Business Associate Agreement
This Business Associate Agreement (this “Agreement”) is entered into by and among Client (herein “Covered Entity”) and Practis Inc. (herein “Business Associate”) in order to comply with 45 C.F.R. §164.502(e) and §164.504(e), governing protected health information (“PHI”) and also with respect to the American Recovery Investment Act of 2009 (“ARRA”) and business associates under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191), 42 U.S.C. Section 1320d, et. seq., and regulations promulgated thereunder, as amended from time to time (statute and regulations hereafter collectively referred to as “HIPAA”) [Covered Entity and Business Associate may be referred to herein individually as a “Party” or collectively as the “Parties”].Both parties agree that they will fully comply with ARRA and the regulations thereunder.
Obligations and Activities of Business Associate
Business Associate agrees to:
(a) Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law;
(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;
(c) Report to covered entity any unauthorized use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware no later than 60 days from the discovery of the breach;
(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information;
(e) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity’s obligations under 45 CFR 164.526;
(f) Maintain and make available the information required to provide an accounting of disclosures to the “covered entity” as necessary to satisfy covered entity’s obligations under 45 CFR 164.528;
(g) To the extent the business associate is to carry out one or more of covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and
(h) Shall make available to DHHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of,
Covered Entity for purposes of determining the Covered Entity’s or Business Associate’s compliance with HIPAA.
Uses and Disclosures by Business Associate
Use and Disclosure; Rights. Business associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164. Business Associate acknowledges that this Agreement does not in any manner grant Business Associate any greater rights than Covered Entity enjoys, nor shall it be deemed to permit or authorize Business Associate to use or further disclose PHI in a manner that would otherwise violate the requirements of HIPAA if done by Covered Entity.
Required or Permitted Uses. Business Associate does not provide access to systems or data to any third party. The Covered Entity is also notified to not provide access to their systems or data via SFTP or installed administrative utilities to any third party.
Safeguards; Location. Business Associate agrees to develop and use appropriate procedural, physical, and electronic safeguards to prevent misuse of PHI other than as provided by this Agreement. Business Associate agrees to notify Covered Entity of the location of any PHI disclosed by Covered Entity or created by Business Associate on behalf of Covered Entity and held by or under the control of Business Associate or those to whom Business Associate has disclosed such PHI.
Minimum Necessary. Business Associate must limit any use, disclosure, or request for use or disclosure to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request in accordance with the requirements of HIPAA. Business Associate represents that all uses, disclosures, and requests it will make shall be the minimum necessary in accordance with HIPAA requirements. Covered Entity may, pursuant to HIPAA, reasonably rely on any requested disclosure as the minimum necessary for the stated purpose when the information is requested by Business Associate.
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
Covered entity agrees to:
(a) Shall notify business associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect business associate’s use or disclosure of protected health information.
(b) Shall notify business associate of any restriction on the use or disclosure of protected health information that covered entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect business associate’s use or disclosure of protected health information.
Term and Termination
(a) Term. Business Associate acknowledges and agrees that Covered Entity shall have the right to immediately terminate this Agreement in the event Business Associate fails to comply with HIPAA requirements concerning PHI and the above requirements. This Agreement authorizes Covered Entity to terminate the Agreement, if Covered Entity determines, in its sole discretion, that Business Associate has violated a material term of the Agreement required by HIPAA.
(b) Termination for Cause. Business associate authorizes termination of this Agreement by covered entity, if covered entity determines business associate has violated a material term of the Agreement and business associate has not cured the breach or ended the violation within the time specified by covered entity.
(c) Obligations of Business Associate Upon Termination. Business Associate agrees that upon termination of this Agreement, and if feasible, Business Associate shall (a) return or destroy all PHI received from, or created or received by Business Associate on behalf of, Covered Entity that Business Associate still maintains in any form and retain no copies of such information or, (b) if such return or destruction is not feasible, extend the protection of this Agreement to such PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
Notices. All notices and other communications under this Agreement to any Party shall be in writing and shall be deemed given when delivered personally, telecopied (which is confirmed) to that Party at the telecopy number for that Party set forth at the end of this Agreement, mailed by certified mail (return receipt requested) to that Party at the address for that Party set forth at the end of this Agreement (or at such other address for such Party as such Party shall have specified in a notice to the other Parties), or delivered to Federal Express, UPS, or any similar express delivery service for delivery to that Party at that address.
Non-Waiver. No failure by any Party to insist upon strict compliance with any term or provision of this Agreement, to exercise any option, to enforce any right, or to seek any remedy upon any default of any other Party shall affect, or constitute a waiver of, any Party’s right to insist upon such strict compliance, exercise that option, enforce that right, or seek that remedy with respect to that default or any prior, contemporaneous, or subsequent default. No custom or practice of the Parties at variance with any provision of this Agreement shall affect or constitute a waiver of, any Party’s right to demand strict compliance with all provisions of this Agreement.
Entire Agreement. This Agreement constitutes the entire agreement and supersedes all prior agreements and understandings, written and oral, among the Parties with respect to the subject matter of this Agreement.
Binding Effect. This Agreement shall be binding upon, inure to the benefit of and be enforceable by and against the Parties and their respective heirs, personal representatives, successors, and assigns. Neither this Agreement nor any of the rights, interests or obligations under this Agreement shall be transferred or assigned by Business Associate without the prior written consent of Covered Entity.
Severability; Governing Law. With respect to any provision of this Agreement finally determined by a court of competent jurisdiction to be unenforceable, such court shall have jurisdiction to reform such provision so that it is enforceable to the maximum extent permitted by applicable law, and the Parties shall abide by such court’s determination. In the event that any provision of this Agreement cannot be reformed, such provision shall be deemed to be severed from this Agreement, but every other provision of this Agreement shall remain in full force and effect. This Agreement shall be governed by and construed in accordance with the laws of the State of North Carolina.
Survival. All representations, covenants, and agreements in or under this Agreement or any other documents executed in connection with the transactions contemplated by this Agreement, shall survive the execution, delivery, and performance of this Agreement and such other documents.
Further Assurances. Each Party shall execute, acknowledge or verify, and deliver any and all documents which may from time to time be reasonably requested by the other Party to carry out the purpose and intent of this Agreement.