Business Associate Agreement
This Agreement (“Agreement”) is made and entered into at the date and time your Carepatron account is created and is between you (“Covered Entity”) and Care Patron LTD (“Business Associate”), a limited liability company.
RECITALS
WHEREAS, Business Associate 1 is a “Business Associate” as that term is defined under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), as amended, (“HIPAA”), and the regulations promulgated thereunder by the Secretary of the U.S. Department of Health and Human Services (“Secretary”), including, without limitation, the regulations codified at 45 C.F.R. Parts 160 and 164 (“HIPAA Regulations”);
WHEREAS, Business Associate 2 seeks to perform Services for or on behalf of Business Associate 1, and in performing said Services, Business Associate 2 will create, receive, maintain, or transmit Protected Health Information (“PHI”) or Electronic Protected Health Information (“ePHI”);
WHEREAS, the parties intend to protect the privacy and provide for the security of PHI and ePHI disclosed by Business Associate 1 to Business Associate 2, or received or created by Business Associate 2, when providing Services in compliance with the HIPAA Act, regulations issued thereunder, applicable guidance issued by the Secretary of the Department of Health and Human Services (HHS), the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”) and other applicable state and federal laws, all as amended from time to time; and
WHEREAS, as a Business Associate, Business Associate 1 is required under HIPAA to enter into a Business Associate Agreement (BAA) with Business Associate 2 that meets certain requirements with respect to the use and disclosure of PHI.
AGREEMENT
In consideration of the above recitals and for other good and valuable consideration, the receipt and adequacy of which is hereby acknowledged, the Parties agree as follows:
ARTICLE I
DEFINITIONS
The following terms shall have the meaning set forth below. Capitalized terms used in this BAA and not otherwise defined shall have the meanings ascribed to them in HIPAA, the HIPAA Regulations, or the HITECH Act, as applicable.
1.1. “Breach” shall have the meaning given under 42 U.S.C. § 17921(1) and 45 C.F.R. § 164.402.
1.2. “Data Aggregation” shall have the meaning given under 45 CFR § 164.501.
1.3. “Designated Record Set” shall have the meaning given such term under 45 C.F.R. § 164.501.
1.4. “Disclose” and “Disclosure” mean, with respect to PHI, the release, transfer, provision of access to, or divulging in any other manner of PHI outside of Business Associate 2 or to other than members of its Workforce, as set forth in 45 C.F.R. § 160.103.
1.5. “Electronic PHI” or “ePHI” means PHI that is transmitted or maintained in electronic media, as set forth in 45 C.F.R. § 160.103.
1.6. “Protected Health Information” and “PHI” mean any information, whether oral or recorded in any form or medium, that: (a) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and (b) identifies the individual, or for which there is a reasonable basis for believing that the information can be used to identify the individual. "Protected Health Information" shall have the meaning given to such term under 45 C.F.R. § 160.103. Protected Health Information includes ePHI.
1.7. “Security Incident” shall have the meaning given to such term under 45 C.F.R. § 164.304.
1.8. “Services” shall mean the services for or functions on behalf of Business Associate 1 performed by Business Associate 2 pursuant to any service agreement(s) between Business Associate 1 and Business Associate 2 which may be in effect now or from time to time (“Underlying Agreement”), or, if no such agreement is in effect, the services or functions performed by Business Associate 2 that constitute a Business Associate relationship, as set forth in 45 C.F.R. § 160.103, Definition of "Business Associate."
1.9. “Subcontractor” means a person to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the Workforce of such Business Associate.
1.10. “Unsecured PHI” shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402, and Federal Register documents, including, but not limited to, 74 Federal Register 19006 (April 27, 2009) and 78 Federal Register 5565 (January 25, 2013).
1.11. “Use” or “Uses” mean, with respect to PHI, the sharing, employment, application, utilization, examination, or analysis of such PHI within Business Associate 2’s internal operations, as set forth in 45 C.F.R. § 160.103.
1.12. “Workforce” shall have the meaning given to such term under 45 C.F.R. § 160.103.
