Business Associate Agreement


Business Associate Agreement

Whereas the Client, referred herein as “Covered Entity” and PRACTICESUITE, INC, a Delaware Corporation together with their designees, employees, associates, affiliates, successors, and assigns referred herein as “Business Associate”, intend to protect the privacy and provide for the security of certain Protected Health Information (PHI) to which Business Associate may have access in order to provide goods or services to or on behalf of Covered Entity under the “Underlying Agreement”. This agreement is effective the date of the Underlying Agreement, or first date of use of the PracticeSuite software and/or services, or the date of this Agreement whichever is earlier.

WHEREAS both parties are subject to Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA), the HIPAA Privacy rule (Privacy rule), 45 CFR Parts 160 and 164, and the HIPAA Security Rule (Security Rule), 45 CFR Parts 160, 162 and 164 issued by the U.S. Department of Health and Human Services, as either have been amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111–5); the Office of Civil Rights’ certain rules regarding Business Associate Agreements (“Omnibus Rule”) released in January 2013 ( the “Final HITECH Rule”) relating to obligations of each in connection with the privacy and security of individually identifiable health information that is subject to protection under HIPAA for the privacy of PHI of patients of Covered Entity; and the provisions as declared by the Office of the National Coordinator for Health IT in the 21st Century Cures Act as they pertain to the secure access, exchange and use of electronic health information (the “Final Rule”).

WHEREAS Business Associate may receive PHI from Covered Entity or may create or obtain PHI from other parties for use on behalf of Covered Entity which must be handled in accordance with this Agreement and the standards established by the Privacy Rule and the Security Rule upon the effective date of the Underlying Agreement.

NOW, THEREFORE, Covered Entity and Business Associate agree as follows:

  1. Definitions.
  2. Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR Parts 160, 162 and 164.
    1. “Underlying Agreement” shall include Channel Partner Agreement or Value-Added Reseller Agreement and/or End-User Agreement and/or Non- Disclosure Agreement entered between Business Associate and Covered Entity and/or clients of Covered Entity. In lieu of the OMNIBUS Rule, the Underlying Agreement shall include any agreement entered between Business Associate and its Subcontractors or third- party entities wherein Business Associate shall make PHI of the Covered Entity available to meets its obligations of Covered Entity under Business Associate’s Underlying Agreement with Covered Entity.
    2. “Business Associate” shall have the meaning given to such term under the Privacy and Security Rules, including but not limited to 45 CFR §160.103.
    3. “Covered Entity” shall have the meaning given to such term under the Privacy and Security Rules, including, but not limited to 45 CFR §160.103.
    4. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
    5. “Privacy rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Parts 160 and 164, Subparts A and E, as amended by the HITECH Act and as may otherwise be amended from time to time.
    6. “Individual” shall have the same meaning as the term “individual” in 45 CFR §164.501 and shall include a person that qualifies as a personal representative in accordance with 45 CFR §164.502(g).
    7. “Protected Health Information” or “PHI” means any information, transmitted or recorded in any form or medium; (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future for the provision of health care to an individual, and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under HIPAA and the HIPAA Regulations at 45 CFR Parts 160, 162 and 164, including, but not limited to 45 CFR §164.501.
    8. “Security Rule” shall mean the Security Standards at 45 CFR Parts 160, 162 and 164.
    9. “Required by Law” shall have the same meaning as the term “required by law” in 45 CFR §164.501.
    10. “Unsecured Protected Health Information” or “Unsecured PHI” shall mean PHI that is not secured using a technology or methodology that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as specified in guidance issued by the Secretary.
    11. “Breach” shall have the same meaning as the term “breach” in §13400 of the HITECH Act and shall include the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information.
  3. Stated Purposes for Which Business Associate May Use or Disclose PHI.
    1. The Parties hereby agree that Business Associate shall be permitted to use and/or disclose PHI provided by or obtained on behalf of Covered Entity for the purpose of installation, setup, implementation, support, electronic claims management, follow-up with Insurance companies and patients and day-to- day operational purpose for data maintenance and support.
