This BUSINESS ASSOCIATE AGREEMENT ("BAA") is made in connection with the access to and use of the services of COMPLIANT INNOVATIONS, INC, a California limited liability company dba DOCSPERA ("Business Associate," or "us" or similar words), including our various websites, applications, SMS, APIs, eMail notifications, buttons, and widgets (the "Services"), and any information, text, graphics, photos or other materials uploaded, downloaded or appearing on the Services (collectively referred to as "Content"), by you ("Covered Entity," or "you" or similar words). Your access to and use of the Services are conditioned on your acceptance of and compliance with this BAA. By accessing or using the Services you agree to be bound by this BAA.
You are a "covered entity" under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 ("HIPAA") and, as such, must enter into so-called "business associate" contracts with certain contractors that may have access to certain patient medical information.
Pursuant to the terms of one or more agreements between the parties, whether oral or in writing (collectively, the "Agreement"), we shall provide certain services to you. To facilitate our provision of such services, you wish to disclose certain information to us, some of which may constitute Protected Health Information ("PHI") (defined below).
You and we intend to protect the privacy and provide for the security of PHI disclosed to us pursuant to the Agreement in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5 ("HITECH Act"), and regulations promulgated thereunder by the U.S. Department of Health and Human Services ("HIPAA Regulations") and other applicable laws, including without limitation state patient privacy laws, as such laws may be amended from time to time.
HIPAA requires you to enter into a contract containing specific requirements with us prior to the disclosure of PHI, as set forth in, but not limited to, 45 C.F.R. §§ 164.314(a), 164.502(e) and 164.504(e) and contained in this BAA.
Definitions. Capitalized terms not otherwise defined herein shall have the meaning assigned to them under HIPAA or the HITECH Act, as applicable.
Electronic Protected Health Information or EPHI means Protected Health Information that is maintained in or transmitted by electronic media.
Privacy Rule means the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and E.
Protected Health Information or PHI means any information, whether oral or recorded in any form or medium: (i) that relates to the past, present or future physical or mental condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and (ii) that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, and shall have the meaning given to such term under 45 C.F.R. § 160.103. Protected Health Information includes Electronic Protected Health Information.
Protected Information means PHI provided by you to us, or created or received by us on your behalf.
Security Rule means the HIPAA Regulation that is codified at 45 C.F.R. Parts 160 and 164, Subparts A and C.
Unsecured PHI shall have the meaning given to such term under 42 U.S.C. § 17932(h), 45 C.F.R. § 164.402 and guidance issued pursuant to the HITECH Act including, but not limited to, that issued on April 17, 2009 and published in 74 Federal Register 19006 (April 27, 2009), by the Secretary of the U.S. Department of Health and Human Services ("Secretary").
Obligations of Business Associate.
Permitted Access, Use or Disclosure. We shall neither permit the unauthorized or unlawful access to, nor use or disclose, PHI other than as permitted or required by the Agreement, this BAA, or as permitted or required by law. Except as otherwise limited in the Agreement or this BAA, we may access, use, or disclose PHI (i) to perform our services as specified in the Agreement; and (ii) for the proper administration of our business, provided that such access, use, or disclosure would not violate HIPAA, the HITECH Act, the HIPAA Regulations, or applicable state law if done or maintained by you. If we disclose Protected Information to a third party, we must obtain, prior to making any such disclosure, (i) reasonable assurances from such third party that such Protected Information will be held confidential as provided pursuant to this BAA and only disclosed as required by law or for the purposes for which it was disclosed to such third party, and (ii) agreement from such third party to promptly notify us of any Breaches of confidentiality of the Protected Information, to the extent it has obtained knowledge of such Breach.
Prohibited Uses and Disclosures Under HITECH. Notwithstanding any other provision in this BAA, we shall comply with the following requirements: (i) we shall not use or disclose Protected Information for fundraising or marketing purposes, except as provided under the Agreement and consistent with the requirements of 42 U.S.C. § 17936; (ii) we shall not disclose Protected Information to a health plan for payment or health care operations purposes if the patient has requested this special restriction, and has paid out of pocket in full for the health care item or service to which the PHI solely relates, 42 U.S.C. § 17935(a); (iii) we shall not directly or indirectly receive remuneration in exchange for Protected Information, except with your prior written consent and as permitted by the HITECH Act, 42 U.S.C. § 17935(d)(2); however, this prohibition shall not affect payment by you to us for services provided pursuant to the Agreement.
Appropriate Safeguards. We shall implement appropriate safeguards designed to prevent the access, use or disclosure of Protected Information other than as permitted by the Agreement or this BAA. We shall use administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of EPHI. We shall comply with each of our obligations under the applicable requirements of 45 C.F.R. §§ 164.308, 164.310, and 164.312 and the policies and procedures and documentation requirements of the HIPAA Security Rule set forth in 45 C.F.R. § 164.316.
Reporting of Improper Access, Use, or Disclosure.
