associate will enter into a written agreement with any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate for services provided to Covered Entity, providing that the Subcontractor agrees to restrictions and conditions that are substantially similar to those that apply through this BAA to Business Associate with respect to such PHI. As part of this agreement, Business Associate will require any Subcontractor to whom it provides PHI to implement reasonable and appropriate safeguards to protect the PHI.
e. Access to PHI. The Parties do not intend for Business Associate to maintain any PHI in a Designated Record Set for Covered Entity. To the extent Business Associate possesses PHI in a Designated Record Set, Business Associate agrees to make such information available to Covered Entity pursuant to 45 C.F.R. § 164.524 and 42 U.S.C. § 17935(e) within ten (10) business days of Business Associate’s receipt of a written request from Covered Entity; provided, however, that Business Associate is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Covered Entity. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Business Associate, or inquiries about their right to access, Business Associate will either forward such request to Covered Entity or direct the Individual to Covered Entity.
f. Amendment of PHI. The Parties do not intend for Business Associate to maintain any PHI in a Designated Record Set for Covered Entity. To the extent Business Associate possesses PHI in a Designated Record Set, Business Associate agrees to make such information available to Covered Entity for amendment pursuant to 45 C.F.R. § 164.526 within twenty (20) business days of Business Associate’s receipt of a written request from Covered Entity. If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to Business Associate, or inquiries about their right to amendment, Business Associate will either forward such request to Covered Entity or direct the Individual to Covered Entity.
g. Documentation of Disclosures of PHI. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate will document, at a minimum, the following information (“Disclosure Information”): (a) the date of the disclosure; (b) the name and, if known, the address of the recipient of the PHI; (c) a brief description of the PHI disclosed; (d) the purpose of the disclosure that includes an explanation of the basis for such disclosure; and (e) any additional information required under the HITECH Act and any implementing regulations.
h. Accounting of Disclosures of PHI. Business Associate agrees to provide to Covered Entity, within five (5) business days of Business Associate’s receipt of a written request from Covered Entity, information collected in accordance with Section 3(e) of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and 42 U.S.C. § 17935(c). If the Individual submits a written request for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528 directly to Business Associate, or inquiries about their right to an accounting, Business Associate will direct the Individual to Covered Entity.
i. Government Access to Records. Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI received from or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the Security Rule.
j. Mitigation. To the extent reasonable and practicable, Business Associate will cooperate with Covered Entity’s efforts, at Business Associate’s expense, to mitigate a harmful effect that is known to Business Associate of a use of disclosure of PHI by Business Associate that is not permitted by this BAA. Business Associate shall reasonably cooperate with Covered Entity’s investigation,analysis, notification, and mitigation activities, at Covered Entity’s expense, if it is determined that the source of the Breach or Security Incident is Covered Entity.
k. Minimum Necessary. Business Associate will request, use, and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure, in accordance with 45 C.F.R § 164.514(d), and any amendments thereto.
4.INDEMNIFICATION
a. Indemnification. Business Associate agrees to indemnify, defend, and hold harmless Covered Entity and its officers, directors, employees, affiliates, agents, licensors, and business partners, from and against any and all claims, costs, damages, liabilities, expenses, fines, and penalties (including legal fees and costs) arising from or relating to the creation, use, receipt, storage, and/or transmission of PHI by Business Associate under HIPAA, the HIPAA Rules, state privacy laws, and/or any other foreign or domestic, federal, state, or local law or regulation. Business Associate will retain a professional liability insurance policy that will cover indemnification costs.
b. Indemnification Procedure. Covered Entity shall promptly notify Business Associate in writing and in reasonable detail of any claim subject to indemnification pursuant to Section 4(a). Business Associate shall have sole authority to control the defense and settlement of each such claim and Covered Entity will give reasonable assistance to Business Associate to enable Business Associate to defend such claim. For the avoidance of doubt, in no event may Covered Entity settle or compromise any claim subject to indemnification pursuant to Section 4(a) for which it intends to seek indemnification from Business Associate.
5.TERM AND TERMINATION
a. Term. The term of this BAA will commence as of the Effective Date and will terminate upon the effective date of termination of the Underlying Agreement.
b. Termination for Cause. Upon either Party’s knowledge of a material breach by the other Party of this BAA, such Party may terminate this BAA immediately.
i. Except as provided in Section 5(c), upon termination of the Underlying Agreement or this BAA for any reason, Business Associate will return or destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity, at Covered Entity’s expense, and will retain no copies of the PHI. This provision will apply to PHI that is in the possession of Subcontractors or agents of Business Associate.
ii. If it is not feasible for Business Associate to return or destroy the PHI upon termination of this BAA (e.g., because ePHI has been integrated into a database maintained by Business Associate and removal from the database is burdensome or impossible, or PHI has been aggregated with other PHI in a manner that makes it infeasible to extract PHI received from Covered Entity), Business Associate will: (i) extend the protections of this BAA to such PHI and (ii) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
6. GENERAL TERMS
a. Cooperation in Investigations. The Parties acknowledge that certain breaches or violations of this BAA may result in litigation or investigations pursued by federal or state governmental authorities of the United States resulting in civil liability or criminal penalties. Each Party will cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action, or other inquiry.
b. Notices. All notices that either Party may desire or be required to give to the other will be in writing and will be delivered by overnight courier or by priority mail by a recognized express mail vendor to the other Party at the address set forth in the signature page or such other address as a Party may provide. Notice delivered by facsimile or e-mail will be confirmed by overnight courier or by priority mail.
c. Governing Law. This BAA is governed by, and will be construed in accordance with, the laws of the State that govern the Underlying Agreement. Any action relating to this BAA must be commenced within one (1) year after the date upon which the cause of action accrued.
d. Amendment. This BAA may be amended or supplemented only by a writing that refers explicitly to this BAA and that is signed by both Parties. The Parties agree to amend this BAA as required to comply with any changes in laws, rules, or regulations that affect the privacy and security of PHI and the Business Associate’s duties under the Underlying Agreement or this BAA.
e. Assignment. Neither Party will assign this BAA without the prior written consent of the other Party, which will not be unreasonably withheld.
f. Waiver. No delay or failure of either Party to exercise any right or remedy available under this BAA, at law, or in equity will act as a waiver of such right or remedy, and any waiver will not waive any subsequent right, obligation, or default.
g. Order of Precedence. Any ambiguity in this BAA will be resolved to permit Business Associate to comply with the HIPAA Rules. If any express term of this BAA conflicts with the Underlying Agreement, then this BAA, if applicable, will control as to that term, but only to the extent of an express ambiguity. The Underlying Agreement will control in all other instances, including, without limitation, remedies, limitation of liability, limitation of remedies, warranties, disclaimer of warranties, governing law, venue, and relationship of the Parties.
h. Severability. If any provision of this BAA is determined by a court of competent jurisdiction to be invalid, void, or unenforceable, the remaining provisions of this BAA will continue in full force and effect.
i. Survival. The rights and obligations contained in Sections 3(c) (Reporting of Improper Use or Disclosure, Security Incident, or Breach), 3(h) (Accounting of Disclosures of PHI), 3(i) (Government Access to Records), 3(j) (Mitigation), 5(c) (Effect of Termination), and 6 (General Terms) will survive the termination of this BAA.
j. No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor will anything in this BAA confer, upon any person other than Covered Entity, Business Associate, or their respective successors or permitted assigns, any rights, remedies, obligations, or liabilities whatsoever.
k. Counterparts. This BAA may be executed in counterparts, each of which will be deemed an original, and all of which will constitute one binding agreement and may be delivered by electronic mail or fax.
Become a Partner
Support
Portals