    2. Except as otherwise limited in this Agreement, Business Associate shall be permitted to use or disclose PHI provided by or obtained on behalf of Covered Entity to perform those functions, activities, or services for, or on behalf of, Covered Entity that are specified in the underlying Agreement, provided that such use or disclosure would not violate the Privacy and Security Rule if performed by Covered Entity or are in compliance with the minimum necessary best practices policies and procedures of the Covered Entity(if there is one available by Covered Entity).
  4. Additional Purposes for Which Business Associate May Use or Disclose Information.
  5. In addition to the Stated Purposes, Business Associate may use or disclose PHI provided by, created or obtained on behalf of Covered Entity for the following additional purposes(s) (optional section):
    1. Use of Information for Management, Administration and Legal Responsibilities.
    2. Business Associate is permitted to use PHI, if necessary, for the proper management and administration of Business Associate or to carry out legal responsibilities of the Business Associate, except as otherwise limited in this Agreement.
    3. Disclosure of Information for Management, Administration and Legal Responsibilities. Business Associate is permitted to disclose PHI provided by, or created or obtained on behalf of Covered Entity for the proper management and administration of Business Associate or to carry out legal responsibilities of Business Associate, except as otherwise limited in this Agreement, provided:
    4. (1) The disclosure is required by law: or
      (2)The Business Associate obtains reasonable assurances in writing from any third party to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the third party, the third party will use appropriate safeguards to prevent other use or disclosure of the information, and the third party agrees to immediately notify the Business Associate of any instance of which it is aware in which the confidentiality of the information has been breached.
    5. Data Aggregation Services. Business Associate may also be permitted to use or disclose PHI to provide data aggregation services, as set forth in 45 CFR §164.501 and § CFR 164.504(e)(2)(i)(B).
  6. BUSINESS ASSOCIATE OBLIGATIONS:
    1. Limits on Use and Further Disclosure Established by This Agreement Or Required By Law. Business Associate hereby agrees that the PHI provided by or created or obtained on behalf of Covered Entity shall not be further used or disclosed other than as permitted or required by this Agreement or as required by law. This section complies with the requirements as set forth in Subpart C of 45 CFR Part 164.
    2. Appropriate Safeguards. To the extend Business Associate is to carry out one or more of Covered Entity’s obligation(s) under the Privacy Regulation (Subpart E of 45 CFR Part 164), beginning as soon as practicable but in no event later than the effective date of the Security Rule and Privacy Rule, Business Associate shall establish and maintain appropriate safeguards to prevent any use or disclosure of PHI other than as provided for by this Agreement. Appropriate safeguards shall include implementing administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that is created, received, maintained, or transmitted on behalf of the Covered Entity.
    3. Reports of improper Use or Disclosure. Business Associate hereby agrees that it shall report to the Covered Entity within ten (10) days of discovery any use or disclosure of PHI not provided for or allowed by this Agreement or as required by law.
    4. Reports of Security Incidents. Beginning as soon as practicable but in no event later than the effective date of the Security Rule, Business Associate shall report to the Covered Entity within ten (10) days of discovery any security incident of which it becomes aware. This section complies with the requirements as set forth in 45 CFR §164.410
    5. Subcontractors and Agents.
      i. Business Associate hereby agrees that any time PHI is provided or made available to any subcontractors or agents, Business Associate shall provide only the minimum necessary PHI for the purpose of the covered transaction and shall first enter into a subcontract or contract with the subcontractor or agent that contains the same terms, conditions and restrictions on the use and disclosure of PHI as contained in this Agreement including complying with the applicable Security Regulation requirements with respect to PHI. This section complies with the requirements as set forth in 45 CFR §164.502(e)(1)(ii) and 164.308(b)(2). ii. Business Associate shall assert good judgment to comply with this requirement with its subcontractor(s) or agent(s). Certain subcontractor(s) or agent(s) that provide services to Business Associate may not have direct or indirect access to PHI data at rest or PHI data in transit(transmit) PHI because of the security best practices including policies, procedures, segregation of duties, access controls and encryption technologies (for data at rest and data in transit) implemented by Business Associate; and therefore, the Underlying Agreement(s) between Business Associate and such subcontractor(s) or agent(s) may not be required to incorporate this requirement in such Underlying Agreement(s).
