BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) between Inphonite, LLC (“Business Associate”) and you, as our Customer (“Covered Entity”) (each individually, a “Party,” and collectively, the “Parties”) takes effect today (“Effective Date”).
I. Purpose and Intent
1.1 Business Associate has agreed to perform certain services for or on behalf of Covered Entity, which services may involve the use or disclosure of Protected Health Information within the meaning of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as it may be amended from time to time and its implementing regulations, 45 CFR Parts 160 and 164 (“the Privacy Rule”) including those added by the Health Information Technology for Economic and Clinical Health Act included in the American Recovery and Reinvestment Act of 2009, (the “HITECH Act”). This Agreement supplements the Parties’ agreement(s) for services and is intended to satisfy the requirements for Business Associate Agreements as set forth in the Privacy Rule, including 45 CFR § 164.502(e) and 164.504(e), and the HITECH Act. Business Associate hereby agrees to comply with applicable provisions of the Privacy Rule and the HITECH Act and to assist Covered Entity with its compliance as explained below.
1.2 The purpose of this Agreement is to satisfy certain standards and requirements of the Privacy Rule, including, but not limited to, Title 45 Sections 164.502(e) and 164.504(e) of the Code of Federal Regulations (“CFR”), the Security Rule, including but not limited to, 45 CFR §§ 164.308, 164.310, 164.312, and 164.316 (as required by HITECH), and the Breach Notification Rule, including but not limited to 45 CFR § 164.410, as the same may be amended from time to time, including as amended by the final rules published by HHS on January 25, 2013 titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (collectively “HIPAA Rules”).
II. Definitions
Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Rules. In the event of a conflict between the definitions in this Agreement and the definitions in the HIPAA Rules, the definitions in the HIPAA Rules shall be applied.
2.1 Electronic Health Record means an electronic record of health-related information on an Individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
2.2 Electronic Protected Health Information (“e-PHI”) is a subset of Protected Health Information and means PHI that is transmitted by or maintained in any electronic media.
2.3 Individual means the person who is the subject of Protected Health Information, and any person who qualifies as a personal representative of such person in accordance with 45 CFR § 164.502(g). See 45 CFR § 164.501.
2.4 Protected Health Information (“PHI”) means any information which is created or received by Business Associate from or on behalf of Covered Entity, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of an Individual, the provision of health care to an Individual, or the past, present, or future payment for the provision of health care to an Individual. See 45 CFR § 160.103. PHI and e-PHI are collectively referred to as (“PHI”).
2.5 Required By Law means a mandate contained in law that compels a Covered Entity to make a Use or Disclosure of PHI and that is enforceable in a court of law.
III. Obligations of Business Associate
3.1 Business Associate shall make reasonable efforts to Use or further Disclose PHI in the minimum amount and to the minimum number of individuals necessary to achieve the purpose of the services being rendered to or on behalf of Covered Entity, except that Business Associate shall not be obligated to comply with this minimum necessary limitation if neither Business Associate nor Covered Entity is required to limit its Use or Disclosure to the minimum necessary.
3.2 Business Associate agrees to not use or disclose PHI other than as permitted or required by the Agreement or as required by law.
3.3 Business Associate agrees to comply with the Privacy Rule and the Security Rule and to use appropriate safeguards to maintain the privacy and security of the PHI and to prevent use and/or disclosure of the PHI other than as provided for by this Agreement.
3.4 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
3.5 Business Associate agrees to immediately report to Covered Entity any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware, including breaches of unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware.
3.5.1 Business Associate agrees to notify Covered Entity of any Breach of Unsecured PHI without unreasonable delay, and in any event no later than ten (10) calendar days after discovery of the Breach. The notice will include, to the extent possible:
(i) A brief description of how the Breach occurred;
(ii) The date of the Breach;
(iii) The date of discovery of the Breach;
(iv) A description of the types of Unsecured PHI that were involved;
(v) Identification of each Individual whose Unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or Disclosed;
(vi) A brief description of what Business Associate is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against further Breaches; and
(vii) Any other available information that Covered Entity is required to include in its notifications to affected Individuals.
3.5.2 Covered Entity will be responsible for providing notification to Individuals whose Unsecured PHI has been breached, as well as the Secretary and the media, as required by § 13402 of HITECH, 42 U.S.C. § 17932 and 164 CFR §§ 404, 406, and 408.
3.6 Business Associate agrees to ensure that any agent to whom it provides PHI, including a subcontractor, agrees to the same restrictions and conditions concerning the information that apply through this Agreement with Business Associate. Business Associate shall comply with this section by entering into a contract with such agent or subcontractor, which contract requires the agent or subcontractor to comply with the terms of the Agreement.
3.7 Upon a request by Covered Entity, Business Associate agrees to provide access to PHI maintained in a designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524. Business Associate shall provide access to the PHI electronically and within 10 business days.
3.8 Upon a request by Covered Entity or an Individual and at Covered Entity’s direction or agreement, Business Associate agrees to make any amendment(s) to PHI maintained in a Designated Record Set in order to meet the requirements under 45 CFR § 164.526. Business Associate shall act on the amendments in a timely manner and not to exceed 10 business days.
3.9 Business Associate agrees to make internal practices, books, and records (including policies and procedures) relating to the use and disclosure of PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity, available to Covered Entity or to the Secretary for purposes of the Secretary determining Covered Entity’s or Business Associate’s compliance with the Privacy Rule, Security Rule, or HITECH Act. Business Associate shall make the documents available within a reasonable time frame.
