Business Associate Agreement
This Business Associate Agreement (“BAA”) is hereby entered between Leading Reach, Inc. (“Business Associate”) and the Customer of the LeadingReach Software and services (“Customer”). This BAA forms part of and is incorporated into the Software & Services Terms and Conditions, or other underlying agreement entered into by Business Associate and Customer (collectively, “Service Agreement(s)”). BY AGREEING TO THIS BAA EITHER VIA ELECTRONIC ACCEPTANCE OR THE SERVICE AGREEMENT, OR USING THE SOFTWARE AND SERVICES AS A CUSTOMER AS SET FORTH IN A SERVICE AGREEMENT WITHOUT A SEPARATE WRITTEN BUSINESS ASSOCIATE AGREEMENT SIGNED BY BUSINESS ASSOCIATE AND CUSTOMER, CUSTOMER AGREES TO THE TERMS OF THIS BAA WITH BUSINESS ASSOCIATE.
1. STATEMENT OF PURPOSE. BUSINESS ASSOCIATE HAS BEEN ENGAGED TO PROVIDE CERTAIN SOFTWARE AND SERVICES TO CUSTOMER AS SET FORTH IN THE SERVICE AGREEMENT. CUSTOMER IS EITHER A COVERED ENTITY OR BUSINESS ASSOCIATE AND THE PARTIES ACKNOWLEDGE THAT BUSINESS ASSOCIATE MAY BE EXPOSED TO, OR BECOME AWARE OF PROTECTED HEALTH INFORMATION (ALSO REFERRED TO HEREIN AS “PHI”) IN THE PERFORMANCE OF THE SERVICE AGREEMENT. THE PARTIES WISH TO ENTER INTO THIS BAA TO PROVIDE CUSTOMER WITH THE WRITTEN ASSURANCES REQUIRED BY THE PRIVACY RULE AND THE SECURITY RULE ESTABLISHED PURSUANT TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 AND THE HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (“HITECH ACT” AND TOGETHER, “HIPAA”) AND TO ADDRESS THE USE AND DISCLOSURE OF PHI.
2. Definitions. Terms used, but not otherwise defined in this BAA, shall have the same meaning as those terms in the Privacy Rule and the Security Rule, unless inappropriate by context, or the Service Agreement.
- a) “Business Associate” shall have the meaning set forth in 45 C.F.R. Section 160.103, and with reference to the party of this BAA, shall mean Leading Reach, Inc.
- b) “Covered Entity” shall have the meaning set forth in 45 C.F.R. Section 160.103, and with reference to the party of this BAA.
- c) “Designated Record Set” shall have the meaning set forth in 45 C.F.R. Section 164.501.
- d) “Disclose” and “Disclosure” mean, with respect to Protected Health Information, the release, transfer, provision of access to, or divulging in any other manner of Protected Health Information outside the organization’s internal operations or to individuals other than its workforce.
- e) “Electronic Protected Health Information” or “EPHI” shall have the same meaning as the term “Electronic Protected Health Information” in 45 C.F.R. § 160.103, and, in this BAA, shall mean more than Incidental information received by Business Associate or made accessible to Business Associate by Customer in the course of Business Associate’s performing the Service Agreement.
- f) “Incidental” shall refer to those uses and disclosures covered in 45 C.F.R. 164.502(a)(1)(iii) which do not rise to the level where a business associate agreement is required and that occur as a by-product of another permissible or required use under HIPAA and that cannot be reasonably prevented and are limited in nature.
- g) “Individual” shall have the same meaning as the term “individual” in 45 CFR § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
- h) “Privacy Rule” shall mean the standards, requirements and specifications promulgated by the Secretary of Health and Human Services at 45 C.F.R. Section 160 subparts A and E promulgated under HIPAA.
- i) “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Customer and, in this BAA, shall mean more than Incidental information received by Business Associate or made accessible to Business Associate by Customer in the course of Business Associate performing the Service Agreement.
