Healigo Business Associate Agreement

To the extent that Covered Entity discloses Protected Health Information to Business Associate (or Business Associate handles Protected Health Information on Covered Entity's behalf) in connection with services or products provided to Covered Entity, or as otherwise required or allowed by the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, codified at 42 U.S.C. §1320d through d-9, as amended, ("HIPAA"), Covered Entity and Business Associate agree to the following terms and conditions, which are intended to comply with HIPAA, the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") and their implementing regulations. This BA Agreement shall be applicable only in the event and to the extent Business Associate meets, with respect to Covered Entity, the definition of a Business Associate set forth at 45 C.F.R. §160.103, or applicable successor provisions. Now, therefore, in consideration of the foregoing and other good and valuable consideration, the sufficiency and receipt of which are hereby acknowledged, the parties agree as follows:

1. General Terms and Conditions

  1. "BA Agreement" shall mean this HIPAA Business Associate Agreement.
  2. "Business Associate" shall generally have the same meaning as the term "business associate" at 45 C.F.R. §160.103, and in reference to the party to this BA Agreement, shall mean Healigo Inc.
  3. "Covered Entity" shall generally have the same meaning as the term "covered entity" at 45 C.F.R. §160.103, and in reference to the party to this BA Agreement, shall mean the individual or entity which is a party to this agreement.
  4. "HIPAA Rules" shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and Part 164.
  5. "Service Agreement" shall mean the separate agreement(s) between the parties in which Business Associate performs functions or activities on behalf of Covered Entity.
  6. Other definitions: The following terms used in this BA Agreement shall have the same meaning as those in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information (to the extent such Protected Health Information is created, transmitted, received, used, disclosed, accessed or maintained by Business Associate), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. Other terms shall have the definitions set forth in this BA Agreement.

2. Obligations and Activities of Business Associate

  1. Business Associate agrees to not Use or Disclose Protected Health Information other than as permitted or required by this BA Agreement, as Required by Law, or as contemplated by the Service Agreement.
  2. Business Associate agrees to use appropriate safeguards, including compliance with Subpart C of 45 C.F.R. Part 164 with respect to electronic Protected Health Information, to prevent Use or Disclosure of the electronic Protected Health Information other than as permitted by this BA Agreement.
  3. Business Associate agrees to report to Covered Entity's Privacy Official any Use or Disclosure of Protected Health Information not provided for by this BA Agreement of which it becomes aware, including Breaches of Unsecured Protected Health Information as required by 45 C.F.R. §164.410, and any Security Incident of which it becomes aware. For reports of incidents constituting a Breach, the report shall include, to the extent available, the identification of each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or Disclosed during such Breach. Security Incidents that do not result in any unauthorized access, use, disclosure, modification, destruction of information or interference with system operations will be reported in the aggregate upon written request of Covered Entity in a manner and frequency mutually acceptable to the parties. Business Associate hereby reports to Covered Entity that incidents including, but not limited to, ping sweeps or other common network reconnaissance techniques, attempts to log on to a system with an invalid password or username, and denial of service attacks that do not result in a server being taken off line, may occur from time to time.
  4. In accordance with 45 C.F.R. §§164.502(e)(1)(ii) and 164.308(b)(2), if applicable, Business Associate agrees to ensure that subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of Business Associate agree to the same restrictions, conditions and requirements that apply through this BA Agreement to Business Associate with respect to such information.
  5. To the extent Business Associate has Protected Health Information in a Designated Record Set, and only to the extent required by HIPAA, Business Associate agrees to make available Protected Health Information in a Designated Record Set, to Covered Entity as necessary to satisfy Covered Entity's obligations under 45 C.F.R. §164.524. The Parties agree and acknowledge that it is Covered Entity's responsibility to respond to all such requests.
  6. Business Associate agrees to make Protected Health Information available for purposes of any amendments to Protected Health Information in its possession contained in a Designated Record Set as agreed to by Covered Entity pursuant to 45 C.F.R. §164.526 or take other measures as necessary to satisfy Covered Entity's obligations under 45 C.F.R. §164.526. The Parties agree and acknowledge that it is Covered Entity's responsibility to respond to all such requests.
  7. Business Associate agrees to maintain and make available to Covered Entity the information required to provide an accounting of disclosures by Business Associate as necessary to satisfy Covered Entity's obligations under 45 C.F.R. §164.528. The Parties agree and acknowledge that it is Covered Entity's responsibility to respond to all such requests.
  8. To the extent, under the terms of the Service Agreement, Business Associate is to carry out one or more of Covered Entity's obligations under Subpart E of 45 C.F.R. Part 164 of the HIPAA Rules, Business Associate agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
  9. Business Associate agrees to make its internal practices, books, and records related to Business Associate's use and disclosure of Protected Health Information received from Covered Entity available to the Secretary for purposes of determining compliance with the HIPAA Rules.

