This Business Associate Agreement (the “Agreement”) is effective upon download, and is made by and between PracticeMojo customer (“Covered Entity”) and PRACTICE MOJO (Business Associate).“Covered Entity” and “Business Associate” are, at times, hereinafter referred to jointly as the “Parties”).
WHEREAS, Covered Entity and Business Associate are required to comply with the HIPAA Privacy Rule, the HIPAA Security Rule, the HITECH Act and its implementing regulations (collectively, the “HIPAA Regulations”);
WHEREAS, Business Associate provides certain services to Covered Entity pursuant to the service agreement between the Parties (the “Service Agreement”);
WHEREAS, in connection with Business Associate’s performance of services for Covered Entity, Business Associate will create and/or receive health information related to an Individual that constitutes Protected Health Information within the meaning of the HIPAA Regulations;
WHEREAS, this Agreement is intended to ensure that Business Associate will establish and implement safeguards for such PHI consistent with the HIPAA Regulations;
NOW THEREFORE, in consideration of the mutual promises and obligations set forth below, the adequacy and sufficiency of which hereby are acknowledged, the Parties agree as follows:
C.F.R. means the Code of Federal Regulations. A reference to a C.F.R. section means that section as amended from time to time; provided that if future amendments change the designation of a section referred to herein, or transfer a substantive regulatory provision referred to herein to a different section, the section references herein shall be deemed to be amended accordingly.
Designated Record Set means records, if any, created, received, or maintained by Business Associate for Covered Entity which Business Associate or Covered Entity uses, in whole or in part, to make decisions about an Individual, including, but not limited to, records related to enrollment, contributions, claims processing, and claims payment.
Discover, with respect to a Security Breach, means knowledge by any member of Business Associate’s workforce (as defined in 45 C.F.R. 160.103) — other than the person responsible for the Security Breach — that the Security Breach has occurred.
HIPAA Privacy Rule means the Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. Parts 160 and 164, Subparts A and E, as authorized by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HIPAA Security Rule means the Security Standards for Protected Health Information, codified at 45 C.F.R. pts. 160, 162, and 164, as authorized by HIPAA.
HITECH Act means the Health Information Technology for Economic and Clinical Health Act, codified at 42 U.S.C. §§17931-17953.
Individual means a person who is the subject of Covered Entity’s protected health information.
Limited Data Set means PHI that excludes the following direct identifiers of the individual and of relatives, employers, or household members of the individual: (i) names; (ii) postal address information, other than town or city, State, and zip code; (iii) telephone numbers; (iv) fax numbers; (v) electronic mail addresses; (vi) Social Security numbers; (vii) medical record numbers; (viii) health plan beneficiary numbers; (ix) account numbers; (x) certificate/license numbers; (xi) vehicle identifiers and serial numbers, including license plate numbers; (xii) device identifiers and serial numbers; (xiii) web Universal Resource Locators (URLs); (xiv) Internet Protocol (IP) address numbers; (xv) biometric identifiers, including finger and voice prints; and (xvi) full face photographic images and any comparable images.
Protected Health Information or PHI means any information related to an Individual’s past, present, or future physical or mental health condition, any treatment for that condition, and any payment for that treatment which information identifies the Individual or could reasonably be used to identify the Individual.
Required By Law means that a mandate contained in law, including a statute, regulation, court order, or subpoena, and that is enforceable in a court of law compels the use or disclosure of PHI.
Secretary means the Secretary of the U.S. Department of Health and Human Services and his designees.
Security Breach means (i) the unauthorized access to, or acquisition, use, disclosure, modification or destruction, of Covered Entity’s unsecured PHI, whether in paper or electronic form; that compromises the or (ii) the successful interference with system operations in an information system containing Covered Entity’s PHI. The term does not include (1) disclosure of PHI to an unauthorized person in circumstances where that person would not reasonably have been able to retain the information; or (2) good faith unintentional access to, or acquisition or use of, PHI by Business Associate’s employees, agents or subcontractors in the course of such person’s performance of services authorized by the Service Agreement provided that such PHI is not further accessed, acquired, used, or disclosed by any person.
Unsecured PHI means all PHI except (1) PHI in electronic form that is encrypted consistent with regulations promulgated by HHS, or that has been subject to disposal in a manner that renders the information irretrievable, or (2) PHI in paper form that has been shredded, burned or otherwise rendered irrecoverable.
