Business Associate Agreement
Effective: April 18, 2017
Thanks for using PtEverywhere, a service provided by Inovaetion Inc. (“Inovaetion,” “we,” or “us”). This Business Associate Agreement (“BAA”) covers your use and access to the PtEverywhere services, software, applications, and websites (“Services”).
WHEREAS, Covered Entity and Business Associate have entered into an agreement or agreements whereby Business Associate may perform functions or activities regulated by the Health Insurance Portability and Accountability Act (“HIPAA”) for or on behalf of Covered Entity (“Underlying Agreement”), the performance of which may require Business Associate to create, receive, transmit, or maintain Protected Health Information in a capacity other than part of Covered Entity’s Workforce (the “Services”) as a “business associate” (as defined at 45 C.F.R. § 160.103); and
WHEREAS, to the extent the Services require Business Associate to act as a business associate to Covered Entity, the Parties agree that this Agreement sets forth the Parties’ intentions to comply with HIPAA and will apply to the Services; and
THEREFORE, in consideration of the Parties’ continuing obligations under the Underlying Agreement, compliance with HIPAA, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, and intending to be legally bound, the Parties agree to the provisions of this Agreement.
Except as otherwise defined herein, any and all capitalized terms in this Agreement shall have the meanings ascribed to those terms in the HIPAA Rules.
A. HIPAA Rules means the implementing regulations of HIPAA set forth at 45 C.F.R. Parts 160 and 164, Subparts A, C, D and E.
B. Security Rule means the Security Standards for the Protection of Electronic Protected Health Information set forth at 45 C.F.R. Parts 160 and 164, Subparts A and C.
C. Privacy Rule means the requirements for the Privacy of Individually Identifiable Health Information set forth at 45 C.F.R. Parts 160 and 164, Subparts A and E.
D. Protected Health Information or “PHI” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103 and shall include Electronic Protected Health Information (“ePHI”), except limited to the PHI Business Associate receives from or creates, receives, transmits, or maintains on behalf of Covered Entity.
II. BUSINESS ASSOCIATE OBLIGATIONS
A. Permitted Uses and Disclosures. Except as expressly provided herein or as otherwise Required by Law, Business Associate may only use or disclose PHI for the purpose of providing the Services. Business Associate expressly agrees that any and all uses or disclosures of PHI by Business Associate will be done in accordance with the terms of this Agreement and applicable provisions of the HIPAA Rules. Unless otherwise limited herein, Business Associate may:
1. Use PHI as necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities.
2. Disclose PHI as necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that as to any such disclosure, the following requirements are met:
a. The disclosure is Required by Law; or
b. Business Associate obtains satisfactory assurances through a written agreement with the other agents or parties to whom PHI is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the recipient, and the recipient notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
B. Compliance with HIPAA. To the extent that Business Associate is to carry out any of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the applicable requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
C. Availability of Books and Records. Business Associate shall cooperate with and make available to the Secretary its internal practices, books, and records relating to the use and disclosure of PHI for purposes of determining the Parties’ compliance with HIPAA.
D. Subcontractors. Business Associate agrees to ensure that any subcontractors or agents to whom Business Associate provides PHI agree in writing to the same restrictions and conditions that apply to Business Associate with respect to such PHI through this Agreement, and pursuant to 45 C.F.R. Part 164, subpart C, agree to implement reasonable and appropriate administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, security and availability of electronic PHI.
E. Impermissible Uses and Disclosures. Business Associate shall promptly report to Covered Entity any use or disclosure of PHI of which Business Associate is aware and which is not in compliance with the terms of this Agreement. Business Associate shall report to Covered Entity any Security Incident of which it becomes aware. Notwithstanding the foregoing, the Parties acknowledge and agree that Business Associate shall not be required to report attempted but unsuccessful Security Incidents that do not result in actual unauthorized access, use or disclosure of Protected Health Information, and that this Agreement constitutes notice to Covered Entity that such unsuccessful Security Incidents (such as broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, or denial of service attacks) may occur periodically.
