Business Associate Agreement
HIPAA BUSINESS ASSOCIATE AGREEMENT
- “Capitalized Terms” mean any other capitalized term not defined in this Section 1 and have the meanings set forth in the Privacy Standards, Security Standards or HITECH, as applicable.
- “Designated Record Set” or “DRS” as defined in the Privacy Rule, including but not limited to 45 C.F.R. Section 164.501.
- “Electronic Protected Health Information” or “ePHI” as defined in the HIPAA Rule, including but not limited to 45 C.F.R. Parts 160, 162, and 164, and under HITECH.
- “HIPAA” means HIPAA, the HITECH Act, and the Privacy and Security Rules unless otherwise indicated in this Agreement.
- “HITECH” means the Health Information Technology for Economic and Clinical Health Act, Division A, Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), 42 U.S.C. 83000 et seq., and implementation, regulations and guidance.
- “Individual” as defined in the Privacy Rule, including but not limited to 45 C.F.R. Sections 164.501 and 160.103, including a person who qualifies as a personal representative in accordance with 45 C.F.R. Section 164.502(g). For the purposes of this Agreement, Individual means a consumer who has contracted with Vow for Vow Software and Services.
- “Information” as defined in 45 C.F.R. Section 160.103.
- “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
- “Protected Health Information” (“PHI” and “ePHI”) as defined in 45 C.F.R. Sections 164.501 and 160.103, and is information created or received by Business Associate from or on behalf of Covered Entity.
- “Required by Law” as defined in 45 C.F.R. Sections 164.501 and 160.103.
- “Secretary” as defined in 45 C.F.R. Section 160.103.
- “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
- “Security Rule” means the HIPAA regulation codified at 45 C.F.R. Part 164.
- “Subcontractor” means a person (or entity) to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate. For purposes of this Agreement, “Subcontractor” includes the downstream subcontractors of a Subcontractor (“Downstream Subcontractor”).
- “Vow Software and Services” means Vow’s website, mobile application, tablet application, SMS text, interactive voice and any other multimedia channel using or displaying content or applications.
- Confidentiality and Security.
- The Parties shall comply with more stringent state laws and implementing regulations, including the Texas Medical Records Privacy Act, Chapters 181 and 182 of the Texas Health & Safety Code, and Chapter 521.053, as amended.
3. Obligations of Business Associate and Business Associate Subcontractors
a. Business Associate warrants that Business Associate, its directors, officers, Subcontractors, employees, affiliates, agents, and representatives shall:
- (i) use or disclose PHI only in connection with fulfilling duties and obligations under this Agreement and the Service Agreement; (ii) not use or disclose PHI other than as permitted or required by this Agreement or as required by law; and (iii) not use or disclose PHI in any manner that violates applicable federal and state laws or would violate such laws if used or disclosed in such manner by Covered Entity.
- Not violate the Texas Health & Safety Code, Chapters 181 or 182, by (i) selling PHI as prohibited in Section 181.153, (ii) using PHI for marketing purposes except as permitted by Section 181.152, (iii) attempting to re-identify any de-identified information as prohibited by Section 181.151, or (iv) using or disclosing PHI for marketing purposes without the individual’s prior written authorization in violation of Section 181.154.
- Provide adequate training to employees and Subcontractors under Section 181.101, and HIPAA.
- Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request when using or disclosing PHI.
- When carrying out a Covered Entity’s obligation under HIPAA, comply with the requirements of HIPAA that apply to Covered Entity in the performance of such obligation.
- Provide Records and Compliance Reports. Business Associate/Subcontractor must keep such records and submit such compliance reports as the Secretary may determine necessary to determine compliance with applicable HIPAA provisions.
- Cooperate with Complaint Investigations and Compliance Reviews. Business Associate/Subcontractor must cooperate with the Secretary if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of Covered Entity, Business Associate, or Subcontractor to determine compliance with HIPAA.
- Permit Access to Information. Business Associate/Subcontractor must permit access by the Secretary to its facilities, books, records, accounts and other sources of information, including PHI, for ascertaining compliance as requested by the Secretary. If the information required of Business Associate/Subcontractor is under the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails to furnish the information, Business Associate/Subcontractor must so certify and explain efforts made to obtain the information.
b. To the extent Business Associate/Subcontractor maintains a Designated Record Set (“DRS”), they shall:
- Provide Access to PHI to allow Covered Entity to respond to an Individual’s request for access pursuant to 45 C.F.R. Section 164.524, in the time and manner requested by Covered Entity, for as long as such information is maintained in the DRS.