3. Permitted Uses and Disclosures of Protected Health Information by Business Associate

  1. Business Associate may use or disclose Protected Health Information as necessary to perform the services set forth in the Service Agreement, as permitted in this BA Agreement and the Service Agreement, and as otherwise permitted by the HIPAA Rules.
  2. Business Associate may Use or Disclose Protected Health Information as Required By Law.
  3. Business Associate agrees to make uses and disclosures and requests for Protected Health Information consistent with the requirements in the HIPAA Rules regarding Minimum Necessary uses and disclosures. Covered Entity represents and warrants that its Minimum Necessary policies and procedures and the Notice of Privacy Practices are consistent with, and not more stringent than, the HIPAA Rules or, to the extent that Covered Entity's Notice of Privacy Practices or policies and procedures regarding the Minimum Necessary requirements of the HIPAA Rules impose additional particular restrictions on Business Associate, Covered Entity agrees to provide such policies to Business Associate in writing prior to requesting that Business Associate perform a particular function or activity on behalf of Covered Entity that would be affected by such policies and procedures.
  4. Business Associate may create de-identified information that may be used and disclosed by Business Associate as Business Associate deems appropriate, provided that the information is de-identified in accordance with the HIPAA Rules.
  5. Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity. Business Associate may also use Protected Health Information to create, use and disclose a Limited Data Set consistent with the HIPAA Rules.
  6. Business Associate may use and disclose Protected Health Information to report violations of law to appropriate Federal and State authorities, in a manner consistent with the HIPAA Rules.
  7. Business Associate may not use or disclose Protected Health Information in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by Covered Entity, except for the specific uses and disclosures set forth below.
  8. Business Associate may use Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.
  9. Business Associate may disclose Protected Health Information for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that the disclosures are Required By Law or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

4. Obligations of Covered Entity

  1. Covered Entity shall notify Business Associate, in writing and in a timely manner, of any limitation(s) in the Notice of Privacy Practices of Covered Entity under 45 C.F.R. §164.520, and its policies regarding the "Minimum Necessary" requirements in 45 C.F.R. §164.502(b), to the extent that such limitation may affect Business Associate's Use or Disclosure of Protected Health Information, and shall notify Business Associate of any material changes thereof.
  2. Covered Entity shall notify Business Associate, in writing and in a timely manner, of any changes in, or revocation of, permission by Individual to Use or Disclose Protected Health Information, if such changes may affect Business Associate's Use or Disclosure of Protected Health Information.
  3. Covered Entity shall notify Business Associate, in writing and in a timely manner, of any restriction on the Use and/or Disclosure of Protected Health Information to which Covered Entity has agreed or is required to abide by, to the extent that such restriction may affect Business Associate's Use or Disclosure of Protected Health Information.
  4. Covered Entity agrees to comply with all applicable state and federal privacy and security laws and regulations, including the HIPAA Rules. Covered Entity agrees to obtain any patient authorizations or consents that may be required under state or federal law or regulation in order to transmit Protected Health Information to Business Associate and to enable Business Associate and its subcontractors to Use and Disclose Protected Health Information as contemplated by this BA Agreement and the Service Agreement.
  5. Covered Entity may not ask Business Associate to Use or Disclose Protected Health Information in any manner that would not be permissible under applicable laws and rules, including the HIPAA Rules, if done by Covered Entity, except that Business Associate may use or disclose Protected Health Information for its proper management and administration, data aggregation, and other activities permitted by this BA Agreement.

