U.S Users - Schedule 2
Business Associate Agreement
B. THE PARTIES ACKNOWLEDGE AND AGREE THAT SUCH PROTECTED HEALTH INFORMATION CAN BE USED OR DISCLOSED ONLY IN ACCORDANCE WITH THIS AGREEMENT, THE PRIVACY RULE, AND THE SECURITY RULE.
NOW, THEREFORE, for good and valuable consideration, the receipt and sufficiency of which are acknowledged, Covered Entity and Business Associate, intending to be legally bound, agree as follows:
Terms used, but not otherwise defined, in this Agreement have the same meaning as those ascribed to the terms in the Health Insurance Portability and Accountability Act of 1996 (as amended by the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (the “HITECH Act”)) and the regulations promulgated thereunder as set forth in the Code of Federal Regulations (“C.F.R.”) at Title 45, Part 160, Part 162 and Part 164, and other applicable laws (collectively, “HIPAA”). The following terms shall have the meaning ascribed to them in this Section. Other capitalized terms shall have the meaning ascribed to them in the context in which they first appear.
1.1 “Breach” means the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted by the Privacy Rule which compromises the security or privacy of the Protected Health Information, as described in 45 C.F.R. 164.402.
1.2 “Electronic Protected Health Information” means individually identifiable health information that is transmitted or maintained by electronic media as described in HIPAA.
1.3 “HHS” means the U.S. Department of Health and Human Services.
1.4 “Individual” means the person who is the subject of the Protected Health Information, has the same meaning as the term “individual” as defined in HIPAA, and includes a personal representative in accordance with 45 C.F.R. 164.502(g).
1.5 “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information, C.F.R. at Title 45, Parts 160 and 164.
1.6 “Protected Health Information” has the same meaning as the term “protected health information” as described in HIPAA, limited to the information created or received by Business Associate from, or on behalf of, Covered Entity.
1.7 “Required by Law” has the same meaning as the term “required by law” as defined in HIPAA.
1.8 “Secretary” means the Secretary of HHS or his or her designee.
1.9 “Security Rule” means the Standards for the Security of Electronic Protected Health Information, C.F.R. at Title 45, Parts 160, 162, and 164.
1.10 “Unsecured Protected Health Information” has the same meaning as the term “Unsecured protected health information” as defined in 45 C.F.R. 164.402.
2.1 General Uses and Disclosures. Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity if such use or disclosure by Business Associate complies with the Privacy Rule’s minimum necessary policies and procedures required of Covered Entity, and if such use or disclosure of Protected Health Information would not violate the Privacy Rule or the Security Rule if done by Covered Entity.
2.2 Limits on Uses and Disclosures. Business Associate agrees that Business Associate shall be prohibited from using or disclosing the Protected Health Information provided or made available by Covered Entity for any purpose other than as expressly permitted or required by this Agreement, or as Required by Law.
2.3 Use for Management, Administration, and Legal Responsibilities. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out Business Associate’s legal responsibilities.
2.4 Disclosure for Management, Administration, and Legal Responsibilities. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate or to carry out Business Associate’s legal responsibilities, provided that:
(a) The disclosure is required by Law; or
(b) Business Associate obtains reasonable assurances from the person to whom the Protected Health Information is disclosed that the Protected Health Information will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person.
3.1 Appropriate Safeguards. Business Associate will establish and maintain reasonable and appropriate administrative, physical, and technical safeguards to:
(a) Prevent the use or disclosure of the Protected Health Information, other than as such use or disclosure is permitted by this Agreement; and
(b) Protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on behalf of Covered Entity.
3.2 Reports of Improper Use, Disclosure, or Security Incidents. Business Associate agrees that it shall report to Covered Entity any:
(a) Use or disclosure of Protected Health Information not provided for, or allowed by, this Agreement; or
(b) Security incidents regarding the Electronic Protected Health Information of which Business Associate becomes aware.
3.3 Subcontractors and Agents. Business Associate will ensure that any agent, including a subcontractor, to whom Business Associate provides Protected Health Information, created or received by Business Associate on behalf of Covered Entity, agrees to:
(a) The same restrictions and conditions that apply to Business Associate in this Agreement to such Protected Health Information; and
(b) Implement reasonable and appropriate safeguards to protect the Electronic Protected Health Information.
3.4 Right of Access to Protected Health Information. Except as otherwise limited in this Agreement, Business Associate agrees to provide access to Protected Health Information in a Designated Record Set (if applicable and as defined in HIPAA) to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. 164.524, at the written request of Covered Entity.
3.5 Amendments to Protected Health Information. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set, if applicable, that Covered Entity directs or agrees to pursuant to 45 C.F.R. 164.526, at the request of Covered Entity or an Individual, and in a reasonable time and manner.
