BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is by and between the Customer ("Covered Entity" or "CE") who purchases Solutions (as defined in the Contract) from Asparia, Inc. ("Business Associate" or "BA").
RECITALS
- CE wishes to disclose certain information to BA pursuant to the terms of a services contract between the parties ("Contract"), some of which may constitute Protected Health Information ("PHI") (defined below).
- CE and BA intend to protect the privacy and provide for the security of PHI disclosed to BA pursuant to the Contract in compliance with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5 ("HITECH"), the regulations promulgated thereunder by the U.S. Department of Health and Human Services (the "HIPAA Regulations"), and other applicable state and federal laws and regulations.
- As part of the HIPAA Regulations, the Privacy Rule and the Security Rule (defined below) require CE to enter into a Business Associate Agreement, containing specific requirements, with BA prior to the disclosure of PHI, as set forth in, but not limited to, Title 45, Sections 164.314(a), 164.502(e) and 164.504(e) of the Code of Federal Regulations and contained in this Agreement.
AGREEMENT
In consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the parties agree as follows:
- Definitions
Breach shall mean the acquisition, access, use or disclosure of Unsecured PHI in a manner not permitted by the Privacy and Security Rules which compromises the privacy or security of the PHI. The parties agree that a five-part analysis shall be used to determine whether or not PHI has been compromised, as follows: (1) the nature and extent of the PHI involved, including the number of individuals affected, the types of identifiers and the likelihood of re-identification; (2) the identity of the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually accessed, acquired or viewed; (4) the extent to which the risk has been mitigated, including through confidentiality agreements or other assurances; and (5) any other relevant information that may help assess the risk of compromise.
Business Associate shall have the meaning given to such term under the Privacy Rule, including, but not limited to 45 C.F.R. Section 160.103.
Covered Entity shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 160.103.
Data Aggregation shall have the meaning given to such term under the Privacy Rule, including but not limited to, 45 C.F.R. Section 164.501.
Designated Record Set shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.501.
Electronic Protected Health Information means Protected Health Information that is maintained in or transmitted by electronic media.
Electronic Health Record shall have the meaning given to such term under the HITECH Act, including but not limited to 42 U.S.C. Section 17921.
Health Care Operations shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.501.
Privacy Rule means the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and E.
Protected Health Information or PHI means any information provided by the CE to the BA or created or received by the BA on the CE's behalf, whether oral or recorded in any form or medium: (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 160.103. The term PHI includes electronic PHI.
Required by Law shall have the same meaning given to such term under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.103.
Secretary means the Secretary of the U.S. Department of Health and Human Services, or his or her designee.
Security Incident shall have the meaning given to such term under the Security Rule, including, but not limited to, 45 C.F.R. §164.304.
Security Rule means the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and C.
Unsecured PHI shall mean Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of Health and Human Services.
Other terms not defined in this Agreement shall have the same meaning as those terms are defined in the Privacy Rule and Security Rule.
- Obligations of Business Associate
- Permitted Uses. BA shall not use PHI except for the purpose of performing BA's obligations under the Contract and as permitted under the Contract and this Agreement. Further, BA shall not use PHI in any manner that is not required or permitted by HIPAA, HITECH or the Privacy or Security Rule. However, BA may use PHI (i) for the proper management and administration of BA, (ii) to carry out the legal responsibilities of BA, or (iii) for Data Aggregation and analysis purposes.
- Permitted Disclosures. BA shall not disclose PHI except for the purpose of performing BA's obligations under the Contract and as permitted under the Contract and the Agreement. BA shall not disclose PHI in any manner that would constitute a violation of the Privacy Rule or the HITECH Act if so disclosed by CE. However, BA may disclose PHI (i) for the proper management and administration of BA; (ii) to carry out the legal responsibilities of BA; (iii) as Required by Law; or (iv) for Data Aggregation purposes for the Health Care Operations of CE or BA. If BA discloses PHI to a third party, BA must obtain, prior to making any such disclosure, (i) reasonable written assurances from such third party that such PHI will be held confidential as provided pursuant to this Agreement and only disclosed as Required by Law or for the purposes for which it was disclosed to such third party, and (ii) a written agreement from such third party to immediately notify BA of any breaches of confidentiality of the PHI, to the extent it has obtained knowledge of such breach.
