HIPAA Compliance
Business Associate Agreement
This BUSINESS ASSOCIATE AGREEMENT (this “BAA”) is made by
and between Magnadoctors inc., a Delaware
limited liability company, and any of its subsidiaries, divisions and
affiliates (“Business Associate”), and Network Partner (“Covered Entity”), and
is effective as of the effective date appearing on the Network Partner
agreement (the “Effective Date”). Business Associate and Covered Entity are
referred to herein collectively, as the “Parties” and individually, as a
“Party.” Capitalized terms used in this BAA without definition shall have the
respective meanings assigned to such terms in the Administrative Simplification
section of the Health Insurance Portability and Accountability Act of 1996, the
Health Information Technology for Economic and Clinical Health Act and their implementing
regulations as amended from time to time (collectively, “HIPAA”).
RECITALS
1. WHEREAS, Business Associate provides certain products and services as further described
in the Network Partner Subscription Agreement (the “Underlying Agreement”) (the
“Services”) between the Parties, which may involve the creation, receipt,
maintenance, access, transmission, Use, or Disclosure of PHI (as defined below)
by Business Associate.
2. WHEREAS, Covered Entity and Business Associate agree to protect the privacy and provide
for the security of PHI disclosed to Business Associate pursuant to the
Underlying Agreement in accordance with applicable federal and state laws, to
the extent that state laws are more restrictive, including, the Health
Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by
the Health Information Technology for Economic and Clinical Health Act
(“HITECH”) provisions of the American Recovery and Reinvestment Act of 2009,
and Title I of the Genetic Information Nondiscrimination Act of 2008, and any
regulations promulgated thereunder, including the Privacy Rule, Security Rule,
and Breach Notification Rule, as such laws and regulations may be amended from
time to time (collectively, the “HIPAA Rules”).
3. WHEREAS, to comply with the HIPAA Rules, the Parties must enter into an agreement that
governs the creation, receipt, maintenance, access, transmission, Use, and
Disclosure of the PHI by Business Associate in the course of performing the
Services in connection with the Underlying Agreement.
4. NOW THEREFORE, in consideration of the mutual promises and covenants contained
herein and other good and valuable consideration, the receipt and sufficiency
of which are hereby acknowledged, Covered Entity and Business Associate agree
as follows:
SECTION 1: DEFINITIONS
General Statement: The following terms used in this BAA will
have the same meaning as those terms in the HIPAA Rules: Administrative
Safeguards, Availability, Breach, Business Associate, Confidentiality, Covered
Entity, Data Aggregation, Designated Record Set, Disclosure, Electronic
Protected Health Information (“EPHI”), Health Care Operations, Individual,
Individually Identifiable Health Information, Integrity, Minimum Necessary,
Physical Safeguards, Protected Health Information (“PHI”), Required by Law,
Secretary, Security Incident, Subcontractor, Technical Safeguards, Unsecured
PHI, Uses and Disclosures, and Workforce. A change to the HIPAA Rules which
modifies any defined term, or which alters the regulatory citation for the
definition will be deemed incorporated into this BAA.
“Breach Notification Rule” means Part 2, Subtitle D of HITECH
and Notification in the Case of Breach of Unsecured Protected Health
Information at 45 C.F.R. Part 164 Subpart D.
“Privacy Rule” means the standards for Privacy of
Individually Identifiable Health Information at 45 C.F.R. Part 160 and Subparts
A and E of Part 164.
“Security Rule” means the Security Standards for the
Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and
Subparts A and C of Part 164.
SECTION 2: SCOPE
This BAA is an addendum to, and is hereby incorporated into,
the Underlying Agreement between Business Associate and Covered Entity,
including any exhibits, addenda, or attachments incorporated therein (collectively,
the “Underlying Agreement”) that provide for Business Associate’s creation,
receipt, maintenance, access, transmission, Use, or Disclosure of PHI, in any
form or medium, including EPHI. Capitalized terms used in this BAA that are not
otherwise defined in this BAA have the meaning set forth in the Underlying
Agreement.
