THIS BUSINESS ASSOCIATE AGREEMENT (“Agreement”) is entered into by and between OA Consulting, LTD d/b/a Psyquel Solutions (“Business Associate”) and the entity entering into this Agreement with Business Associate (“Covered Entity”) (each a “Party” and collectively referred to as the “Parties”), on the effective date of the Service Agreement (“Effective Date”).
WHEREAS, Covered Entity and Business Associate are parties to that certain agreement (“Service Agreement”) incorporating this Agreement by reference;
WHEREAS, Covered Entity and Business Associate recognize that they are considered “Covered Entities” as that term is defined within the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and more specifically, the HIPAA privacy regulation, 45 C.F.R. Part 160 and Part 164, Subparts A and E, the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”);
WHEREAS, the Parties further recognize that they have entered into a separate relationship via the Service Agreement that also makes Business Associate a “Business Associate” of Covered Entity under the HIPAA Privacy Rule;
WHEREAS, pursuant to the Privacy Rule, all Business Associates and Covered Entities must agree, in writing, to certain mandatory provisions regarding the Use and Disclosure of Protected Health Information (“PHI”);
WHEREAS, the purpose of this Agreement is to comply with the requirements of the Privacy Rule, including, but not limited to, the Business Associate contract requirements of 45 C.F.R. § 164.504(e); and
WHEREAS, the Parties intend to be compliant with the mandates of the Privacy Rule on or before the applicable implementation deadline for Business Associate contracts under the Privacy Rule;
NOW THEREFORE, in consideration of the mutual promises and covenants contained herein, the Parties agree as follows:
- Catch-All Definition. Capitalized terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in 45 C.F.R. §§ 160.103 and 164.501.
- Specific Definitions.
  - “Protected Health Information” shall have the same meaning as the term “protected health information” under the Privacy Rule, but shall be limited to PHI provided by Covered Entity to Business Associate or received by Business Associate on Covered Entity’s behalf, including electronic PHI.
  - “Successful Security Incident” shall mean a Security Incident that actually results in the unauthorized access, Use, Disclosure, modification, or destruction of PHI or any interference with system operations in an Information System.
  - “Unsuccessful Security Incident” shall mean any Security Incident that does not actually result in the unauthorized access, Use, Disclosure, modification, or destruction of PHI or interference with system operations in an Information System, such as pings or other broadcast attacks on a firewall, port scans, attempts to log onto any system or enter a database using an invalid username or password, denial-of-service attacks that do not result in the system being taken off-line, and malware (e.g., worms and viruses).
2. Obligations and Activities of Business Associate
- Permitted Uses. Business Associate agrees to not Use or further Disclose PHI other than as permitted or required by this Agreement or as Required by Law.
- Appropriate Safeguards. Business Associate agrees to use appropriate safeguards to prevent Use or Disclosure of the PHI other than as provided for by this Agreement.
- Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
- Business Associate agrees to report to Covered Entity any Use or Disclosure of the PHI not provided for by this Agreement or any Successful Security Incident of which it becomes aware. Upon discovery of a Breach of the security of PHI or a Successful Security Incident, Business Associate shall notify Covered Entity within fifteen (15) business days. Such notice shall be in writing and include, if known by Business Associate, the identification of each individual whose PHI has been or is reasonably believed to have been Breached, the types of PHI believed to be Disclosed, the mitigation actions taken by Business Associate to prevent future Breaches, and any other information necessary for the Covered Entity to comply with the notification requirements promulgated pursuant to HIPAA. The Parties acknowledge that this Agreement shall serve as notice of Unsuccessful Security Incidents and the notice requirements described herein shall exclude trivial attempts that do not result in unauthorized access, Use, Disclosure, modification or destruction of PHI that is electronic PHI, nor result in material interference with system operations in an information system, including without limitation, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, and denials of service, which were successfully defended by Business Associate and did not provide unauthorized access to the PHI or electronic PHI.
- Business Associate agrees to notify Covered Entity of any Breach of Unsecured PHI within fifteen (15) business days of the date Business Associate learns of the Breach. Business Associate shall provide such information to Covered Entity as required by 45 C.F.R. § 164.410(c).
- Agents and Subcontractors. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of, Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
- Access to PHI. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524.
- Amendments of PHI. Business Associate agrees to make any amendment(s) to PHI maintained in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 C.F.R. § 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.
- Government Access to Records. Business Associate agrees to make internal practices, books, and records relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule.
- Accounting of Disclosures. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 C.F.R. § 164.528.
- Obligations of Covered Entity. Business Associate agrees that to the extent it performs one or more of the Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the HIPAA Privacy Rule in the same manner that such Privacy Rule would apply to the Covered Entity in the performance of such obligation.
- Security Standards. Business Associate shall implement administrative, physical, and technical safeguards for Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity, including without limitation, compliance with each of the Standards and Implementation Specifications of 45 C.F.R. § 164.308 (Administrative Safeguards), 45 C.F.R. § 164.310 (Physical Safeguards), 45 C.F.R. § 164.312 (Technical Safeguards) and 45 C.F.R. § 164.316 (Policies and Procedures and Documentation Requirements).