Services Provided. Business Associate agrees to create, use, maintain, receive and disclose PHI: (1) only to the minimum extent necessary to provide the services described in the Service Agreement; (2) only in a manner that is consistent with the HIPAA Privacy, the HIPAA Security Rules, the HITECH Act, and applicable state law (unless preempted by the HIPAA); and (3) consistent with the “minimum necessary” standard in 45 C.F.R. pt. 164.502(b). Business Associate agrees not to use or further disclose PHI other than as permitted or required by this Agreement or by applicable law.
Proper Management And Administration Of Business Associate.
Business Associate may use PHI for its own proper management and administration or to carry out its legal responsibilities.
Business Associate may disclose PHI for its own proper management and administration, or to carry out its legal responsibilities, if (a) the disclosure is Required By Law, or (b) Business Associate ensures that the person or entity to whom PHI is disclosed under this paragraph will (i) maintain the confidentiality of the information disclosed, (ii) use or further disclose such information only as Required By Law or for the purpose for which it was disclosed to such person, and (iii) immediately notify Business Associate of any compromise of the confidentiality of the information.
Data Aggregation Services. Service Provider may use PHI to provide Data Aggregation Services to Covered Entity as permitted by 45 C.F.R. pt. 164.504(e)(2)(i)(B).
De-Identification Of PHI. Service Provider may use PHI to de-identify that information in accordance with the HIPAA Privacy Rule. De-identified information is not PHI and is not subject to this Agreement. Service Provider, or a related entity, may use De-Identified Information for research, to create comparative databases, to conduct statistical analysis, and to perform other studies.
Minimum Necessary. Whenever practicable, Business Associate will limit its use or disclosure of, or requests for, PHI to the Limited Data Set. If such limitation is not practicable, Business Associate will limit its use or disclosure of, or its requests for, PHI to the minimum necessary to accomplish the purpose of such use, disclosure, or request. This provision does not apply to the following: (1) disclosures of PHI to the individual, (2) uses or disclosures of PHI pursuant to an authorization executed by the individual or the individual’s personal representative, (3) disclosures of PHI made to the Secretary, (4) uses or disclosures of PHI that are required by law, or (5) uses or disclosures of PHI that are required for compliance with HIPAA or its implementing regulations. In the event that the Secretary issues final regulations defining what constitutes “minimum necessary,” the definition of minimum necessary contained in such final regulations shall supersede and replace this provision.
Prohibited Conduct: Except as permitted by the HITECH Act (42 U.S.C. §17935(d)) or pursuant to a HIPAA-compliant authorization obtained by Covered Entity from the Indicial, Business Associate will not receive, directly or indirectly, any remuneration in exchange for any of the Individual’s PHI. Business Associate will not use any Individual’s PHI for marketing or research purposes (as those terms are defined by the HIPAA Privacy Rule) without Covered Entity’s prior, written approval and without obtaining all required authorizations from the Individual.
Genetic Information: Business Associate will not use or disclose PHI that is “genetic information” (as defined by 42 U.S.C. §300gg-91) for underwriting purposes in accordance with 42 U.S.C. §1320d-9(a)(2).
Requests By An Individual Directed To Business Associate. Business Associate shall refer to Covered Entity, within three business days of receipt, any request received by Business Associate directly from an Individual for access to PHI, to amend PHI, or for an accounting of disclosures of PHI. Business Associate shall await instructions from Covered Entity before acting upon any request received directly from an Individual.
Individual’s Access To PHI. Within ten business days of receiving a request from Covered Entity, Business Associate will make PHI maintained in a Designated Record Set available to, or as directed by, Covered Entity, to enable Covered Entity to comply with 45 C.F.R. pt. 164.524 in connection with an Individual’s request for access to PHI. In the event Business Associate maintains an Electronic Health Record (as defined in the HITECH Act) with respect to an individual’s PHI, Business Associate will comply, within ten business days, with (1) a request by Covered Entity or the Individual for a copy of such PHI in electronic form, and (2) a clear, conspicuous, and specific request by the Individual to transmit the PHI directly to a third party designated by the Individual. The charge for any such copy shall not exceed Business Associate’s labor costs in responding to the requests for the copy.
Amendment Of PHI. Within ten business days of receiving a request from Covered Entity, Business Associate will take all steps necessary to effectuate the amendment of PHI and as otherwise necessary to enable Covered Entity to comply with 45 C.F.R. pt. 164.526 in connection with an Individual’s request to amend PHI.