- Safeguards. Business Associate shall use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement. Business Associate further agrees to use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of any PHI in accordance with the HIPAA Privacy and Security Regulations and the HITECH Standards.
- Third Parties. Business Associate shall ensure that any third parties, including subcontractors, to whom it provides PHI agree in writing to be bound by the same restrictions and conditions that apply to Business Associate with respect to such PHI; provided, however, that Business Associate shall not disclose or provide access to PHI to any subcontractor or agent without the prior written consent of CE.
- Reporting. Business Associate shall report to CE, as promptly as practicable and in no case later than ten (10) business days after discovery, any use or disclosure of PHI in violation of this Agreement or applicable law, any Security Incident (as defined in the Security Rule, as amended), and any Breach of Unsecured PHI, of which it becomes aware. Consistent with 45 C.F.R. Section 164.410, a Breach shall be treated as discovered by Business Associate as of the first day on which it is known, or by exercising reasonable diligence would have been known, to Business Associate or to any employee, officer or agent of Business Associate other than the person committing the Breach.
- Mitigation. Business Associate shall have procedures in place to mitigate, to the maximum extent practicable, any deleterious effect from any use or disclosure of PHI in violation of this Agreement or applicable law.
- Sanctions. Business Associate shall have and apply appropriate sanctions against any employee, subcontractor or agent who uses or discloses PHI in violation of this Agreement or applicable law.
- Access by Individuals. To the extent that BA uses or discloses PHI in a Designated Record Set under the control of BA, BA shall provide access to PHI in the Designated Record Set, and copies thereof, to CE in the time and manner reasonably requested in writing by CE, in order to meet the requirements under 45 C.F.R. Section 164.524. BA shall assist CE in compliance with the additional requirements of 42 U.S.C. Section 17935(e)(1), to the extent applicable. Nothing herein shall obligate BA to accept or accommodate a subject individual on the premises of BA.
- Prohibited Uses and Disclosures Under HITECH. Notwithstanding any other provision in this Agreement, BA shall comply with the following requirements: (i) BA shall not use or disclose PHI for fundraising or marketing purposes, except as provided under the Contract and consistent with the requirements of 42 U.S.C. Section 17936; (ii) BA shall not disclose PHI to a health plan for payment or health care operations purposes if BA has received written notification that the patient has requested this special restriction and has paid out of pocket in full for the health care item or service to which the PHI solely relates, 42 U.S.C. Section 17935(a); (iii) BA shall not directly or indirectly receive remuneration in exchange for PHI, except for uses allowed by the Contract or with the prior written authorization of the CE. BA shall assist CE to fulfill its obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. Section 164.524. If BA maintains an Electronic Health Record, BA shall provide such information in electronic format to enable CE to fulfill its obligations under the HITECH Act, including, but not limited to, 42 U.S.C. Section 17935(e).
- Amendment of PHI. To the extent BA maintains a Designated Record Set on behalf of CE, upon receipt of a written request from the CE or an individual for an amendment of PHI or a record about an individual contained in a Designated Record Set, BA or its agents or subcontractors shall make the Designated Record Set available to the CE for amendment and shall incorporate any amendments, in a reasonable time and manner, that CE has requested or agreed to in accordance with 45 C.F.R. Section 164.526.
- Accounting Rights. BA shall document disclosures of PHI, and the information related to such disclosures, as would be required for CE to respond to a request by an individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. Section 164.528. Upon receipt of a written request from the CE or an individual for an accounting of disclosures of PHI, BA shall make the accounting of disclosures available to the CE in order for the CE to provide an accounting of disclosures to the individual.
- Governmental Access to Records. BA shall make its internal practices, books and records relating to the use and disclosure of PHI available to CE and to the Secretary for purposes of determining BA's compliance with the Privacy Rule.
