Client (“Covered Entity”) and Mobile Heartbeat, LLC (“Business Associate”) on behalf of itself and any of its agents, employees, affiliates and subsidiaries providing services to Client or its clients agree to this Business Associate Agreement (“BAA”) which sets forth the parties’ agreement with respect to applicable provisions of the privacy and security requirements under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act as set forth in Title XIII of Division A of the American Recovery and Reinvestment Act of 2009 and the regulations promulgated by the U.S. Department of Health and Human Services from time to time under each of those acts. Any capitalized terms used in this Addendum that are not defined herein will have the meaning ascribed to them in HIPAA and HITECH.

 

W I T N E S S E T H:

WHEREAS, Covered Entity and Business Associate entered into or are entering one or more service agreements, for the Business Associate’s provision of services to Covered Entity (the “Services Agreement”); and

WHEREAS, to facilitate the disclosure of Protected Health Information by Covered Entity to Business Associate and in order to comply with HIPAA, Covered Entity and Business Associate desire to enter into this BAA.

NOW, THEREFORE, in consideration of the foregoing, the parties hereby agree:

 

1. Definitions

a. “EPHI” shall mean Electronic Protected Health Information as defined in HIPAA to the extent such information is created, received, transmitted, or maintained by Business Associate in its capacity as a business associate (as defined at 45 C.F.R. §160.103) of Covered Entity.

b. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, including those comprising 45 C.F.R. Parts 160 – 164, all as amended from time to time, including through the HITECH Act.

c. “HITECH Act” shall mean the Health Information Technology for Economic and Clinical Health Act and the regulations promulgated thereunder.

d. “PHI” shall mean Protected Health Information as defined in HIPAA to the extent such information is created, received, transmitted, or maintained by Business Associate in its capacity as a business associate of Covered Entity.

e. “Security Rule” means 45 C.F.R. Part 160 and Part 164, Subparts A and C.

f. All other capitalized terms used but not defined herein shall have the same meaning as defined in HIPAA.

 

2. Obligations of Business Associate.

a. Permitted Uses and Disclosures. Business Associate shall only use and disclose PHI as permitted or required by this BAA or as Required By Law. Business Associate may use and disclose PHI (i) as necessary to perform its services and obligations under the Services Agreement, provided that such uses or disclosures would be permissible under HIPAA if the PHI was used or disclosed by Covered Entity in the same manner, (ii) as necessary for the proper management and administration of Business Associate or to carry out its legal responsibilities, provided that Business Associate may only disclose PHI for such purposes if such disclosures are Required By Law or if Business Associate: (a) obtains reasonable assurances from any third party to whom the information is disclosed that it will be held confidentially and further used and disclosed only as Required By Law or for the purpose for which it was disclosed to the third party; and (b) requires the third party to agree to promptly notify Business Associate of any instances of which it is aware that the confidentiality of the information has been breached; and (iii) for Data Aggregation purposes, as permitted under HIPAA. Business Associate may also use PHI to create de-identified information and disclose de-identified information if the de-identification is in compliance with 45 C.F.R. § 164.502(d), and the de-identified information meets the standard and implementation specifications for de-identification under 45 C.F.R. § 164.514.

b. Minimum Necessary Standard. Business Associate shall comply with the minimum necessary requirements of HIPAA; provided further, Business Associate shall comply with Section 13405(b) of the HITECH Act, and any regulations or guidance issued by the Secretary regarding such provision, the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets.

c. Safeguards. Business Associate shall use appropriate safeguards to prevent the use or disclosure of PHI other than as provided in this BAA and comply with applicable provisions of the Security Rule.

d. Required Reports. Business Associate shall notify Covered Entity of any use or disclosure of PHI not permitted by this BAA and of any Security Incident of which it becomes aware. Business Associate shall also notify Covered Entity of any Breach involving unsecured PHI in compliance with 45 C.F.R. § 164.410. Such notices shall be in writing and shall be provided without unreasonable delay not to exceed ten (10) business days after the date that Business Associate discovers the Breach, Security Incident or non-permitted use or disclosure of PHI, as applicable, unless Business Associate is prevented from doing so by 45 C.F.R. § 164.412 concerning law enforcement investigations. Notwithstanding the foregoing, Covered Entity shall be deemed to have received notice via this BAA from Business Associate of routine occurrences of: (i) unsuccessful attempts to penetrate computer networks or services maintained by Business Associate; and (ii) immaterial incidents such as “pinging” or “denial of services” attacks. Between Business Associate and Covered Entity, Covered Entity is responsible for providing any required notices to Individuals affected by a HIPAA Breach, unless otherwise agreed to by the parties.

e. Subcontractors. In accordance with 45 C.F.R. §§ 164.502(e)(1)(ii) and 164.308(b)(2), Business Associate shall require that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree in writing to the same restrictions and conditions that apply to Business Associate with respect to such information and in the case of EPHI, agree to comply with the applicable requirements of the Security Rule.

f. Access and Amendment. Business Associate shall provide access, within ten (10) business days of receipt of a request by Covered Entity, to PHI maintained by Business Associate in a Designated Record Set. Such access shall be given to Covered Entity or, as directed by Covered Entity, to the Individual or who may otherwise be entitled to review said information under HIPAA as reasonably determined by Covered Entity. Business Associate may charge a reasonable, cost-based fee for the Business Associate’s labor costs in copying the PHI requested, supplies for creating the paper or electronic copy and postage. Within ten (10) business days of receipt of a request by Covered Entity, Business Associate shall make any amendment(s) to PHI maintained by Business Associate in a Designated Record Set that the Covered Entity reasonably directs or agrees to pursuant to 45 C.F.R. § 164.526. Business Associate shall notify Covered Entity promptly following receipt by Business Associate of any request for access or amendment to PHI by an Individual. Covered Entity shall be responsible for determining whether to grant or deny any access or amendment requested by an Individual.

