BUSINESS ASSOCIATE AGREEMENT
Last Updated: 01-26-21
This Business Associate Agreement (“Agreement”) is an addendum to the service agreement between the Parties (the “Service Agreement”) that includes a reference to where it is posted and is effective as of the effective date of the Service Agreement. This Agreement is entered into by and between AutoRABIT Holding, Inc. (the “Business Associate”) and the AutoRABIT customer that is the other party to the Service Agreement and is a Covered Entity, as that term is defined in HIPAA (“Covered Entity”) (each a “Party” and collectively the “Parties”).
NOW, THEREFORE, for good and valuable consideration, the sufficiency of which is hereby acknowledged, the Parties agree as follows:
A. Capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as the meaning ascribed to those terms in the Health Insurance Portability and Accountability Act of 1996, as codified at 42 U.S.C. § 1320d (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009, as codified at 42 U.S.C. § 17901 et seq. (“HITECH Act”), and any applicable current and future regulations promulgated under HIPAA or the HITECH Act (HIPAA, HITECH Act and any applicable current and future regulations promulgated under either are referred to as the “Regulations”).
B. Protected Health Information or PHI. “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 CFR § 160.103, limited to the information created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity, including but not limited to electronic PHI.
II. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE:
A. Business Associate may only use and disclose PHI as permitted by this Agreement or as Required by Law. Specifically, Business Associate may (1) use and disclose PHI to perform its obligations as set forth in the Service Agreement, provided that such use or disclosure would not violate HIPAA if done by Covered Entity; (2) use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities; (3) disclose PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities, if such disclosure is Required by Law or if Business Associate obtains reasonable assurances from the recipient that the recipient will keep the PHI confidential, use or further disclose the PHI only as Required by Law or for the purpose for which it was disclosed to the recipient, and notify Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached; (4) use PHI to provide Data Aggregation services relating to the Health Care Operations of Covered Entity at the request and direction of Covered Entity; and (5) use PHI to create de-identified information consistent with the standards set forth at 45 CFR §164.514. Business Associate will not sell PHI or use or disclose PHI for purposes of marketing, as defined and proscribed in the Regulations.
B. Business Associate will limit its uses and disclosures of, and requests for, PHI (1) when practical, to the information making up a Limited Data Set; and (2) in all other cases subject to the requirements of 45 CFR § 164.502(b), to the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request.
III. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE:
A. Business Associate agrees not to use or disclose PHI other than as permitted or required by the Service Agreement, this Agreement, or as Required by Law. Business Associate will comply with the provisions of this Agreement related to privacy and security of PHI and the Regulations, as they may be modified from time to time, and that are applicable to Business Associate. To the extent that Business Associate performs any of Covered Entity’s obligations under the Privacy Rule, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligation.
B. Business Associate agrees to use appropriate administrative, physical and technical safeguards, and comply with the Security Rule with respect to electronic PHI, to prevent the use or disclosure of the PHI other than as provided for by this Agreement.
C. Business Associate shall ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of Business Associate agree to restrictions and conditions no less restrictive than those that apply through this Agreement to Business Associate with respect to such information. Business Associate shall enter into written agreements with any such subcontractors, and the terms of such agreements shall incorporate the applicable requirements of, and otherwise comply with, the Regulations.
D. Business Associate will make available during normal business hours all records, books and internal practices relating to the use or disclosure of PHI to the Secretary, in a reasonable time and manner designated by the Secretary, for purposes of determining Covered Entity’s compliance with the Regulations, subject to attorney-client and other applicable legal privileges.
E. Business Associate will provide documentation regarding any disclosures by Business Associate that would be required for an accounting of disclosures to an Individual under 45 CFR § 164.528, within a reasonable amount of time of receipt of a request from Covered Entity. Any request under § 164.528 from an Individual made directly to Business Associate will be referred within five (5) business days to Covered Entity, to the extent the Individual identifies Covered Entity.
F. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make PHI available for amendment and incorporate any amendments to PHI in accordance with the requirements of 45 C.F.R. § 164.526. Any request under § 164.526 from an Individual made directly to Business Associate will be referred within five (5) business days to Covered Entity, to the extent the Individual identifies Covered Entity.
G. To the extent Business Associate maintains PHI in a Designated Record Set, Business Associate agrees to make PHI available to the extent and in the manner required by 45 C.F.R. § 164.524. Any request under § 164.524 from an Individual made directly to Business Associate will be referred within five (5) business days to Covered Entity, to the extent the Individual identifies Covered Entity.
H. Business Associate agrees to comply with any requests for restrictions on certain disclosures of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. § 164.522 and the Regulations and of which Business Associate has been notified in writing by Covered Entity.
I. Business Associate will mitigate, to the extent practicable, any harmful effects from any use or disclosure of PHI by Business Associate not permitted by this Agreement.
