HIPAA Business Associate Agreement
This Business Associate Agreement (“BAA” or “Agreement”) is between Reputation Minded and its customers which are Covered Entities (“Covered Entity or Entities”).
This BAA supplements and is incorporated into the Terms and Conditions between Reputation Minded and those Covered Entities (“Terms”).
This BAA allows Business Associate to create, receive, maintain, and transmit Protected Health Information (“PHI”) (including Electronic Protected Health Information (“e-PHI”)) for or on behalf of Covered Entity, so that Business Associate may provide services to Covered Entity under the Terms (“Services”).
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
(a) Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Reputation Minded.
(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Reputation Minded’ customers which are Covered Entities.
(c) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
Obligations and Activities of Business Associate
Business Associate agrees to:
(a) Not use or disclose PHI other than as permitted or required by the Agreement or as Required By Law;
(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to e-PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement;
(c) Report to Covered Entity, within a reasonable time-frame, any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including Breaches of Unsecured PHI as required at 45 CFR 164.410, and any security incident of which it becomes aware;
(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information;
(e) Upon written request from the Covered Entity, Business Associate agrees to provide, within a reasonable time-frame, all PHI identified by Covered Entity as part of a Designated Record Set as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.524;
(f) Upon written request from Covered Entity, Business Associate agrees to incorporate any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526;
(g) Maintain and make available, within a reasonable time-frame, the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528, except Business Associate shall not be obligated to respond to an Individual’s request for an accounting of Disclosures of PHI made directly to Business Associate;
(h) To the extent the business associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the Covered Entity in the performance of such obligation(s); and
(i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
Permitted Uses and Disclosures by Business Associate
(a) Business Associate may only use or disclose PHI as necessary to perform the Services set forth in the Terms.
(b) Business Associate may use or disclose PHI as Required By Law.
(c) Business Associate agrees to make uses and disclosures and requests for PHI consistent with Covered Entity’s Minimum Necessary policies and procedures.
(d) Business Associate may not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity.
(e) Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
(f) Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the Disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
(a) Covered Entity shall notify Business Associate of any limitation(s) in the Covered Entity’s Notice of Privacy Practices under 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
(b) Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
(c) Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
Permissible Requests by Covered Entity
Except as provided in Section III of this BAA, Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity.
Term and Termination
(a) Term. The Term of this BAA shall be effective as of the first day that the Covered Entity provides PHI to Business Associate and shall terminate when all of the PHI provided by the Covered Entity to Business Associate, or created or received by Business Associate on behalf of the Covered Entity, is destroyed or returned to the Covered Entity, or if it is infeasible to return or destroy PHI, protections are extended to such PHI in accordance with the termination provisions in this Section.
(b) Termination for Cause. Business Associate authorizes termination of this BAA by Covered Entity, if Covered Entity determines Business Associate has violated a material term of this BAA and Business Associate has not cured the breach or ended the violation within the time specified by Covered Entity, or Business Associate has breached a material term of this BAA and a cure is not possible.
(c) Obligations of Business Associate Upon Termination.
Upon termination of this BAA for any reason, Business Associate shall return to Covered Entity or, if agreed to by Covered Entity, destroy all PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, that the Business Associate still maintains in any form. Business Associate shall retain no copies of the PHI. If Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall notify Covered Entity of the reasons which make return or destruction infeasible and extend the protections of this BAA to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make return or destruction infeasible, for so long as Business Associate retains such PHI.
(d) Survival. The obligations of Business Associate under this Section shall survive the termination of this Agreement.
(a) Regulatory References. A reference in this BAA to a section in the HIPAA Rules means the section as in effect or as amended.
(b) Amendment. The Parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
(c) Interpretation. Any ambiguity in this BAA shall be interpreted to permit compliance with the HIPAA Rules.