Business Associate Agreement
Effective date: March 1, 2015
This BUSINESS ASSOCIATE Agreement (“Agreement” or “BA Agreement”) is entered into on [Date] by and between [Covered Entity] (“Covered Entity”) and Luma Health, Inc. (“Business Associate”).
RECITALS
A. Covered Entity is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
B. Business Associate is a “business associate” under HIPAA.
C. Business Associate provides certain services to or on behalf of Covered Entity; and
D. Covered Entity and Business Associate have entered into certain contract(s) existing as of the effective date of this BA Agreement and may enter into other future contracts (the “Underlying Agreements”); and
E. In connection with these services, Covered Entity discloses to Business Associate certain protected health information that is subject to protection under HIPAA and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act; and
F. HIPAA and the HITECH Act require that Covered Entity receive adequate assurances that Business Associate will comply with certain obligations with respect to the Personal Health Information received in the course of providing services to or on behalf of Covered Entity.
NOW, THEREFORE, in consideration of the foregoing and other good and valuable consideration, the parties agree as follows:
DEFINITIONS
The following terms are defined for purposes of this BA Agreement.
(a) Catch-All Definition: The following terms used in this Agreement (whether capitalized or not) shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. Terms used, but not otherwise defined in this BA Agreement shall have the same meaning as those terms in HIPAA and the HITECH Act.
(b) “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.
(c) “Security Rule” shall mean the Standards for Security of Individually Identifiable Health Information at 45 CFR parts 160, 162 and 164.
(d) “Protected Health Information” (“PHI”) shall have the same meaning as the term “protected health information” in 45 CFR 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.
(e) “Electronic Protected Health Information” (“ePHI”) shall have the same meaning as the term “electronic protected health information” in 45 CFR 160.103, limited to information created, received, maintained, or transmitted by Business Associate on behalf of the Covered Entity.
OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE
(a) General Obligations: Business Associate agrees not to use or disclose PHI or ePHI (collectively, hereinafter, “PHI”, unless otherwise indicated) other than as permitted or required by the BA Agreement or as Required by Law. Business Associate shall not directly or indirectly receive remuneration in exchange for PHI, except with the prior written consent of Covered Entity and as permitted by the HITECH Act; however, this prohibition shall not affect payment by Covered Entity to Business Associate for services provided pursuant to the Underlying Agreements which is defined below in Section 2.0(b).
(b) Mitigation: Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BA Agreement.
(c) Reporting: Business Associate shall notify in writing Covered Entity of any access, use or disclosure of PHI for a purpose that is not provided for in this BA Agreement, and any Breach of Unsecured PHI or Security Incident, of which Business Associate becomes aware without unreasonable delay and in no case later than 15 calendar days after discovery. Reports must be made to Covered Entity’s Privacy Office in writing; Reports may also be made by telephone, provided Business Associate also provides a follow-up written report as described above.
(d) Disclosure to Agents and Subcontractors: Business Associate shall ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this BA Agreement to Business Associate with respect to such information.
(e) Designated Record Set: As applicable, Business Associate shall provide access, at the request of Covered Entity to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524
(f) Amendments: Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 in the time and manner as reasonably requested by Covered Entity or an Individual.
(g) Internal Practices, Policies and Procedures: Business Associate shall make available its internal practices, books, and records, including policies and procedures and PHI, relating to the use and disclosure of PHI received from Covered Entity or PHI created or received by Business Associate on behalf of Covered Entity available to the Secretary for purposes of the Secretary determining Covered Entity’s compliance with the Privacy Rule and the HITECH Act.
(h) Accounting for Disclosures: As applicable, Business Associate agrees to maintain the information required to provide an accounting of disclosures of PHI in accordance with 45 CFR 164.528 and to make this information available to Covered Entity upon Covered Entity’s request in order to allow Covered Entity to respond to an Individual’s request for accounting of disclosures. For PHI maintained as an Electronic Health Record, Business Associate shall, beginning at such time as the law requires, maintain such information necessary to provide an accounting of disclosures for treatment, payment or Health Care Operations for a period of three years after such PHI is made in accordance with 42 U.S.C. 13405(c).
(i) Security Obligations: Business Associate shall implement appropriate safeguards as are necessary to prevent the use or disclosure of PHI that is not permitted by the Underlying Agreements or this BA Agreement including, but not limited to, administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Covered Entity’s electronic PHI as required by 45 CFR 164. Subpart A and Subpart C, as amended from time to time, and in the same manner that such provisions apply to a HIPAA covered entity. Business Associate shall ensure that any agent, including a subcontractor, to whom it provides such electronic PHI, agrees to implement reasonable and appropriate safeguards to protect it.