Recording Disclosures Of PHI. For each of Business Associate’s disclosures of an Individual’s PHI, other than “excepted disclosures” (defined below), Business Associate shall maintain at least the following information:
Business Associate shall be responsible for implementing, at its sole expense, a system for recording the above-stated information for each disclosure and for maintaining that information for six years from the date of the disclosure. “Excepted disclosures” include the following: (1) disclosures for “treatment,” “payment,” or “health care operations” as those terms are defined in the HIPAA Privacy Rule (unless its business associate maintains an Electronic Health Record with respect to the Individual in which case documentation of such disclosures will be retained for three years from the date of disclosure); (2) incidental disclosures; (3) disclosures to an Individual of PHI about the Individual; (4) disclosures with an Individual’s authorization pursuant to 45 C.F.R. pt. 164.508; (5) disclosures for national security and intelligence purposes; and (6) disclosures made more than six years before the date of the request. In the event Business Associate uses or maintains an electronic health record with respect to an Individual’s PHI, “excepted disclosures” shall not include disclosures for treatment, payment or health care operations made less than three years before the date of the request for an accounting.
Accountings Of Disclosures Of PHI. Within ten business days of receiving a request from Covered Entity, Business Associate will provide Covered Entity with all information in Business Associate’s possession — including, but not necessarily limited to, the information described in paragraph III.E, above — necessary to enable Covered Entity to comply with 45 C.F.R. pt. 164.528 in connection with an Individual’s request for an accounting of disclosures of PHI. In the event Business Associate uses or maintains an Electronic Health Record with respect to an Individual’s PHI, any accounting provided pursuant to the Agreement shall include disclosures for “treatment,” “payment,” and “health care operations” (as defined in 45 C.F.R. pt. 164.501) made less than three years before the date of the request for an accounting.
Demands To Produce PHI Directed To Business Associate. Business Associate shall (1) immediately notify Covered Entity of any judicial or administrative order, subpoena, civil discovery request or other legal process requiring or requesting that Business Associate produce PHI, and (2) before responding to any such request, permit Covered Entity adequate time to exercise its legal options to prohibit or limit disclosure of PHI.
Safeguards. Business Associate shall implement technical, physical, and administrative safeguards for PHI — that are appropriate to Business Associates’ size, the complexity of its operations and the nature and scope of its activities — to protect against reasonably foreseeable risks to the security, confidentiality and integrity of PHI which risks could result in the unauthorized disclosure, use, alteration, destruction or other compromise of PHI. Business Associate represents and warrants that, with respect to electronic PHI, that it will fully comply with the requirements contained in parts 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures) of the HIPAA Security Rule.
Business Associate’s Agents And Subcontractors. Business Associate will not disclose PHI to any agent or subcontractor except as permitted by this Agreement. Business Associate shall obtain reasonable assurances in writing from any agent or subcontractor to whom Business Associate discloses PHI, or who creates or receives PHI on Business Associate’s behalf, that the agent or subcontractor (i) will comply with the restrictions and conditions on the use and disclosure of PHI which this Agreement imposes on Business Associate, (ii) will implement reasonable and appropriate safeguards to protect Covered Entity’s PHI received from Business Associate, and (iii) will promptly notify Business Associate of any Security Breach involving Covered Entity’s PHI.
Reporting A Security Breach. Business Associate shall report to Covered Entity any Security Breach, whether involving PHI in electronic or paper form, which Business Associate discovers, regardless of whether the Security Breach results from the acts or omissions of Business Associate or its agents or subcontractors. Business Associate will make such report orally to Covered Entity within five business days of Business Associate’s discovery of the Security Breach, or of any incident which might, upon further investigation, constitute a Security Breach, followed by a report in writing (facsimile or e-mail is acceptable) within ten business days of the initial oral report. The written report shall include, at a minimum subject to the availability of necessary information, the following: (1) a description of the incident, (2) the date the incident occurred, (3) the date the incident was discovered, (4) the identity and last known mailing address of affected Individuals, (5) the affected categories of information for each affected Individual, (6) a description of the steps taken to mitigate the incident, (7) an identification of any law enforcement agency that has been contacted about the incident and contact information for the relevant official, (8) a description of the steps that have been, or will be, taken to mitigate the incident, and (9) a description of the steps that have been, or will be, taken to prevent a recurrence . Business Associate will update the written report periodically as material, new information becomes available.
Except upon request of Covered Entity, Business Associate is not required to report to Covered Entity any unsuccessful interference with Business Associate’s information systems that affects Covered Entity’s electronic PHI, provided however, that Business Associate shall document and maintain records of such unsuccessful incidents so that Business Associate will be able to provide a report in response to Covered Entity’s request.