Generally. We shall promptly notify you of any Breach of security, intrusion or unauthorized access, use, or disclosure of PHI of which we become aware and/or any access, use, or disclosure of data in violation of the Agreement, this BAA, or any applicable federal or state laws or regulations. We shall take (i) prompt corrective action to cure any deficiencies in our policies and procedures that may have led to the incident, and (ii) any action pertaining to such unauthorized access, use, or disclosure required of us by applicable federal and state laws and regulations.
Breaches of Unsecured PHI. Without limiting the generality of the reporting requirements set forth in Section 2.4 (a), we also shall, following the discovery of any Breach of Unsecured PHI, notify you in writing of such Breach without unreasonable delay and in no case later than sixty (60) days after discovery. The notice shall include the following information if known (or reasonably obtainable) by us: (i) contact information for the individuals who were or who may have been impacted by the Breach (e.g., first and last name, mailing address, street address, phone number, eMail address); (ii) a brief description of the circumstances of the Breach, including the date of the Breach and date of discovery (as defined in 42 U.S.C. § 17932(c)); (iii) a description of the types of Unsecured PHI involved in the Breach (e.g., names, social security numbers, date of birth, addresses, account numbers of any type, disability codes, diagnostic and/or billing codes and similar information); (iv) a brief description of what we have done or are doing to investigate the Breach and to mitigate harm to the individuals impacted by the Breach.
Mitigation. We shall establish and maintain safeguards to mitigate, to the extent practicable, any deleterious effects known to us of any unauthorized or unlawful access, use or disclosure of PHI not authorized by the Agreement, this BAA, or applicable federal or state laws or regulations; provided, however, that unless otherwise agreed in writing by the parties or required by applicable federal or state laws or regulations, such mitigation efforts by us shall not require us to bear the costs of notifying individuals impacted by such unauthorized or unlawful access, use, or disclosure of PHI; provided, further, however, that we shall remain fully responsible for all aspects of our reporting duties to you under Section 2.4 (a) and Section 2.4 (b).
Our Subcontractors and Agents. We shall ensure that any agents or subcontractors to whom we provide Protected Information agree to the same restrictions and conditions that apply to us with respect to such PHI. To the extent that we create, maintain, receive or transmit EPHI on your behalf, we shall ensure that any of our agents or subcontractors to whom we provide Protected Information agree to implement the safeguards required by Section 2.3 above with respect to such EPHI.
Access to Protected Information. To the extent we maintain a Designated Record Set on your behalf, we shall make Protected Information maintained by us or our agents or subcontractors in Designated Record Sets available to you for inspection and copying within ten (10) days of a request by you to enable you to fulfill your obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.524. If we maintain an Electronic Health Record, we shall provide such information in electronic format to enable you to fulfill your obligations under the HITECH Act, including, but not limited to, 42 U.S.C. § 17935(e).
Amendment of PHI. To the extent we maintain a Designated Record Set on your behalf, within ten (10) days of receipt of a request from you for an amendment of Protected Information or a record about an individual contained in a Designated Record Set, we or our agents or subcontractors shall make PHI available to you so that you may make any amendments that you direct or agree to in accordance with the Privacy Rule.
Accounting Rights. Within ten (10) days of notice by you of a request for an accounting of disclosures of Protected Information, we and our agents or subcontractors shall make available to you the information required to provide an accounting of disclosures to enable you to fulfill your obligations under the Privacy Rule, including, but not limited to, 45 C.F.R. § 164.528, and your obligations under the HITECH Act, including but not limited to 42 U.S.C. § 17935(c). We agree to implement a process that allows for an accounting to be collected and maintained by us and our agents or subcontractors for at least six (6) years prior to the request. However, accounting of disclosures from an Electronic Health Record for treatment, payment, or health care operations purposes are required to be collected and maintained for only three (3) years prior to the request, and only to the extent we maintain an electronic health record and are subject to this requirement. At a minimum, the information collected and maintained shall include, to the extent known to us: (i) the date of the disclosure; (ii) the name of the entity or person who received PHI and, if known, the address of the entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or a copy of the individual’s authorization, or a copy of the written request for disclosure. The accounting must be provided without cost to the individual or the requesting party if it is the first accounting requested by such individual within any twelve (12) month period. 
For subsequent accountings within a twelve (12) month period, we may charge the individual or party requesting the accounting a reasonable fee based upon our labor costs in responding to the request and a cost-based fee for the production of non-electronic media copies, so long as we inform the individual or requesting party in advance of the fee and the individual or requesting party is afforded an opportunity to withdraw or modify the request. We shall notify you within five (5) business days of receipt of any request by an individual or other requesting party for an accounting of disclosures. The provisions of this Section 2.8 shall survive the termination of this BAA.
Governmental Access to Records. We shall make our internal practices, books and records relating to the use and disclosure of Protected Information available to you and to the Secretary for purposes of determining our compliance with the Privacy Rule.