ARTICLE II
OBLIGATIONS OF BUSINESS ASSOCIATE
2.1. Permitted Uses and Disclosures of Protected Health Information: Business Associate 2 shall not use or disclose PHI other than in performing the Services, as permitted or required by this BAA, or as required by law. Business Associate 2 shall not use or disclose PHI in any manner that would constitute a violation of Subpart E of 45 C.F.R. Part 164 if so used or disclosed by Business Associate 1. However, Business Associate 2 may use or disclose PHI (i) for the proper management and administration of Business Associate 2; (ii) to carry out the legal responsibilities of Business Associate 2, provided that with respect to any such disclosure either: (a) the disclosure is required by law; or (b) Business Associate 2 obtains a written agreement from the person to whom the PHI is to be disclosed that such person will hold the PHI in confidence and will not use or further disclose such PHI except as required by law and for the purpose(s) for which it was disclosed by Business Associate 2 to such person, and that such person will notify Business Associate 2 of any instances of which it is aware in which the confidentiality of the PHI has been breached; or (iii) for Data Aggregation purposes for the healthcare operations of Business Associate 1. To the extent that Business Associate 2 carries out one or more of Business Associate 1’s obligations under Subpart E of 45 C.F.R. Part 164, Business Associate 2 must comply with the requirements of Subpart E that apply to Business Associate 1 in the performance of such obligations.
2.2. Prohibited Marketing and Sale of PHI: Notwithstanding any other provision in this BAA, Business Associate 2 shall comply with the following requirements: (i) Business Associate 2 shall not use or disclose PHI for fundraising or marketing purposes, except to the extent expressly authorized or permitted by this BAA and consistent with the requirements of 42 U.S.C. § 17936, 45 C.F.R. §164.514(f), and 45 C.F.R. § 164.508(a)(3); and (ii) Business Associate 2 shall not directly or indirectly receive remuneration in exchange for PHI, except with the prior written consent of Business Associate 1 and as permitted by the HITECH Act, 42 U.S.C. § 17935(d)(2), and 45 C.F.R. § 164.502(a)(5)(ii).
2.3. Adequate Safeguards of PHI: Business Associate 2 shall implement and maintain appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this BAA. Business Associate 2 shall reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Business Associate 1 in compliance with Subpart C of 45 C.F.R. Part 164 to prevent use or disclosure of PHI other than as provided for by this BAA.
2.4. Mitigation: Business Associate 2 agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate 2 of a use or disclosure of PHI by Business Associate 2 in violation of the requirements of this BAA.
2.5. Reporting Non-Permitted Use or Disclosure
2.5.1. Reporting Security Incidents and Non-Permitted Use or Disclosure: Business Associate 2 shall report to Business Associate 1 in writing each security incident or use or disclosure that is made by Business Associate 2, members of its Workforce or Subcontractors that is not specifically permitted by this BAA, no later than three (3) business days after becoming aware of such security incident or non-permitted use or disclosure, in accordance with the notice provisions set forth herein. Business Associate 2 shall investigate each security incident or non-permitted use or disclosure of Business Associate 1’s PHI that it discovers to determine whether such security incident or non-permitted use or disclosure constitutes a reportable breach of unsecured PHI. Business Associate 2 shall document and retain records of its investigation of any breach, including its reports to Business Associate 1 under this Section.
Upon request of Business Associate 1, Business Associate 2 shall furnish to Business Associate 1 the documentation of its investigation and an assessment of whether such security incident or non-permitted use or disclosure constitutes a reportable breach. If such security incident or non-permitted use or disclosure constitutes a reportable breach of unsecured PHI, then Business Associate 2 shall comply with the additional requirements of Section 2.5.2 below.
2.5.2. Breach of Unsecured PHI: If Business Associate 2 determines that a reportable breach of unsecured PHI has occurred, Business Associate 2 shall provide a written report to Business Associate 1 without unreasonable delay, but no later than thirty (30) calendar days after discovery of the breach. To the extent that information is available to Business Associate 2, Business Associate 2’s written report to Business Associate 1 shall be in accordance with 45 C.F.R. §164.410(c), as if “Business Associate 1” were the “Covered Entity,” and as if “Business Associate 2” were “Business Associate 1,” for purposes of that provision. Business Associate 2 shall cooperate with Business Associate 1 in meeting Business Associate 1’s obligations under the HITECH Act with respect to such breach. Business Associate 1 shall have sole control over the timing and method of providing notification of such breach to the affected individual(s), the Secretary and, if applicable, the media, as required by HIPAA and the HITECH Act. Business Associate 2 shall reimburse Business Associate 1 for its reasonable costs and expenses in providing the notification, including, but not limited to, any administrative costs associated with providing notice, printing and mailing costs, and costs of mitigating the harm (which may include the costs of obtaining credit monitoring services and identity theft insurance) for affected individuals whose PHI has or may have been compromised as a result of the breach.