SECTION 3: PERMITTED USES AND DISCLOSURES OF PHI
3.1 Uses and Disclosures of PHI Pursuant to the Underlying
Agreement. Except as otherwise limited in this BAA, Business Associate may use
or disclose PHI to perform functions, activities or services for, or on behalf
of, Covered Entity, as specified in the Underlying Agreement, provided that
such use or disclosure would not violate the Privacy Rule if done by Covered
Entity.
3.2 Permitted Uses of PHI by Business Associate. Except as
otherwise limited in this BAA, Business Associate may use PHI for the proper
management and administration of Business Associate or to carry out the legal
responsibilities of Business Associate. Business Associate’s management and
administrative services include performing data analyses on Covered Entity PHI
and/or aggregated data that includes or is derived from Covered Entity PHI.
3.3 Permitted Disclosures of PHI by Business Associate.
Except as otherwise limited in this BAA, Business Associate may disclose PHI
for the proper management and administration of Business Associate, provided
that the disclosures are Required by Law, or Business Associate obtains
reasonable assurances from the person to whom the information is disclosed that
it will remain confidential and will be used or further disclosed only as
Required by Law or for the purpose for which it was disclosed to such person
(which purpose must be consistent with the limitations imposed upon Business
Associate pursuant to this BAA), and that the person agrees to notify Business
Associate of any instances of which it is aware in which the confidentiality of
the information has been breached. Business Associate may disclose PHI to
report violations of law to appropriate federal and state authorities,
consistent with 45 C.F.R. § 164.502(j)(1).
3.4 Data Aggregation. Except as otherwise limited in this
BAA, Business Associate may use PHI to provide Data Aggregation services for
the Health Care Operations of the Covered Entity as permitted by 45 C.F.R. §
164.504(e)(2)(i)(B).
3.5 De-identified Data. Business Associate may de-identify
PHI in accordance with the standards set forth in 45 C.F.R. § 164.514(b) and
may use or disclose such de-identified data for any reason not prohibited by
applicable law. Business Associate shall use a HIPAA-secure vendor who applies
tokenization to de-identify data, and shall not obtain or otherwise have access
to the codes or tokens that could re-identify such PHI.
SECTION 4: OBLIGATIONS OF BUSINESS ASSOCIATE
4.1 Appropriate Safeguards. Business Associate will use
appropriate safeguards and will comply with the Security Rule with respect to
Electronic PHI, to prevent use or disclosure of such information other than as
provided for by the Underlying Agreement and this BAA. Except as expressly provided in the
Underlying Agreement or this BAA, Business Associate will not assume any
obligations of Covered Entity under the Privacy Rule. To the extent that
Business Associate is to carry out any of Covered Entity’s obligations under
the Privacy Rule as expressly provided in the Underlying Agreement or this BAA,
Business Associate will comply with the requirements of the Privacy Rule that
apply to Covered Entity in the performance of such obligations.
4.2 Reporting of Improper Use or Disclosure, Security
Incident or Breach. Business Associate will report to Covered Entity any use or
disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or any
Security Incident, without unreasonable delay, and in any event no more than
thirty (30) days following discovery; provided, however, that the Parties
acknowledge and agree that this Section constitutes notice by Business
Associate to Covered Entity of the ongoing existence and occurrence of
attempted but Unsuccessful Security Incidents (as defined below). “Unsuccessful
Security Incidents” will include, but not be limited to, pings and other
broadcast attacks on Business Associate’s firewall, port scans, unsuccessful
log-on attempts, denials of service and any combination of the above, so long
as no such incident results in unauthorized access, use or disclosure of PHI.
Business Associate’s notification to Covered Entity of a Breach will include:
(i) the identification of each individual whose Unsecured PHI has been, or is
reasonably believed by Business Associate to have been, accessed, acquired or
disclosed during the Breach; and (ii) any particulars regarding the Breach that
Covered Entity would need to include in its notification, as such particulars
are identified in 45 C.F.R. § 164.404. A Security Incident, for the purpose of
this Section 4.2, does not include attempted or successful unauthorized access,
use, disclosure, modification, or destruction of information or interference
with Business Associate’s corporate information system (“non-PHI Information
System”), as defined by Business Associate’s internal policies and procedures.
