This Business Associate Agreement (the “BAA”) is made on the date of signature by Redstor below (the “Agreement Effective Date”) by and between the client/service provider named below (“Covered Entity”) and the Redstor entity named below (“Business Associate”).
1. Introduction
1.1 Covered Entity is either a “covered entity” or “business associate” of a covered entity as each are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH ACT (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, “HIPAA”) and, as such, is required to comply with HIPAA’s provisions regarding the confidentiality and privacy of Protected Health Information (as defined below).
1.2 The Parties have entered into or will enter into one or more agreements under which Business Associate provides or will provide certain specified services to Covered Entity or Covered Entity’s customer (collectively, the “Underlying Agreement(s)”).
1.3 In providing services pursuant to the Underlying Agreement(s), Business Associate may have access to Protected Health Information;
1.4 By providing the services pursuant to the Underlying Agreement(s), Business Associate will become a “business associate” of the Covered Entity as such term is defined under HIPAA.
1.5 Both Parties are committed to complying with all federal and state laws governing confidentiality and privacy of health information, including, but not limited to, the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”); and
1.6 Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to this BAA, HIPAA and other applicable laws.
NOW, THEREFORE, in consideration of the mutual covenants and conditions contained herein and the continued provision of PHI by Covered Entity to Business Associate under the Underlying Agreement(s) in reliance on this BAA, the Parties agree as follows:
2. Definitions
For the purposes of this BAA, the Parties give the following meaning to each of the terms in this Section below. Any capitalized term used in this BAA, but not otherwise defined, has the meaning given to that term in the Privacy Rule or pertinent law.
2.1 “Affiliate” means a subsidiary or affiliate of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.
2.2 “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI, as defined in 45 CFR § 164.402.
2.3 “Breach Notification Rule” means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
2.4 “Data Aggregation” means, with respect to PHI created or received by Business Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other “covered entity” under HIPAA, to permit data analyses that relate to the Health Care Operations (defined below) of the respective covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.
2.5 “Designated Record Set” has the meaning given to such term under the Privacy Rule, including 45 CFR § 164.501.
2.6 “De-Identify” means to alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
2.7 “Electronic PHI” means any PHI maintained in or transmitted by electronic media as defined in 45 CFR § 160.103.
2.8 “Health Care Operations” has the meaning given to that term in 45 CFR § 164.501.
2.9 “HHS” means the U.S. Department of Health and Human Services.
2.10 “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
2.11 “Individual” has the same meaning given to that term in 45 CFR §§164.501 and 160.103 and includes a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
2.12 “Privacy Rule” means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
2.13 “Protected Health Information” or “PHI” has the meaning given to the term “protected health information” in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of the Covered Entity.
2.14 “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
2.15 “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
2.16 “Unsecured Protected Health Information” or “Unsecured PHI” means any “protected health information” as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC § 17932(h).
2.17 “Underlying Agreement” means the agreement published on Redstor’s website at https://www.redstor.com/end-user-licence-agreement/
3. Obligations and Activities of Business Associate.
To the extent Business Associate uses, discloses or maintains PHI on behalf of Covered Entity or its customer(s) covered by HIPAA, Business Associate agrees as follows:
3.1 Use or Disclosure. Business Associate agrees to not use or further disclose PHI other than as expressly permitted or required by this BAA, any other applicable Underlying Agreement(s) relating to the services being provided by Business Associate (each an “Underlying Agreement”) or as required by law, and only to the extent the use or disclosure would not violate the Privacy and Security Rules if done by the Covered Entity.
3.2 Safeguards. Business Associate agrees to implement and use appropriate administrative, physical, and technical safeguards to:
3.2.1 prevent any use or disclosure of PHI other than uses and disclosures expressly provided for by this Agreement;
3.2.2 reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains or transmits on behalf of Covered Entity, as applicable; and
3.2.3 comply with the requirements of 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316.
3.3 Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
3.4 Reporting. Business Associate agrees to report to Covered Entity any use or disclosure of PHI by Business Associate, its workforce or agents/subcontractors that is not provided for by this Agreement within ten (10) days of discovery of such use or disclosure. Business Associate also agrees to report to Covered Entity any remedial actions taken or proposed with respect to the unauthorized use or disclosure of PHI.
Business Associate shall report to Covered Entity any security incident of which it becomes aware within ten (10) days of discovery of such security incident. For purposes of this BAA, “security incident” means the attempted or successful unauthorized access, use or disclosure, modification, or destruction of information or interference with the system operations in an information system. Business Associate shall provide in such notice the remedial or other actions undertaken to address such security incident.
4. The parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined in this Section) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Electronic PHI.
5. Business Associate agrees to notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay and in no event later than thirty (30) days after discovery of such Breach. Such notice shall include to the extent possible (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such Breach, (ii) a description of what happened, including the date of the Breach and the date of the discovery of the Breach, and (iii) a description of the types of unsecured PHI that were involved in the Breach. A Breach will be treated as “discovered” by Business Associate as of the first day on which such Breach is known to Business Associate, or, by exercising reasonable diligence would have been known to Business Associate, or any of its employees, officers, or agents. Business Associate agrees to assist Covered Entity as necessary in facilitating the preparation and dissemination of a notice of the Breach, as required by the Privacy and Security Rules.
