Business Associate Agreement
Whereas _______________ referred herein as “Covered Entity” and PRACTICESUITE, INC, a Delaware Corporation together with their designees, employees, associates, affiliates, successors, and assigns referred herein as “Business Associate”, intend to protect the privacy and provide for the security of certain Protected Health Information (“PHI”) to which Business Associate may have access in order to provide goods or services to or on behalf of Covered Entity under the “Underlying Agreement”. This agreement is effective the date of the Underlying Agreement, or first date of use of the PracticeSuite software and/or services, or the date of this Agreement whichever is earlier.
WHEREAS both parties are subject to Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (“HIPAA”), the HIPAA Privacy rule (“Privacy Rule”), 45 CFR §160 and §164, and the HIPAA Security Rule (“Security Rule”), 45 CFR §160, §162 and §164 issued by the U.S. Department of Health and Human Services, as either have been amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111–5); the Office for Civil Rights’ rules and guidance regarding Business Associate Agreements; and the Omnibus Rule released in January 2013 ( the “Final HITECH Rule”). As used herein, the laws and regulations stated above shall be collectively referred to as the “HIPAA Rules.”
WHEREAS Business Associate may receive PHI from Covered Entity or may create or obtain PHI from other parties for use on behalf of Covered Entity which must be handled in accordance with this Agreement and the standards established by the Privacy Rule and the Security Rule upon the effective date of the Underlying Agreement.
NOW, THEREFORE, in consideration of the foregoing recitals, the mutual promises and covenants set forth herein and other good and valuable consideration, the receipt and sufficiency of which hereby are acknowledged, the parties agree as follows.
Capitalized terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR §160, §162 and §164.
- “Underlying Agreement” shall include Channel Partner Agreement or Value-Added Reseller Agreement, Professional Service Agreement and/or End-User Agreement and/or Non- Disclosure Agreement entered between Business Associate and Covered Entity and/or clients of Covered Entity.
- “Business Associate” shall have the meaning given to such term under the Privacy and Security Rules, including but not limited to 45 CFR §160.103.
- “Covered Entity” shall have the meaning given to such term under the Privacy and Security Rules, including, but not limited to 45 CFR §160.103.
- “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
- “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR §160 and §164, Subparts A and E, as amended by the HITECH Act and as may otherwise be amended from time to time.
- “Individual” shall have the same meaning as the term “individual” in 45 CFR §164.501 and shall include a person that qualifies as a Personal Representative in accordance with 45 CFR §164.502(g).
- “Protected Health Information” or “PHI” means any information, transmitted or recorded in any form or medium; (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future for the provision of health care to an individual, and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under HIPAA and the HIPAA Regulations at 45 CFR Parts 160, 162 and 164, including, but not limited to 45 CFR §164.501.
- “Security Rule” shall mean the Security Standards at 45 CFR Parts 160, 162 and 164.
- “Required by Law” shall have the same meaning as the term “required by law” in 45 CFR §164.501.
- “Unsecured Protected Health Information” or “Unsecured PHI” shall mean PHI that is not secured using a technology or methodology that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as specified in guidance issued by the Secretary.
- “Breach” shall have the same meaning as the term “breach” in §13400 of the HITECH Act and shall include the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information.
- Stated Purposes for Which Business Associate May Use or Disclose PHI.
- The Parties hereby agree that Business Associate shall be permitted to use and/or disclose PHI provided by or obtained on behalf of Covered Entity for the purpose of fulfilling obligations under the Underlying Agreement, including without limitation, installation, setup, implementation, support, electronic claims management, follow-up with Insurance companies and patients and day-to-day operational purposes for data maintenance and support.
- Except as otherwise limited in this Agreement, Business Associate shall be permitted to use or disclose PHI provided by or obtained on behalf of Covered Entity to perform those functions, activities, or services for, or on behalf of, Covered Entity that are specified in the Underlying Agreement, provided that such use or disclosure would not violate the Privacy Rule and Security Rule if performed by Covered Entity.
- Additional Purposes for Which Business Associate May Use or Disclose Information.
In addition to the Stated Purposes, Business Associate may use or disclose PHI provided by, created or obtained on behalf of Covered Entity as follows:
- Use of PHI for Management, Administration and Legal Responsibilities. Business Associate may use PHI for the proper management and administration of Business Associate or to carry out legal responsibilities of Business Associate.
- Disclosure of PHI for Management, Administration and Legal Responsibilities. Business Associate may disclose PHI provided by, or created or obtained on behalf of, Covered Entity for the proper management and administration of Business Associate or to carry out legal responsibilities of Business Associate, provided:
- The disclosure is required by law: or
- Business Associate obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the third party, the third party will use appropriate safeguards to prevent other use or disclosure of the information, and the third party agrees to immediately notify the Business Associate of any instance of which it is aware in which the confidentiality of the information has been breached.