- j) “Security Rule” shall mean the standards, requirements and specifications promulgated by the Secretary of Health and Human Services at 45 C.F.R. Section 164 subpart C promulgated under HIPAA.
- k) “Use” or “Uses” shall have the meaning set forth in 45 C.F.R. Section 160.103.
3. Obligations of Business Associate. Business Associate agrees:
- a) not to use or further disclose PHI created or received by Business Associate from, or on behalf of, Customer other than as required to carry out its Service Agreement obligations to Customer and as permitted or required by this BAA or applicable laws. Such use, disclosure or request of PHI shall utilize a limited data set if practicable or otherwise the minimum necessary PHI in accordance with HIPAA to accomplish the intended result of the use, disclosure or request;
- b) to use reasonable and appropriate safeguards designed to prevent the use or disclosure of Protected Health Information in any manner other than as permitted by this BAA;
- c) to report to Customer any use or disclosure of PHI not permitted by this BAA of which it becomes aware. In addition, Business Associate will report, following discovery and without unreasonable delay, any “Breach” of “Unsecured Protected Health Information” as defined by the HITECH Act and any implementing regulations. Any such report shall include the identification (if known) of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such Breach. Business Associate shall report Security Incidents to Customer with the exception of unsuccessful Security Incidents (such as pings, broadcast firewall attacks, port scans, and unsuccessful log-on attempts) which Customer hereby acknowledges occur regularly and no further notice is necessary. Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this BAA;
- d) ensure that any agents and subcontractors of Business Associate to whom Business Associate provides PHI received from, or created or received by Business Associate on behalf of Customer agree to substantially the same restrictions and conditions that apply to Business Associate with respect to such information;
- e) to the extent (if any) that Business Associate maintains a Designated Record Set for Customer, and is notified of such by Customer, to make available PHI maintained by Business Associate in a Designated Record Set to Customer as required for Covered Entity to comply with its obligation to give an individual the right of access to inspect and obtain a copy of their PHI as set forth in 45 C.F.R. 164.524. Consistent with 45 C.F.R. 164.524, Business Associate’s obligation will be limited to the extent such PHI is in the sole possession of Business Associate and is not duplicative of PHI held by Customer. The provision of the access to the individual’s PHI and any denials of access to the PHI shall be the responsibility of Customer;
- f) to the extent (if any) that Business Associate maintains a Designated Record Set for Customer, and is notified of such by Customer, to make available PHI maintained by Business Associate in a Designated Record Set to Customer as required for Covered Entity to comply with its obligation to amend PHI as set forth in 45 C.F.R. 164.526. The amendment of an individual’s PHI and all decisions related thereto shall be the responsibility of Customer;
- g) to make available to Customer information regarding disclosures by Business Associate to third parties for which an accounting is required under 45 C.F.R. Section 164.528 so Covered Entity can meet its requirements to provide an accounting of disclosures to individuals in accordance with 45 C.F.R. 164.528;
- h) to make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by Business Associate on behalf of Customer, available to the Secretary of Health and Human Services for purposes of determining Customer’s compliance with the Privacy and Security Rules;
- i) at termination of this BAA, if feasible, return or destroy all PHI received from, or created or received by Business Associate on behalf of Customer, that Business Associate still maintains in any form and to retain no copies of such information, or, if such return or destruction is not feasible in the sole discretion of Business Associate, extend the protections of this BAA to such PHI and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.
- j) with respect to Electronic Protected Health Information, Business Associate will (i) implement administrative, physical, and technical safeguards that are designed to reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of Customer, as required by the Security Rule; (ii) ensure that any agent or subcontractor to whom it provides Electronic Protected Health Information agrees to implement reasonable and appropriate safeguards to protect it; and (iii) report to Customer any Security Incident of which it becomes aware in accordance with Section 3(c).