6. Subcontractors and Agents
Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI agrees in writing to similar restrictions and conditions that apply through this BAA to Business Associate with respect to such information, including those provisions requiring notice to Covered Entity upon the discovery of any misuse or inappropriate disclosure of PHI or any Breach of Unsecured PHI.
7. Access. If Business Associate maintains any PHI in a Designated Record Set, then when requested by Covered Entity, Business Associate agrees to provide access to PHI in a Designated Record Set to Covered Entity or to an Individual in order to comply with the requirements under 45 C.F.R. § 164.524. Such access shall be provided by Business Associate in the time and manner reasonably designated by Covered Entity.
8. Amendment. If Business Associate maintains any PHI in a Designated Record Set, then when requested by Covered Entity or an Individual, Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526. Such amendments shall be made by Business Associate in the time and manner designated by Covered Entity.
9. Audit and Inspection. Business Associate agrees to make its internal practices, books, and records (including policies and procedures) that relate to the use and disclosure of PHI available to Covered Entity, or, at the request of Covered Entity, to the Secretary of DHHS (the “Secretary of DHHS”) or any officer or employee of DHHS to whom the Secretary of DHHS has delegated such authority for the purposes of the Secretary determining Covered Entity’s compliance with the Privacy and Security Rules. Such information shall be made available in a time and manner designated by the Secretary of DHHS or as reasonably requested by the Covered Entity.
10. Documentation of Disclosures. Business Associate agrees to document such disclosures of PHI, and such information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate understands that this requires Business Associate to maintain an audit trail of all such disclosures made within the six (6) years prior to the Individual’s request but does not include disclosures made by Business Associate in connection with the treatment of the patient, the processing of payments for treatment or the operations of Covered Entity or Business Associate unless Business Associate maintains an EHR for Covered Entity. This audit trail shall include the date of any disclosure, the name of the recipient (and address where possible), a brief description of the PHI disclosed, and the purpose of the disclosure.
11. Accounting. Business Associate agrees to provide to Covered Entity or an Individual information collected in accordance with Section 10 of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Such information shall be provided in a manner designated by Covered Entity and within the time frames prescribed by law.
12. Compliance with Notice of Privacy Practices. When required, Business Associate’s use or disclosure of PHI also shall be accomplished in accordance with the limitations and restrictions set forth in Covered Entity’s Notice of Privacy Practices, as it may be amended from time to time. This section shall apply only if Covered Entity has furnished Business Associate with a copy of such Notice.
13. Notice of Request for PHI. Business Associate agrees to notify Covered Entity within five (5) business days of the receipt of any request or subpoena for PHI. Business Associate agrees to provide Covered Entity with the opportunity to challenge the validity of any such request.
14. Prohibition on Sale of PHI Without Authorization. Business Associate and its permitted agents, subcontractors and sub-Business Associates are prohibited from directly or indirectly receiving any remuneration in exchange for an individual’s protected health information unless the individual provides a valid authorization.
15. Permitted Uses and Disclosures by Business Associate
16. General Use and Disclosure Provisions. Except as otherwise limited in this BAA, Business Associate may use or disclose PHI on behalf of, or to provide services to, Covered Entity in connection with the performance of the services if such use or disclosure of PHI would not violate HIPAA or the Privacy and Security Rules if done by Covered Entity or such use or disclosure is expressly permitted under this BAA.
17. Specific Use and Disclosure Provisions.
17.1 Except as otherwise limited in this BAA, Business Associate may access, use and disclose PHI for Business Associate’s proper management and administration or to meet its legal responsibilities; provided, however, that such PHI may be disclosed for such purposes only if the disclosures are required by law or the Business Associate obtains the following reasonable assurances from the person or entity to whom the information is disclosed:
17.1.1 the information will remain confidential;
17.1.2 the information will be used or further disclosed only as required by law or for the purpose for which the information was disclosed to the person; and
17.1.3 the person will notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
17.2 Except as otherwise limited in this BAA, Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B). Data aggregation services involve the combining by the Business Associate of (a) protected health information created or received by a Business Associate in its capacity as the Business Associate of a Covered Entity with (b) protected health information received by the Business Associate in its capacity as a Business Associate of another Covered Entity, to permit data analyses that relate to the health care operations of the respective Covered Entities.
17.3 Business Associate may use and disclose PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
17.4 Except as otherwise limited in this BAA, Business Associate may use PHI to de-identify such PHI in accordance with the requirements of HIPAA, including 45 C.F.R. § 164.514. Business Associate shall have the right to use and disclose such de-identified information without regard to any limitations on the use or disclosure of PHI contained in this BAA, HIPAA, or the Privacy and Security Rules. Business Associate will not disclose the identity of the source of the original data provided by Covered Entity unless authorized to do so by Covered Entity. Neither Covered Entity nor any third party shall be entitled to any revenue, royalties, or other compensation for Business Associate’s use of the de-identified information, nor shall Covered Entity use or disclose the de-identified information provided to Covered Entity by Business Associate for any purpose other than in the conduct of its own business.
