BUSINESS ASSOCIATE AGREEMENT
as of 12/21/2016
This Business Associate Agreement (the “Agreement”) is made as of the date agreed to below (the “Effective Date”), by and between Care3, Inc. (“Business Associate”) and the Company (“Covered Entity”) (each a “Party” and collectively the “Parties”) to comply with the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and their implementing regulations, including the Privacy Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160 and 164, subparts A and E (the “Privacy Rule”), the Security Standards adopted by the U.S. Department of Health and Human Services as they may be amended from time to time, 45 C.F.R. parts 160, 162 and 164, subpart C (the “Security Rule”), the Breach Notification Standards adopted by the U.S. Department of Health and Human Services, as they may be amended from time to time, at 45 C.F.R. part 164, subpart D (the “Breach Notification Rule”), as well as related state laws and/or regulations (collectively, the “HIPAA Rules”).
WHEREAS, in connection with these Services, Covered Entity may disclose to Business Associate certain Protected Health Information (“PHI”) (as defined below) that is subject to protection under the HIPAA Rules;
WHEREAS, if Business Associate performs or assists in performing certain functions or activities for or on behalf of Covered Entity that involve the use or disclosure of PHI, the HIPAA Rules require that Covered Entity receive adequate assurances that Business Associate will comply with certain obligations with respect to the PHI received in the course of providing services to or on behalf of Covered Entity; and
WHEREAS, the Parties agree that the terms of this Agreement will have no effect unless and until Business Associate performs or assists in performing certain functions or activities for or on behalf of Covered Entity that involve the use or disclosure of PHI.
NOW THEREFORE, in consideration of the mutual promises and covenants herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:
A. Definitions.
- Unless otherwise provided, all capitalized terms in the Agreement will have the same meaning as provided under the HIPAA Rules.
- Protected Health Information or PHI: Protected Health Information or PHI, as defined by the Privacy Rule, for this Agreement means PHI that is created, received, maintained, or transmitted on behalf of Covered Entity by Business Associate pursuant to the Agreement.
B. Purposes for which PHI May Be Disclosed to Business Associate.
In connection with the Services provided by Business Associate to or on behalf of Covered Entity, Covered Entity may disclose PHI to Business Associate during the performance of service and support activities in compliance with HIPAA.
C. Obligations of Business Associate.
- Compliance with Laws. Business Associate agrees to comply with the provisions of the HIPAA Rules that are applicable to Business Associate.
- Use and Disclosure of PHI. Business Associate may use or disclose PHI as Required by Law. Business Associate shall not use or further disclose PHI other than as permitted or required by this Agreement or as Required by Law. Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules if used or disclosed by Covered Entity, provided, however, that Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate, for the specific uses and disclosures set forth herein, and to carry out its legal responsibilities. Business Associate agrees, to the extent that Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 C.F.R. Part 164, to comply with the requirements of Subpart E of 45 C.F.R. Part 164 that apply to Covered Entity in the performance of such obligation(s).
- Safeguards. Business Associate shall maintain appropriate safeguards to ensure that PHI is not used or disclosed in violation of this Agreement or applicable law. Business Associate shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of any electronic PHI it creates, receives, maintains, or transmits on behalf of Covered Entity and shall comply, where applicable, with Subpart C of 45 C.F.R. Part 164 with respect to such electronic PHI to prevent use or disclosure of such electronic PHI other than as provided for by this Agreement.
- Disclosure to Agents and Subcontractors. If Business Associate discloses PHI received from Covered Entity, or created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity, to agents, including a subcontractor, Business Associate shall, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any agents or subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate under this Agreement with respect to such information. Business Associate shall ensure that any such agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of Business Associate or Covered Entity.
- Minimum Necessary. Business Associate agrees to make reasonable efforts to limit use and disclosure of PHI to the minimum necessary to accomplish the intended purposes, consistent with Business Associate’s policies and procedures.
- Individual Rights. Business Associate agrees as follows:
- (a) Individual Right to Copy or Inspection. To the extent Business Associate or its agents or subcontractors maintain PHI in a Designated Record Set, if an Individual makes a request for access directly to Business Associate, Business Associate will within fifteen (15) business days forward such request in writing to Covered Entity. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for PHI and Business Associate will make no such determinations. Except as Required by Law, only Covered Entity will release and be responsible for releasing PHI to an Individual pursuant to such a request.
- (b) Amendment of an Individual’s PHI or Record. To the extent Business Associate or its agents or subcontractors maintain PHI in a Designated Record Set, if an Individual makes a request for an amendment of his or her PHI or record directly to Business Associate, Business Associate will within fifteen (15) business days forward such request in writing to Covered Entity, and Business Associate will incorporate any such amendment upon written request from Covered Entity. Covered Entity will be responsible for making all determinations regarding the grant or denial of an Individual’s request for an amendment, and except as Required by Law Business Associate will make no such determinations.