3.6 Access to Books and Records. Except as otherwise limited in this Agreement, Business Associate agrees to make Business Associate’s internal policies, procedures, practices, books, and records relating to the use, disclosure, and safeguarding of Protected Health Information received from, or created or received by, Business Associate on behalf of Covered Entity available to the Secretary or Covered Entity, in a reasonable time and manner, for purposes of the Secretary’s determining Covered Entity’s compliance with the Privacy Rule and the Security Rule.
3.7 Documentation of Disclosures. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. 164.528.
3.8 Provide Accounting. Except as otherwise limited in this Agreement, Business Associate agrees to provide to Covered Entity or an Individual, in a reasonable time and manner, information collected in accordance with Section 3.7, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected health information in accordance with 45 C.F.R. 164.528.
3.9 Mitigation Procedures. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement.
3.10 Notification of Breach. During the term of this Agreement, Business Associate shall notify Covered Entity of any Breach of Unsecured Protected Health Information, not later than sixty (60) calendar days (except in the case of a delay by law enforcement in accordance with 45 C.F.R. 164.412) after Business Associate discovers such Breach. The notification will include, to the extent possible, the identification of each Individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach, as well as any other information available to Business Associate that Covered Entity is required to include in a notification to the Individual(s) under 45 C.F.R. 164.404(c).
4.1 Provide Notice. Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. 164.520, as well as any changes to such notice, in a reasonable time and manner, when such copy of the notice or amended notice is required for compliance with the Privacy Rule.
4.2 Provide Changes of Authorization or Permission. Covered Entity shall provide, in writing and in a reasonable time and manner, Business Associate with any changes in, or revocation of, authorization or permission by an Individual to use or disclose Protected Health Information, if such changes affect Business Associate’s permitted or required uses and disclosures.
4.3 Provide Restrictions. Covered Entity shall notify Business Associate, in writing and in a reasonable time and manner, of any restrictions to the use or disclosure of Protected Health Information changing Business Associate’s obligations that Covered Entity has agreed to in accordance with 45 C.F.R. 164.522.
4.4 Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule, the Security Rule, or this Agreement, if done by Covered Entity.
5.1 Term. The term of this Agreement shall commence when we first provide the Service, and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity in compliance with Section 5.4.
5.2 Termination for Cause. Upon Covered Entity’s knowledge of a material breach of this Agreement by Business Associate, Covered Entity shall provide written notice of such breach to Business Associate and provide an opportunity for Business Associate to cure the breach or end the violation, and if Business Associate does not cure the breach or end the violation within 30 days following the date Business Associate receives such written notice from Covered Entity, Covered Entity may immediately terminate this Agreement. Covered Entity may terminate this Agreement immediately without opportunity for cure if Business Associate and Covered Entity agree that cure is not reasonably possible or if Covered Entity deems such immediate termination to be appropriate under the circumstances.
5.3 Special Termination. In the event that any federal, state, or local law or regulation currently existing or hereinafter enacted, or any final or non-appealable construction or interpretation of such law or regulation (whether federal, state, or local) or enforcement of such laws or regulations hereinafter occurs that makes performance of this Agreement impossible or illegal, the Parties mutually agree to enter into a modification of this Agreement to make substantial performance of this Agreement possible. However, should the Parties be unable to agree upon an appropriate modification to comply with such requirements following 30 days of good faith negotiations, either Party may give written notice to immediately terminate this Agreement.
5.4 Effect of Termination.
(a) Except as otherwise limited in this Agreement, and except as provided in Section 5.4(b), upon termination of this Agreement, for any reason, Business Associate agrees to return all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, or, to the extent authorized by Covered Entity, destroy such Protected Health Information. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
(b) Except as otherwise limited in this Agreement, in the event that Business Associate determines that returning, or as authorized by Covered Entity destroying, the Protected Health Information is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction of the Protected Health Information not feasible. Upon mutual agreement of the Parties that return or destruction of Protected Health Information is not feasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction not feasible, for so long as Business Associate maintains such Protected Health Information.
(c) Except as otherwise limited in this Agreement, termination of this Agreement shall not relieve either Party from fulfilling any obligation under this Agreement that, at the time of termination, has already accrued to the other Party or which thereafter may accrue with respect to any act or omission that occurred prior to such termination.
6.2 Binding Effect. This Agreement shall be binding upon, inure to the benefit of, and be enforceable by, the Parties and the Parties’ respective successors and permitted assigns.
6.3 Remedies Cumulative. All rights and remedies of the Parties under this Agreement shall be cumulative, and no such right or remedy shall exclude any other right or remedy allowed by law or equity.