4.3 Subcontractors. In accordance with 45 C.F.R. §
164.502(e)(1)(ii) and 45 C.F.R. § 164.308(b)(2), as applicable, Business
Associate will enter into a written agreement with any Subcontractor that
creates, receives, maintains or transmits PHI on behalf of Business Associate
for services provided to Covered Entity, providing that the Subcontractor
agrees to restrictions and conditions that are substantially similar to those
that apply through this BAA to Business Associate with respect to such PHI.
4.4 Access to PHI. The Parties do not intend for Business
Associate to maintain any PHI in a Designated Record Set for Covered Entity. To
the extent Business Associate possesses PHI in a Designated Record Set,
Business Associate agrees to make such information available to Covered Entity
pursuant to 45 C.F.R. § 164.524 and 42 U.S.C. § 17935(e) within ten (10)
business days of Business Associate’s receipt of a written request from Covered
Entity; provided, however, that Business Associate is not required to provide
such access where the PHI contained in a Designated Record Set is duplicative
of the PHI contained in a Designated Record Set possessed by Covered Entity. If
an Individual makes a request for access pursuant to 45 C.F.R. § 164.524
directly to Business Associate, or inquires about his or her right to access,
Business Associate will either forward such request to Covered Entity or direct
the Individual to Covered Entity.
4.5 Amendment of PHI. The Parties do not intend for Business
Associate to maintain any PHI in a Designated Record Set for Covered Entity. To
the extent Business Associate possesses PHI in a Designated Record Set,
Business Associate agrees to make such information available to Covered Entity
for amendment pursuant to 45 C.F.R. § 164.526 within twenty (20) business days of
Business Associate’s receipt of a written request from Covered Entity. If an
Individual submits a written request for amendment pursuant to 45 C.F.R. §
164.526 directly to Business Associate, or inquires about his or her right to
amendment, Business Associate will either forward such request to Covered
Entity or direct the Individual to Covered Entity.
4.6 Documentation of Disclosures. Business Associate agrees
to document such disclosures of PHI and information related to such disclosures
as would be required for Covered Entity to respond to a request by an
Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R.
§ 164.528. Business Associate will document, at a minimum, the following
information (“Disclosure Information”): (a) the date of the disclosure; (b) the
name and, if known, the address of the recipient of the PHI; (c) a brief
description of the PHI disclosed; (d) the purpose of the disclosure that
includes an explanation of the basis for such disclosure; and (e) any additional
information required under the HITECH Act and any implementing regulations.
4.7 Accounting of Disclosures. Business Associate agrees to
provide to Covered Entity, within twenty (20) business days of Business
Associate’s receipt of a written request from Covered Entity, information
collected in accordance with Section 4.6 of this BAA, to permit Covered Entity
to respond to a request by an Individual for an accounting of disclosures of
PHI in accordance with 45 C.F.R. § 164.528 and 42 U.S.C. § 17935(c). If the
Individual submits a written request for an accounting of disclosures of PHI
pursuant to 45 C.F.R. § 164.528 directly to Business Associate, or inquires
about his or her right to an accounting, Business Associate will direct the
Individual to Covered Entity.
4.8 Government Access to Records. Business Associate will
make its internal practices, books and records relating to the use and
disclosure of PHI received from or created or received by Business Associate on
behalf of, Covered Entity available to the Secretary for purposes of the
Secretary determining Covered Entity’s compliance with the Privacy Rule and the
Security Rule.