5. Term and Termination

  1. Term. Except as otherwise provided herein, the term of this BA Agreement shall coincide with the Service Agreement and shall be terminable in accordance with the termination provisions of the Service Agreement, or the date either party terminates for cause, as authorized in paragraph (b) of this Section, whichever is sooner.
  2. Termination for Cause. Upon a party's knowledge of a material breach by the other, the non-breaching party shall provide written notice to the breaching party and may terminate this BA Agreement if the breaching party does not cure the breach or end the violation within 30 days of receipt of such notice.
  3. Effect of Termination
    1. Except as provided below in Subsection 5(c)(ii) of this BA Agreement, upon termination of this BA Agreement, for any reason, Business Associate shall return or destroy, at Covered Entity's expense, all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, that Business Associate still maintains in any form. Business Associate shall retain no copies of the Protected Health Information.
    2. In the event that Business Associate determines that it needs to retain Protected Health Information in order to Use or Disclose Protected Health Information for its own management and administration or to carry out its legal responsibilities, Business Associate may retain such Protected Health Information. Upon termination of this BA Agreement for any reason, Business Associate, with respect to Protected Health Information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
      1. Retain only that Protected Health Information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
      2. Return or destroy the remaining Protected Health Information that Business Associate still maintains in any form;
      3. Continue to use appropriate safeguards to comply with Subpart C of 45 C.F.R. Part 164 with respect to electronic Protected Health Information to prevent Use or Disclosure of the Protected Health Information, other than as provided for in this Section, for as long as Business Associate retains the Protected Health Information;
      4. Not Use or Disclose the Protected Health Information retained by Business Associate other than for the purposes for which such Protected Health Information was retained and subject to the same conditions set out at Subsections 3(h)-(i) above which applied prior to termination; and
      5. Return to Covered Entity or destroy the Protected Health Information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
  4. Business Associate's rights and obligations under this Section 5 shall survive the termination of this BA Agreement and shall end when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity.

6. Interpretation and Amendment of this BA Agreement

A regulatory reference in this BA Agreement to a section of the HIPAA Rules means the section as in effect or as amended. Any ambiguity or inconsistency in this BA Agreement shall be interpreted to permit compliance with the HIPAA Rules. This BA Agreement supersedes any and all prior representations, understandings, or agreements, written or oral, concerning the subject matter herein, including conflicting provisions of the Service Agreement. The parties hereto agree to negotiate in good faith to amend this BA Agreement from time to time as is necessary for compliance with the requirements of HIPAA or any other applicable law and for Business Associate to provide services to Covered Entity. However, no change, amendment, or modification of this BA Agreement shall be valid unless it is set forth in writing and signed by both parties. When provisions of this BA Agreement are different than those in the HIPAA Rules, but are nonetheless permitted by the HIPAA Rules, the provisions of this BA Agreement shall control.

7. No Third Party Rights/Independent Contractors

The terms and conditions of this BA Agreement are intended for the sole benefit of Business Associate and Covered Entity and do not create any third party rights. The parties declare that they are independent contractors and not agents of each other, except as otherwise required by law or regulation.

8. Notices

Any notice required or permitted by this BA Agreement to be given or delivered shall be in writing and shall be deemed given or delivered if delivered in person, or delivered by courier or expedited delivery service, or delivered by registered or certified mail, postage prepaid, return receipt requested to the address set forth below. Each party may change its address for purposes of this BA Agreement by written notice to the other party.