2.6. Availability of Internal Practices, Books, and Records to Government: Business Associate 2 agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created, or received by the Business Associate 2 on behalf of Business Associate 1, available to the Secretary for purposes of determining Business Associate 1’s compliance with HIPAA, the HIPAA Regulations, and the HITECH Act. Except to the extent prohibited by law, Business Associate 2 shall notify Business Associate 1 of all requests served upon Business Associate 2 for information or documentation by or on behalf of the Secretary. Business Associate 2 agrees to provide to Business Associate 1 proof of its compliance with the HIPAA Security Standards.
2.7. Access to and Amendment of Protected Health Information: To the extent that Business Associate 2 maintains a Designated Record Set on behalf of Business Associate 1 and within fifteen (15) days of a request by Business Associate 1, Business Associate 2 shall (a) make the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets available to Business Associate 1 for inspection and copying, or to an individual to enable Business Associate 1 to fulfill its obligations under 45 C.F.R. § 164.524, or (b) amend the PHI it maintains (or which is maintained by its Subcontractors) in Designated Record Sets to enable Business Associate 1 to fulfill its obligations under 45 C.F.R. § 164.526. Business Associate 2 shall not disclose PHI to a health plan for payment or healthcare operations purposes if and to the extent that Business Associate 1 has informed Business Associate 2 that the patient has requested this special restriction, and has paid out of pocket in full for the health care item or service to which the PHI solely relates, consistent with 42 U.S.C. § 17935(a) and 45 C.F.R. § 164.522(a)(1)(vi). If Business Associate 2 maintains PHI in a Designated Record Set electronically, Business Associate 2 shall provide such information in the electronic form and format requested by Business Associate 1 if it is readily reproducible in such form and format, and, if not, in such other form and format agreed to by Business Associate 1 to enable Business Associate 1 to fulfill its obligations under 42 U.S.C. § 17935(e) and 45 C.F.R. § 164.524(c)(2). Business Associate 2 shall notify Business Associate 1 within fifteen (15) days of receipt of a request for access to PHI.
2.8. Accounting: To the extent that Business Associate 2 maintains a Designated Record Set on behalf of Business Associate 1, within thirty (30) days of receipt of a request from Business Associate 1 or an individual for an accounting of disclosures of PHI, Business Associate 2 and its Subcontractors shall make available to Business Associate 1 the information required to provide an accounting of disclosures to enable Business Associate 1 to fulfill its obligations under 45 C.F.R. § 164.528 and its obligations under 42 U.S.C. § 17935(c). Business Associate 2 shall notify Business Associate 1 within fifteen (15) days of receipt of a request by an individual or other requesting party for an accounting of disclosures of PHI.
2.9. Use of Subcontractors: Business Associate 2 shall require each of its Subcontractors that creates, maintains, receives, or transmits PHI on behalf of Business Associate 2, to execute a Business Associate Agreement that imposes on such Subcontractors the same restrictions, conditions, and requirements that apply to Business Associate 2 under this BAA with respect to PHI.
2.10. Minimum Necessary: Business Associate 2 (and its Subcontractors) shall, to the extent practicable, limit its request, Use, or Disclosure of PHI to the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure, in accordance with 42 U.S.C. § 17935(b) and 45 C.F.R. § 164.502(b)(1) or any other guidance issued thereunder.
ARTICLE III
TERM AND TERMINATION
3.1. Term: The term of this Agreement shall be effective as of the Effective Date and shall terminate as of the date that all of the PHI provided by Business Associate 1 to Business Associate 2, or created or received by Business Associate 2 on behalf of Business Associate 1, is destroyed or returned to Business Associate 1, or, if it is infeasible to return or destroy the PHI, protections are extended to such information, in accordance with Section 3.3, or on the date that Business Associate 1 terminates for cause as authorized in Section 3.2, whichever is sooner.