4.9 Mitigation. To the extent reasonable and practicable,
Business Associate will cooperate with Covered Entity’s efforts, at Business
Associate’s expense, to mitigate a harmful effect that is known to Business
Associate of a use or disclosure of PHI by Business Associate that is not
permitted by this BAA. Business Associate shall reasonably cooperate with
Covered Entity’s investigation, analysis, notification and mitigation
activities, at Covered Entity’s expense, if it is determined that the source of
the Breach or Security Incident is Covered Entity.
4.10 Minimum Necessary. Business Associate will request, use
and disclose the minimum amount of PHI necessary to accomplish the purpose of
the request, use or disclosure, in accordance with 45 C.F.R. § 164.514(d), and
any amendments thereto.
SECTION 5: OBLIGATIONS OF COVERED ENTITY
5.1 Notice of Privacy Practices. Covered Entity will notify
Business Associate of any limitation(s) in its notice of privacy practices in
accordance with 45 C.F.R. § 164.520, to the extent that such limitation may
affect Business Associate’s use or disclosure of PHI. Covered Entity will
provide such notice no later than fifteen (15) days prior to the effective date
of the limitation.
5.2 Notification of Changes Regarding Individual Permission.
Covered Entity will obtain any consent or authorization that may be required by
the Privacy Rule, or applicable state law, prior to furnishing Business
Associate with PHI. Covered Entity will notify Business Associate of any
changes in, or revocation of, permission by an Individual to use or disclose
PHI, to the extent that such changes may affect Business Associate’s use or
disclosure of PHI. Covered Entity will provide such notice no later than
fifteen (15) days prior to the effective date of the change.
5.3 Notification of Restrictions to Use or Disclosure of
PHI. Covered Entity will notify Business Associate of any restriction to the
use or disclosure of PHI that Covered Entity has agreed to in accordance with
45 C.F.R. § 164.522, to the extent that such restriction may affect Business
Associate’s use or disclosure of PHI. Covered Entity will provide such notice
no later than fifteen (15) days prior to the effective date of the restriction. If
Business Associate reasonably believes that any restriction agreed to by
Covered Entity pursuant to this Section may materially impair Business
Associate’s ability to perform its obligations under the Underlying Agreement
or this BAA, the Parties will mutually agree upon any necessary modification of
Business Associate’s obligations under such agreements.
5.4 Permissible Requests by Covered Entity. Covered Entity
will not request Business Associate to use or disclose PHI in any manner that
would not be permissible under the Privacy Rule, the Security Rule or the
HITECH Act if done by Covered Entity, except as permitted pursuant to the
provisions of Sections 3.2, 3.3, 3.4 and 3.5 of this BAA.
5.5 Minimum Necessary Disclosure. The Covered Entity shall provide to Business
Associate only the “minimum necessary” PHI (as described in 45 C.F.R. §
164.502(b)) required for Business Associate to perform its obligations under
the Underlying Agreement(s).
SECTION 6: TERM AND TERMINATION
6.1 Term. The term of this BAA will commence as of the
Effective Date and will terminate upon the effective date of termination of the
Underlying Agreement.
6.2 Termination for Cause. Upon either Party’s knowledge of
a material breach by the other Party of this BAA, such Party may terminate this
BAA immediately if cure is not possible. Otherwise, the non-breaching Party
will provide written notice to the breaching Party detailing the nature of the
breach and providing an opportunity to cure the breach within thirty (30)
business days. Upon the expiration of such thirty (30) day cure period, the
non-breaching Party may terminate this BAA if the breaching Party does not cure
the breach or if cure is not possible. A Party’s option to have cured a
material breach of this BAA will not be construed as a waiver of any other
rights such Party has under this BAA, by operation of law, or in equity.
6.3 Effect of Termination
6.3.1 Except as provided in Section 6.3.2, upon termination of the Underlying Agreement or
this BAA for any reason, Business Associate will return or destroy all PHI
received from Covered Entity or created or received by Business Associate on
behalf of Covered Entity, at Covered Entity’s expense, and will retain no
copies of the PHI. This provision will apply to PHI that is in the possession
of Subcontractors or agents of Business Associate.