9. Governing Law

To the extent not preempted by federal law, the BA Agreement shall be governed and construed in accordance with the state laws governing the Service Agreement, without regard to conflicts of law provisions that would require application of the law of another state.

10. Binding Nature and Benefits

This BA Agreement binds and benefits the parties, and their respective successors, and their permitted assigns.

11. Severability

Whenever possible, each provision of this BA Agreement shall be interpreted so as to be effective and valid under applicable law. If any provision of this BA Agreement should be prohibited or found invalid under applicable law, such provision shall be ineffective to the extent of such prohibition or invalidity without invalidating the other of such provision or the remaining provisions of this BA Agreement; provided, however, that if any such invalid provision is material to an extent that a party would not have entered into the BA Agreement absent such provision, then that party may terminate the BA Agreement upon ninety (90) calendar days' prior written notice to the other party.

12. Liability

  1. NOTWITHSTANDING ANY PROVISION IN THE SERVICE AGREEMENT TO THE CONTRARY, IN NO EVENT WILL EITHER PARTY BE LIABLE OR RESPONSIBLE TO THE OTHER FOR ANY TYPE OF INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, INDIRECT OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST REVENUE, LOST PROFITS, LOSS OF DATA, OR CIVIL OR CRIMINAL PENALTIES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY IS INTENDED TO APPLY TO ANY CLAIM, INCLUDING WITHOUT LIMITATION CLAIMS BASED IN STATUTE, COMMON LAW, CONTRACT, WARRANTY, FIDUCIARY DUTY, NEGLIGENCE OR OTHER TORT, OR STRICT LIABILITY. THIS LIMITATION OF LIABILITY SHALL ALSO APPLY AFTER TERMINATION OF THIS BA AGREEMENT AND THE SERVICE AGREEMENT.
  2. NOTWITHSTANDING ANY PROVISION IN THE SERVICE AGREEMENT TO THE CONTRARY, BUSINESS ASSOCIATE'S AGGREGATE LIABILITY TO COVERED ENTITY UNDER THIS ADDENDUM SHALL NOT EXCEED THE AMOUNT ACTUALLY PAID TO BUSINESS ASSOCIATE FOR THE PORTION OF THE WORK GIVING RISE TO SUCH LIABILITY, AND A RETURN OF SUCH AMOUNTS PAID SHALL BE COVERED ENTITY’S EXCLUSIVE REMEDY FOR ANY DAMAGES. THIS LIMITATION OF LIABILITY IS INTENDED TO APPLY TO ANY CLAIM, INCLUDING WITHOUT LIMITATION CLAIMS BASED IN STATUTE, COMMON LAW, CONTRACT, WARRANTY, FIDUCIARY DUTY, NEGLIGENCE OR OTHER TORT, OR STRICT LIABILITY. THIS LIMITATION OF LIABILITY SHALL ALSO APPLY AFTER TERMINATION OF THIS BA AGREEMENT AND THE SERVICE AGREEMENT.

13. Counterparts

This BA Agreement may be executed in multiple counterparts, which shall constitute a single agreement, and by facsimile or electronic signatures, which shall be treated as originals.

14. Authority to Execute Agreement

The individuals signing this Agreement and the Parties represent and warrant that they have full and complete authority and authorization to execute and effect this Agreement and to take or cause to be taken all acts contemplated by this Agreement. IN WITNESS WHEREOF, the parties have executed this BA Agreement, effective as of the date of acknowledgement by the Parties.

Covered Entity:

By: [Electronic Signature]

If signing on behalf of a practice: [Practice Name] [Practice Address]

Business Associate:

By: Nicholas Fontana, CEO

Address: 175 Portland St, 6th Floor Boston, MA 02114

Version

This BAA was last edited on July 13, 2016.

COPYRIGHT AND LEGAL NOTICE.

Copyright ©2017 Healigo Inc. All Rights Reserved.