- (c) Accounting of Disclosures. Business Associate agrees to maintain documentation of the information required to provide an Accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528, and to make this information available to Covered Entity upon Covered Entity’s request, in order to allow Covered Entity to respond to an Individual’s request for Accounting of Disclosures. Such accounting is limited to disclosures that were made in the six (6) years prior to the request (not including disclosures prior to the compliance date of the Privacy Rule). Such accounting is further limited to disclosures that were made in the three (3) years prior to the request (not including disclosures prior to the compliance date of the Privacy Rule) to the extent that the purpose of such accounting is to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI through an Electronic Health Record, as the term is defined in section 13400 of HITECH, made to carry out Treatment, Payment and Health Care Operations as provided in 45 C.F.R. §164.506. Notwithstanding the above, any such accounting shall be provided only for as long as Business Associate maintains the PHI. If an Individual requests an Accounting of Disclosures directly from Business Associate, Business Associate will forward the request and its Disclosure record to Covered Entity within fifteen (15) business days of Business Associate’s receipt of the Individual’s request. Covered Entity will be responsible for preparing and delivering the Accounting to the Individual. Except as required by law, Business Associate will not provide an Accounting of its Disclosures directly to any Individual.
- Internal Practices, Policies and Procedures. Except as otherwise specified herein, Business Associate shall make available its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received on behalf of, Covered Entity to the Secretary or his or her agents or authorized designees for the purpose of determining Covered Entity’s compliance with the HIPAA Rules.
- Withdrawal of Authorization. If the use or disclosure of PHI in this Agreement is based upon an Individual’s specific authorization for the use or disclosure of his or her PHI, and the Individual revokes such authorization, the effective date of such authorization has expired, or such authorization is found to be defective in any manner that renders it invalid, Business Associate shall, if it has received notice from Covered Entity pursuant to Section E.1. herein of such revocation, expiration, or invalidity, cease the use and disclosure of the Individual’s PHI except to the extent it has relied on such use or disclosure, or if an exception under the HIPAA Rules expressly applies.
- Security Incident. Business Associate agrees to report to Covered Entity any Security Incident of which Business Associate becomes aware except that no report shall be required for unsuccessful attempts at unauthorized Access, Use, Disclosure, modification, or destruction of PHI or unsuccessful attempts at interference with systems operations in an information system, such as “pings” on a firewall.
- Use or Disclosure of PHI Not Provided for by this Agreement. Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware.
- Breaches of Unsecured PHI. Business Associate will report in writing to Covered Entity any Breach of Unsecured Protected Health Information, as required at 45 C.F.R. § 164.410 of which it becomes aware, within ten (10) business days of the date Business Associate learns of the incident giving rise to the Breach.
D. Rights of Business Associate.
- Management and Administration. Except as otherwise limited in this Agreement, Business Associate may use and disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
- Data Aggregation. Business Associate is permitted, for Data Aggregation purposes to the extent permitted under the HIPAA Rules, to use, disclose, and combine PHI created or received on behalf of Covered Entity by Business Associate pursuant to this Agreement with Protected Health Information, as defined by 45 C.F.R. 160.103, received by Business Associate in its capacity as a business associate of other covered entities, to permit data analyses that relate to the Health Care Operations of the respective covered entities, where “business associate” and “covered entities” have the meanings given to them in 45 C.F.R. 160.103.
- De-identified Information. Business Associate may de-identify any and all PHI created or received by Business Associate under this Agreement at any location and use all such de-identified data in accordance with the de-identification requirements of the HIPAA Rules.
- Reporting Violations of Law. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. 164.502(j)(1).
- Limited Data Set. Business Associate may create a Limited Data Set and use such Limited Data Set pursuant to a Data Use Agreement that meets the requirements of the Privacy Rule.
E. Obligations of Covered Entity.
- Changes in Authorization. Covered Entity shall inform Business Associate, in writing and in a timely manner, of any changes in, or withdrawal of, any authorization provided to Covered Entity by any Individual pursuant to 45 CFR § 164.508, to the extent that such changes or withdrawal may affect Business Associate’s use or disclosure of PHI. In addition, Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. Covered Entity shall provide Business Associate with its notice of privacy practices for PHI as identified in 45 CFR § 164.520, and Covered Entity shall notify Business Associate, in writing and in a timely manner, of any limitation(s) in its notice of privacy practices, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. Covered Entity shall promptly notify Business Associate of any breach by Covered Entity of any obligation under the HIPAA Rules as such breach relates to PHI as defined herein. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity, and Business Associate is not required to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by Covered Entity.
