Business Associate Agreement

Pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), Customer (“Covered Entity”) and Heads Up and any of its corporate affiliates (“Business Associate”), enter into this Business Associate Agreement (“BAA”) as of the Effective Date of the Underlying Agreement. Covered Entity and Business Associate may be referred to individually as a “Party” and collectively as the “Parties.” Capitalized terms used but not defined herein shall have the meaning given to them in the Underlying Agreement, which is incorporated herein by reference.
This BAA addresses the HIPAA requirements with respect to “business associates,” as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164 (“HIPAA Rules”). A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.

1. BACKGROUND.

1.1. Purpose of BAA. This BAA is intended to ensure that Business Associate will establish and implement appropriate safeguards for the Protected Health Information (“PHI”) (as defined under the HIPAA Rules) that Business Associate may receive, create, maintain, use, or disclose in connection with the functions, activities, and services that Business Associate performs for Covered Entity. The functions, activities, and services that Business Associate performs for Covered Entity are defined in the Master Software Subscription Agreement (the “Underlying Agreement”). 

1.2. Breach Notification Overview. Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and under the American Recovery and Reinvestment Act of 2009 (“ARRA”), this BAA also reflects federal breach notification requirements imposed on Business Associate when “Unsecured PHI” (as defined under the HIPAA Rules) is acquired by an unauthorized party and the expanded privacy and security provisions imposed on business associates.

2. DEFINITIONS.

2.1. Terms Defined in the HIPAA Rules. Defined terms used in this BAA are denoted with initial capital letters. Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Administrative Safeguards, Availability, Breach, Confidentiality, Data Aggregation, Designated Record Set, Disclosure, Electronic Media, Electronic Protected Health Information (“ePHI”), Healthcare Operations, Individual, Individually Identifiable Health Information, Integrity, Minimum Necessary, Notice of Privacy Practices, Physical Safeguards, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Technical Safeguards, Unsecured PHI, Uses and Disclosures, and Workforce. A change to the HIPAA Rules which modifies any defined term, or which alters the regulatory citation for a definition, will be deemed incorporated into this BAA.

2.2. Specific HIPAA Rules.

a. Breach Notification Rule. A reference in this BAA to the Breach Notification Rule means Part 2, Subtitle D of the HITECH Act and Notification in the Case of Breach of Unsecured Protected Health Information at 45 C.F.R. Part 164 Subpart D.

b. Privacy Rule. A reference in this BAA to the Privacy Rule means the standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Subparts A and E of Part 164.

c. Security Rule. A reference in this BAA to the Security Rule means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164.

3. USES AND DISCLOSURES OF PHI BY BUSINESS ASSOCIATE.

3.1. General Uses and Disclosures of PHI Pursuant to the Underlying Agreement. Except as otherwise limited in this BAA, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity, as specified in the Underlying Agreement, provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity. 

3.2. Additional Permitted Uses of PHI by Business Associate. Except as otherwise limited in this BAA, Business Associate may use PHI for the following purposes: (i) the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate; (ii) as Required by Law; (iii) to de-identify PHI in accordance with 45 C.F.R. § 164.514(b) and use such de-identified data for any reason not prohibited by applicable law; and (iv) to provide Data Aggregation services relating to the Healthcare Operations of the Covered Entity.

3.3. Additional Permitted Disclosures of PHI by Business Associate. Except as otherwise limited in this BAA, Business Associate may disclose PHI for the following purposes: (i) the proper management and administration of Business Associate, provided that the disclosures are Required by Law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to such person, and that person agrees to notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and (ii) to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).

3.4. Prohibited Uses and Disclosures of PHI by Business Associate. Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Covered Entity; provided, further, that Business Associate may not use or disclose PHI for the purpose of marketing, as such term is defined at 45 C.F.R. § 164.501, unless the Business Associate has obtained an authorization from the Individual in accordance with 45 C.F.R. § 164.508(a)(3).