- Data Aggregation Services. Business Associate may use or disclose PHI to provide data aggregation services, as set forth in 45 CFR §164.501 and § CFR 164.504(e)(2)(i)(B).
- De-Identification. Business Associate may de-identify PHI created or received by Business Associate pursuant to this Agreement provided that the de-identification conforms to the requirements of the Privacy Rule. The parties acknowledge that once PHI is de-identified by Business Associate, such de-identified data is not subject to the terms of this Business Associate Agreement and may be used by Business Associate for any purpose, without limitation, to the extent permissible by law.
- Business Associate Obligations.
- Limits on Use and Further Disclosure Established by This Agreement or Required By Law. Business Associate shall not use or disclose PHI other than as required or permitted by this Agreement, the Underlying Agreement or as required by law.
- Appropriate Safeguards. Business Associate shall establish and maintain appropriate safeguards to prevent any use or disclosure of PHI other than as provided for by this Agreement. Appropriate safeguards shall include implementing administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI that is created, received, maintained, or transmitted on behalf of the Covered Entity.
- Reports of improper Use or Disclosure. Business Associate hereby agrees that it shall report to the Covered Entity, within ten (10) days of discovery, any use or disclosure of PHI not provided for or allowed by this Agreement or as required by law, including Breaches of PHI.
- Reports of Security Incidents. Business Associate shall report to the Covered Entity within ten (10) days of discovery any Security Incident of which it becomes aware. Notwithstanding the foregoing, Covered Entity acknowledges that this Agreement constitutes notice of all Unsuccessful Security Incidents and additional notice of Unsuccessful Security Incidents will not be required. For purposes of this Business Associate Agreement, “Unsuccessful Security Incidents” include without limitation: (i) “pings” (a request-response utility used to determine whether a specific Internet Protocol (IP) address, or host, exists or is accessible); (ii) port scans; (iii) malware (such as viruses and worms) that is detected and eradicated prior to having any effect on the relevant information system; (iv) attempts to log on to the information system or enter a database containing Protected Health Information with an invalid password or username; and (v) denial-of-service attacks that do not result in an information system server being taken off-line; so long as no such incident results in a potential unauthorized access, Use, Disclosure, modification, or destruction of Protected Health Information or interference with an information system.
- Compliance with the Privacy Rule. To the extent the Business Associate has been engaged to perform any obligation described in the Privacy Rule on behalf of Covered Entity, Business Associate agrees to comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations.
- Subcontractors and Agents. Business Associate agrees to ensure that its agents and/or subcontractors that create, receive, maintain and/or transmit PHI agree to substantially the same restrictions and conditions that apply through this Agreement to Business Associate.
- Right of Access to PHI. Business Associate agrees to provide access to PHI in a Designated Record Set to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524, within 10 business days of receiving a written request from the Covered Entity. If Business Associate receives a request for access to PHI directly from an individual, Business Associate will notify Covered Entity of receipt of the same.
- Amendment and Incorporation of Amendments. Within 10 business days of receiving a request from Covered Entity for an amendment of PHI maintained in a Designated Record Set, Business Associate shall make the PHI available and incorporate the amendment to enable Covered Entity to comply with 45 CFR §164.526.
- Provide Accounting of Disclosures. Business Associate agrees to maintain a record of all disclosures of PHI in accordance with 45 CFR §164.528. Business Associate shall make such record available to the Individual or the Covered Entity within 30 days of a request for an accounting of disclosures.
- Access to Books and Records. Business Associate hereby agrees to make its internal practices, books, and records relating to the use or disclosure of PHI received from or created or received by Business Associate on behalf of the Covered Entity, available to the Secretary of Health and Human Services or designee for purposes of determining compliance with Security and Privacy Regulations.
- Return or Destruction of PHI. At termination of this Agreement, if feasible, Business Associate hereby agrees to return or destroy all PHI provided by or obtained on behalf of Covered Entity and not retain any copies of the PHI after termination of this Agreement. If return or destruction of the PHI is not feasible, Business Associate agrees to extend the protections of this Agreement to limit any further use or disclosure until such time as the PHI may be returned or destroyed.
- Mitigation Procedures. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of PHI by the Business Associate in violation of the requirements of this Business Associate Agreement.
- Reporting Violations of Law. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 42 CFR §164.502(j)(1).
- Obligations of Covered Entity.
- Provision of Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity’s Notice of Privacy Practices that the Covered Entity produces in accordance with 45 CFR §164.520, as well as changes to such limitation(s).
- Permissions. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by individual to use or disclose PHI of which Covered Entity is aware, if such changes affect Business Associate’s permitted or required uses and disclosures.