3.2. Termination for Cause: Upon Business Associate 1’s knowledge of a material breach or violation of this BAA by Business Associate 2, Business Associate 1 shall either:
3.2.1. Notify Business Associate 2 of the breach in writing, and provide an opportunity for Business Associate 2 to cure the breach or end the violation within ten (10) business days of such notification; provided that if Business Associate 2 fails to cure the breach or end the violation within such time period to the satisfaction of Business Associate 1, Business Associate 1 may immediately terminate this BAA upon written notice to Business Associate 2; or
3.2.2. Upon written notice to Business Associate 2, immediately terminate this BAA if Business Associate 1 determines that such breach cannot be cured.
3.3. Disposition of Protected Health Information Upon Termination or Expiration
3.3.1. Upon termination or expiration of this BAA, Business Associate 2 shall either return or destroy all PHI received from, or created or received by Business Associate 2 on behalf of Business Associate 1, that Business Associate 2 still maintains in any form and retain no copies of such PHI. If Business Associate 1 requests that Business Associate 2 return PHI, PHI shall be returned in a mutually agreed upon format and timeframe, at no additional charge to Business Associate 1.
3.3.2. If return or destruction is not feasible, Business Associate 2 shall (a) retain only that PHI which is necessary for Business Associate 2 to continue its proper management and administration or to carry out its legal responsibilities; (b) return to Business Associate 1 the remaining PHI that Business Associate 2 still maintains in any form; (c) continue to extend the protections of this BAA to the PHI for as long as Business Associate 2 retains the PHI; (d) limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction of the PHI infeasible and subject to the same conditions set out in Sections 2.1 and 2.2 above, which applied prior to termination; and (e) return to Business Associate 1 the PHI retained by Business Associate 2 when it is no longer needed by Business Associate 2 for its proper management and administration or to carry out its legal responsibilities.
ARTICLE IV
MISCELLANEOUS
4.1. Amendment to Comply with Law: This BAA shall be deemed amended to incorporate any mandatory obligations of Business Associate 1 or Business Associate 2 under the HITECH Act, the HIPAA Act, and HIPAA regulations. Additionally, the Parties agree to take such action as is necessary to amend this BAA from time to time as necessary for Business Associate 1 to implement its obligations pursuant to the HIPAA Act, the HIPAA Regulations, or the HITECH Act.
4.2. Indemnification: Both companies/organizations hereby agree to indemnify and hold harmless the other, its affiliates, and their respective officers, directors, managers, members, shareholders, employees, and agents from and against any and all fines, penalties, damage, claims, or causes of action and expenses (including, without limitation, court costs and attorney’s fees) the companies/organizations incur, arising from violations of the HIPAA Act, the HIPAA Regulations, the HITECH Act, or from any negligence or wrongful acts or omissions, including, but not limited to, failure to perform its obligations that results in a violation of the HIPAA Act, the HIPAA Regulations, or the HITECH Act, by either company/organization or its employees, directors, officers, subcontractors, agents, or members of its workforce.
4.3. Notices: Any notices required or permitted to be given hereunder by either Party to the other shall be given in writing: (1) by personal delivery; (2) by electronic mail or facsimile with confirmation sent by United States first class registered or certified mail, postage prepaid, return receipt requested; (3) by bonded courier or by a nationally recognized overnight delivery service; or (4) by United States first class registered or certified mail, postage prepaid, return receipt requested, in each case, addressed to a Party on the signature page(s) to this Agreement or to such other addresses as the Parties may request in writing by notice given pursuant to this Section 4.3. Notices shall be deemed received on the earliest of personal delivery; upon delivery by electronic facsimile with confirmation from the transmitting machine that the transmission was completed; twenty-four (24) hours following deposit with a bonded courier or overnight delivery service; or seventy-two (72) hours following deposit in the U.S. mail as required herein.
4.4. Relationship of Parties: Business Associate 2 is an independent contractor and not an agent of Business Associate 1 under this BAA. Business Associate 2 has the sole right and obligation to supervise, manage, contract, direct, procure, perform or cause to be performed all Business Associate 2 obligations under this BAA.
4.5. Survival: The respective rights and obligations of the Parties under Sections 3.3 and 4.2 of this BAA shall survive the termination of this BAA.
4.6. Applicable Law and Venue: This Agreement shall be governed by and construed in accordance with the laws of New Zealand (without regard to conflict of laws principles). The Parties agree that all actions or proceedings arising in connection with this BAA shall be tried and litigated exclusively in the State or federal (if permitted by law and if a Party elects to file an action in federal court) courts located in the county of New Zealand.