Business Associate Agreement
This HIPAA BAA defines the rights and responsibilities of each of us with respect to Protected Health Information as defined in the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, including the HITECH Act and Omnibus Rule, as each may be amended from time to time (collectively, “HIPAA”).
1. Defined Terms. For the purposes of this HIPAA BAA, capitalized terms shall have the following meanings:
- “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR § 160.103 of HIPAA and, in reference to the party to this HIPAA BAA, shall mean HIPAAtizer, HIPAAtizer.com and Cappers Applications Inc. (collectively “HIPAAtizer”).
- “CFR” shall mean the Code of Federal Regulations.
- “You”, “Your” or “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR § 160.103, and in reference to the party to this HIPAA BAA shall mean You or the entity that You have the legal authority to bind.
- “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
- “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Parts 160 and 164.
- “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health information” in 45 CFR § 160.103, limited to the information received by Business Associate from or on behalf of You.
- “Required By Law” shall have the same meaning as the term “required by law” in 45 CFR § 164.103.
- “Secretary” shall mean the Secretary of the U.S. Department of Health and Human Services (“HHS”) or his or her designee.
2. Obligations and Activities of Business Associate.
- (a) Business Associate shall not use or disclose PHI other than as permitted or required by this HIPAA BAA or as permitted or Required By Law.
- (b) Business Associate shall use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of PHI other than as provided for in this HIPAA BAA.
- (c) Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for by this HIPAA BAA of which it becomes aware, including any breaches of unsecured PHI as required at 45 CFR § 164.410, and any security incident of which it becomes aware.
- Both parties acknowledge that there are likely to be a significant number of meaningless or unsuccessful attempts to access the HIPAAtizer Services, which make a real-time reporting requirement impractical for both parties. The parties acknowledge that Business Associate’s ability to report on system activity, including Security Incidents, is limited by, and to, the Services which You have purchased (and does not extend to networks or systems operated by third parties as part of general internet connectivity).
- Business Associate undertakes no obligation to report network security related incidents which occur on the HIPAAtizer managed network but do not directly involve Your Customer Data. The parties agree that the following are illustrative examples of unsuccessful security incidents which, when they do not result in the unauthorized access, use, disclosure, modification or destruction of PHI need not be reported by Business Associate: pings against network devices, port scans, attempts to log on to a system or database with an invalid password or username, detection of malware.
- (d) Business Associate agrees that, in accordance with 45 CFR §§ 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, it will ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
- (e) Business Associate agrees to make available PHI in a designated record set to the Covered Entity as necessary to satisfy the Covered Entity’s obligations under 45 CFR § 164.524. Business Associate shall not be obligated to provide any such information directly to any Individual or person other than You.
- (f) Business Associate agrees to make any amendment(s) to PHI in a designated record set as directed or agreed to by the Covered Entity pursuant to 45 CFR § 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.526.
- (g) Business Associate agrees to maintain and make available the information required to provide an accounting of disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528.
- (h) Business Associate agrees, to the extent that it is to carry out one or more of the Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, to comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s).
- (i) Business Associate agrees to make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
3. Permitted Uses and Disclosures by Business Associate.
- (a) Business Associate may only use or disclose PHI to perform functions, activities, or services for, or on behalf of, You as specified in the Agreement, provided that such use or disclosure would not violate the HIPAA Rules if done by You.
- (b) Business Associate may use or disclose PHI as Required by Law.
- (c) Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s minimum necessary policies and procedures.
- (d) Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.
- (e) Business Associate may use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities.
- (f) Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are (i) Required By Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
4. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions.
- 4.1. Covered Entity shall notify Business Associate of:
- (a) any limitation(s) in Your notice of privacy practices in accordance with 45 CFR § 164.520, to the extent that such changes may affect Business Associate’s use or disclosure of PHI;
- (b) any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI; and
- (c) any restriction to the use or disclosure of PHI that You have agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- 4.2. You agree that You will not request Business Associate to use, transmit or disclose PHI in any manner that would not be permissible under the HIPAA Rules if done by You.
- 4.3. You agree as part of Your security obligations to implement and maintain appropriate safeguards as required for You to comply with the HIPAA Rules as applicable to You and Your use of the HIPAAtizer Services. This includes, without limitation: (i) implementing reasonable safeguards required by 45 CFR § 164.530(c), (ii) reasonably limiting the amount or type of information disclosed through the HIPAAtizer Services, (iii) permitting individuals to utilize alternative secure electronic methods to receive confidential communications from You, (iv) verifying the recipient’s email address and phone number, and that each is correctly entered into the HIPAAtizer Services, prior to using the HIPAAtizer Services to transmit PHI, (v) including a privacy statement notifying the recipient of the insecure nature of email and text messages and providing a contact to whom a recipient can report a misdirected message, and (vi) encrypting PHI transmitted through the HIPAAtizer Services where appropriate or required by the HIPAA Rules (such as through the use of encrypted attachments, PGP toolsets, or S/MIME).
- 4.4. You are responsible for maintaining the encryption of any sensitive data You have received in an encrypted state from the HIPAAtizer Services. Emails originating from the HIPAAtizer Services are sent using Amazon Simple Email Service (Amazon SES). These emails notify You of the submission of personal information. This service supports both S/MIME and PGP to encrypt messages for full end-to-end encryption, as well as encryption of all communication with Amazon SES. You confirm that You have made these aspects of the HIPAAtizer Services clear to Your customers and end users as appropriate, and that they have provided full and adequate consent to the use of their PHI in the fashion in which You utilize the HIPAAtizer Services.
5. Term and Termination.
- (a) The term of this HIPAA BAA shall be effective as of the date You click the “Accept the HIPAAtizer BAA” button (or other electronic means made available by HIPAAtizer for such purpose), and shall terminate upon effective cancellation of the HIPAAtizer Services or on the date that Covered Entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.
- (b) Business Associate authorizes termination of this HIPAA BAA by Covered Entity, if Covered Entity determines Business Associate has violated a material term of the HIPAA BAA and Business Associate has not cured the breach or ended the violation within 10 days of having been notified by Covered Entity.
- (c) Unless instructed otherwise by Covered Entity, upon termination of this HIPAA BAA for any reason, Business Associate shall destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI. Covered Entity has 10 business days after termination of this HIPAA BAA to request the return of PHI instead of its destruction. Business Associate will continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI during this 10-business-day period.
- (a) Amendment. Each of us agrees to take such action as is reasonably necessary to amend this HIPAA BAA from time to time as is necessary for You to comply with the requirements of HIPAA as they may be amended from time to time.
- (b) Survival. Our respective rights and obligations under this HIPAA BAA shall survive the termination of the Agreement.
- (c) Interpretation. Any ambiguity in this HIPAA BAA shall be resolved to permit You to comply with HIPAA and the HIPAA Rules.
7. This HIPAA BAA has been accepted by You and duly executed as of the date below.