4. OBLIGATIONS OF BUSINESS ASSOCIATE

4.1. Appropriate Safeguards. 

a. Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent the use or disclosure of PHI other than as provided for by the Underlying Agreement and this BAA. 

b. To the extent applicable, Business Associate will implement the Administrative Safeguards (45 C.F.R. § 164.308), Physical Safeguards (45 C.F.R. § 164.310), and Technical Safeguards (45 C.F.R. § 164.312) to reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of Covered Entity as required by the Security Rule. 

4.2. Privacy Rule Requirements. Except as expressly provided in the Underlying Agreement or this BAA, Business Associate will not assume any obligations of Covered Entity under the Privacy Rule. To the extent that Business Associate is to carry out any of Covered Entity’s obligations under the Privacy Rule as expressly provided in the Underlying Agreement or this BAA, Business Associate will comply with the requirements of the Privacy Rule that apply to Covered Entity in the performance of such obligations. 

4.3. Reporting of Improper Use or Disclosure, Security Incident, or Breach. 

a. Business Associate will report to Covered Entity any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI, or any Security Incident, without unreasonable delay, and in any event no more than ten (10) business days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below). “Unsuccessful Security Incidents” will include, but not be limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of PHI.

b. Business Associate’s notification to Covered Entity of a Breach will include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404. 

c. A Security Incident, for the purpose of this Section 4.3, does not include attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with Business Associate’s corporate information system (“non-PHI Information System”), as defined by Business Associate’s internal policies and procedures.

4.4. Subcontractors. In accordance with 45 C.F.R. § 164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), as applicable, Business Associate will enter into a written agreement with any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of Business Associate for services provided to Covered Entity, providing that the Subcontractor agrees to restrictions and conditions that are substantially similar to those that apply through this BAA to Business Associate with respect to such PHI. As part of this agreement, Business Associate will require any Subcontractor to whom it provides PHI to implement reasonable and appropriate safeguards to protect the PHI.

4.5. Access to PHI. To the extent Business Associate possesses PHI in a Designated Record Set, Business Associate agrees to make such information available to Covered Entity pursuant to 45 C.F.R. § 164.524 and 42 U.S.C. § 17935(e) within ten (10) business days of Business Associate’s receipt of a written request from Covered Entity; provided, however, that Business Associate is not required to provide such access where the PHI contained in a Designated Record Set is duplicative of the PHI contained in a Designated Record Set possessed by Covered Entity. If an Individual makes a request for access pursuant to 45 C.F.R. § 164.524 directly to Business Associate, or inquires about his or her right to access, Business Associate will either forward such request to Covered Entity or direct the Individual to Covered Entity.

4.6. Amendment of PHI. To the extent Business Associate possesses PHI in a Designated Record Set, Business Associate agrees to make such information available to Covered Entity for amendment pursuant to 45 C.F.R. § 164.526 within twenty (20) business days of Business Associate’s receipt of a written request from Covered Entity. If an Individual submits a written request for amendment pursuant to 45 C.F.R. § 164.526 directly to Business Associate, or inquires about his or her right to amendment, Business Associate will either forward such request to Covered Entity or direct the Individual to Covered Entity.

4.7. Documentation of Disclosures of PHI. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate will document, at a minimum, the following information (“Disclosure Information”): (i) the date of the disclosure; (ii) the name and, if known, the address of the recipient of the PHI; (iii) a brief description of the PHI disclosed; (iv) the purpose of the disclosure that includes an explanation of the basis for such disclosure; and (v) any additional information required under the HITECH Act and any implementing regulations.

4.8. Accounting of Disclosures of PHI. Business Associate agrees to provide to Covered Entity, within ten (10) business days of Business Associate’s receipt of a written request from Covered Entity, the Disclosure Information collected in accordance with Section 4.7 (Documentation of Disclosures of PHI) of this BAA, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and 42 U.S.C. § 17935(c). If the Individual submits a written request for an accounting of disclosures of PHI pursuant to 45 C.F.R. § 164.528 directly to Business Associate, or inquires about his or her right to an accounting, Business Associate will direct the Individual to Covered Entity.

