BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("BAA") is made and entered into as of the dates written below, effective as of the date that the Covered Entity creates an account for services registered with the Business Associate ("Effective Date") by and between Noveltor, LLC ("Business Associate"), a limited liability company organized under the laws of the State of Florida and the holder of the account registered with the Business Associate ("Covered Entity") (each a "Party" and collectively the "Parties").
Covered Entity is either a "covered entity" or "business associate" of a covered entity, as each are defined under the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the HITECH Act (as defined below) and the related regulations promulgated by HHS (as defined below) (collectively, "HIPAA") and, as such, is required to comply with HIPAA's provisions regarding the confidentiality and privacy of Protected Health Information;
The Parties have entered into or will enter into one or more agreements under which Business Associate provides or will provide certain specified services to Covered Entity (collectively, the "Services Agreement");
In providing services pursuant to the Services Agreement, Business Associate will have access to Protected Health Information;
By providing the services pursuant to the Services Agreement, Business Associate will become a "business associate" of the Covered Entity, as such term is defined under HIPAA;
Both Parties are committed to complying with all federal and state laws governing the confidentiality and privacy of health information, including but not limited to the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the "Privacy Rule"); and
Both Parties intend to protect the privacy and provide for the security of Protected Health Information disclosed to Business Associate pursuant to the terms of the BAA, HIPAA, and other applicable laws.
In consideration of the mutual covenants and conditions contained in the BAA, the Parties agree as follows:
1. Definitions. As used in the BAA:
A. "Affiliate" means a subsidiary or partner of Covered Entity that is, or has been, considered a covered entity, as defined by HIPAA.
B. "Breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, as defined in 45 CFR §164.402.
C. "Breach Notification Rule" means the portion of HIPAA set forth in Subpart D of 45 CFR Part 164.
D. "Business Associate" has the meaning given in 45 CFR § 160.103.
E. "Data Aggregation" means, with respect to PHI created or received by Business Associate in its capacity as the "business associate" under HIPAA of Covered Entity, the combining of such PHI by Business Associate with the PHI received by Business Associate in its capacity as a business associate of one or more other "covered entities" under HIPAA, to permit data analyses that relate to the Health Care Operations of the respective covered entities. The meaning of "data aggregation" in the BAA shall be consistent with the meaning given to that term in the Privacy Rule.
F. "Designated Record Set" has the meaning given in the Privacy Rule, including 45 CFR §164.501.B.
G. "De-Identify" means alter the PHI such that the resulting information meets the requirements described in 45 CFR §§164.514(a) and (b).
H. "Electronic PHI" means any PHI maintained in or transmitted by electronic media as defined in 45 CFR §160.103.
I. "Health Care Operations" has the meaning given in 45 CFR §164.501.
J. "HHS" means the U.S. Department of Health and Human Services.
K. "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, Public Law 111-005.
L. "Individual" has the same meaning given to that term in 45 CFR §§164.501 and 160.130 and includes a person who qualifies as a personal representative in accordance with 45 CFR §164.502(g).
M. "Privacy Rule" means that portion of HIPAA set forth in 45 CFR Part 160 and Part 164, Subparts A and E.
N. "Protected Health Information" or "PHI" has the meaning given to the term "protected health information" in 45 CFR §§164.501 and 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
O. "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
P. "Security Rule" means the Security Standards for the Protection of Electronic Health Information provided in 45 CFR Part 160 & Part 164, Subparts A and C.
Q. "Unsecured Protected Health Information" or "Unsecured PHI" means any "protected health information" as defined in 45 CFR §§164.501 and 160.103 that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS Secretary in the guidance issued pursuant to the HITECH Act and codified at 42 USC §17932(h).
2. Use and Disclosure of PHI.
A. Except as otherwise provided in the BAA, Business Associate may use or disclose PHI as reasonably necessary to provide the services described in the BAA to Covered Entity and to undertake other activities of Business Associate permitted or required of Business Associate by the BAA or as required by law.