Mitigation Of Damages By Business Associate And Cooperation In Investigation. Business Associate agrees to take measures reasonably necessary to mitigate any harmful effect of a Security Breach. Business Associate agrees to cooperate with Covered Entity in its investigation of any Security Breach.
Internal Practices. Business Associate agrees to make its internal practices, books, and records, including, but not limited to, policies and procedures and information relating to the use and disclosure of PHI, available in response to the Secretary’s written request or a subpoena so that the Secretary may evaluate Covered Entity’s compliance with the HIPAA Privacy Rule or the HIPAA Security Rule. Such access or production of information shall be made within the time frame established by the Secretary, or any agreed-to extension thereof. Business Associate shall notify Covered Entity of any such request by the Secretary within three business days of receiving the request.
Notice Of Privacy Practices. Covered Entity will, upon Business Associate’s request, provide Business Associate with the notice of privacy practices (“Notice”) applicable to Covered Entity under 45 C.F.R. pt. 164.520 and with any changes to the Notice that may affect Business Associate’s use or disclosure of PHI. Business Associate shall act promptly upon notification of such changes to ensure that its uses and disclosures of PHI comply with the Notice and that its own internal policies and procedures comply with the Notice as well.
Notice Of Changes In, Or Revocations Of, Authorizations. Covered Entity shall notify Business Associate of any changes in, or revocation of, an Individual’s authorization to use or disclose PHI to the extent the change may affect Business Associate’s use or disclosure of PHI. Business Associate shall act promptly upon notification of any such change to ensure that its uses and disclosures of PHI comply with the change.
Notice Of Restrictions. Covered Entity shall notify Business Associate of any restriction upon the use or disclosure of PHI to which Covered Entity has agreed in accordance with 45 C.F.R. pt. 164.522 to the extent the restriction may relate to PHI used or disclosed by Business Associate. Business Associate shall act promptly upon notification of any such restriction to ensure that its uses and disclosures of PHI comply with the restriction. If such restriction materially increases Business Associate’s costs of providing services under the Service Agreement, Covered Entity shall reimburse Business Associate for such increased costs.
Minimum Necessary: Covered Entity shall provide to Business Associate only the minimum PHI necessary for Business Associate to provides services under the Service Agreement.
Plan Amendments. Covered Entity represents and warrants that: (a) it has amended its plan documents, in accordance with 45 C.F.R. § 164.504(f), or otherwise included the provisions required by that regulation in the plan document so as to allow Covered Entity to receive PHI; (b) it has, in the case of a plan amendment, received a certification from Plan Sponsor in accordance with 45 C.F.R. § 164.504(f)(2)(ii); (d) it will provide a copy of such certification to Business Associate upon request; and (e) the amendments to the plan document, or the plan document itself, permit Covered Entity to receive PHI. Covered Entity shall ensure that only employees authorized to access PHI under the plan amendment or the plan document will have access to PHI disclosed by Business Associate to Plan Sponsor.
Term. This Agreement shall become effective on the effective date stated on page 1, above. This Agreement shall remain in effect until termination of the Service Agreement, unless terminated sooner pursuant to paragraph VI.B, below.
Termination. Notwithstanding anything in the Service Agreement to the contrary, upon becoming aware of a material breach of this Agreement , the non-breaching party may elect, in its sole and absolute discretion (1) to terminate this Agreement and the Service Agreement immediately, or (2) to provide the breaching party an opportunity to cure the breach. For purposes of this Agreement, “material breach” shall include, but is not limited to, the occurrence of any successful Security Breach. If the non-breaching party elects to provide the breaching party with an opportunity to cure and the breaching party fails to do so within the time specified by the non-breaching party, the Service Agreement and this Agreement shall terminate on the deadline for curing the breach. If neither termination nor cure is feasible, the non-breaching party will report the breach to the Secretary.
Return Or Destruction Of PHI. Within fifteen business days of the termination of this Agreement, Business Associate shall return to Covered Entity, or destroy, all PHI that is in Business Associate’s possession which PHI Business Associate created or received pursuant to the Service Agreement unless paragraph VI.D, below, applies. If Business Associate destroys PHI, it will do so in a manner which ensures that recovery of the PHI would be impracticable.
