BAA

Business Associate Agreement

The purpose of this HIPAA Business Associate Agreement (“Agreement”) is to implement the requirements of (i) the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations thereunder (collectively “HIPAA”); (ii) Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), also known as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (“ARRA”); and (iii) regulations promulgated thereunder by the U.S. Department of Health and Human Services, including the HIPAA Omnibus Final Rule (the “HIPAA Final Rule”), which amended the HIPAA Privacy and Security Rules pursuant to the HITECH Act, extending certain HIPAA obligations to business associates and their subcontractors. The purpose of this Agreement is to satisfy certain standards and requirements of HIPAA, the Privacy Rule and the Security Rule (as those terms are defined below), and the HIPAA Final Rule, including, but not limited to, Title 45, §§ 164.314(a)(2)(i), 164.502(e) and 164.504(e) of the Code of Federal Regulations (“C.F.R.”).

The Parties have entered into an agreement (the “Terms and Conditions”) pursuant to which Customer is authorized to provide Company’s online subscription Services (“Services”). As a result of the provision of the Services by Customer to its Members, pursuant to the Agreement, Customer may come to have access to information entered into the Services as User Data that constitutes “protected health information,” as defined in 45 CFR §164.501 (“PHI”). Accordingly, (i) Customer may, for certain purposes and under certain circumstances, be deemed the Customer’s “Business Associate,” as defined in 45 CFR §160.103, under HIPAA, and (ii) Customer and Company pursuant to 45 CFR §164.501 desire to establish an agreement setting forth Company’s obligations to Customer with respect to the User Data. The Parties hereby agree as follows:

1. Use and Disclosure of PHI by Company. Company shall not use or disclose PHI other than (i) to provide the Services and prevent or address service or technical problems, (ii) at a User’s request in connection with a User support matter, (iii) to carry out legal responsibilities of Company, or (iv) as required by law. To the extent Company is carrying out any of Customer’s obligations under the Privacy Rule pursuant to the terms of the underlying Agreement or this Agreement, Company shall comply with the requirements of the Privacy Rule that apply to Customer in the performance of such obligation(s). If Company discloses PHI for such purposes and the disclosure is not required by law, Company shall obtain reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and will be used or further disclosed only as required by law or for the purpose for which it was disclosed to the person (which purpose must be consistent with the limitations imposed upon Company pursuant to this Agreement), and that the person agrees to notify Company of any instances of which it is aware in which the confidentiality of the information has been breached. Company shall use or disclose only the minimum necessary PHI to carry out the activities in accordance with HIPAA and HITECH. Company shall ensure that any agent, including a subcontractor, to whom Company provides PHI, agrees to the same restrictions and conditions that apply to Company through this Agreement with respect to such PHI. Company shall report to User any use or disclosure of PHI not provided for in this Agreement of which Company becomes aware. Company may use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).

2. Data Aggregation. Except as otherwise limited in this Agreement, Company may use PHI to provide Data Aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B), including use of PHI for statistical compilations, reports and all other purposes allowed under applicable law.

3. De-identified Data. Company may create de-identified PHI in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and may use or disclose such de-identified data for any purpose.

4. Specific Use and Disclosure Restrictions. Company is specifically prohibited from (i) selling PHI or receiving any direct or indirect remuneration from a third party in exchange for PHI of a User without the User’s prior written approval, and (ii) using or disclosing PHI in violation of the marketing prohibitions set forth in HIPAA.

5. Protection of PHI and Security Breach Notification. Company shall use appropriate safeguards and shall comply with the Security Rule with respect to Electronic PHI, to prevent use or disclosure of such information other than as provided for by the underlying Terms and Conditions and this Agreement. Company shall report to User any use or disclosure of PHI not permitted under this Agreement, Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in any event no more than ten (10) business days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Company to User of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to User by Company shall be required only upon request. “Unsuccessful Security Incidents” shall include, but not be limited to, pings and other broadcast attacks on Company’s firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Company’s notification to User of a Breach shall include: (i) the identification of each User whose Unsecured PHI has been, or is reasonably believed by Company to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that User would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.