B. Except as otherwise limited by the BAA or federal or state law, Covered Entity authorizes Business Associate to use the PHI in its possession for the proper management and administration of Business Associate's business and to carry out its legal responsibilities. Business Associate may disclose PHI for its proper management and administration, provided that (i) the disclosures are required by law; or (ii) Business Associate obtains, in writing, prior to making any disclosure to a third party (a) reasonable assurances from this third party that the PHI shall be held confidential as provided under the BAA and used or further disclosed only as required by law or for the purpose for which it was disclosed to this third party and (b) an agreement from the third party to notify Business Associate immediately of any known breaches of the confidentiality of the PHI.
C. Business Associate shall not use or disclose PHI in a manner other than as provided in the BAA, as permitted under the Privacy Rule, or as required by law. Business Associate shall use or disclose PHI, to the extent practicable, as a limited data set or limited to the minimum necessary amount of PHI to carry out the intended purpose of the use or disclosure, in accordance with Section 13405(b) of the HITECH Act (codified at 42 USC §17935(b)) and any of the act's implementing regulations adopted by HHS, for each use or disclosure of PHI.
D. Upon request, Business Associate shall make available to Covered Entity any of Covered Entity's PHI that Business Associate or any of its agents or subcontractors have in their possession.
E. Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
3. Safeguards Against Misuse of PHI. Business Associate shall use appropriate safeguards to prevent the use or disclosure of PHI other than as provided by the Services Agreement or the BAA, and Business Associate agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of Covered Entity. Business Associate agrees to take reasonable steps, including providing adequate training to its employees, to ensure compliance with the BAA and to ensure that the actions or omissions of its employees or agents do not cause Business Associate to breach the terms of the BAA.
4. Reporting Disclosures of PHI and Security Incidents. Business Associate shall report to Covered Entity in writing any use or disclosure of PHI not provided for by the BAA of which it becomes aware, and Business Associate shall report to Covered Entity any Security Incident affecting Electronic PHI of Covered Entity of which it becomes aware. Business Associate shall report any such event within five business days of becoming aware of the event.
5. Reporting Breaches of Unsecured PHI. Business Associate shall notify Covered Entity in writing promptly upon the discovery of any Breach of Unsecured PHI in accordance with the requirements set forth in 45 CFR §164.410, but in no case later than 30 calendar days after discovery of a Breach. Business Associate shall reimburse Covered Entity for any costs incurred by it in complying with the requirements of Subpart D of 45 CFR §164 that are imposed on Covered Entity as a result of a Breach committed by Business Associate.
6. Mitigation of Disclosures of PHI. Business Associate shall take reasonable measures to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of any use or disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of the BAA.
7. Agreements with Agents or Subcontractors. Business Associate shall ensure that any of its agents or subcontractors that have access to or to which Business Associate provides PHI agree in writing to the restrictions and conditions concerning uses and disclosures of PHI contained in the BAA and agree to implement reasonable and appropriate safeguards to protect any Electronic PHI that it creates, receives, maintains, or transmits on behalf of Business Associate or, through the Business Associate, Covered Entity. Business Associate shall notify Covered Entity or upstream Business Associate of all subcontracts and agreements relating to the Services Agreement, where the subcontractor or agent receives PHI as described in section 1.M. of the BAA. Such notification shall occur within 30 (thirty) calendar days of the execution of the subcontract by placement of such notice on the Business Associate's primary website. Business Associate shall ensure that all subcontracts and agreements provide the same level of privacy and security as required by the BAA.
8. Audit Report. Upon request, Business Associate shall provide Covered Entity or upstream Business Associate with a copy of its most recent independent HIPAA compliance report (AT-C 315), HITRUST certification, or proof of other mutually agreed upon independent standards-based third-party audit report. Covered Entity agrees not to re-disclose Business Associate's audit report.