    6. Right of Access to PHI. Business Associate hereby agrees to allow an individual who is the subject of PHI maintained in a designated record set, to have access to and copy that individual’s PHI within 10 business days of receiving a written request from the Covered Entity. Business Associate shall provide PHI in the format requested, unless it cannot readily be produced in such format, in which case it shall be provided in standard hard copy. If any individual requests from Business Associate or its agents or sub-contractors access to PHI, Business Associate shall notify Covered Entity of same within 5 business days. Business Associate shall further conform with and meet all the requirements of 45 CFR §164.524.
    7. Amendment and Incorporation of Amendments. Within 10 business days of receiving a request from Covered Entity for an amendment of PHI maintained in a designated record set, Business Associate shall make the PHI available and incorporate the amendment to enable Covered Entity to comply with 45 CFR §164.526. If any individual requests an amendment from Business Associate or its agents or subcontractors, Business Associate shall notify Covered Entity of same within 10 business days.
    8. Provide Accounting of Disclosures. Business Associate agrees to maintain a record of all disclosures of PHI in accordance with 45 CFR §164.528. Such records shall include, for each disclosure, the date of the disclosure, the name and address of the recipient of the PHI, a description of the PHI disclosed, the name of the individual who is the subject of the PHI disclosed, the purpose of the disclosure, and shall include disclosures made on or after the date which is 6 years prior to the request or April 14, 2003, whichever is later. Business Associate shall make such record available to the individual or the Covered Entity within 30 days of a request for an accounting of disclosures. This section complies with the requirements as set forth in 45 CFR §164.528 and as of the date of compliance is required by final regulations, 42 U.S.C. § 17935(c)
    9. Make Available PHI to Covered Entity: Within fifteen (15) days of receiving a written request from Covered Entity, make available Protected Health Information(PHI), in accordance with 45 CFR § 146.524, as necessary for the Covered Entity to respond to individuals’ or patients requests for access to PHI about them, including as of September 23,2013, providing or sending a copy to a designated third party and providing or sending a copy in electronic format, to the extent that the PHI in Business Associate’s possession constitutes a Designated Record Set.
    10. Access to Books and Records. Business Associate hereby agrees to make its internal practices, books, and records relating to the use or disclosure of PHI received from, or created or received by Business Associate on behalf of the Covered Entity, available to the Secretary of Health and Human Services or designee for purposes of determining compliance with Security and Privacy Regulations.
    11. Return or Destruction of PHI. At termination of this Agreement, Business Associate hereby agrees to return or destroy all PHI provided by or obtained on behalf of Covered Entity. Business Associate agrees not to retain any copies of the PHI after termination of this Agreement. If return or destruction of the PHI is not feasible due to other Legal or other requirements or reasons, Business Associate agrees to extend the protections of this Agreement to limit any further use or disclosure until such time as the PHI may be returned or destroyed.
    12. Maintenance of PHI. Notwithstanding Section 4(j) of this Agreement, Business Associate and its subcontractors or agents shall retain all PHI throughout the term of the Agreement and shall continue to maintain the information required under §4(h) of this Agreement for a period of six (6) years after termination of the Agreement, unless Covered Entity and Business Associate agree otherwise.
    13. Mitigation Procedures. Business Associate agrees to establish and to provide to Covered Entity upon request, procedures for mitigating, to the maximum extent practicable, any harmful effect from the use or disclosure of PHI in a manner contrary to this Agreement or the Privacy Rule. 45 CFR §164.530(f). Business Associate further agrees to mitigate any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement or the Privacy rule.