18. Business Associate may only use and disclose PHI in accordance with the Minimum Necessary Standard under HIPAA and the Privacy and Security Rules to the extent that such standard would apply if the activities performed by Business Associate pursuant to this BAA were performed by Covered Entity.
19. Obligations of Covered Entity
19.1 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA, the Privacy and Security Rules, or any other applicable federal or state law, if done by Covered Entity or that is not otherwise expressly permitted under the Permitted Uses and Disclosures provisions of this BAA (Sections 15 through 18).
19.2 Covered Entity shall provide Business Associate with the notice of privacy practices for PHI that Covered Entity produces as required under HIPAA, as well as any changes to such notice.
19.3 Covered Entity shall inform Business Associate of any changes in, or the revocation of, permission by an Individual to use or disclose PHI about the Individual, if such changes, or revocation, affect Business Associate’s permitted or required uses and disclosures of PHI hereunder.
19.4 Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI to which the Covered Entity has agreed (in accordance with HIPAA).
19.5 Covered Entity shall notify Business Associate of any laws or regulations applicable to Covered Entity with which Business Associate must comply in fulfilling Business Associate’s obligations under this BAA.
19.6 Covered Entity shall disclose to Business Associate the minimum necessary amount of PHI necessary for the Business Associate to provide services to Covered Entity.
20. Term and Termination
21. Term. This BAA shall be effective as of the Agreement Effective Date and shall continue until all Underlying Agreement(s) between the parties terminate and the parties cease to have an ongoing business relationship.
22. Termination for Cause. Upon becoming aware of a material breach of this BAA or a pattern of non-compliance with the terms of this BAA by one party, the other party shall provide the non-compliant party with an opportunity to cure the breach or end the violation. If the breach is not cured or the violation is not otherwise ended within thirty (30) days of notice of the breach, the non-breaching party may terminate this BAA. In the event that a cure is not possible, either party may terminate this BAA immediately. The parties agree that each may have an obligation under the Privacy and Security Rules to notify the Secretary of DHHS, or his or her designee, of uncured breaches of this BAA or of the termination of this BAA as a result of such a breach.
23. Effect of Termination.
23.1 Upon termination of this BAA, for any reason, Business Associate shall return or destroy all PHI. This provision shall also apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
23.2 Notwithstanding the foregoing, in the event that Business Associate reasonably determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall then extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
24. Miscellaneous
25. Regulatory References. A reference in this BAA to a section in HIPAA, or the Privacy and Security Rules or applicable state data privacy and security laws means the section as in effect or as amended from time to time, and for which compliance is required.
26. Amendment. Covered Entity and Business Associate agree that amendment of this BAA may be required to ensure that Covered Entity and Business Associate comply with changes in state and federal laws and regulations relating to the privacy, security and confidentiality of PHI. Either party may terminate this BAA upon thirty (30) days written notice in the event that the parties do not enter into an amendment that both parties reasonably deem sufficient to ensure that both parties will be able to comply with such laws and regulations.
27. Effect of BAA. This BAA is a part of and subject to the terms of the Underlying Agreement(s), except that to the extent any terms of this BAA conflict with any term of the Underlying Agreement(s), the terms of this BAA will govern.
28. Interpretation. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits Covered Entity to comply with applicable law protecting the privacy, security and confidentiality of PHI, including, but not limited to, HIPAA, and the Privacy and Security Rules.
29. State Law.
29.1 Nothing in this BAA shall be construed to require Business Associate to use or disclose PHI without a written authorization from an individual who is a subject of the PHI, or written authorization from any other person, where such authorization would be required under state law for such use or disclosure.
29.2 Business Associate shall comply with all applicable state laws governing the privacy and security of Personal Information. “Personal Information” means information protected by state data privacy and security laws, as they may be amended from time to time, and includes a first initial and last name or first and last name in combination with any of the following: Social Security Numbers, driver’s license or other state identification number, and financial account or credit/debit card numbers.
30. No Third Party Beneficiaries. Nothing express or implied in this BAA is intended to nor shall confer upon any person other than Covered Entity, Business Associate, and their respective successors and permitted assigns, any rights, obligations, remedies or liabilities.
31. Primacy. To the extent that any provisions of this BAA conflict with the provisions of any other agreement or understanding between the parties, this BAA shall control with respect to the subject matter of this Agreement.
32. HITECH ACT Compliance. The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule. The privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA and these changes may be further clarified in forthcoming regulations and guidance. Each Party agrees to comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties also agree to negotiate in good faith to modify this BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective but, in the event that the Parties are unable to reach an agreement on such a modification, either Party will have the right to terminate this BAA upon 30 days’ prior written notice to the other Party.
33. Waiver. Neither the waiver of a breach of any provision of this BAA, nor a failure to enforce, on one or more occasions, a provision of this BAA (or exercise any right or privilege thereunder) shall constitute a waiver of the provision itself, a waiver of any breach thereafter, or a waiver of any other provision herein.