9. Access to PHI by Individuals.
A. Upon request, Business Associate shall furnish Covered Entity with copies of the PHI maintained by Business Associate in a Designated Record Set in the time and manner designated by Covered Entity to enable Covered Entity to respond to an Individual's request for access to PHI under 45 CFR §164.524.
B. If any Individual or personal representative requests access to the Individual's PHI directly from Business Associate, Business Associate shall, within ten business days, give written notice to Covered Entity. Any disclosure of or decision not to disclose the PHI requested by an Individual or a personal representative and compliance with the requirements applicable to an Individual's right to obtain access to PHI shall be the sole responsibility of Covered Entity.
10. Amendment of PHI.
A. Upon request and instruction from Covered Entity, Business Associate shall amend PHI or a record about an Individual in a Designated Record Set that is maintained by or otherwise within the possession of Business Associate as directed by Covered Entity, in accordance with procedures established by 45 CFR §164.526. Business Associate shall complete any amendment of such information within 15 business days of Covered Entity's request therefor.
B. If any Individual requests that Business Associate amend such Individual's PHI or record in a Designated Record Set, Business Associate within ten business days of such request shall forward this request to Covered Entity. Any amendment of or decision not to amend the PHI or record as requested by an Individual and compliance with the requirements applicable to an Individual's right to request an amendment of PHI shall be the sole responsibility of Covered Entity.
11. Accounting of Disclosures.
A. Business Associate shall document any disclosures of PHI made by it to account for such disclosures as required by 45 CFR §164.528(a). Business Associate shall make available information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosures in accordance with 45 CFR §164.528. At a minimum, Business Associate shall furnish Covered Entity the following with respect to any covered disclosures by Business Associate: (i) the date of disclosure of PHI; (ii) the name of the entity or person who received PHI, and, if known, the address of such entity or person; (iii) a brief description of the PHI disclosed; and (iv) a brief statement of the purpose of the disclosure that includes the basis for such disclosure.
B. Business Associate shall furnish to Covered Entity information collected in accordance with this Section 11 within ten business days after written request by Covered Entity, to permit Covered Entity to make an accounting of disclosures as required by 45 CFR §164.528. If Covered Entity elects to provide an Individual with a list of its business associates, Business Associate shall provide an accounting of its disclosures of PHI upon request of the Individual, if and to the extent that such accounting is required under the HITECH Act or under HHS regulations adopted in connection with the HITECH Act.
C. In the event an Individual delivers the initial request for an accounting directly to Business Associate, Business Associate will within ten business days forward such request to Covered Entity.
12. Availability of Books and Records. Business Associate shall make available its internal practices, books, agreements, records, and policies and procedures relating to the use and disclosure of PHI, upon request, to the Secretary of HHS for purposes of determining Covered Entity's and Business Associate's compliance with HIPAA and the BAA.
13. Responsibilities of Covered Entity. With regard to the use and/or disclosure of Protected Health Information by Business Associate, Covered Entity shall:
A. Notify Business Associate of any limitation(s) in its notice of privacy practices in accordance with 45 CFR §164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI;
B. Notify Business Associate of any changes in or revocation of permission by an Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of PHI;
C. Notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR §164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI;
D. Except for data aggregation or management and administrative activities of Business Associate, Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible for Covered Entity to use or disclose under HIPAA.
14. Data Ownership. Business Associate's data stewardship shall not confer data ownership rights on Business Associate with respect to any data shared with it under the Services Agreement, including any and all forms thereof.
15. Term and Termination.
A. The BAA is effective as of the Effective Date and will continue in effect until all obligations of the Parties have been met under the Services Agreement and under the BAA.
B. Covered Entity may terminate the BAA, the Services Agreement, and any other related agreements if Covered Entity makes a determination that Business Associate has breached a material term of the BAA and Business Associate has failed to cure that material breach to Covered Entity's reasonable satisfaction within 30 days after written notice from Covered Entity to Business Associate of such breach. Covered Entity may report the problem to the Secretary of HHS if termination is not feasible.