    14. Sanction Procedures. Business Associate agrees that it shall develop and implement a system of sanctions for any employee, subcontractors or agents who violates this Agreement.
    15. Termination by Covered Entity. Business Associate authorizes termination of this Agreement by the Covered Entity if the Covered Entity determines, in its sole discretion that the Business Associate has violated a material term of this Agreement.
    16. Failure to Perform Obligations. In the event Business Associate fails to perform its obligations under this Agreement, Covered Entity may immediately discontinue providing PHI to Business Associate. Covered Entity may also, at its option, require Business Associate to submit to a plan of compliance, including monitoring by Covered Entity and reporting by Business Associate, as Covered Entity in its sole discretion determines to be necessary to maintain compliance with this Agreement and applicable law.
    17. Permitted Disclosure. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate, provided that disclosures are required by Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 42 CFR §164.502(j)(1).
  7. OBLIGATIONS OF COVERED ENTITY:
    1. Provision of Notice of Privacy Practices. Covered Entity shall provide Business Associate of any limitation(s) in Notice of Privacy Practices that the Covered Entity produces in accordance with 45 CFR §164.520, as well as changes to such limitation(s) in the future to the extent that such limitation(s) may impact Business Associates Use or Disclosure of PHI.
    2. Permissions. Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by individual to use or disclose PHI of which Covered Entity is aware, if such changes affect Business Associate’s permitted or required uses and disclosures.
    3. Restrictions. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that the Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
    4. Safeguards for Protection of PHI. Covered Entity shall: (a) implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, privacy and security of PHI that it creates, receives, maintains, or transmits to Business Associate; (b) protect and safeguard from any oral or written disclosure all PHI, in accordance with applicable statutes and regulations, including, but not limited to, HIPAA and the HITECH Act; (c) implement and maintain appropriate policies and procedures to protect and safeguard PHI; (d) use appropriate safeguards to prevent use or disclosure of PHI other than as permitted or Required by Law; and (e) otherwise comply with the standards and requirements of HIPAA and the HITECH Act. Covered Entity shall notify Business Associate of any material change to any aspect of its security safeguards.
    5. Interoperability and Transferability of Electronic PHI. Both the Covered Entity and the Business Associate agree not to engage in practices likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic PHI in accordance with 45 CFR §171 unless the event is consistent with one or more of the exceptions defined in 45 CFR §164.524(a)(1) and (2) of the HIPAA Privacy Rule and where neither applicable state or federal law is superseded.
  8. TERM AND TERMINATION:
    1. Term and Termination. This Agreement shall become effective on the Effective Date and remain in effect for the entire term of the Underlying Agreement, or until otherwise terminated as set forth herein.
    2. Termination for Cause. Upon the occurrence of a material breach of this Agreement by one of the parties (the “Breaching Party”), the other party shall: (a) provide opportunityfortheBreaching Partytocurethebreachorendtheviolation and,ifthe Breaching Party doesnotcurethe breach orendthe violation within the time specified, terminate this Agreement; (b) immediately terminate this Agreement if the Breaching Party has breached a material term of this Agreement and cure is not possible; or (c) if neither termination nor cure is feasible, report the violation to the Secretary.
    3. No Feasible Return/Destruction of PHI. Due to the nature of the services provided by Business Associate to or on behalf of Covered Entity and/or Covered Entity’s Client pursuant to the Underlying Agreement, Business Associate may be required to retain copies of information used by Business Associate on behalf of Covered Entity and/or Covered Entity’s Clients. Consequently, if the return or destruction of PHI held or received by Business Associate is not feasible; Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI. Business Associate shall remain bound by the provisions of this Agreement, even after termination of this Agreement and/or the Underlying Agreement, until such time as all PHI has been returned or otherwise destroyed as provided in this section.
    4. Effect of Termination. All rights, duties and obligations established in this Agreement shall survive termination of this Agreement.