Business Associate shall, following the discovery of a Breach of Unsecured Protected Health Information (“Breach”), notify Covered Entity of such Breach pursuant to 45 C.F.R. § 164.410. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Breach, Security Incident, or any use or disclosure of Protected Health Information by Business Associate or its agents or subcontractors in violation of the requirements of this Agreement.
F. Safeguards. Business Associate will implement reasonable and appropriate administrative, technical, and physical safeguards as required by the Security Rule designed to prevent the use or disclosure of PHI other than as permitted in this Agreement.
G. Access. To the extent Business Associate maintains a Designated Record Set, Business Associate agrees, upon written request from Covered Entity, to make such PHI available as required for Covered Entity to meet its obligations under 45 C.F.R. § 164.524. Business Associate will not respond directly to Individual requests for access to such information.
H. Amendment. To the extent Business Associate maintains a Designated Record Set, Business Associate agrees, upon written request from Covered Entity, to make such PHI available for amendment and incorporate any amendments to PHI as required for Covered Entity to meet its obligations under 45 C.F.R. § 164.526. Business Associate will not respond directly to Individual requests for amendments to such information.
I. Accounting of Disclosures. Business Associate agrees to document disclosures of PHI as required by HIPAA. Business Associate further agrees to provide access to such information, upon written request from Covered Entity, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate will not respond directly to Individual requests for such accountings of disclosures.
III. TERM AND TERMINATION
A. The term of this Agreement shall begin as of the Effective Date written above and shall terminate upon the termination or expiration of the Underlying Agreement.
B. Notwithstanding anything in this Agreement to the contrary, Covered Entity shall have the right to terminate this Agreement and the Underlying Agreement immediately if Covered Entity determines that Business Associate has violated any material term of this Agreement. If Covered Entity reasonably believes that Business Associate will violate a material term of this Agreement, Covered Entity shall give written notice to Business Associate. If Business Associate fails to provide adequate written assurances to Covered Entity within the timeline set forth by Covered Entity (not to be less than 90 days), Covered Entity shall have the right to terminate this Agreement and the Underlying Agreement immediately.
C. Upon termination, Business Associate will return or destroy all PHI that Business Associate still maintains in any form, inclusive of PHI in the possession of Business Associate’s agents or subcontractors, and retain no copies of such information to the extent feasible. If such return or destruction is infeasible, Business Associate will notify Covered Entity of the legal obligations that make return or destruction infeasible and Business Associate shall extend the protections of this Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction infeasible.
A. Third Party Beneficiaries. Nothing express or implied in this Agreement conveys or is intended to convey any rights, remedies, obligations, or liabilities to any party other than Covered Entity and Business Associate or their respective successors or assigns.
B. Amendment. This Agreement may be amended or modified only in a writing signed by the Parties. In addition, in the event a Party believes in good faith that any provision of this Agreement fails to comply with the then-current requirements of HIPAA, such Party shall notify the other Party in writing. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of HIPAA.
C. Independent Contractor Status. None of the provisions of this Agreement are intended to create, nor will they be deemed to create, any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship.
D. Governing Law. This Agreement will be governed by the laws of the State of North Carolina, without regard to principles of conflicts of laws.
E. Waiver. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion.
F. Conflict. The Parties agree that, in the event of a conflict between the provisions of this Agreement and the Underlying Agreement or any other documentation of the arrangement(s) pursuant to which Business Associate provides Services to Covered Entity, the provisions of this Agreement will control to the extent necessary for the Parties to comply with HIPAA. The provisions of this Agreement will be interpreted to permit compliance by the Parties with HIPAA.
G. Survival. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect.
H. Interpretation. In the event of an inconsistency between the provisions of this Agreement and mandatory provisions of the HIPAA Rules, the HIPAA Rules shall control.