C. Business Associate may terminate the BAA, the Services Agreement, and any other related agreements if Business Associate makes a determination that Covered Entity has breached a material term of the BAA and Covered Entity has failed to cure that material breach to Business Associate's reasonable satisfaction within 30 days after written notice from Business Associate to Covered Entity of such breach. Covered Entity may report the problem to the Secretary of HHS if termination is not feasible.
D. Upon termination of the BAA for any reason, Business Associate shall return to Covered Entity or destroy all PHI maintained by Business Associate, and Business Associate shall not retain any copies of such information. This provision shall apply to PHI in the possession of Business Associate's agents and subcontractors. If return or destruction of the PHI is not feasible in Business Associate's reasonable judgment, Business Associate shall furnish Covered Entity with written notification of the conditions that make return or destruction infeasible. In such event, Business Associate shall extend the protections of the BAA to such information for as long as Business Associate retains such information and shall limit further uses and disclosures to those purposes that make the return or destruction of the information not feasible. The Parties understand that this Section 14.D. survives any termination of the BAA.
16. Effect of BAA.
A. The BAA is a part of and subject to the terms of the Services Agreement, except that to the extent any terms of the BAA conflict with any term of the Services Agreement, the terms of the BAA will govern.
B. Except as expressly stated in the BAA or as provided by law, the BAA does not create any rights in favor of any third party.
17. Regulatory References. A reference in the BAA to a section in HIPAA means the section as in effect or as amended at the time.
18. Notices. All notices, requests, and demands or other communications to be given under the BAA to the Covered Entity will be made via either first class mail, registered or certified or express courier, or electronic mail to the Covered Entity's mailing or e-mail address provided within the Covered Entity's account registered with the Business Associate. All notices, requests, and demands or other communications to be given under the BAA to the Business Associate will be made via either first class mail, registered or certified or express courier, or electronic mail to email@example.com or 642 N Madison St, Bloomington, IN, 47404, USA. The Covered Entity shall maintain an accurate and functioning mailing and e-mail address either by updating their mailing and e-mail address within the Covered Entity's account registered with the Business Associate or by notifying the Business Associate directly.
E. Amendments and Waiver. The BAA may not be modified, nor will any provision be waived or amended, except in writing duly signed by the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events.
F. HITECH Act Compliance. The Parties acknowledge that the HITECH Act includes significant changes to the Privacy Rule and the Security Rule, that the privacy subtitle of the HITECH Act sets forth provisions that significantly change the requirements for business associates and the agreements between business associates and covered entities under HIPAA, and that these changes may be further clarified in forthcoming regulations and guidance. Each Party shall comply with the applicable provisions of the HITECH Act and any HHS regulations issued with respect to the HITECH Act. The Parties shall negotiate in good faith to modify the BAA as reasonably necessary to comply with the HITECH Act and its regulations as they become effective, but, if the Parties are unable to reach agreement on such a modification, either Party may terminate the BAA upon 30 days' written notice to the other Party.
G. Governing Law. The BAA, the Services Agreement, and any other related agreements shall be governed by and construed in accordance with the internal laws of the State of Indiana without giving effect to any choice or conflict of law provision or rule (whether of the State of Indiana or any other jurisdiction).
H. Alternative Dispute Resolution. The Parties shall submit any dispute arising out of or related to the BAA, the Services Agreement, or any other related agreements to the American Arbitration Association in accordance with its Commercial Arbitration Rules and proceed with mediation in a good faith effort to resolve the dispute prior to filing any litigation.
I. Forum Selection. Any litigation brought by a Party arising out of or related to the BAA, the Services Agreement, or any other related agreements shall be brought in a court of competent jurisdiction in the United States District Court for the Southern District of Indiana.