Business Associate Agreement
This Business Associate Agreement (“Agreement”) by and between you, the Treatment Provider (as defined below) (“Covered Entity”), and Protocall Services, Inc. (“Business Associate”), is effective as of the date Covered Entity clicks “I Agree to Welltrack Connect’s Business Associate Agreement.” Covered Entity and Business Associate are each a “Party” and collectively, they are the “Parties.”
By clicking “I Agree to Welltrack Connect’s Business Associate Agreement”, you accept and agree to be bound and abide by this Agreement. Your access to and use of Welltrack Connect is conditioned upon your acceptance and compliance with this Agreement. If you do not agree to these terms of this Agreement, you may not access or use Welltrack Connect.
Recitals
WHEREAS, Covered Entity and Business Associate are subject to the requirements of Title II, Subtitle F (Administrative Simplification) of the Health Insurance Portability and Accountability Act of 1996, codified at 42 U.S.C.§§ 1320d et seq, as amended and Title XIII, Subtitle D (Privacy) of the Health Information Technology for Economic and Clinical Health Act, codified at 42 U.S.C §§ 17921 et seq, as amended (“HITECH”);
WHEREAS, pursuant to the agreement between the Parties (the “Services Agreement”), Business Associate shall provide certain services to Covered Entity whereby it may have access to Protected Health Information that is disclosed to Business Associate by Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity; and
WHEREAS, Covered Entity and Business Associate desire to maintain the privacy and security of Protected Health Information by entering into this Agreement in compliance with HIPAA, HITECH and their implementing regulations.
NOW, THEREFORE, for and in consideration of the mutual promises, covenants and agreements contained herein, and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:
- Definitions
- The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
- “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean Welltrack Connect.
- “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean the Treatment Provider.
- “Electronic Protected Health Information” or “EPHI” shall have the meaning given to such term under 45 CFR § 160.103, limited to electronic PHI disclosed by Covered Entity to Business Associate, or created, maintained, or received by Business Associate on behalf of Covered Entity.
- “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
- “Protected Health Information” or “PHI” shall have the meaning given to such term under 45 CFR 160.103, limited to PHI disclosed by Covered Entity to Business Associate, or created, maintained, or received by Business Associate on behalf of Covered Entity.
- “Treatment Provider” means the healthcare professional or group of healthcare professionals that use the services provided by Business Associate.
- Obligations and Activities of Business Associate
- Uses and Disclosures of PHI. Business Associate agrees to not Use or Disclose PHI other than as permitted or required by this Agreement or as Required by Law.
- Appropriate Safeguards. Business Associate agrees to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to Electronic Protected Health Information, to prevent Use or Disclosure of PHI other than as provided for by this Agreement.
- Reporting Obligations. Business Associate shall report to Covered Entity any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware, including Breaches of Unsecured Protected Health Information as required at 45 CFR § 164.410, and any Security Incident of which it becomes aware. Such incidents shall be reported without unreasonable delay and in no case later than thirty (30) calendar days after discovery of the incident, unless a law enforcement delay applies pursuant to 45 CFR § 164.412. In the event of a law enforcement delay, Business Associate shall notify Covered Entity within the time frame required by such section.
- Disclosures to Subcontractors. In accordance with 45 CFR § 164.502(e)(1)(ii) and § 164.308(b)(2), if applicable, Business Associate shall ensure that any Subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such information.
- Access to PHI. Within fifteen (15) business days of a written request by Covered Entity, Business Associate agrees to make available PHI in a Designated Record Set to Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.524. If Business Associate receives a request for access to PHI directly from an Individual, Business Associate shall forward such request to Covered Entity within ten (10) business days. Covered Entity shall be responsible for deciding whether to grant Individual requests for access.
- Amendment of PHI. Within fifteen (15) business days of a written request by Covered Entity, Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by Covered Entity pursuant to 45 CFR § 164.526. If Business Associate receives a request for amendment directly from an Individual, Business Associate shall forward such request to Covered Entity within ten (10) business days. Covered Entity shall be responsible for deciding whether to grant Individual requests for amendment.
- Documentation and Accounting of Disclosures. Business Associate agrees to maintain and within fifteen (15) business days of a written request by Covered Entity, make available the information required to provide an accounting of Disclosures to the Covered Entity as necessary to satisfy Covered Entity’s obligations under 45 CFR § 164.528. If Business Associate receives a request for an accounting of disclosures directly from an Individual, Business Associate shall forward such request to Covered Entity within ten (10) business days. Covered Entity shall be responsible for deciding whether to grant Individual requests for accountings.