J. Business Associate agrees to notify within five (5) business days the designated Privacy Official of the Covered Entity of any use or disclosure of PHI by Business Associate not permitted by this Agreement, any Security Incident, and any Breach of Unsecured Protected Health Information of which Business Associate becomes aware; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence or attempts of Unsuccessful Security Incidents, for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” means, without limitation, Internet Control Message Protocol (ICMP) traffic and other broadcast attacks on Business Associate’s firewall, including but not limited to port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in unauthorized access, use, disclosure, modification or destruction of electronic PHI.
1. If known to Business Associate, Business Associate shall provide the following information to Covered Entity within ten (10) business days of discovery of a breach of unsecured PHI except when despite all reasonable efforts by Business Associate to obtain the information required, circumstances beyond the control of the Business Associate necessitate additional time. Under such circumstances Business Associate shall provide to Covered Entity the following information as soon as possible and without unreasonable delay, but in no event later than thirty (30) calendar days from the date of discovery of a breach:
a. the date of the breach;
b. the date of the discovery of the breach;
c. a description of the types of unsecured PHI that were involved;
d. identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed; and
e. any other details reasonably necessary to complete a risk assessment in accordance with the Regulations.
2. Business Associate will reasonably cooperate with Covered Entity in providing notification to individuals whose unsecured PHI has been disclosed, as well as to the Secretary and the media, to the extent required by 45 C.F.R. § 164.410; provided that Business Associate shall not provide any such notifications on behalf of Covered Entity without the express written consent of Covered Entity.
3. Business Associate agrees to pay actual reasonable costs of notification Required by Law incurred by Covered Entity in connection with a Breach of Unsecured PHI directly caused by Business Associate, including credit monitoring, if such measures are Required by Law.
4. Business Associate agrees to establish reasonable procedures to investigate the breach, mitigate losses, and protect against future similar breaches, and to provide a description of these procedures and the specific findings of the investigation to Covered Entity in the time and manner reasonably requested by Covered Entity.
III. TERM AND TERMINATION:
A. Term. This Agreement shall become effective on the date of execution of a Service Agreement, and shall terminate upon the later of the termination or expiration of all Service Agreement(s) or when all PHI has been destroyed or returned to Covered Entity or Business Associate extends the protection of this Agreement to PHI for which it is infeasible to return or destroy in accordance with Section III.C. Notwithstanding the foregoing, obligations imposed on either Party pursuant to the Regulations must be complied with only when the particular provisions referenced become effective or compliance becomes required, whichever is later.
B. Termination for Cause. Either Party may immediately terminate this Agreement and the Service Agreement(s) if such Party makes the determination that the other Party has breached a material term of this Agreement; provided, however, that the non-breaching Party may choose to provide the breaching Party with written notice of the existence of an alleged material breach and thirty (30) days opportunity to cure the breach.
C. Effect of Termination.
1. Upon termination or expiration of this Agreement, if feasible, Business Associate agrees to return to Covered Entity or destroy, within thirty (30) days of the termination or expiration of this Agreement, all PHI in the possession of Business Associate and/or in the possession of any subcontractor or agent of Business Associate (including without limitation destroying all backup tapes and permanently deleting all electronic PHI) and to retain no copies of the PHI.
2. In the event that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity a written statement that it is infeasible to return or destroy the PHI and describe the conditions that make return or destruction of the PHI infeasible. Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains the PHI.
The Parties’ respective liability under this Agreement is subject to the limitations of liability contained in the Service Agreement.
A. Amendments. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. In the event that any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, the remainder of the provisions of this Agreement will remain in full force and effect. The Parties agree to take such action to amend this Agreement from time to time as is necessary to achieve and maintain compliance with the requirements of the Regulations.
B. Survival. The respective rights and obligations of Business Associate and Covered Entity set forth in Section III.C. and Section IV shall survive termination of this Agreement.
C. Regulatory References. Any reference herein to a federal regulatory section within the Code of Federal Regulations shall be a reference to such section as it may be subsequently updated, amended or modified.
D. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with HIPAA. Furthermore, in case of any conflict between the terms and conditions of this Agreement and the Service Agreement, the terms and conditions of this Agreement shall prevail.
E. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate, or their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
F. Assignment. No Party may assign its respective rights and obligations under this Agreement without the prior written consent of the other Party, except as set forth in the Service Agreement.
G. Independent Contractors. None of the provisions of this Agreement are intended to create, nor will they be deemed to create any relationship between the Parties other than that of independent parties contracting with each other solely for the purposes of effecting the provisions of this Agreement and any other agreements between the Parties evidencing their business relationship.
H. Non-Waiver. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation, on any other occasion.
I. Headings. The section headings contained in this Agreement are for reference purposes only and will not affect the meaning of this Agreement.
J. Notices. Any notices given hereunder shall be in writing and pursuant to the Notice provision in the Service Agreement and addressed as follows:
If to Covered Entity:
Attention: Privacy Official
If to Business Associate:
Attention: as set forth in the Service Agreement