  9. INDEMNIFICATION:
    1. Indemnification. Each party shall indemnify, hold harmless and defend the other party to this Agreement from and against any and all claims, losses, liabilities, costs and other expenses incurred as a result of, or arising directly or indirectly out of or in connection with: (i) any misrepresentation, breach of warranty or non- fulfillment of any undertaking on the part of the breaching party under this Agreement; and (ii) any claims, demands, awards, judgments, actions and proceedings made by any person or organization arising out of or in any way connected with the breaching party’s performance or non- performance, as applicable, of its obligations under this Agreement.
  10. OTHER PROVISIONS:
    1. Construction. This Agreement shall be construed as broadly as necessary to implement and comply with HIPAA and the HITECH regulations. The parties agree that any ambiguity in this Agreement shall be resolved in favor of a meaning that complies and is consistent with HIPAA and the HITECH regulations.
    2. Notice. All notices and other communications required or permitted pursuant to this Agreement shall be in writing, addressed to the party at the address set forth in the Underlying Agreement, or to such other address as either party may designate from time to time. All notices and other communications shall be mailed by registered or certified mail, return receipt requested, postage pre-paid, or transmitted by hand delivery or telegram. All notices shall be effective as of the date of delivery of personal notice or on the date of receipt, whichever is applicable.
    3. Amendment. This Agreement may only be amended through a writing signed by the parties and, thus, no oral modification hereof shall be permitted. The parties agree to take such action as is necessary to amend this Agreement from time to time to ensure consistency with amendments to and changes in applicable federal and state laws and regulations, including, but not limited to, HIPAA. This Agreement constitutes the entire agreement between the parties. No oral statement or prior written material not specifically mentioned herein shall be of any force or effect and no change in or addition to this Agreement shall be recognized unless evidenced by a writing executed by PRACTICESUITE and Business Associate, such amendment(s) to become effective on the date stipulated therein.
    4. Assignment. BUSINESS ASSOCIATE has entered into this Agreement in specific reliance on the expertise and qualifications of PRACTICESUITE. Consequently, Business Associate’s interest under this Agreement is entitled to terminate this Agreement if the Business Associate is not satisfied with the transferred or assigned or assumed entity.
    5. Governing Law and Venue. This Agreement has been executed and delivered in, and shall be interpreted, construed, and enforced pursuant to and in accordance with the laws of the State of Florida, without giving effect to the application of conflicts of laws.
    6. Dispute Resolution: The parties recognize that the problem resolution processes of mediation and arbitration are appropriate and preferable to resolve issues between the parties. If any party hereto wishes to resolve an issue under or relating to this Agreement, then such party must give notice of a request for mediation to the other parties, which notice shall set forth the names of not less than three (3) mediators from the panel of the American Arbitration Association or other mutually agreed upon alternative dispute resolution service. If Covered Entity sends the notice initiating mediation, the place of such mediation shall be in Hillsborough County, Florida. If Business Associate sends the notice initiating mediation, the place of mediation shall be the county of the primary business address of the Covered Entity.
    7. Headings. Headings contained in this Agreement are for reference purposes only and shall not affect in any way the meaning or interpretation of this Agreement.
    8. Binding Effect. This Agreement shall be binding upon, and shall inure to the benefit of, the parties hereto and their respective permitted successors and assigns.
    9. Counterparts. This Agreement may be executed in multiple counterparts, each of which shall constitute an original and all of which shall constitute but one Agreement.
    10. Gender and Number. The use of the masculine, feminine or neuter genders, and the use of the singular and plural, shall not be given an effect of any exclusion or limitation herein. The use of the word “person” or “party” shall mean and include any individual, trust, corporation, partnership, or other entity.
    11. Priority of Agreement. If any portion of this Agreement is inconsistent with the terms of the Underlying Agreement, the terms of this Agreement shall prevail. Except as set forth above, the remaining provisions of the Underlying Agreement are to be ratified in their entirety.
    12. No Construction Against Drafter. This Agreement is not to be construed against the drafting party.
    13. Authority to Contract. Each party represents and warrants that said party is authorized to enter into this Agreement and to be bound by its terms.