(j) Breach Notification: In the event of a privacy or security Breach that triggers a breach notification requirement under HITECH, Business Associate shall inform Covered Entity of the following: the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired or disclosed during the Breach; date of Breach; description of how the Breach occurred; description of types of information (SSN, DOB, etc.) compromised in the Breach; description of Business Associate’s efforts to mitigate potential damages; description of what the affected individual(s) can do to mitigate damages; and description of actions Business Associate shall take to reasonably ensure a similar breach does not occur in the future. Business Associate shall cooperate in covered entity’s risk assessment to determine whether individual notification is required under 45 CFR 164.404.
PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
(a) Permitted Uses and Disclosures: Except as otherwise limited in this BA Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Agreements provided such use or disclosure would not violate the Privacy Rule or the HITECH Act if done by the Covered Entity.
(b) Inclusions: For purposes of this BA Agreement, the Underlying Agreements shall include all existing or future contracts between the parties. The Underlying Agreement or Services include a project to develop an application to improve patient scheduling.
(c) Uses for Management and Administration: Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.
(d) Disclosure for Management and Administration: Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or the Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the recipient agrees to notify Business Associate of any uses or disclosures to the contrary.
(e) Minimum Necessary: Business Associate (and its agents or subcontractors) shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use, or disclosure, in accordance with 42 USC 17935(b). Business Associate understands and agrees that the definition of “Minimum Necessary” is subject to change from time to time depending on governmental regulatory changes.
(f) Data Aggregation: Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B).
(g) Report Violations of Law: Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR 164.502(j).
OBLIGATIONS OF COVERED ENTITY
(a) Notice of Privacy Practices: Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
(b) Changes in Permission: Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of protected Health Information.
(c) Notification of Restrictions: Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
(d) Indemnification: Business Associate is in no way liable for any breach by Covered Entity of Covered Entity’s HIPAA or HITECH obligations. Covered Entity agrees to indemnify Business Associate if such a breach results in any damages to Business Associate, including but not limited to direct or indirect damages, settlements, legal fees, and loss of reputation.
PERMISSIBLE REQUESTS BY COVERED ENTITY
Permissible Requests by Covered Entity: Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule and the HITECH Act if done by Covered Entity.
TERM AND TERMINATION
(a) Term: The Term of this BA Agreement shall commence as of the effective date set forth above and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section, regardless of the termination date of any of the Underlying Agreements.
(b) Termination for Cause: Upon either party’s knowledge of a material breach by the other, the party with knowledge of the other’s material breach shall either:
(1) Provide written notice specifying the nature of the breach or violation to the other. The other party shall have 30 days from the receipt of the notice to remedy the breach or violation. If such corrective action is not taken within the time specified, this BA Agreement shall terminate at the end of the 30-day period without further notice or demand. Each party is required pursuant to the HITECH Act to report any known or suspected violations of the Privacy Rule and/or Security Rule by the other to the Secretary if, after notification, that party does not cure such violation within 30 days;
(2) Immediately terminate this BA Agreement; or
(3) If neither termination nor cure is feasible, the party shall report the violation to the Secretary.
(c) Effect of Termination:
(1) Except as provided in paragraph (c)(2) of this Section 5, upon termination for any reason of this BA Agreement, the Business Associate shall return or destroy all PHI received from Covered Entity, created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI.
(2) In the event that Business Associate in good faith determines that returning or destroying the PHI is not feasible, Business Associate shall extend the protections of this BA Agreement to such PHI and limit further uses and disclosures of such PHI to only those purposes that make the return or destruction feasible. Business Associate shall notify Covered Entity in writing of Business Associate’s compliance with this paragraph.
MISCELLANEOUS
(a) Regulatory References: Any reference in this BA Agreement to HIPAA or the Privacy or Security Rule shall mean the referenced section as is then in effect or as amended.
(b) Amendments: The Parties agree to take such action as is necessary to amend this BA Agreement from time to time for Covered Entity to comply with the requirements of the Privacy and Security Rule(s) and the HITECH Act.
(c) Survival: The respective rights and obligations of Business Associate under Section 5(c) of this BA Agreement shall survive the termination of this BA Agreement.
(d) Interpretation: Any ambiguity in this BA Agreement shall be resolved to permit Covered Entity to comply with HIPAA and the HITECH Act.
(e) Compliance with Laws: In performing their respective obligations under this BA Agreement, Covered Entity and Business Associate shall at all times comply with all provisions of HIPAA and the HITECH Act.