4.9. Government Access to Records. Business Associate will make its internal practices, books, and records relating to the use and disclosure of PHI received from or created or received by Business Associate on behalf of, Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the Security Rule.

4.10. Mitigation. To the extent reasonable and practicable, Business Associate will cooperate with Covered Entity’s efforts, at Business Associate’s expense, to mitigate a harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate that is not permitted by this BAA. Business Associate shall reasonably cooperate with Covered Entity’s investigation, analysis, notification, and mitigation activities, at Covered Entity’s expense, if it is determined that the source of the Breach or Security Incident is Covered Entity.

4.11. Minimum Necessary. Business Associate will request, use, and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure, in accordance with 45 C.F.R. § 164.514(d), and any amendments thereto.

5. OBLIGATIONS OF COVERED ENTITY

5.1. Notice of Privacy Practices. Covered Entity will notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI. Covered Entity will provide such notice no later than fifteen (15) days prior to the effective date of the limitation.

5.2. Notification of Changes Regarding Individual Permission. Covered Entity will obtain any consent or authorization that may be required by the Privacy Rule, or applicable state law, prior to furnishing Business Associate with PHI. Covered Entity will notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI. Covered Entity will provide such notice no later than fifteen (15) days prior to the effective date of the change.

5.3. Notification of Restrictions to Use or Disclosure of PHI. Covered Entity will notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. Covered Entity will provide such notice no later than fifteen (15) days prior to the effective date of the restriction. If Business Associate reasonably believes that any restriction agreed to by Covered Entity pursuant to this Section may materially impair Business Associate’s ability to perform its obligations under the Underlying Agreement or this BAA, the Parties will mutually agree upon any necessary modification of Business Associate’s obligations under such agreements.

5.4. Permissible Requests by Covered Entity. Covered Entity will not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule, the Security Rule, or the HITECH Act if done by Covered Entity, except as permitted pursuant to the provisions of Section 3.2 (Additional Permitted Uses of PHI by Business Associate), Section 3.3 (Additional Permitted Disclosures of PHI by Business Associate), and Section 3.4 (Prohibited Uses and Disclosures of PHI by Business Associate) of this BAA.

5.5. Minimum Necessary Disclosure.  The Covered Entity shall provide to Business Associate only the “minimum necessary” PHI (as described in 45 C.F.R. § 164.502(b)) required for Business Associate to perform its obligations under the Underlying Agreement.

6. TERM AND TERMINATION

6.1. Term. The term of this BAA will commence as of the Effective Date and will terminate upon the effective date of termination of the Underlying Agreement. 

6.2. Termination for Cause. Upon either Party’s knowledge of a material breach by the other Party of this BAA, such Party may terminate this BAA immediately if cure is not possible. Otherwise, the non-breaching Party will provide written notice to the breaching Party detailing the nature of the breach and providing an opportunity to cure the breach within thirty (30) business days. Upon the expiration of such cure period, the non-breaching Party may terminate this BAA if the breaching Party has not cured the breach. A Party’s option to have cured a material breach of this BAA will not be construed as a waiver of any other rights such Party has under this BAA, by operation of law or in equity.

6.3. Effect of Termination. 

a. Return or Destruction of PHI. Except as provided in Section 6.3(b) (Protection of PHI that Cannot be Destroyed or Returned), upon termination of the Underlying Agreement or this BAA for any reason, Business Associate may destroy all PHI received from Covered Entity or created or received by Business Associate on behalf of Covered Entity within thirty (30) days from termination, or export PHI to Covered Entity within such timeframe at Covered Entity’s expense, and will retain no copies of the PHI. In any event, Business Associate will securely destroy PHI promptly after receiving a written request from Covered Entity. This provision will apply to PHI that is in the possession of Subcontractors or agents of Business Associate.

b. Protection of PHI that Cannot be Destroyed or Returned. If it is not feasible for Business Associate to return or destroy the PHI upon termination of this BAA (e.g., because ePHI has been integrated into a database maintained by Business Associate and removal from the database is burdensome or impossible, or PHI has been aggregated with other PHI in a manner that makes it infeasible to extract PHI received from Covered Entity), Business Associate will: (i) extend the protections of this BAA to such PHI and (ii) limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

7. MISCELLANEOUS TERMS

7.1. Cooperation in Investigations. The Parties acknowledge that certain breaches or violations of this BAA may result in litigation or investigations pursued by federal or state governmental authorities of the United States resulting in civil liability or criminal penalties. Each Party will cooperate in good faith in all respects with the other Party in connection with any request by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action, or other inquiry.

