Business Associate Agreement
This Business Associate Agreement (“Agreement”) is between Customer (“Covered Entity”) and EngagedMD, Inc., a Delaware corporation (“Business Associate”) on the Order Effective Date.
- Covered Entity and Business Associate have entered into various arrangements and may in the future enter into additional arrangements (collectively, the “Underlying Contracts”) pursuant to which Business Associate provides various items and/or services to Covered Entity or Covered Entity’s patients and may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity.
- Covered Entity and Business Associate are committed to complying with the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively “HIPAA”).
In consideration of the promises contained in this Agreement and the Underlying Contracts and for other good and valuable consideration, the delivery and sufficiency of which is acknowledged, the parties agree as follows:
All capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as in HIPAA. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103 that is received, created, maintained, or transmitted by Business Associate on behalf of Covered Entity. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
Permitted Uses and Disclosures by Business Associate
Except as otherwise limited in this Agreement, Business Associate may: (i) Use or Disclose Protected Health Information in its possession to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Contracts, provided that such Use or Disclosure would not violate HIPAA if done by Covered Entity.
Except as otherwise limited in this Agreement, Business Associate may Use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
Except as otherwise limited in this Agreement, Business Associate may Disclose the Protected Health Information in its possession to a third party for the proper management and administration or to fulfill any legal responsibilities of Business Associate, provided that:
- The Disclosure is Required by Law; or
- Business Associate has received from the third party reasonable written assurances that: (1) the information will remain confidential and will be Used or further Disclosed only as Required by Law or for the purpose for which it was Disclosed to the party; and (2) the third party will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached.
Business Associate may Use Protected Health Information to create de-identified Health Information in accordance with 45 C.F.R. § 164.514(b).
Business Associate may Use Protected Health Information for Data Aggregation services related to the Health Care Operations of Covered Entity and its other covered entity customers.
Obligations and Activities of Business Associate
Business Associate shall not Use or Disclose Protected Health Information other than as permitted or required by this Agreement or as Required by Law.
Business Associate agrees to use appropriate administrative, physical, and technical safeguards and comply, where applicable, with the Security Standards for Protection of Electronic Protected Health Information, 45 C.F.R. Part 164 Subpart C (the “Security Rule”) with respect to Electronic Protected Health Information, to: (i) prevent Use or Disclosure of the Protected Health Information other than as provided for by this Agreement.
Business Associate agrees to otherwise comply with the applicable requirements of the Security Rule.
Business Associate agrees to promptly report to Covered Entity:
- Any Use or Disclosure of Protected Health Information not provided for by this Agreement, including Breaches of Unsecured Protected Health Information; and/or
- Any Security Incident, provided that this section shall hereby serve as notice, and no additional reporting shall be required, of any unsuccessful attempts at unauthorized Access, Use, Disclosure, modification, or destruction of information or unsuccessful interference with system operations in an information system.
For any Breach of Unsecured Protected Health Information, Business Associate agrees to supplement the above report with the information required by 45 C.F.R. § 164.410 without unreasonable delay and in no case later than 60 calendar days after discovery of the Breach.
Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on Business Associate’s behalf agree in writing to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such Protected Health Information, including complying with the applicable requirements of the Security Rule.
Business Associate agrees to make its internal practices, books, and records relating to the Use and Disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of the Department of Health and Human Services (“Secretary”) for the purposes of the Secretary determining compliance with HIPAA. Nothing in this section shall be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information.
Business Associate, upon request by Covered Entity, will make Protected Health Information in a Designated Record Set available to Covered Entity as necessary to allow Covered Entity to comply with its obligations to provide access to Individuals of their health information as required by 45 C.F.R. § 164.524.
Business Associate, upon request by Covered Entity, will make Protected Health Information in a Designated Record Set available to Covered Entity and will incorporate any amendments to such information as instructed by Covered Entity as necessary to allow Covered Entity to comply with its amendment obligations as required by 45 C.F.R. § 164.526.
Business Associate will maintain and, upon request by Covered Entity, provide Covered Entity with the information necessary for Covered Entity to provide an Individual with an accounting of Disclosures as required by 45 C.F.R. § 164.528.
To the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 164 Subpart E, including but not limited to the provision of a notice of privacy practices on behalf of Covered Entity, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
Business Associate shall not directly or indirectly receive remuneration in exchange for Protected Health Information unless such remuneration is permissible under HIPAA.
Business Associate (or its agents or subcontractors) will use reasonable efforts to request, Use and Disclose only the minimum amount of Protected Health Information necessary in accordance with 45 C.F.R. §§ 164.502(b) and 164.514(d).
Obligations of Covered Entity
Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of Protected Health Information.
Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate’s Use or Disclosure of Protected Health Information.
Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of Protected Health Information.
Covered Entity shall not request Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under the Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 164 Subpart E, if done by Covered Entity, except for Uses or Disclosures set forth in Sections 2(b) and 2(c) and 2(e) above.
Term and Termination
Term. The term of this Agreement shall commence as of the Effective Date and shall terminate when all Underlying Contracts have terminated.
Termination. Upon Covered Entity’s knowledge of a breach of this Agreement by Business Associate or its agents or subcontractors, Covered Entity may terminate the Underlying Contracts: (i) immediately if Covered Entity determines that there is a continuing risk to the confidentiality, integrity, or availability of Protected Health Information that cannot be immediately cured; or (ii) after Covered Entity has notified Business Associate of the breach and provided at least 30 calendar days for Business Associate to cure the breach if Business Associate has not cured the breach in such period of time.
Effect of Termination.
- Except as provided in paragraph (ii) of this section, upon termination of this Agreement or the Underlying Contracts for any reason, Business Associate shall return or destroy all Protected Health Information. Business Associate shall retain no copies of the Protected Health Information.
- In the event that Business Associate determines that returning or destroying the Protected Health Information obtained by Business Associate is infeasible, then Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further Uses and Disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for as long as Business Associate maintains such Protected Health Information. Further, Business Associate may retain a copy of PHI received from, or created or received by Business Associate for or on behalf of Covered Entity which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities, provided that Business Associate extend the protections of this Agreement to such information. This Section shall survive the termination of this Agreement for any reason.
No Third Party Beneficiaries. Nothing in this Agreement shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
Amendment; Waiver. This Agreement may be modified only in writing, executed by both parties. The waiver by either party of a breach or violation of any provision of this Agreement shall not be construed to be a continuing waiver or a waiver of any subsequent breach of either the same or any other provision of this Agreement.
Effect on Agreement. Except as specifically required to implement the purposes of this Agreement, or to the extent inconsistent with this Agreement, all other terms of the Underlying Contracts shall remain in force and effect.