- Security Obligations. BA shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the CE, in accordance with the Security Rule, including, where reasonable and appropriate, the technologies and methodologies specified by the Secretary for rendering PHI unusable, unreadable, or indecipherable to unauthorized persons. BA will ensure that any agent, including a subcontractor, to whom it provides electronic PHI agrees to implement at least equivalent reasonable and appropriate safeguards to protect it. BA shall report to CE any Breach of Unsecured PHI or Security Incident of which it becomes aware.
- Minimum Necessary. BA (and its agents or subcontractors) shall request, use and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure, in accordance with 42 U.S.C. Section 17935(b).
- Compliance with Laws. BA shall comply with all applicable state and federal privacy and security laws, including but not limited to HIPAA, the HIPAA Regulations, HITECH, and Cal. Civil Code Section 1798.82, as they may be amended from time to time.
- Obligations of Covered Entity
- CE shall notify BA of any limitation(s) in its notice of privacy practices regarding the access, use or disclosure of PHI to the extent that such limitation(s) may affect Business Associate's use or disclosure of PHI.
- CE shall notify BA of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect BA's use or disclosure of PHI.
- CE shall notify BA of any restriction to the use or disclosure of PHI that CE has agreed to in accordance with 45 C.F.R. Section 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
- CE shall notify BA of any amendment required to be made in accordance with 45 C.F.R. Section 164.526 to PHI the BA possesses in a Designated Record Set.
- CE shall not ask BA to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by CE, provided that, when the underlying Contract includes provisions for the use or disclosure of PHI for Data Aggregation or management and administrative activities of BA, BA may use or disclose PHI for such purposes.
- Term and Termination
- Term. The Term of this Agreement shall begin as of the Effective Date and shall terminate when all of the PHI is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy the PHI, the protections of this Agreement are extended to the PHI, indefinitely, for so long as BA or its agent maintains the PHI.
- Material Breach by BA. In the event of a breach by BA of any provision of this Agreement, the BA shall take reasonable steps to cure the breach or end the violation, as applicable, and, if such steps are unsuccessful, the CE shall terminate the Contract, any provision in the Contract to the contrary notwithstanding. If termination of the Contract is not feasible, CE will report the problem to the Secretary.
- Material Breach by CE. In the event BA knows of a pattern of activity or practice of the CE that constitutes a material breach or violation of the CE's obligations under this Agreement, CE shall take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, the BA shall terminate the Contract, any provision in the Contract to the contrary notwithstanding. If termination of the Contract is not feasible, BA will report the problem to the Secretary.
- Effect of Termination. Upon termination of the Contract for any reason, if feasible, BA shall return or destroy all PHI that BA or its agents or subcontractors received from, or created or received on behalf of, the CE that the BA still maintains in any form, and shall retain no copies of such PHI. If return or destruction is not feasible, BA shall continue to extend the protections of this Agreement to the PHI, indefinitely, for so long as BA or its agent maintains the PHI, and shall limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible.
- Miscellaneous
- Amendment to Comply with Law. The parties agree to take such action as is necessary to amend this Agreement from time to time for the parties to remain in compliance with the standards and requirements of HIPAA, HITECH, the Privacy and Security Rules, and other applicable state and federal laws and regulations relating to the security or confidentiality of PHI.
- No Third-Party Beneficiaries. Nothing express or implied in the Contract or this Agreement is intended to confer, nor shall anything herein confer, upon any person other than CE, BA and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
- Interpretation. The provisions of this Agreement shall prevail over any provisions in the Contract that may conflict or appear inconsistent with any provision in this Agreement. This Agreement and the Contract shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HITECH Act, the Privacy Rule and the Security Rule. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the HITECH Act, the Privacy Rule and the Security Rule. Except as specifically required to implement the purposes of this Agreement, or to the extent inconsistent with this Agreement, all other terms of the Contract shall remain in force and effect.
- Regulatory References. A reference in this Agreement to a section of regulations means the section as in effect or as amended, and for which compliance is required.
- Notice. Any notice required or permitted by this Agreement shall be in writing and delivered by first-class mail or overnight delivery service to the receiving party at the address set forth on the corresponding Order Form.
Updated February 15, 2021