6.4 Severability. If any provision of this Agreement is held to be illegal, invalid, or unenforceable under present or future laws, such provision shall be fully severable, and this Agreement shall be construed and enforced as if such illegal, invalid, or unenforceable provision never comprised a part of this Agreement; and the remaining provisions of this Agreement shall remain in full force and effect and shall not be affected by the illegal, invalid, or unenforceable provision or by its severance from this Agreement. Furthermore, in lieu of such illegal, invalid, or unenforceable provision, there shall be added automatically as part of this Agreement a provision as similar in its terms to such illegal, invalid, or unenforceable provision as may be possible and be legal, valid, and enforceable.
(a) Any notices or communications to be given under this Agreement by either Party to the other Party shall be deemed to have been duly given if given in writing and (i) personally delivered, (ii) sent by nationally recognized overnight courier, or (iii) sent by mail, certified, postage prepaid with return receipt requested, in each case, at the address for such other Party set forth below:
(A) If to Business Associate, addressed to:
Mr. Scott Pearson
93 Cuba Street
Telephone Number: (617) 939 9292
(B) If to Covered Entity, addressed to Covered Entity at the address provided by Covered Entity hereunder.
(b) Notices delivered personally, by courier, shall be deemed communicated as of actual receipt. Mailed notices shall be deemed communicated as of 10:00 a.m. on the third business day after mailing. Any Party may change such Party’s address for notice under this Agreement by giving prior written notice to the other Party of such change in the manner provided by this Section 6.6.
6.6 Cooperation. Both Business Associate and Covered Entity acknowledge that mutual cooperation and assistance is essential to each Party’s performance under this Agreement; therefore, it will be the duty of both Parties to make all good faith efforts to fully cooperate in the performance of this Agreement.
6.7 Governing Law. This Agreement shall be governed by, and construed and enforced in accordance with, the laws of the United States of America.
6.8 Assignment. Business Associate may assign this Agreement on account of a merger, acquisition or other similar transaction affecting the ownership of Business Associate, without the Covered Entity’s prior, express, and written consent. Except as set forth in the preceding sentence, neither Party shall assign this Agreement without the other Party’s prior, express, and written consent, which consent shall not be unreasonably withheld, delayed, or conditioned.
6.9 Third Party Beneficiaries. Nothing in this Agreement shall be construed to create any third party beneficiary rights in any person or entity.
6.10 Waivers. The failure of a Party at any time or times to require performance of any provision of this Agreement shall in no manner affect such Party’s right at a later time to enforce such provision. No waiver by a Party of any provision or breach of this Agreement shall be effective unless in writing, and no waiver in any one or more instances shall be deemed to be a further or continuing waiver in any other instance.
6.11 Force Majeure. Neither Party shall be liable or be deemed in breach of this Agreement for any failure or delay of performance that results, directly or indirectly, from acts of God, civil or military authority, public disturbance, acts of terrorism, accidents, fires, or any other cause beyond the reasonable control of either Party, and such non-performance shall not be grounds for termination.
6.12 Attorneys’ Fees. Except as otherwise limited in this Agreement, if any legal action or other proceeding is brought for the enforcement of this Agreement, or because of an alleged dispute, breach, default, misrepresentation, or injunctive action in connection with any of the provisions of this Agreement, each Party shall bear their own legal expenses and other costs incurred in that action or proceeding.
6.13 Relationship. Business Associate is acting as an independent contractor of Covered Entity with respect to this Agreement. Nothing in this Agreement shall create or be deemed to create the relationship of employer/employee, partners, joint ventures, or principal-agent between the Parties. Except as otherwise set forth in this Agreement, (i) no Party shall have any authority to assume or create any obligation or responsibility whatsoever, express or implied, on behalf or in the name of the other Party or to bind the other Party in any manner whatsoever and (ii) no Party shall make any representation, warranty, covenant, agreement, or commitment on behalf of the other Party.
6.14 Regulatory References. A reference in this Agreement to a section in the Privacy Rule or the Security Rule means the section as in effect or as amended, and for which compliance is required.
6.16 Interpretation. In the interpretation of this Agreement, except where the context otherwise requires, (a) “including” or “include” does not denote or imply any limitation, (b) “or” has the inclusive meaning “and/or,” (c) “and/or” means “or” and is used for emphasis only, (d) the singular includes the plural, and vice versa, and each gender includes each other gender, (e) captions or headings are only for reference and are not to be considered in interpreting this Agreement, (f) “Section” refers to a section of this Agreement, unless otherwise stated in this Agreement, and (g) “day” refers to a calendar day unless expressly identified as a business day. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits the Parties to comply with the Privacy Rule and the Security Rule.