- Minimum Necessary. Covered Entity shall disclose to Business Associate only the “Minimum Necessary” amount of PHI for Business Associate to perform the Services and its rights and obligations under this Agreement, and only in compliance with the HIPAA Rules.
F. Term and Termination.
- Term. The term of this Agreement shall be effective as of the date last executed below and shall continue until all PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or this Agreement is terminated pursuant to this Article F.
- Termination for Breach. Either Party may terminate this Agreement upon written notice to the other Party if the non-breaching Party determines that the other Party or its subcontractors or agents has breached a material term of this Agreement, provided that the non-breaching Party will first provide the other Party with written notice of the breach of this Agreement and afford the other Party the opportunity to cure the breach within forty-five (45) days of the date of such notice. If the other Party or any of its subcontractors or agents fails to timely cure the breach, the non-breaching Party may terminate this Agreement.
- Effect of Termination. Upon termination of this Agreement for any reason, Business Associate agrees to return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, maintained by Business Associate in any form and to retain no copies. If Business Associate determines that the return or destruction of PHI is not feasible, Business Associate shall inform Covered Entity in writing of the reason thereof, and the Parties shall agree to extend the protections of this Agreement to such PHI and Business Associate shall limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible for so long as Business Associate retains the PHI.
- Survival. The respective rights and obligations of the Parties under Article G. of this Agreement shall survive the termination of this Agreement.
- Notices. Any notices pertaining to this Agreement shall be given in writing and shall be deemed duly given when personally delivered to a Party or a Party’s authorized representative as listed below or sent by means of a reputable overnight carrier, or sent by means of certified mail, return receipt requested, postage prepaid. A notice sent by certified mail shall be deemed given on the date of receipt or refusal of receipt.
- Amendments. This Agreement may not be changed or modified in any manner except by an instrument in writing signed by a duly authorized officer of each of the Parties hereto. The Parties, however, agree to amend this Agreement from time to time as necessary, in order to allow the Parties to comply with the requirements of the HIPAA Rules.
- Choice of Law. This Agreement and the rights and the obligations of the Parties hereunder shall be governed by and construed under the laws of the State of California without regard to applicable conflict of laws principles.
- Assignment of Rights and Delegation of Duties. This Agreement is binding upon and inures to the benefit of the Parties and their respective successors and permitted assigns.
- Nature of Agreement. Nothing in this Agreement shall be construed to create (i) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, (ii) any fiduciary duty owed by one Party to another Party or any of its affiliates, or (iii) a relationship of employer and employee between the Parties.
- No Waiver. Failure or delay on the part of either Party to exercise any right, power, privilege or remedy hereunder shall not constitute a waiver thereof. No provision of this Agreement may be waived by either Party except by a writing signed by an authorized representative of the Party making the waiver.
- Severability. The provisions of this Agreement shall be severable, and if any provision of this Agreement shall be held or declared to be illegal, invalid or unenforceable, the remainder of this Agreement shall continue in full force and effect as though such illegal, invalid or unenforceable provision had not been contained herein.
- No Third Party Beneficiaries. Nothing in this Agreement shall be considered or construed as conferring any right or benefit on a person not party to this Agreement nor imposing any obligations on either Party hereto to persons not a party to this Agreement.
- Headings. The descriptive headings of the articles, sections, subsections, exhibits and schedules of this Agreement are inserted for convenience only, do not constitute a part of this Agreement and shall not affect in any way the meaning or interpretation of this Agreement.
- Entire Agreement. This Agreement, together with all exhibits, riders and amendments, if applicable, which are fully completed and signed by authorized persons on behalf of both Parties from time to time while this Agreement is in effect, constitutes the entire Agreement between the Parties hereto with respect to the subject matter hereof and supersedes all previous written or oral understandings, addendums, negotiations, commitments, and any other writing and communication by or between the Parties with respect to the subject matter hereof. In the event of any inconsistencies between any provisions of this Agreement and any provisions of any exhibits, riders, or amendments, the provisions of this Agreement shall control.
- Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with the HIPAA Rules. The provisions of this Agreement shall prevail over the provisions of any other prior agreement that exists between the Parties that may conflict with, or appear inconsistent with, any provision of this Agreement or the HIPAA Rules, unless otherwise explicitly set forth in such agreement.
- Regulatory References. A citation in this Agreement to the Code of Federal Regulations shall mean the cited section as that section may be amended from time to time.
IN WITNESS WHEREOF, the parties below have executed and delivered this Agreement as of the Effective Date. By signing up for service with Care3, Inc. as a HIPAA covered entity, you agree to the terms of this Business Associate Agreement.