HIPAA Business Associate Agreement

Amended as of May 8, 2014.

This BUSINESS ASSOCIATE AGREEMENT (“Agreement”) is made and entered into by and between Customer (“Covered Entity”) and iSALUS, LLC d/b/a iSALUS Healthcare (“Business Associate”).

RECITALS

  1. Covered Entity and Business Associate have entered into an Application Terms of Service to which this Agreement is attached as Exhibit A (“Underlying Contract”) that will require Business Associate to perform, or assist in the performance of a function or activity, or otherwise provide services of a type for Covered Entity which qualifies Business Associate as a “Business Associate” as that term is defined by the Health Information Portability and Accountability Act of 1996 and all such regulations promulgated thereunder (“HIPAA”).
  2. Business Associate, in fulfilling its obligations for and on behalf of Covered Entity, shall be expected to create or receive and maintain certain individually identifiable health and other personal information (“PHI”) from time to time that is the property of Covered Entity.
  3. Covered Entity and Business Associate desire to enter into this Agreement which shall supplement the Underlying Contract, as required by HIPAA, in order to provide satisfactory assurances to Covered Entity that Business Associate shall maintain appropriate Administrative, Physical and Technical Safeguards to protect the Confidentiality, Integrity and Availability of all such PHI in accordance with HIPAA as amended, including but not limited to the statutory amendments to HIPAA that were enacted under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act (hereinafter collectively referred to as “HIPAA”) and other applicable requirements discussed herein. Except as supplemented, the terms of the Underlying Contract shall continue unchanged and shall apply with full force and effect as to the matters addressed therein.

NOW THEREFORE, Covered Entity and Business Associate agree as follows:

  1. Definitions. All capitalized terms and phrases in this Agreement shall have the same meanings as defined by HIPAA and if not otherwise defined therein, shall have their ordinary and customary meaning:
  2. Restriction on Use and Disclosure of Protected Health Information. Business Associate shall not access, create, Use or Disclose PHI except as permitted or required by an Underlying Contract, this Agreement, or as Required by Law.
  3. Authorized Uses and Disclosures. Business Associate is hereby authorized to Use and Disclose PHI on a “need to know” basis, but only in connection with the performance of the particular functions, activities or services set forth in the Underlying Contract or as otherwise required permitted by Covered Entity, in writing, from time to time. Business Associate may also Use and Disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate; provided (a) the Disclosure is Required by Law; or (b) Business Associate obtains reasonable assurances, in writing, from the third party to whom the PHI is Disclosed that the PHI will be held confidential and will be Used or further Disclosed only for authorized purposes or as otherwise Required by Law, and the third party agrees to immediately notify the Business Associate of any instances of which it is aware in which the Privacy or Security of the PHI has been violated.
  4. Business Associate Obligations.
    1. Compliance; Safeguards. Business Associate represents and warrants that Business Associate shall comply with the HITECH Act amendments to HIPAA on or before the applicable compliance dates established therein. Business Associate shall implement and document appropriate Administrative, Physical and Technical Safeguards in order to preserve the Confidentiality, Integrity and Availability of all PHI and to prevent any unauthorized Access, Use or Disclosure of PHI, or any other successful Security Incident or other Breach involving said PHI (hereinafter collectively referred to as “Incident”) and make all such documentation available to Covered Entity for review upon request.
    2. Reporting. Business Associate shall report to Covered Entity any Incident that Business Associate has reason to believe has violated the Confidentiality, Integrity or Availability of PHI. Business Associate shall report all Incidents to Covered Entity, not more than twenty-four (24) hours after Business Associate learns of the Incident. Said report shall identify: (i) the nature of the Incident; (ii) the PHI known to be the subject of the Incident; (iii) the person(s) known to have information about the Incident; and (iv) the corrective action that Business Associate took or will take to mitigate and/or correct any deleterious effects of the Incident and to prevent future Incidents. Business Associate shall submit a written report to Covered Entity for review upon request.
    3. Agents, Contractors, and Subcontractors. Business Associate shall ensure that any agent, contractor, or subcontractor, to whom it provides Protected Health Information, agrees, in writing, to the same restrictions and conditions that apply to Business Associate under this Agreement.
    4. Patient’s Access to PHI. Business Associate shall act in a manner that permits Covered Entity to permit Patient Access to PHI in accordance with HIPAA as amended.
    5. Restriction on Use and/or Disclosure. Business Associate shall comply with all granted restrictions on the use and/or disclosure of PHI, pursuant to 45 CFR 164.522(a), upon notice from Covered Entity. Business Associate shall forward to Covered Entity any requests for restriction on the use and/or disclosure of PHI within five (5) business days of receipt.
    6. Amendment of PHI. Business Associate shall act in a manner that permits Covered Entity to make amendments to PHI in accordance with HIPAA, as amended.
    7. Access Reports; Accounting of Disclosures. Business Associate shall act in a manner that permits Covered Entity to provide any Access Report or Accounting of Disclosures in accordance with 42 CFR §164.528.
    8. Practices, Books and Records. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary for the purpose of determining Covered Entity’s compliance with the HIPAA, subject to the Business Associate’s professional obligations with respect to such practices, books and records. For purposes of clarity, this provision does not obligate Business Associate to provide any information unrelated to the services provided to Covered Entity by Business Associate pursuant to the Underlying Contract.
    9. Cure of Noncompliance. If Covered Entity notifies Business Associate of an Incident, or other pattern of activity or practice of Business Associate which constitutes a material breach of this Agreement or HIPAA, as amended, Business Associate shall immediately take all reasonable steps necessary to end or otherwise cure the Incident or other breach of this Agreement immediately, notwithstanding Covered Entity’s right to terminate the Underlying Contract(s) and this Agreement under Section 6(a) herein.
    10. Mitigation. Business Associate shall take reasonable steps to mitigate, to the extent practicable, any harmful effect to PHI that is known to Business Associate or communicated to Business Associate by Covered Entity of a use or disclosure of PHI in violation of Business Associate’s policies and procedures, this Agreement, or HIPAA; provided, however, that this provision shall not be deemed to permit or excuse any such violation.
    11. Legal Obligations. In the event Business Associate believes it has a legal obligation to further Disclose any PHI in Business Associate’s possession, including, but not limited to obligations that arise from the issuance of a third party discovery request, subpoena or court order, Business Associate shall notify Covered Entity as soon as reasonably practical after it learns of such obligation, and in any event within a time sufficiently in advance of the proposed release date such that Covered Entity’s rights and interests would not be prejudiced, as to the legal requirement pursuant to which Business Associate believes the PHI must be released. If Covered Entity objects to the release of such PHI, Business Associate shall allow Covered Entity to exercise any legal rights or remedies which either Covered Entity or Business Associate might have with respect to the further Disclosure of PHI, and Business Associate agrees to provide such assistance to Covered Entity, at Covered Entity’s expense, as Covered Entity may reasonably request in connection therewith.
    12. Return or Destruction of the PHI. Upon the termination of the business relationship between Covered Entity and Business Associate, Business Associate shall return to Covered Entity, or, at Covered Entity’s direction, destroy, all PHI that Business Associate has created or received and maintained or stored in any form, recorded on any medium, or stored in any storage system. Business Associate shall complete such return or destruction of PHI as promptly as possible, but not later than thirty (30) days after the effective date of the termination, cancellation, expiration or other conclusion of the Underlying Contract. Business Associate shall identify any recorded PHI in Business Associate’s possession, that Business Associate created on behalf of Facility, or received in its role as Business Associate, that cannot feasibly be returned or destroyed to Covered Entity, and Business Associate shall limit any further Use of that PHI to those purposes that make return or destruction of said PHI infeasible. Within said thirty (30) days, Business Associate shall certify to Covered Entity, in writing and under oath, (i) that the return of all PHI has been completed; and (ii) that Business Associate will deliver to Covered Entity the identification of any PHI for which return is infeasible and, for that PHI, will certify that it will only Use or Disclose such PHI for those purposes which make return of the PHI infeasible. Business Associate shall remain bound by the provisions of this Agreement, even after termination of any Underlying Contract, until such time as all PHI has been (i) returned to Covered Entity; (ii) De-Identified; or (iii) otherwise destroyed as provided in this Section; provided that the parties understand and agree that certain unrecorded information cannot be returned, destroyed, or De-Identified, so the Business Associate shall remain bound by the provisions of this Agreement so long as Business Associate possesses the PHI.
  5. Term of this Agreement. This Agreement shall be effective when executed on behalf of both of the parties hereto and shall continue in full force and effect until the effective date of the termination, cancellation, expiration or other conclusion of all Underlying Contracts executed by and between the parties hereto.
  6. Remedies.
    1. Termination. Covered Entity may terminate the business relationship between Covered Entity and Business Associate, including any Underlying Contract, agreements, arrangements or understandings, whether or not in writing, upon which the business relationship is based and such other agreements, arrangements or understandings are hereby amended to permit such termination, if Covered Entity determines that Business Associate has violated a material term of this Agreement or HIPAA that cannot otherwise be cured by Business Associate under Section 4(i) herein. Termination of the business relationship by Covered Entity shall be in addition to and not in place of any other remedies that may be available to Covered Entity.
    2. Injunction. Notwithstanding any other rights or remedies provided for in this Agreement, the parties agree that Covered Entity may seek injunctive relief to prevent or stop the unauthorized Use or Disclosure of PHI by Business Associate, or any agent, subcontractor or other third party that received PHI from Business Associate, without the necessity of proving actual damages or the occurrence of an unauthorized Use or Disclosure or other Security Incident.
  7. Indemnification.
    1. Business Associate shall indemnify and hold Covered Entity and each of its officers, employees, directors, agents and representatives (“Indemnified Persons”) harmless from and against any and all claims, losses, costs, damages, or expenses, including reasonable attorneys’ fees, that arise out of any actions or omissions by Business Associate, or any of its officers, employees, directors, agents or representatives which result in a breach or other violation by Business Associate of this Agreement or HIPAA as that term is defined herein without limiting the foregoing, Covered Entity shall give Business Associate prompt written notice of such claim, suit, or proceeding. The parties hereto agree that no provision in the Underlying Contract(s) shall, in any way, modify or nullify this Section 7 in any manner.
    2. Covered Entity shall indemnify and hold Business Associate and each of its officers, employees, directors, agents and representatives (“Indemnified Persons”) harmless from and against any and all claims, losses, costs, damages, or expenses, including reasonable attorneys’ fees, that arise out of any actions or omissions by Covered Entity, or any of its officers, employees, directors, agents or representatives which result in a breach or other violation by Covered Entity of this Agreement or HIPAA as that term is defined herein without limiting the foregoing, Business Associate shall give Covered Entity prompt written notice of such claim, suit, or proceeding. The parties hereto agree that no provision in the Underlying Contract shall, in any way, modify or nullify this Section 7 in any manner.
  8. Conflicting Laws and Obligations. If Business Associate believes that it is unable to comply with any of its obligations under this Agreement due to any conflicting laws, regulations, pronouncements, or ethical obligations, it may seek a determination, or judgment, from a court of competent jurisdiction regarding its ability to comply with such obligations, so long as such actions will not cause Covered Entity or Business Associate to be in violation of HIPAA.
  9. Notices. Any notices required or permitted to be given under this Agreement shall be in writing and shall be personally delivered or sent by facsimile or by certified or registered overnight mail, first class postage prepaid, return receipt requested, or by prepaid overnight delivery service such that proof of delivery will be obtained, and shall be addressed as set forth below or to such other address as may be specified in a prior written notice to the other party.
    1. If to Covered Entity:
      ISALUS, LLC
      212 W 10th Street Suite B120
      Indianapolis IN 46202
      317-536-3978
    2. If to Business Associate:  
      Customer Address     