6. Mutual Indemnification. In the event of any unauthorized use or disclosure of PHI constituting a “Breach” as defined under 45 C.F.R. § 164.402 which is directly caused by the grossly negligent or willful act(s) or omission(s) of a Party (the “Indemnifying Party”), the Indemnifying Party agrees to indemnify the other Party (the “Indemnified Party”), to the extent the Indemnifying Party is responsible, from and against (i) any administrative fines or penalties assessed against the Indemnified Party by the Secretary or other regulatory authority having jurisdiction; (ii) any award which may be made pursuant to a state Attorney General action and levied against the Indemnified Party; and (iii) in the event any such Breach requires the issuance of notice(s) to affected individuals pursuant to the relevant provisions of ARRA, all direct reasonable costs associated with production and delivery of such required notice(s). The indemnification obligations under this section are subject to the Indemnified Party (a) making written demand for indemnification from the Indemnifying Party pursuant to the foregoing; (b) to the extent the Indemnified Party has notice of same, promptly notifying the Indemnifying Party of any investigation or the filing of any action by the Secretary, any State Attorney General, or other regulatory authority having jurisdiction; (c) granting to the Indemnifying Party the right to determine the means and methods by which any required notices are delivered to affected individuals; and (d) granting to the Indemnifying Party the sole right to control any associated defense or negotiation for settlement or compromise. The Indemnifying Party agrees to work cooperatively with the Indemnified Party to ensure that liability is properly determined and assigned by the Secretary or other regulatory authority having jurisdiction with regard to any such Breach.
In addition, all indemnity rights between the Parties, including those stated in other agreements between the Parties, shall permit only a single indemnity. Duplicative indemnity clauses in this or any other agreements between the Parties shall not result in any greater indemnity rights or double or more indemnity payments or coverage.

7. Access to PHI. To the extent Company has PHI contained in a Designated Record Set, it agrees to make such information available to User pursuant to 45 C.F.R. § 164.524 within ten (10) business days of Company’s receipt of a written request from User; provided, however, that Company is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by User. If a User makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Company, or inquires about his or her right to access, Company shall direct the User to Customer.

8. Amendment of PHI. To the extent Company has PHI contained in a Designated Record Set, it agrees to make such information available to User for amendment pursuant to 45 C.F.R. § 164.526 within twenty (20) business days of Company’s receipt of a written request from User. If a User submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to Company, or inquires about his or her right to amendment, Company shall direct the User to Customer.

9. Access by HHS. Company shall make its internal practices, books, records, policies and procedures relating to the use and disclosure of such PHI, available to the Secretary of the United States Department of Health and Human Services, for purposes of determining compliance with HIPAA.

10. Documentation of Disclosures. Company agrees to document such disclosures of PHI and information related to such disclosures as would be required for Customer to respond to a request by a User for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Company shall document, at a minimum, the following information (“Disclosure Information”): (i) the date of the disclosure, (ii) the name and, if known, the address of the recipient of the PHI, (iii) a brief description of the PHI disclosed, (iv) the purpose of the disclosure that includes an explanation of the basis for such disclosure, and (v) any additional information required under the HITECH Act and any implementing regulations.

11. User Accounting Requests. Company agrees to provide to Customer, within twenty (20) business days of Company’s receipt of a written request from Customer, information collected in accordance with Section 3(f) of this Agreement, to permit Customer to respond to a request by a User for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. If a User makes a request for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528 directly to Company or inquires about his or her right to an accounting of disclosures of PHI, Company shall direct the User to Customer.

12. HIPAA Final Rule Applicability. Company acknowledges that enactment of the HITECH Act, as implemented by the HIPAA Final Rule, amended certain provisions of HIPAA in ways that now directly regulate, or will on future dates directly regulate, Company under the Privacy Rule and the Security Rule. Company agrees to comply with applicable requirements imposed under the HIPAA Final Rule.

13. Term and Termination. Upon expiration or termination of any agreement between Customer and User, if feasible, Company shall, as promptly as reasonably practicable, return or destroy all PHI maintained for such User in any form in accordance with such agreement. If return or destruction of PHI is not feasible, Company shall limit further use and disclosures of PHI to those purposes that make the return or destruction of the PHI infeasible.

14. Non-Compliance. In the event that either Company or Customer becomes aware that the other Party has engaged in a pattern of activity or practice which constitutes a material breach or violation of HIPAA or the terms of this Agreement, the non-breaching Party may request in writing that the breaching Party cure the breach or violation. If the breach or violation is not cured within thirty (30) business days of the written notice, the non-breaching Party may terminate this Agreement.

15. Amendment. The Parties shall take such action as necessary to amend this Agreement from time to time as may be necessary to comply with changes to the rules and regulations under HIPAA.

16. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Company and/or Customer to comply with HIPAA. This Agreement is part of and is governed by the Agreement. This Agreement is between Company and Customer; there are no third-party beneficiaries to this Agreement.