g. Accounting of Disclosures. Business Associate shall document such disclosures by Business Associate required to be accounted for under 45 CFR § 164.528 and provide documentation of such disclosures to Covered Entity within thirty (30) days of receiving a written request from Covered Entity (or such shorter period required by law), to permit Covered Entity to respond to a request for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528 and any applicable requirements of the HITECH Act or the regulations issued thereunder. Such accounting must be provided without cost to the Individual or to Covered Entity if it is the first accounting requested by such Individual within any twelve (12) month period. For subsequent accountings within a twelve (12) month period, Business Associate may charge a reasonable, cost-based fee so long as Business Associate informs the Covered Entity in advance of the fee, and the Individual is afforded an opportunity to withdraw or modify the request. Such accounting obligations shall survive termination of this Agreement and shall continue as long as Business Associate maintains PHI.

h. Access by Secretary. Business Associate shall provide to the Secretary access to its internal practices, books, and records relating to the use and disclosure of PHI for the purposes of the Secretary determining Covered Entity’s compliance with HIPAA.

i. Other. Business Associate agrees to train its Workforce on its obligations under HIPAA. Business Associate agrees to mitigate, to the extent practicable, any potential harmful effect of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement. To the extent Business Associate is to carry out Covered Entity’s obligations under 45 C.F.R. Part 164, Subpart E, Business Associate shall comply with the requirements of 45 C.F.R. Part 164, Subpart E that apply to Covered Entity in the performance of such obligations.

 

3. Obligations of Covered Entity. Covered Entity shall: (i) provide Business Associate with a copy of the notices of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520 as well as any changes to such notices, to the extent that it affects Business Associate’s use or disclosure of PHI; (ii) notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI pursuant to the terms of this BAA; (iii) notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI; (iv) obtain all consents and authorizations, if any, necessary for any use or disclosure of any PHI as contemplated under the Services Agreement; and (v) only disclose to Business Associate the minimum Protected Health Information necessary to allow Business Associate to perform its obligations under the Services Agreement.

 

4. Termination of this BAA.

a. Term. This BAA shall commence on the Effective Date and shall remain in effect until termination or expiration of the Services Agreement or until terminated as set forth below, whichever is earlier.

b. Termination for Breach. Either party may terminate this BAA upon becoming aware of a material breach of this BAA if the allegedly breaching party fails to cure such breach within thirty (30) days following receipt of written notice describing such breach.

c. Effect of Termination. Except as provided below, upon termination of this BAA, for any reason, Business Associate shall return to Covered Entity or destroy all PHI in its possession. Business Associate shall require its Subcontractors to do the same. To the extent that Business Associate determines that returning or destroying PHI is infeasible, Business Associate may continue to maintain such PHI, provided that Business Associate shall extend the protections of this BAA to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

 

5. Entire Agreement. This BAA constitutes the complete agreement between Business Associate and Covered Entity relating to the matters specified in this BAA, and supersedes all prior representations or agreements, whether oral or written, with respect to such matters. Where this BAA is silent on any term, including, but not limited to the provision of notices, governing law or dispute resolution, said term shall be supplied, if included, by the Services Agreement. Notwithstanding Section 7.18 of the Services Agreement, in the event of any conflict between the terms of this BAA and the terms of the Services Agreement, the terms of this BAA shall control with respect to the subject matter of this BAA unless the parties specifically otherwise agree in writing. NOTWITHSTANDING THE FOREGOING, THIS BAA SHALL BE SUBJECT TO THE LIMITATIONS OF LIABILITY IN THE SERVICES AGREEMENT GOVERNING BUSINESS ASSOCIATE’S SERVICES. No oral modification or waiver of any of the provisions of this BAA shall be binding on either party. This BAA is for the benefit of, and shall be binding upon the parties, their affiliates and respective successors and assigns. No third party shall be considered a third-party beneficiary under this BAA, nor shall any third party have any rights as a result of this BAA.

 

6. This BAA may not be modified or amended, except in writing as agreed to by each party. The parties agree to take such action as is necessary to amend this BAA from time to time as is necessary for the parties to comply with the requirements of HIPAA. Any ambiguity in this Agreement shall be resolved to permit the parties to comply with HIPAA. This BAA shall be construed in accordance with the laws of the Commonwealth of Massachusetts. This BAA may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same document. In making proof of this BAA, it shall not be necessary to produce or account for more than one such counterpart executed by the party against whom enforcement of this BAA is sought. Nothing in this BAA shall be construed to create (i) a partnership, joint venture or other joint business relationship between the parties or any of their affiliates, or (ii) a relationship of employer and employee between the parties. Business Associate is an independent contractor, and not an agent of Covered Entity under this BAA.

 

INTENDING TO BE LEGALLY BOUND, the Parties hereto have duly executed this Agreement as of the Effective Date.

 

___________________________________                    Mobile Heartbeat, LLC

 

Signed: ______________________________     Signed: _____________________________

Print Name: __________________________      Print Name: _________________________

Title: ________________________________    Title: _______________________________

Date: ________________________________    Date: _______________________________