    Such notice shall be deemed to be given on the date it is hand delivered, faxed or deposited in the overnight mail as stated above. A notice shall be deemed to have been given personally to a party if it is handed to the representative of the party to whom the notice must be addressed or if left at his or her office located at the street address to which a notice would be mailed.

  10. Amendment. This Agreement may not be changed, modified, or amended except by a written agreement executed by an authorized representative acting on behalf of each of the parties.
  11. No Waiver. No waiver of one or more of the provisions of this Agreement or the failure to enforce any provision of this Agreement by either party shall be construed as a waiver of any subsequent breach of this Agreement, or a waiver of the right at any time thereafter to require strict compliance with all of its terms.
  12. Entire Agreement. This Agreement sets forth the entire agreement and understanding between the parties as to the matters contained in it, and supersedes all prior discussions, agreements, and understandings of every kind and nature between them.
  13. Headings. The headings placed before the various paragraphs and subparagraphs of this Agreement are inserted for ease of reference only, do not constitute a part of this Agreement, and shall not be used in any way whatsoever in the construction or interpretation of this Agreement.
  14. Governing Law. This Agreement shall be construed and enforced in accordance with, and governed by, the laws of the state of Indiana without reference to the choice of laws principles thereof.
  15. Counterparts. This Agreement and any amendment hereto may be executed in multiple counterparts, each of which is an original and all of which constitute one agreement. The exchange of a fully executed Agreement, in counterparts or otherwise, by facsimile transmission, electronic mail, “portable document format” (“pdf”), or by any other electronic means intended to preserve the original graphic and pictorial appearance of a document, shall be sufficient to bind the parties to the terms and conditions of this Agreement.
  16. No Third Party Beneficiaries. This Agreement is to be effective only in regard to the rights and obligations of Covered Entity and Business Associate to one another hereunder. It is expressly not the intent of the parties hereto to create any independent rights in any third party or to make any third party beneficiary to this Agreement and no privity of contract shall exist between third parties and each party hereto.

IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed by their duly authorized representatives on the dates set forth upon execution of business relationship with iSALUS Healthcare at www.isalushealthcare.com.
