HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT
PRIVACY AND SECURITY BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (the “BA Agreement”) is entered into this , 20 between the (the “Covered Entity”) and SkyTherapist (“Business Associate”) for purposes of compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 45 CFR Part 160, Part 162 and Part 164 Subparts A through E (the “Privacy and Security Rules”), and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5 (the “HITECH Act”).
A. Business Associate provides certain services to or on behalf of Covered Entity; and
B. Covered Entity and Business Associate have entered into certain contract(s) existing as of the effective date of this BA Agreement and may enter into other future contracts (the “Underlying Agreements”), as more specifically defined at Section 3.0 below; and
C. In connection with these services, Covered Entity discloses to Business Associate certain protected health information that is subject to protection under the Privacy Rule and the HITECH Act; and
D. The Privacy Rule and the HITECH Act require that Covered Entity receive adequate assurances that Business Associate will comply with certain obligations with respect to the PHI received in the course of providing services to or on behalf of Covered Entity.
NOW THEREFORE, in consideration of the foregoing and other good and valuable consideration, the parties agree as follows:
1.0 DEFINITIONS.
The following terms are defined for purposes of this BA Agreement. Terms used, but not otherwise defined, in this BA Agreement shall have the same meaning as those terms in the Privacy and Security Rule(s) and the HITECH Act.
(a) “Individual” shall have the same meaning as the term “individual” in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).
(b) “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.
(c) “Security Rule” shall mean the Security Standards for the Protection of Electronic Protected Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
(d) “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 CFR 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
(e) “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” in 45 CFR 160.103, limited to information created, received, maintained, or transmitted by Business Associate on behalf of the Covered Entity.
(f) “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR 160.103.
(g) “Secretary” shall mean the Secretary of the Department of Health and Human Services or his designee.
(h) “Breach” shall have the same meaning given to such term under 42 U.S.C. 17921.
(i) “Electronic Health Record” shall have the same meaning given to such term under 42 U.S.C. 17921.
(j) “Unsecured PHI” shall have the same meaning given to such term under the HITECH Act and any guidance issued pursuant to that act.
2.0 OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE.
(a) General Obligations: Business Associate agrees not to use or disclose Protected Health Information other than as permitted or required by this BA Agreement or as Required By Law. Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, except with the prior written consent of Covered Entity and as permitted by the HITECH Act; however, this prohibition shall not affect payment by Covered Entity to Business Associate for services provided pursuant to the Underlying Agreements, which are defined below in Section 3.0(b).
(b) Mitigation: Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BA Agreement.
(c) Reporting: Business Associate shall notify in writing Covered Entity of any access, use or disclosure of PHI for a purpose that is not provided for in this BA Agreement, and any Breach of Unsecured PHI, of which Business Associate becomes aware without unreasonable delay and in no case later than 15 calendar days after discovery. Reports must be made to Covered Entity's Privacy Office in writing, via fax or via the web. Reports may also be made by telephone provided Business Associate also provides a follow-up written report as described above.
(d) Disclosure to Agents and Subcontractors: Business Associate shall ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this BA Agreement to Business Associate with respect to such information. Business Associate shall be liable to Covered Entity for any acts, failures or omissions of the agent or subcontractor in providing the services as if they were Business Associate’s own acts, failures or omissions, to the extent permitted by law.
(e) Designated Record Set: As applicable, Business Associate shall provide access, at the request of Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524.
(f) Amendments: Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 in the time and manner as reasonably requested by Covered Entity or an Individual.
(g) Internal Practices, Policies and Procedures: Business Associate shall make its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from Covered Entity or PHI created or received by Business Associate on behalf of Covered Entity, available to the Secretary for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule and the HITECH Act.
(h) Accounting for Disclosures: As applicable, Business Associate agrees to maintain the information required to provide an accounting of disclosures of PHI in accordance with 45 CFR 164.528 and to make this information available to Covered Entity upon Covered Entity’s request in order to allow Covered Entity to respond to an Individual’s request for an accounting of disclosures. For PHI maintained in an Electronic Health Record, Business Associate shall, beginning at such time as the law requires, maintain such information as is necessary to provide an accounting of disclosures for treatment, payment or health care operations for a period of three years after such disclosure is made, in accordance with 42 U.S.C. 17935(c).
(i) Security Obligations: Business Associate shall implement such appropriate safeguards as are necessary to prevent the use or disclosure of PHI other than as permitted by the Underlying Agreements or this BA Agreement, including, but not limited to, administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Covered Entity’s electronic PHI as required by 45 CFR Part 164, Subpart A and Subpart C, as amended from time to time, and in the same manner that such provisions apply to a HIPAA covered entity. Business Associate shall ensure that any agent, including a subcontractor, to whom it provides such electronic PHI agrees to implement reasonable and appropriate safeguards to protect it.
(j) Breach Notification: In the event of a privacy or security Breach that triggers a breach notification requirement under HITECH, Business Associate shall inform Covered Entity of the following: the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; the date of the Breach; a description of how the Breach occurred; a description of the types of information (SSN, DOB, etc.) compromised in the Breach; a description of Business Associate’s efforts to mitigate potential damages; a description of what the affected Individual(s) can do to mitigate damages; and a description of the actions Business Associate shall take to reasonably ensure that a similar Breach does not occur in the future. Business Associate shall cooperate in Covered Entity’s risk assessment to determine whether individual notification is required under 45 CFR 164.404.