7.2. Notices. Any notices, requests, consents, demands, or other communications required or permitted under this BAA must be in writing and will be deemed to have been duly given either: (i) when delivered by hand; (ii) when delivered by a nationally recognized overnight courier service; (iii) three (3) business days after being sent by registered or certified mail, return receipt requested, postage prepaid; or (iv) when sent by email, provided that the sender receives confirmation of receipt (such as a read receipt or a written reply acknowledging receipt). Notices to Covered Entity shall be sent to the address specified in the Order Form. Notices to Business Associate shall be sent to the address indicated below. The Parties may update their notice addresses, email, or other contact information by giving written notice of such change to the other Party.

Notice to Business Associate:

Attention: Legal, Heads Up Health

4400 N Scottsdale Rd., Suite 9445, Scottsdale, Arizona, 85251

Email: legal@headsuphealth.com


7.3. Governing Law. This BAA is governed by, and will be construed in accordance with, the laws of the State that govern the Underlying Agreement. Any action relating to this BAA must be commenced within one (1) year after the date upon which the cause of action accrued.

7.4. Amendment. Except as may otherwise be specified in this BAA, this BAA may be modified, changed, or amended only by a written amendment mutually agreed to and signed by both Parties. The Parties agree to amend this BAA as required to comply with any changes in laws, rules, or regulations that affect the privacy and security of PHI and the Business Associate’s duties under the Underlying Agreement or this BAA. 

7.5. Assignment. Neither Party may assign this BAA without the prior written consent of the other Party, which will not be unreasonably withheld.

7.6. Waiver. A Party’s right to enforce a provision of this BAA may only be waived in a writing that refers explicitly to this BAA and that is signed by the Party against whom enforcement of such waiver is sought. Failure to enforce any provision of this BAA in any one instance will not be construed as a waiver of future performance of that provision, and the Party’s obligations under that provision will continue in full force and effect.

7.7. Order of Precedence. Any ambiguity in this BAA will be resolved to permit Business Associate to comply with the HIPAA Rules. If any express term of this BAA conflicts with the Underlying Agreement, then this BAA, if applicable, will control as to that term, but only to the extent of the express conflict. The Underlying Agreement will control in all other instances, including, without limitation, remedies, limitation of liability, limitation of remedies, warranties, disclaimer of warranties, governing law, venue, and relationship of the Parties.

7.8. Severability. If any portion of this BAA is found invalid or unenforceable, that term, provision, or Section will be enforced to the maximum extent permitted by law and the remainder of this BAA will remain in full force.

7.9. Survival. The termination or expiration of this Agreement will not relieve any Party of any previously accrued obligations or of any obligations which by their nature are intended to survive termination.

7.10. No Third-Party Beneficiaries. Nothing in this BAA shall be construed to give any person or entity other than the Parties any legal or equitable claim, right, or remedy. 

7.11. Section Headings. The Section headings contained in this BAA are provided for convenience of reference only and shall not be considered a part of this Agreement for purposes of interpreting or applying this Agreement and such Section headings do not define, limit, extend, explain, or describe the scope or extent of this Agreement or any of the terms or conditions.

7.12. Electronic Signatures. Electronic signatures or original signatures transmitted and received via facsimile or other electronic transmission of a scanned document (e.g., PDF or similar format) are true and valid signatures for all purposes under this Agreement and shall bind the Parties to the same extent as that of an original signature. By signing an Order Form or any other agreement that references, incorporates, or hyperlinks this BAA, signatures on such documents shall deem acceptance and signature on this BAA.