Business Associate’s Retention Of PHI. If Business Associate notifies Covered Entity of the conditions which make return or destruction of PHI as required by paragraph VI.C, above, infeasible, Business Associate agrees that, with respect to the PHI for which compliance with paragraph VI.C has been excused, Business Associate will extend the protections of this Agreement to the retained PHI and limit further uses and disclosures of the retained PHI to those purposes which make return or destruction commercially impracticable, for as long as Business Associate maintains such PHI.
Survival. Business Associate’s obligations and duties under this Agreement with respect to PHI received or created by Business Associate while performing under the Service Agreement, or on Business Associate’s behalf, shall survive the termination of the Service Agreement and of this Agreement and shall continue for as long as that PHI remains in the possession of Business Associate.
Except as otherwise stated in this Agreement, any notices or information required, or permitted to be provided, by this Agreement, including any notice concerning a Security Breach, shall be given in writing (except where oral notice is expressly permitted) as follows:
Construction. The Service Agreement and this Agreement shall be interpreted to permit the Parties to comply with HIPAA, the HIPAA Privacy Rule and the HIPAA Security Rule.
Cooperation. Business Associate shall make itself, and any employees, agents, or subcontractors assisting Business Associate in performing its obligations under this Agreement available to Covered Entity as witnesses, or otherwise, in the event civil litigation, administrative proceedings, or criminal prosecution are commenced against Covered Entity, its directors, officers, or employees based upon alleged violations of the HIPAA Privacy Rule, the HIPAA Security Rule, or other laws relating to privacy or security, except where Business Associate, its employees, agents, or subcontractors is an adverse party.
Relationship To Service Agreement. In the event of any inconsistency between the terms of this Agreement and the terms of the Service Agreement, the terms of this Agreement shall control any matter falling within the scope of this Agreement.
Indemnification. Business Associate shall defend and indemnify Covered Entity, its parent and subsidiary corporations, officers, directors, employees and agents for any and all claims, inquiries, investigations, costs, reasonable attorneys’ fees, monetary penalties, and damages incurred by them arising out of any material breach of this Agreement by Business Associate.
Covered Entity shall defend and indemnify Business Associate and its representatives for any and all claims, inquiries, investigations, costs, reasonable attorneys’ fees, monetary penalties, and damages incurred by Business Associate and its representatives as a result of any breach of this Agreement by Covered Entity.
This paragraph VIII.D shall survive the termination of this Agreement.
Modification. This Agreement may be modified only by a writing signed by the Parties. The Parties agree to amend this Agreement and/or the Service Agreement from time to time as may be necessary to permit Covered Entity to remain in compliance with the HIPAA Privacy Rule and the HIPAA Security Rule.
Waiver. No provision of this Agreement, or any breach thereof, shall be deemed waived unless such waiver is in writing and signed by the party claimed to have waived such provision or breach. No waiver of a breach shall waive or excuse any different or subsequent breach.
Assignment. This Agreement may not be assigned without the consent of all parties to this Agreement.
Severability. Any provision of this Agreement that is determined to be invalid or unenforceable will be ineffective to the extent of such determination without invalidating the remaining provisions of this Agreement or affecting the validity or enforceability of the Agreement’s remaining provisions.
No Third-Party Beneficiaries. No third parry shall be considered a third-party beneficiary under this Agreement, nor shall any third party have any rights as a result of this Agreement.
Governing Law, Jurisdiction And Venue. Any provision of this Agreement not governed by HIPAA or other federal law shall be governed by, and interpreted in accordance with, the laws of the State of Arizona, excluding its conflict of laws provisions. Jurisdiction for any dispute relating to this Agreement shall exclusively rest with the courts in the State of Arizona. Venue shall be proper only in the United States District Court for the District of Arizona or in the Maricopa County District Court
Nature Of Agreement. Nothing in this Agreement shall be construed to create (1) a partnership, joint venture or other joint business relationship between the Parties or any of their affiliates, or (2) a relationship of employer and employee between the Parties. This Agreement does not express or imply any commitment to purchase or sell goods or services.
Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be deemed an original, and all of which together shall constitute one and the same document. In making proof of this Agreement, it shall not be necessary to produce or account for more than one such counterpart executed by the party against whom enforcement of this Agreement is sought.
BY CONSENT OF DOWNLOADING PRACTICEMOJO, the Parties agree.
BUSINESS ASSOCIATE: TINA STRICKLER DIRECTOR OF BUSINESS DEVELOPMENT JULY 1, 2010
COVERED ENTITY: Date captured at time of download and stored in PracticeMojo PRIMARY CONTACT FOR PRACTICEMOJO COMPANY NAME DATE CAPTURED FOR HIPAA AGREEMENT