Minimum Necessary. To the extent feasible in the performance of services under the Agreement, we (and our agents or subcontractors) shall request, use, and disclose only the minimum amount of Protected Information necessary to accomplish the purpose of the request, use, or disclosure. Notwithstanding the foregoing, the parties agree that based on the nature of the services provided to you by us under the Agreement, we may be unable to determine what constitutes "minimum necessary" under HIPAA, and thus we shall be entitled to rely on your direction as to what constitutes "minimum necessary" with respect to the access, use, or disclosure of Protected Information in our possession or under our control.
Permissible Requests by You. You shall not request that we use or disclose PHI in any manner that would not be permissible under HIPAA or the HITECH Act if done by you or us. You shall not direct us to act in a manner that would not be compliant with the Security Rule, the Privacy Rule, or the HITECH Act.
Breach Pattern or Practice. If either party knows of a pattern of activity or practice of the other party that constitutes a material breach or violation of such other party's obligations under this BAA or other arrangement, the first party must take reasonable steps to cure the breach or end the violation. If the steps are unsuccessful, the first party must terminate the applicable Agreement to which the breach and/or violation relates if feasible, or if termination is not feasible, report the problem to the Secretary.
Term and Termination.
Term. The term of this BAA shall be effective as of the Effective Date and shall terminate when all of the PHI provided by you to us, or created or received by us on your behalf, is destroyed or returned to you.
Material Breach by Us. Upon any material breach of this BAA by us, you shall provide us with written notice of such breach and such breach shall be cured by us within thirty (30) business days of such notice. If such breach is not cured within such time period, you may immediately terminate this BAA and the applicable Agreement.
Effect of Termination. Upon termination of any of the agreements comprising the Agreement for any reason, we shall, if feasible, return or destroy all PHI relating to such agreements that we or our agents or subcontractors still maintain in any form, and shall retain no copies of such PHI. If return or destruction is not feasible, we shall continue to extend the protections of this BAA to such information, and limit further use of such PHI to those purposes that make the return or destruction of such PHI infeasible.
Compliance with State Law. Nothing in this BAA shall be construed to require us to use or disclose Protected Information without a written authorization from an individual who is a subject of the Protected Information, or without written authorization from any other person, where such authorization would be required under state law for such use or disclosure.
Amendment to Comply with Law. Because state and federal laws relating to data security and privacy are rapidly evolving, amendment of the Agreement or this BAA may be required to provide for procedures to ensure compliance with such developments. We and you shall take such action as is necessary to implement the standards and requirements of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule and other applicable laws relating to the security or confidentiality of PHI. Upon the request of either party, the other party shall promptly enter into negotiations concerning the terms of an amendment to this BAA embodying written assurances consistent with the standards and requirements of HIPAA, the HITECH Act, the Privacy Rule, the Security Rule or other applicable laws. Either party may terminate the applicable Agreement upon thirty (30) days written notice in the event (i) the other party does not promptly enter into negotiations to amend the Agreement or this BAA when requested by the first party pursuant to this Section or (ii) the other party does not enter into an amendment to the Agreement or this BAA providing assurances regarding the safeguarding of PHI that the first party, in its reasonable discretion, deems sufficient to satisfy the standards and requirements of applicable laws, within thirty (30) days following receipt of a written request for such amendment from the first party.
No Third-Party Beneficiaries. Nothing express or implied in the Agreement or this BAA is intended to confer, nor shall anything herein confer upon any person other than you, us and our respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
Notices. All notices hereunder shall be in writing, delivered personally, by certified or registered mail, return receipt requested, or by overnight courier, and shall be deemed to have been duly given when delivered personally or when deposited in the United States mail, postage prepaid, or deposited with the overnight courier addressed as follows: (a) if to you, at the primary mailing address you provided when you created your account with us; (b) if to us, at the following address:
Attn: Security Officer
Compliant Innovations, Inc
150 West Iowa Ave
Sunnyvale, CA 94086
Or to such other persons or places as either party may from time to time designate by written notice to the other.
Interpretation. The provisions of this BAA shall prevail over any provisions in the Agreement that may conflict or appear inconsistent with any provision in this BAA. This BAA and the Agreement shall be interpreted as broadly as necessary to implement and comply with HIPAA, the HITECH Act, the Privacy Rule and the Security Rule. Any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the HITECH Act, the Privacy Rule and the Security Rule. Except as specifically required to implement the purposes of this BAA, or to the extent inconsistent with this BAA, all other terms of the Agreement shall remain in force and effect.
Entire Agreement of the Parties. This BAA supersedes any and all prior and contemporaneous business associate agreements or addenda between the parties and constitutes the final and entire agreement between the parties hereto with respect to the subject matter hereof. Each party to this BAA acknowledges that no representations, inducements, promises, or agreements, oral or otherwise, with respect to the subject matter hereof, have been made by either party, or by anyone acting on behalf of either party, which are not embodied herein. No other agreement, statement or promise, with respect to the subject matter hereof, not contained in this BAA shall be valid or binding.
Regulatory References. A reference in this BAA to a section of regulations means the section as in effect or as amended, and for which compliance is required.