- In the event any Individual requests access to PHI directly from Business Associate/Subcontractor, forward the request to Covered Entity within two (2) business days.
- Process PHI subject to access in electronic form or format requested by Covered Entity, unless a readable hard copy or other format is requested by Covered Entity.
- Any denial of access to PHI shall be the sole responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.
- Amend PHI. To allow Covered Entity to respond to an Individual’s request for amendment of PHI pursuant to 45 C.F.R. Section 164.526, Business Associate/Subcontractor shall, in the time requested by Covered Entity, amend PHI about an Individual, and make available to Covered Entity such PHI as long as such information is maintained in the DRS. Business Associate shall contractually obligate Subcontractor to forward such a request on the date of receipt by Subcontractor.
- In the event an Individual requests amendment of PHI directly from Business Associate/Subcontractor, such request shall be forwarded to Covered Entity pursuant to 45 C.F.R. Section 164.526.
- Any denial of amendment of PHI determined by Covered Entity pursuant to 45 C.F.R. Section 164.526, and conveyed to Business Associate, shall be the sole responsibility of Covered Entity, including resolution or reporting of all appeals and/or complaints arising from denials.
- Within ten (10) business days of receipt of a request from Covered Entity to amend an Individual’s PHI in the DRS, Business Associate shall require Subcontractors to incorporate the amendment, statements of disagreement, and/or Individual rebuttals into its DRS as required by 45 C.F.R. Section 164.526.
4. Accounting of Disclosures.
- To allow Covered Entity to respond to an Individual’s request for an accounting pursuant to 45 C.F.R. Section 164.528, Business Associate/Subcontractor shall in the time requested make available to Covered Entity PHI in the format requested. Business Associate shall contractually obligate Subcontractor to forward such a request to Business Associate on the day of receipt of the request.
- Provide Covered Entity: (1) the date of the disclosure; (2) the name of the entity or person who received the PHI, and if known, the address of such entity or person; (3) a brief description of the PHI disclosed; and (4) a brief statement of the purpose of such disclosure.
- If an Individual requests an accounting of disclosure of PHI directly from Business Associate/Subcontractor, the request shall be forwarded to Covered Entity within five (5) business days.
5. Disclosure to Third Parties.
- Subject to any limitations in this Agreement and the Service Agreement, Business Associate may disclose PHI to Subcontractors necessary to perform its obligations under the Service Agreement and permitted or required by applicable federal or state law.
- Business Associate shall not [and shall provide that its directors, officers, employees, Subcontractors, and agents, do not] disclose PHI to any person (other than their Workforce) unless disclosure is required by law or authorized by the person whose PHI is to be disclosed. Business Associate shall enter into a signed written agreement with Subcontractor(s) that:
- Prohibits Subcontractor to use or further disclose PHI in a manner that would violate the Privacy Rule if done by Covered Entity, or this Agreement if done by Business Associate.
- Binds to the provisions, restrictions, and conditions of this Agreement pertaining to PHI and ePHI applicable to Business Associate for the express benefit of Covered Entity.
- Obligates Subcontractor to immediately notify Business Associate of any breaches (including breaches of unsecured PHI as required by 45 C.F.R. Section 164.410) of confidentiality of PHI and Security Incidents of which it becomes aware.
- Obligates Business Associate/Subcontractor to comply with the “minimum necessary use and disclosure” and regulations or guidance issued by HHS concerning the minimum necessary standard and the use and disclosure (if applicable) of Limited Data Sets.
- To the extent Subcontractor is to carry out Covered Entity’s obligations under HIPAA, obligate Subcontractor to comply with the HIPAA requirements applicable to Covered Entity.
- Business Associate/Subcontractor shall take appropriate disciplinary action against any Workforce member who uses or discloses PHI in contravention of this Agreement.
- Business Associate and Subcontractors shall mitigate, to the extent practicable, any harmful effect known to them of a use or disclosure of PHI in violation of this Agreement.
- Safeguards. Business Associate and Subcontractors shall:
- Employ appropriate administrative, technical and physical safeguards, consistent with the size and complexity of its operations, to protect the confidentiality of PHI and to prevent use or disclosure of PHI in any manner inconsistent with the terms of this Agreement.
- Comply with the HITECH Act and final Omnibus Rule 45 C.F.R. Sections 164.306, 164.308, 164.310, 164.312, 164.314, and 164.316 as well as the HIPAA Security Rule as if Business Associate (and Subcontractors) were a Covered Entity.