(f) No Third Party Beneficiaries: Nothing in this BA Agreement shall be considered or construed as conferring any right or benefit on a person not party to this BA Agreement nor imposing any obligations on either Party hereto to persons not a party to this BA Agreement.
(g) Completeness: This Agreement, including any exhibits attached hereto, constitutes the entire Agreement among the parties with respect to the subject matter hereof, and supersedes any and all prior agreements or statements among the parties, both oral and written, concerning the subject matter hereof. This Agreement may not be amended or modified except by a writing signed by both parties. This Agreement may be executed in any number of counterparts, all of which together shall constitute one and the same instrument. This Agreement shall be binding upon and inure to the benefit of the parties and their respective successors and assigns. Neither party shall assign or delegate its rights, duties, or obligations under this Agreement, without the prior written consent of the other party.
(i) Dispute Resolution: Any dispute, claim, or controversy between the Parties arising under or related to this Agreement or the breach, termination, enforcement, interpretation or validity thereof, shall be resolved according to the laws of California and through the following procedures:
(1) The parties shall first attempt in good faith to resolve any dispute arising out of or relating to this Agreement promptly by negotiation between executives who have authority to settle the controversy and who are at a higher level of management than the persons with direct responsibility for administration of this Agreement. Any party may give the other party written notice of any dispute not resolved in the normal course of business. Within 15 days after delivery of the notice, the receiving party shall submit to the other a written response. The notice and response shall include with reasonable particularity (a) a statement of each party’s position and a summary of arguments supporting that position, and (b) the name and title of the executive who will represent that party and of any other person who will accompany the executive. Within 30 days after delivery of the notice, the executives of both parties shall meet at a mutually acceptable time and place; if no such place can be agreed upon, the parties shall meet via video-conference.
The above-described negotiation shall end at the close of the second meeting of executives described above. Such closure shall not preclude continuing or later negotiations, if desired.
All offers, promises, conduct and statements, whether oral or written, made in the course of the negotiation by any of the parties, their agents, employees, experts and attorneys are confidential, privileged and inadmissible for any purpose, including impeachment, in arbitration or other proceeding involving the parties, provided that evidence that is otherwise admissible or discoverable shall not be rendered inadmissible or non-discoverable as a result of its use in the negotiation.
(2) If the matter is not resolved by negotiation pursuant to the above paragraphs, only then will the matter proceed to non-binding mediation as set forth in this Subpart (2).
The parties agree that any and all disputes, claims or controversies arising out of or relating to this Agreement shall be submitted to JAMS, or its successor, for mediation. Either party may commence non-binding mediation by providing to JAMS and the other party a written request for mediation, setting forth the subject of the dispute and the relief requested.
The parties will cooperate with JAMS and with one another in selecting a mediator from the JAMS panel of neutrals and in scheduling the mediation proceedings. The parties agree that they will participate in the mediation in good faith and that they will share equally in its costs.
All offers, promises, conduct and statements, whether oral or written, made in the course of the mediation by any of the parties, their agents, employees, experts and attorneys, and by the mediator or any JAMS employees, are confidential, privileged and inadmissible for any purpose, including impeachment, in any arbitration or other proceeding involving the parties, provided that evidence that is otherwise admissible or discoverable shall not be rendered inadmissible or non-discoverable as a result of its use in the mediation.
All applicable statutes of limitation and defenses based upon the passage of time shall be tolled until 15 days after the Earliest Initiation Date. The parties will take such action, if any, required to effectuate such tolling.
(3) If the matter is not resolved by negotiation pursuant to the above paragraphs, only then will the matter proceed to binding arbitration as set forth in this Subpart (3).
Any dispute, claim or controversy arising out of or relating to this Agreement or the breach, termination, enforcement, interpretation or validity thereof, including the determination of the scope or applicability of this agreement to arbitrate, shall be determined by arbitration in San Francisco, CA before one arbitrator. The arbitration shall be administered by JAMS pursuant to its Streamlined Arbitration Rules and Procedures. Judgment on the Award may be entered in any court having jurisdiction. This clause shall not preclude parties from seeking provisional remedies in aid of arbitration from a court of appropriate jurisdiction.
(h) Notices: Any notices pertaining to this BA Agreement shall be addressed to the appropriate party as follows:
If to Covered Entity.
[Address on file of Covered Entity]
If to Business Associate:
Privacy Officer
Luma Health, Inc.
177 Post Street, Suite 920
San Francisco, CA 94108