- Restrictions. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
- Safeguards for Protection of PHI. Covered Entity shall: (a) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, privacy and security of PHI that it creates, receives, maintains, or transmits to Business Associate; (b) protect and safeguard from any oral or written disclosure all PHI, in accordance with applicable statutes and regulations, including, but not limited to, HIPAA & HITECH and CURES Act; (c) implement and maintain appropriate policies and procedures to protect and safeguard PHI; (d) use appropriate safeguards to prevent use or disclosure of PHI other than as permitted or Required by Law; and (e) otherwise comply with the standards and requirements of HIPAA & HITECH and CURES Act. Covered Entity shall notify Business Associate of any material change to any aspect of its security safeguards.
- Interoperability and Transferability of Electronic PHI. Both the Covered Entity and the Business Associate agree not to engage in practices likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic PHI in violation of 45 C.F.R. Part 171.
- Term and Termination.
- Term and Termination. This Agreement shall become effective on the Effective Date and remain in effect for the entire term of the Underlying Agreement, or until otherwise terminated as set forth herein.
- Termination for Cause. Without limiting the termination rights of the parties pursuant to the Underlying Agreement, in the event of a material breach of the terms of this Business Associate Agreement, the non-breaching party shall provide notice of the breach and an opportunity for the breaching party to cure the breach as per the provisions of Underlying Agreement for such termination.
- Effect of Termination; Return/Destruction of PHI. Covered Entity acknowledges that due to the nature of the services provided by Business Associate, return or destruction of all PHI may not be feasible. Consequently, if the return or destruction of PHI held or received by Business Associate is not feasible; Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction of the PHI infeasible.
- Dispute Resolution and Arbitration. Any controversy or claim arising out of or relating to this Agreement, or the breach thereof, shall be settled by arbitration in accordance with the dispute resolution provisions of the underlying Agreement.
- Other Provisions.
- Construction. This Agreement shall be construed as broadly as necessary to implement and comply with HIPAA & HITECH and CURES regulations. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with HIPAA & HITECH and CURES regulations.
- Notice. All notices and other communications required or permitted pursuant to this Agreement shall be in writing, addressed to the party at the address set forth in the Underlying Agreement, or to such other address as either party may designate from time to time. All notices and other communications shall be mailed by registered or certified mail, return receipt requested, postage pre-paid, or transmitted by hand delivery or telegram with a courtesy copy e-mailed to email@example.com. All notices shall be effective as of the date of delivery of personal notice or on the date of receipt, whichever is applicable.
- Amendment. This Agreement may only be amended through a writing signed by the parties and, thus, no oral modification hereof shall be permitted. The parties agree to take such action as is necessary to amend this Agreement from time to time to ensure consistency with amendments to and changes in applicable federal and state laws and regulations, including, but not limited to, HIPAA. This Agreement constitutes the entire agreement between the parties. No oral statement or prior written material not specifically mentioned herein shall be of any force or effect and no change in or addition to this Agreement shall be recognized unless evidenced by a writing executed by Covered Entity and Business Associate, such amendment(s) to become effective on the date stipulated therein.
- Assignment. This Agreement shall follow any permitted assignment of one or more of the Underlying Agreements, and thereby shall be applicable to, and binding on, any permitted assignee of one or more of the Underlying Agreements.
- Governing Law and Venue. This Agreement has been executed and delivered in, and shall be interpreted, construed, and enforced pursuant to and in accordance with the laws of the State of Florida, without giving effect to the application of conflicts of laws.
- Headings. Headings contained in this Agreement are for reference purposes only and shall not affect in any way the meaning or interpretation of this Agreement.
- Binding Effect. This Agreement shall be binding upon, and shall inure to the benefit of, the parties hereto and their respective permitted successors and assigns.
- Counterparts. This Agreement may be executed in multiple counterparts, each of which shall constitute an original and all of which shall constitute but one Agreement.
- Gender and Number. The use of the masculine, feminine or neuter genders, and the use of the singular and plural, shall not be given an effect of any exclusion or limitation herein. The use of the word “person” or “party” shall mean and include any individual, trust, corporation, partnership, or other entity.
- Priority of Agreement. This Agreement shall supersede all prior Agreements entered between parties. If any portion of this Agreement is inconsistent with the terms of Underlying Agreement, the terms of this Agreement shall prevail. Except as set forth above, the remaining provisions of any underlying Agreement are to be ratified in their entirety.
- No Construction Against Drafter. This Agreement is not to be construed against the drafting party.
- Authority to Contract. Each party represents and warrants that said party is authorized to enter into this Agreement and to be bound by its terms.
- Electronic Signatures. This Agreement may be executed electronically by the parties. An electronic signature or mark by a party shall have the same legal validity and enforceability as a manually executed signature to the fullest extent permitted by applicable law, including the Federal Electronic Signatures in Global and National Commerce Act, or any similar state law and the parties hereby waive any objection to the contrary.