4. Permitted Uses and Disclosures by Business Associate
- a) Except as otherwise limited by this BAA, Business Associate may make any uses or disclosures of PHI reasonably necessary to perform its services to Customer and otherwise to meet its obligations under this BAA and the Service Agreement. Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. Business Associate may disclose PHI for its proper management and administration or to carry out its legal responsibilities, if the disclosure is Required By Law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- b) Except as otherwise limited in this BAA, Business Associate may use PHI to provide Data Aggregation services as permitted by 45 C.F.R. Section 164.504(e)(2)(i)(B).
- c) Except as otherwise limited in this BAA, Business Associate may deidentify PHI in accordance with the HIPAA Safe Harbor principles.
5. Customer Obligations
- a) Customer shall use and disclose PHI only in accordance with the Privacy Rule, the Security Rule, and any other applicable law concerning PHI. Customer shall limit disclosures of PHI to Business Associate in accordance with minimum necessary practices. Customer shall follow all data security instructions communicated by Business Associate or set forth in the applicable Software or service documentation or statement of work. Customer shall not request Business Associate to use or disclose PHI in violation of HIPAA or any other applicable law.
- b) Customer shall be solely responsible for establishing the applicable HIPAA Security Rule safeguards and associated policies for protecting PHI in its facilities. Customer shall communicate the relevant safeguards and policies to Business Associate when Business Associate provides services at a Customer facility.
- c) Customer shall be responsible for ensuring PHI is secured through the use of a technology or methodology specified by the Secretary of Health and Human Services as rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals. Customer shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under applicable laws concerning PHI. Customer shall notify Business Associate of any limitation(s), restriction or changes on the use or disclosure of PHI of which it becomes aware that may affect Business Associate’s use or disclosure of PHI.
6. Miscellaneous
- a) Term and Termination. The term of this BAA shall be the same as the term of the Service Agreement. Upon Customer’s knowledge of a material breach of this BAA by Business Associate, Customer shall notify Business Associate of the breach in writing, and shall provide an opportunity for Business Associate to cure the breach or end the violation within thirty (30) business days after such notification; provided that if Business Associate fails to cure the breach or end the violation within such time period, Customer shall have the right to terminate this BAA upon written notice to Business Associate. In the event that termination of this BAA is not feasible as mutually agreed to by Business Associate and Customer, Business Associate hereby acknowledges that Customer shall have the right to report the breach to the Secretary of Health and Human Services. This BAA shall terminate immediately in the event that a HIPAA business associate agreement is no longer required under applicable laws.
- b) No Third Party Beneficiaries. No provision of this BAA is intended to benefit any person or entity not a party to this BAA, nor shall any person or entity not a party to this BAA have any right to seek to enforce or recover any right or remedy with respect hereto.
- c) Modification of BAA. No alteration, amendment, or modification of the terms of this BAA shall be valid or effective unless in writing and signed by Business Associate and Customer.
- d) Non-Waiver. A failure of any party to enforce at any time any term, provision or condition of this BAA, or to exercise any right or option herein, shall in no way operate as a waiver thereof, nor shall any single or partial exercise preclude any other right or option herein. In no way whatsoever shall a waiver of any term, provision or condition of this BAA be valid unless in writing, signed by the waiving party, and only to the extent set forth in such writing.
- e) Severability. If any provision of this BAA is found to be invalid or unenforceable by any court, such provision shall be ineffective only to the extent that it is in contravention of applicable laws without invalidating the remaining provisions hereof.
- f) Relationship to Service Agreement Provisions. In the event that a provision of this BAA is contrary to a provision of the Service Agreement, the provision of this BAA shall control. Otherwise, this BAA shall be construed under, and in accordance with, the terms of the Service Agreement.
- g) Independent Contractor. Nothing in this BAA shall be deemed to create an employment, agency or partner relationship between Business Associate and Customer.
- h) Assignment. Customer shall not assign this BAA without Business Associate’s prior written consent, which shall not be unreasonably withheld.