6.3.2 If it is not feasible for Business Associate to return or destroy the PHI upon
termination of this BAA (e.g., because Electronic PHI has been integrated into
a database maintained by Business Associate and removal from the database is
burdensome or impossible, or PHI has been aggregated with other PHI in a manner
that makes it infeasible to extract PHI received from Covered Entity), Business
Associate will: (a) extend the protections of this BAA to such PHI and (b)
limit further uses and disclosures of such PHI to those purposes that make the
return or destruction infeasible, for so long as Business Associate maintains
such PHI.
SECTION 7: COOPERATION IN INVESTIGATIONS
The Parties acknowledge that certain breaches or violations
of this BAA may result in litigation or investigations pursued by federal or
state governmental authorities of the United States resulting in civil
liability or criminal penalties. Each Party will cooperate in good faith in all
respects with the other Party in connection with any request by a federal or
state governmental authority for additional information and documents or any
governmental investigation, complaint, action or other inquiry.
SECTION 8: GENERAL TERMS
8.1 Regulatory References. A reference in this BAA to a
section of the HIPAA Rules, or the regulations issued thereunder, means the
section or regulation as in effect or as amended, and for which compliance is
required.
8.2 Amendment; Waiver. This BAA may be amended or
supplemented only by a writing that refers explicitly to this BAA and that is
signed by both Parties. The Parties agree to amend this BAA as required to
comply with any changes in laws, rules or regulations that affect the privacy
and security of PHI and the Business Associate’s duties under the Underlying
Agreement or this BAA. No delay or failure of either Party to exercise any
right or remedy available hereunder, at law or in equity, will act as a waiver
of such right or remedy, and any waiver will not waive any subsequent right,
obligation, or default.
8.3 Entire Agreement. This BAA, together with the Underlying
Agreement, contains the entire understanding between the Parties hereto and will
supersede any other oral or written agreements, discussions and understandings
of every kind and nature, with respect to the subject matter hereof.
8.4 Order of Precedence. Any ambiguity in this BAA will be
resolved to permit Business Associate to comply with the HIPAA Rules. If any
express term of this BAA conflicts with the Underlying Agreement, then this
BAA, if applicable, will control as to that term, but only to the extent of an
express ambiguity. The Underlying Agreement will control in all other
instances, including, without limitation, remedies, limitation of liability,
limitation of remedies, warranties, disclaimer of warranties, governing law,
venue, and relationship of the Parties.
8.5 No Third-Party Beneficiaries. Nothing express or implied
in this BAA is intended to confer, nor will anything herein confer, upon any
person other than Covered Entity, Business Associate, or their respective
successors or permitted assigns, any rights, remedies, obligations or
liabilities whatsoever.
8.6 Survival. The rights and obligations contained in
Sections 4.2 (Reporting of Improper Use or Disclosure, Security Incident or
Breach), 4.7 (Accounting of Disclosures), 4.8 (Government Access to Records),
4.9 (Mitigation), 6.3 (Effect of Termination), and 8 (General Terms) will
survive the termination of this BAA.
8.7 Notices. All notices that either Party may desire or be
required to give to the other will be in writing and will be delivered by
overnight courier or by priority mail by a recognized express mail vendor to
the other Party at the address set forth in the signature page or such other
address as a Party may provide. Notice delivered by facsimile or e-mail will be
confirmed by overnight courier or by priority mail.
8.8 Severability. If any provision of this BAA is determined
by a court of competent jurisdiction to be invalid, void, or unenforceable, the
remaining provisions hereof will continue in full force and effect.
8.9 Counterparts. This BAA may be executed in counterparts,
each of which will be deemed an original, and all of which will constitute one
binding agreement and may be delivered by electronic mail or fax.
8.10 Governing Law. This BAA is governed by, and will be
construed in accordance with, the laws of the State that govern the Underlying
Agreement. Any action relating to this BAA must be commenced within one year
after the date upon which the cause of action accrued.
8.11 Assignment. Neither Party will assign this BAA without
the prior written consent of the other Party, which will not be unreasonably
withheld.