3.10 Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
3.11 Business Associate agrees to provide to Covered Entity or an Individual information collected in accordance with the section 3.9 of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528 and the HITECH Act. Business Associate shall act in a timely manner. Additionally, in accordance with the HITECH Act and as of the date specified by the Secretary, if the Business Associate holds PHI in an electronic health record (“EHR”), it will account for disclosure made through an EHR within the prior three (3) years, including disclosures for treatment, payment, and operations.
3.12 Business Associate shall notify Covered Entity of any change(s) in Business Associate’s internal practices and procedures, to the extent that such changes may affect Business Associate’s use and disclosure of PHI.
3.13 Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI of an Individual unless the Covered Entity or Business Associate obtained from the Individual, in accordance with 45 CFR § 164.508, a valid authorization that includes a specification of whether the PHI can be further exchanged for remuneration by the entity receiving PHI of that Individual.
IV. Permitted Uses and Disclosures by Business Associate
4.1 General Use and Disclosure Provisions. Except as otherwise limited in the Agreement, Business Associate may use or disclose PHI on behalf of Covered Entity to provide and perform automated messaging services, functions or activities including but not limited to importing and exporting the data necessary to provide such services as requested and directed by Covered Entity.
4.2 Specific Use and Disclosure Provisions
4.2.1 Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
4.2.2 Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate’s business, provided that disclosures are required by law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
4.2.3 Except as otherwise limited in this Agreement, Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).
4.2.4 Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR § 164.502(j)(i).
4.2.5 In the event Business Associate receives a subpoena, court order or other legal process which mandates the disclosure of PHI, Business Associate agrees to promptly notify and allow the Covered Entity to respond to such legal process.
4.3 Ownership of Protected Health Information. Business Associate acknowledges and agrees that any and all PHI which Covered Entity provides to Business Associate is owned by Covered Entity.
V. Obligations of Covered Entity
5.1 Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity’s Notice of Privacy Practices in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
5.2 Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
5.3 Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
5.4 Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule or HITECH Act if done by Covered Entity.
5.5 Covered Entity shall make reasonable efforts to Disclose PHI to Business Associate in the minimum amount and to the minimum number of individuals necessary to achieve the purpose of the services being rendered to or on behalf of Covered Entity, except that Covered Entity shall not be obligated to comply with this minimum necessary limitation if neither Business Associate nor Covered Entity is required to limit its Use or Disclosure to the minimum necessary.
VI. Term and Termination
6.1 Term. The Term of this Agreement shall be effective as of the Effective Date identified below and shall terminate when the last of the Parties’ related agreements for Business Associate’s services terminate, or when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity or if it is not feasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provision in this section.
6.2 Termination for Cause. Upon Covered Entity’s knowledge of a material breach of the Agreement by Business Associate, Covered Entity may either:
6.2.1 Provide an opportunity for Business Associate to cure the breach or end the violation and, if Business Associate fails to cure the breach or end the violation within a reasonable time period, Covered Entity shall terminate this Agreement and all related agreements for Business Associate’s services involving the use or disclosure of PHI;
6.2.2 Immediately terminate this Agreement together with any related agreement for Business Associate’s services involving the use and disclosure of PHI.
6.3 Effect of Termination. Except as provided in subsection 6.3.1, upon termination of this Agreement for any reason, Business Associate shall return or destroy (at Business Associate’s election) all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
6.3.1 In the event that Business Associate determines that returning or destroying the PHI is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon Covered Entity’s determination that return or destruction of PHI is not feasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
VII. Miscellaneous
7.1 Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended.
7.2 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of Privacy Rule and Security Rule.
7.3 Survival. The respective rights and obligations of Business Associate under Section 6.3, “Effect of Termination,” of this Agreement shall survive the termination of the Agreement.
7.4 Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule, Security Rule and applicable state laws.
7.5 Governing Law and Venue. The laws of the State of Arizona shall govern the validity, construction, interpretation, and effect of this Agreement, and any disputes pertaining hereto shall be adjudicated in the state courts of Arizona with venue being located in Tucson, Arizona.
7.6 No Third-Party Beneficiary Rights. This is not a third-party beneficiary contract. This is an Agreement between Covered Entity and Business Associate, and it can only be enforced by Covered Entity and Business Associate. Covered Entity and Business Associate do not intend to create in any third-party a right to enforce this Agreement or to claim losses or damages under this Agreement.
7.7 Entire Agreement; Effect on Services Agreement. This Business Associate Agreement embodies the entire understanding of the parties in relation to the subject matter hereof and supersedes any prior agreement between the parties in relation to the subject matter hereof. Except as specifically required to implement the purposes of this Business Associate Agreement, all terms of the Parties’ agreement(s) for services shall remain in full force and effect. To the extent that any provision of this Business Associate Agreement specifically conflicts with the terms of the Parties’ agreement(s) for services, the provisions of this Business Associate Agreement shall govern.
7.8 Notices. Any notices to be given hereunder to a Party will be made by U.S. Mail or express courier to Covered Entity’s address as maintained within our Customer database and to Business Associate at: Inphonite, 6367 E Tanque Verde Rd, #204, Tucson, AZ 85715.
VIII. Effective Date
8.1 By clicking the following link and logging onto the InphoniteVoice SaaS system, the Parties have executed this Agreement, which shall be effective as of the date of Sale represented by the date Inphonite received our first file containing either PHI or ePHI, at which time all contractual rights and obligations began.