6. Reporting of Breaches and Improper Disclosures
- A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA which compromises the security or privacy of such information. In the event of a breach:
- Of “Unsecured PHI” (i.e., PHI not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under section 1302(h)(2) of Pub. L. 111-5) that Business Associate (or Subcontractor) accesses, creates, maintains, stores, transmits, modifies, destroys, or otherwise holds or uses on behalf of Covered Entity, Business Associate shall provide notice to Covered Entity without unreasonable delay, but no later than 30 days after discovering the Breach. The notice shall include (i) identification of each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach; (ii) the date of the Breach, if known; (iii) the scope of the Breach; (iv) a description of Business Associate’s response to the Breach; and (v) any other reasonable information requested by Covered Entity.
- Business Associate (or Subcontractor as applicable) shall conduct a risk assessment of the Breach, and mitigate, to the extent practicable, any harmful effect of such Breach known to Business Associate. A Breach of Unsecured PHI is discovered as of the first day on which such breach is known to Business Associate (including any person other than the individual committing the breach who is an employee, officer, Subcontractor, or another agent of Business Associate, as determined in accordance with the federal common law of agency) or should reasonably have been known to Business Associate following exercise of reasonable diligence.
- Improper Disclosures. Business Associate and Subcontractors agree to:
- Comply with 45 C.F.R. Sections 164.308, 164.310, 164.312 and 164.316 as if they were a Covered Entity.
- Use commercially reasonable efforts to secure PHI through technology safeguards that render such PHI unusable, unreadable and indecipherable to individuals unauthorized to acquire or otherwise have access to such PHI, in accordance with HHS Guidance published at 74 Federal Register 19006 (April 17, 2009), or later regulations or guidance promulgated by HHS or issued by the National Institute of Standards and Technology (“NIST”) to protect PHI.
- Report to Covered Entity any Security Incident, unauthorized or improper use or disclosure of any PHI under this Agreement, as soon as practicable, upon becoming aware of such use or disclosure.
- Breach of System Security. “Breach of System Security” means an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including encrypted data if the person accessing the data has the key required to decrypt the data and includes any other definition promulgated by state law. Business Associate shall provide notice to Covered Entity of any breach of system security after discovering or receiving notification of the breach, and mitigate any known harm of the breach.
7. De-identified Data. Business Associate shall have the right to de-identify PHI subject to the Terms of Service and this Agreement in accordance with the requirements of 45 C.F.R. Section 164.514, and to anonymously aggregate and use such data for Business Associate’s purposes, in Business Associate’s sole discretion.
8. Term and Termination. The Parties agree that upon termination, transactional data (which does not include PHI) provided to the Individual by Covered Entity through Business Associate shall not be destroyed. Per the Terms of Service, Confidential Information (including PHI, if any, contained within such Confidential Information) will be destroyed and will not be available to the Individual through the Vow App and/or Website. All other PHI provided by Covered Entity shall be returned or destroyed as required by the HIPAA regulations.
9. Amendment. If any rules or regulations promulgated under HIPAA or state law are amended or interpreted and render this Agreement inconsistent therewith, Covered Entity may, on thirty (30) days’ written notice to Business Associate, amend this Agreement as necessary to comply with such amendments or interpretations. Business Associate shall comply with all such amendments, amend this Agreement, and amend applicable Subcontractor agreements.
10. Conflicting Terms. In the event any terms of this Agreement conflict with any terms of the Service Agreement, the terms of this Agreement shall govern and control.
11. Notices. All notices, requests, approvals, demands and other communications required or permitted to be given under this Agreement shall be in writing and delivered either personally, by certified mail with postage prepaid and return receipt requested, or by overnight courier to the party to be notified. Addresses in the signature line will be used for notification purposes for either party unless updated by written notification to the other party.
12. Days. All references to “days” in this Agreement mean business days.
13. Independent Contractors. The parties are and shall be independent contractors to one another, and nothing in this Agreement shall be deemed to create an agency, partnership, or joint venture between the Parties.
14. Assignment. This Agreement shall be binding on the Parties and their successors and assigns. Neither party shall assign any of its rights under this Agreement to any other party without the prior written consent of the other party, provided that Covered Entity or Business Associate shall have the right to assign this Agreement to their respective affiliates.
15. Severability. In the event a court or any governmental authority or agency declares all or part of any section of this Agreement unlawful or invalid, such unlawfulness or invalidity shall not serve to invalidate any other section of this Agreement, and if only a portion of any section is declared to be unlawful or invalid, such unlawfulness or invalidity shall not invalidate the balance of such section.
16. Counterparts. This Agreement may be executed in two or more counterparts, each of which shall be deemed to be an original, but all of which shall constitute one and the same agreement.