(k) Covered Entity’s Electronic Media: If Business Associate is in possession of Covered Entity’s electronic media, as defined at 45 CFR 160.103, or electronic media storing Covered Entity’s PHI, Business Associate must return the electronic media (and any copies) to the Covered Entity or render the PHI secured. Secured for this purpose means PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals using one of the methods below:
(1) Encryption: The use of a National Institute of Standards and Technology (“NIST”) approved algorithm and procedure is preferred. HHS guidance on rendering Unsecured PHI unusable, unreadable, or indecipherable references NIST Special Publication 800-111 for data at rest and NIST Special Publications 800-52, 800-77 and 800-113 for data in transit; under that guidance, encrypted PHI is considered secured only if the decryption key has not itself been compromised.
(2) Destruction: Paper, film, or other hard copy must be shredded or destroyed at end of life or use such that the PHI cannot be read or otherwise reconstructed and is rendered unusable, unreadable, or indecipherable.
(3) Media Sanitization: Electronic media containing PHI must be cleared, purged, or destroyed consistent with approved NIST guidelines for media sanitization (NIST Special Publication 800-88) such that the PHI cannot be retrieved.
(4) Redaction of paper records is not an approved method of rendering PHI unusable, unreadable, or indecipherable.
3.0 PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE.
(a) Permitted Uses and Disclosures: Except as otherwise limited in this BA Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreements provided such use or disclosure would not violate the Privacy Rule or the HITECH Act if done by the Covered Entity.
(b) Inclusions: For purposes of this BA Agreement, the Underlying Agreements shall include the contracts listed below and all other existing or future contracts between the parties. Failure to list any other contracts between the parties shall not limit the application of this BA Agreement to any such other contracts. The Underlying Agreements or Services include: Hosting and Providing Software for Interactive Video.
(c) Uses for Management and Administration: Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
(d) Disclosure for Management and Administration: Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the recipient agrees to notify Business Associate of any uses or disclosures to the contrary.
(e) Minimum Necessary. Business Associate (and its agents or subcontractors) shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure, in accordance with 42 USC 17935(b). Business Associate understands and agrees that the definition of “minimum necessary” is subject to change from time to time depending on governmental regulatory changes.
(f) Data Aggregation: Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B).
(g) Report Violations of Law: Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR 164.502(j)(1).
4.0 OBLIGATIONS OF COVERED ENTITY.
(a) Notice of Privacy Practices: Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI.
(b) Changes in Permission: Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.
(c) Notification of Restrictions: Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI.
5.0 PERMISSIBLE REQUESTS BY COVERED ENTITY.
Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule and the HITECH Act if done by Covered Entity.
6.0 TERM AND TERMINATION.
(a) Term. The Term of this BA Agreement shall commence as of the effective date set forth above and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section, regardless of the termination date of any of the Underlying Agreements.
(b) Termination for Cause. Upon either party’s knowledge of a material breach by the other, the party with knowledge of the other’s material breach shall either:
(1) Provide written notice specifying the nature of the breach or violation to the other. The other party shall have 30 days from the receipt of the notice in which to remedy the breach or violation. If such corrective action is not taken within the time specified, this BA Agreement shall terminate at the end of the 30-day period without further notice or demand. Each party is required pursuant to the HITECH Act to report any known or suspected violations of the Privacy Rule and/or Security Rule by the other to the Secretary if, after notification, that party does not cure such violation within 30 days;
(2) Immediately terminate this BA Agreement; or
(3) If neither termination nor cure is feasible, the party shall report the violation to the Secretary.
(c) Effect of Termination.
(1) Except as provided in paragraph (c)(2) of this Section 6, upon termination of this BA Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
(2) In the event that Business Associate in good faith determines that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this BA Agreement to such Protected Health Information and limit further uses and disclosures of such PHI to only those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI; provided however that the Business Associate shall notify Covered Entity in writing of Business Associate’s compliance with this paragraph.
(a) Regulatory References. Any reference in this BA Agreement to HIPAA or the Privacy or Security Rule shall mean the referenced section as is then in effect or as amended.
(b) Amendments. The Parties agree to take such action as is necessary to amend this BA Agreement from time to time for Covered Entity to comply with the requirements of the Privacy and Security Rule(s) and the HITECH Act.
(c) Survival. The respective rights and obligations of Business Associate under Section 6(c) of this BA Agreement shall survive the termination of this BA Agreement.
(d) Interpretation. Any ambiguity in this BA Agreement shall be resolved to permit Covered Entity to comply with HIPAA and the HITECH Act.
(e) Compliance with Laws. In performing their respective obligations under this BA Agreement, Covered Entity and Business Associate shall at all times comply with all provisions of HIPAA and the HITECH Act.
(f) No Third Party Beneficiaries. Nothing in this BA Agreement shall be considered or construed as conferring any right or benefit on a person not party to this BA Agreement nor imposing any obligations on either Party hereto to persons not a party to this BA Agreement.
(g) Notices. Any notices pertaining to this BA Agreement shall be addressed to the appropriate party as follows:
If to Covered Entity:
If to Business Associate:
IN WITNESS WHEREOF, the parties have caused this BA Agreement to be executed by their duly authorized representatives effective as of the day and year set forth above.
_______________________________________________ (COVERED ENTITY) SkyTherapist Inc. (BUSINESS ASSOCIATE)
By: _______________________________________________ By: ______________________________________________
Name: ___________________________________________ Name:___________________________________________
Title: _____________________________________________ Title: ___________________________________________
Date: _____________________________________________ Date: ___________________________________________