- Delegation of Obligations. To the extent Business Associate is to carry out one or more of Covered Entity’s obligation(s) under Subpart E of 45 CFR Part 164, Business Associate shall comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
- Governmental Access to Records. Business Associate shall make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
- Permitted Uses and Disclosures by Business Associate
- Uses and Disclosures of PHI pursuant to the Underlying Arrangement. Business Associate may Use or Disclose PHI as necessary to perform the services set forth in the Services Agreement.
- De-Identified Data. Business Associate may Use PHI to de-identify the information in accordance with 45 CFR § 164.514(a)-(c). De-identified information is not considered PHI and Business Associate may further Use and Disclose such information for its own business purposes.
- Minimum Necessary. Business Associate agrees to make Uses and Disclosures and requests for PHI under this Agreement consistent with the minimum necessary requirements of 45 CFR § 164.502(b).
- Uses and Disclosures of PHI Required by Law. Business Associate may Use or Disclose PHI as Required by Law.
- Permitted Uses and Disclosures of PHI by Business Associate. Business Associate may not Use or Disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Covered Entity, except for the specific Uses and Disclosures set forth below:
- Business Associate may Use PHI for its proper management and administration or to carry out its legal responsibilities;
- Business Associate may Disclose protected health information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided the Disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Business Associate may provide Data Aggregation services relating to the Health Care Operations of Covered Entity.
- Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
- Notice of Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 CFR § 164.520, to the extent that such limitation may affect Business Associate’s Use or Disclosure of PHI.
- Notification of Changes Regarding Individual Permission. Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to Use or Disclose his or her PHI, to the extent that such changes may affect Business Associate’s Use or Disclosure of PHI.
- Notification of Restrictions to Use or Disclose PHI. Covered Entity shall notify Business Associate of any restriction on the Use or Disclosure of PHI that Covered Entity has agreed to or is required to abide by under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s Use or Disclosure of PHI.
- Authorizations. Covered Entity shall secure any Individual consents, permissions, agreements, or authorizations necessary to Disclose PHI to Business Associate or for Business Associate to Use or Disclose PHI to provide services under the Services Agreement.
- Permissible Requests by Covered Entity
- Indemnification and Limitation of Liability
- Term and Termination
- Term. The term of this Agreement shall commence on the Effective Date and shall terminate upon the earlier of (i) termination of the Services Agreement or this Agreement, or (ii) when all PHI is destroyed or returned to Covered Entity.
- Termination for Cause. Either Party may terminate this Agreement for cause if the other Party breaches a material term of this Agreement and the breaching Party has not cured the breach or ended the violation within thirty (30) calendar days of notice by the non-breaching party.
- Obligations of Business Associate Upon Termination. With respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, upon termination of this Agreement for any reason Business Associate shall:
- Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
- Return to Covered Entity or destroy the remaining PHI that Business Associate still maintains in any form;
- Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to EPHI to prevent Use or Disclosure of the PHI, other than as provided for in this section, for as long as Business Associate retains the PHI;
- Survival. The obligations of Business Associate under this section shall survive the termination of this Agreement.
- Miscellaneous
- Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
- Amendment. This Agreement may not be modified, nor shall any provision hereof be waived or amended, except in a writing duly signed by authorized representatives of the Parties. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of any right or remedy as to subsequent events. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
- Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
- No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Parties and the respective successors or assigns of the Parties, any rights, remedies, obligations, or liabilities whatsoever.
- Assignment. This Agreement shall be binding upon and inure to the benefit of the Parties and their respective successors and assigns. It shall not be assignable by either Party, in whole or in part, to any third party, provided that it shall automatically be assigned in conjunction with the assignment of the Services Agreement.
- Conflict. In the event of a conflict between this Agreement and the Services Agreement, this Agreement shall govern.
Covered Entity shall not request that Business Associate Use or Disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity, provided that Business Associate may Use or Disclose PHI for Data Aggregation purposes, Business Associate’s proper management and administration and to carry out its legal responsibilities.
The Parties agree that the indemnification obligations and limitation of liability contained under the Services Agreement shall govern each Party’s performance under this Agreement.