- Minimum Necessary. Business Associate acknowledges that it shall limit the Use, Disclosure or request of PHI to perform or fulfill a specific function required or permitted hereunder to the Minimum Necessary information, to accomplish the purpose of such Use, Disclosure or request as set forth in 45 C.F.R. § 164.502(b).
- Agent Protection of Electronic PHI. Business Associate shall ensure that any subcontractor to whom it provides Electronic PHI agrees to implement reasonable and appropriate administrative, physical and technical safeguards to protect that Electronic PHI, including compliance with each of the Standards and Implementation Specifications of 45 C.F.R. § 164.308 (Administrative Safeguards), 45 C.F.R. § 164.310 (Physical Safeguards), 45 C.F.R. § 164.312 (Technical Safeguards) and 45 C.F.R. § 164.316 (Policies and Procedures and Documentation Requirements).
3. Permitted Uses and Disclosures by Business Associate
- Service to Covered Entity. Except as otherwise limited in this Agreement, Business Associate may Use or Disclose PHI on behalf of, or to provide services to, Covered Entity for the purpose of facilitating the processing of administrative, clinical and financial healthcare transactions, if such Use or Disclosure would not violate the Privacy Rule if done by Covered Entity.
- Management and Administration. Except as otherwise limited in this Agreement, Business Associate may Use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. In the event of Disclosure of PHI to a third party for purposes described in this Section 3(b), Business Associate shall obtain satisfactory assurances from the receiving party that it shall maintain the privacy and security of the information, Use or further Disclose the information only as Required by Law or for the purposes for which the information was Disclosed to the third party, and notify Business Associate of any instances of a Breach of confidentiality of the information.
- De-Identification. In accordance with the applicable provisions of HIPAA, Business Associate may de-identify PHI received, created, maintained, or transmitted by or to Business Associate pursuant to this Agreement, and Use or Disclose such de-identified information for any purpose permitted by applicable law.
- Data Aggregation. Except as otherwise limited in this Agreement, Business Associate may Use PHI to provide Data Aggregation services to Covered Entity as permitted by 42 C.F.R. § 164.504(e)(2)(i)(B).
4. Obligations of Covered Entity
- Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except to the extent that Business Associate will Use or Disclose PHI for, and this Agreement includes provisions for, Data Aggregation or management and administrative activities of Business Associate.
- Revocation of Consent. Covered Entity shall notify Business Associate in writing of any changes in, or revocation of, permission or authorization provided by Individual to Use or Disclose PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
- Restrictions on Use of PHI. Covered Entity shall notify Business Associate in writing of any restriction to the Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
- Notice of Privacy Practices. Covered Entity shall provide Business Associate with notice of any restrictions on the Use or Disclosure of PHI provided in the Covered Entity’s Notice of Privacy Practices, as such may be amended from time to time and provide Business Associate a copy of the Notice of Privacy Practices currently in use.
5. Term and Termination
- Term. This Agreement shall be effective as of the Effective Date, and shall terminate upon the termination or expiration of the Service Agreement, unless sooner terminated as provided in this Section 5. Notwithstanding the foregoing, certain provisions and requirements of this Agreement shall survive its expiration or other termination in accordance with Section 5(c) and as described throughout this Agreement.
- Termination for Cause. In the event of a material breach of this Agreement by either Party, the non-breaching Party shall:
  - Provide the breaching Party an opportunity to cure the material breach within thirty (30) days; or
  - Immediately terminate this Agreement.
- Effect of Termination. Except as provided below, upon termination or expiration of this Agreement, for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity that Business Associate maintains in any form and retain no copies of such information. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. The respective rights and obligations of Business Associate under Section 5(c) of this Agreement shall survive the termination of this Agreement.
- Regulatory References. A reference in this Agreement to a section in HIPAA means the section as in effect or as amended, and for which compliance is required.
- Amendment. This Agreement shall automatically be deemed amended, and any conflicting terms shall be superseded, by new laws and regulations in order to support compliance with HIPAA as amended through the regulatory process. Both Parties agree to comply with the applicable laws and regulations. Any other amendments or modifications shall only be made through a written amendment by both Parties.
- No Third-Party Beneficiaries. Nothing express or implied in this Agreement or in the Service Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
- Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits compliance with HIPAA.
- State Law. Where any provision of State law is more stringent or otherwise constitutes a basis upon which the Privacy Rule is preempted, state law controls and the Parties agree to comply fully therewith.
- Entire Agreement and Amendment. This Agreement is the entire agreement between the Parties in regard to its subject matter and shall supersede any prior agreements. This Agreement may not be amended or modified except by a written amendment signed by the parties, or as required by law or due to subsequent revisions to HIPAA.
- Limitation of Damages. Business Associate shall not be liable for any consequential, indirect, incidental, special, exemplary, or punitive damages arising out of or relating to this Agreement. To the extent the Service Agreement includes any clause or provision limiting the amount of damages or losses for which Business Associate will be liable, such clause or provision shall be applicable to this Agreement and is incorporated herein by reference. This provision shall survive expiration or termination of this Agreement.
- Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of Texas without regard to conflicts of law principles.
- Notice. All notices required or permitted to be given under this Agreement shall be in writing and shall be sufficient in all respects if delivered personally, by nationally recognized overnight delivery service, by registered or certified mail, postage prepaid, by confirmed fax, or by other electronic means, provided that delivery can be confirmed, addressed as contemplated in the Service Agreement.