Business Associate Agreement.
HIPAA Subcontractor
Business Associate Agreement
This HIPAA Subcontractor Agreement ("Agreement" or "BAA") is entered into as of the date listed on the applicable Order Form that is part of a Services Agreement, as defined below (the "Effective Date") pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), by and between the party named on the applicable Order Form/Services Agreement ("Business Associate") and IntelAgree, LLC (together with its affiliates, "Subcontractor").
ARTICLE I
PREAMBLE AND DEFINITIONS.
Section 1.01 Subcontractor provides services to Business Associate in connection with which the Business Associate may disclose Protected Health Information (“PHI”) to Subcontractor in order to enable Subcontractor to perform one or more functions for the Business Associate (the “Services”). The agreement under which the Subcontractor performs the Services for the Business Associate is referred to herein as the “Services Agreement”.
Section 1.02 The parties desire to comply with HIPAA and the Final Rule for Standards for Privacy of Individually Identifiable Health Information adopted by the United States Department of Health and Human Services (“HHS”) and codified at 45 C.F.R. part 160 and part 164, subparts A & E (the “Privacy Rule”), the HIPAA Security Rule (the “Security Rule”; together with the Privacy Rule, the “HIPAA Rules”), codified at 45 C.F.R. Part 164 Subpart C, and Subtitle D and the Health Information Technology for Economic and Clinical Health Act (“HITECH”), including C.F.R. Sections 164.308, 164.310, 164.312, 164.316, and 164.402. Pursuant to changes required under the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act") and under the American Recovery and Reinvestment Act of 2009 ("ARRA"), this Agreement also reflects federal breach notification requirements imposed on Subcontractor when "Unsecured PHI" (as defined under the HIPAA Rules) is acquired by an unauthorized party and the expanded privacy and security provisions imposed on business associates and subcontractors. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
Section 1.03 Unless the context clearly indicates otherwise, the following terms in this BAA shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Electronic Media, Electronic Protected Health Information (ePHI), Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured PHI and Use.
Section 1.04 A reference in this Agreement to the Privacy Rule means the Privacy Rule, in conformity with the regulations at 45 C.F.R. Parts 160-164 as interpreted under applicable regulations and guidance of general application published by the HHS, including all amendments thereto for which compliance is required, as amended by the HITECH Act, ARRA and the HIPAA Rules.
ARTICLE II
GENERAL OBLIGATIONS OF SUBCONTRACTOR.
Section 2.01 Subcontractor agrees not to use or disclose PHI, other than as permitted or required by this Agreement or as Required By Law, or if such use or disclosure does not otherwise cause a Breach of Unsecured PHI.
Section 2.02 Subcontractor agrees to use reasonable and appropriate safeguards, and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this Agreement.
Section 2.03 Subcontractor agrees to mitigate, to the extent practicable, any harmful effect that is known to Subcontractor as a result of a use or disclosure of PHI by Subcontractor in breach of the requirements of this Agreement or that would otherwise cause a Breach of Unsecured PHI.
Section 2.04 The Subcontractor agrees to the following breach notification requirements:
- Subcontractor agrees to report to Business Associate any use or disclosure of PHI not provided for in connection with this Agreement or the performance of the Services, of which it becomes aware within five (5) business days of discovery, including Breaches of Unsecured PHI as required by 45 CFR 164.410. For purposes of this Section, a breach shall be treated as "discovered" as of the first day on which such breach is known to Subcontractor (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of Subcontractor) to have occurred; provided, that, notice is hereby deemed given for Unsuccessful Security Incidents, defined as a security incident that does not result in: (1) the unauthorized access, use, disclosure, modification or destruction of PHI; or (2) material interference with system operations in an information system, including, without limitation, activity such as pings and other broadcast attacks on Subcontractor's firewall, port scans, unsuccessful log-on attempts, interception of encrypted information where the key is not compromised, denial of service attacks and/or any combination of the above, as long as no such incident results in unauthorized access, use, disclosure, modification or destruction of PHI. This section shall satisfy any notices to Business Associate required of Subcontractor of the occurrence and ongoing existence of Unsuccessful Security Incidents, for which no additional notice to Business Associate shall be given or required.
- Notification of a Breach of Unsecured PHI under 45 CFR 164.410 will be made without unreasonable delay, but in no event more than five (5) business days after Subcontractor's discovery (as defined above) of such a Breach and will be delivered to Business Associate by means selected by Subcontractor, including via email. Subcontractor's obligation to report under this Section shall not be construed as an acknowledgment by Subcontractor of any fault or liability with respect to any use or disclosure of PHI, or security incident or breach related thereto.
Section 2.05 Subcontractor agrees, in accordance with 45 C.F.R. 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, to require that any subcontractors that create, receive, maintain or transmit PHI on behalf of the Subcontractor agree to the restrictions, conditions and requirements that are the same as those that apply to the Subcontractor with respect to such PHI under this Agreement.
Section 2.06 In the event that Subcontractor maintains PHI in a Designated Record Set for Business Associate, at the request of Business Associate, Subcontractor shall either provide Business Associate with access to Business Associate’s portal via the Business Associate’s unique log-in credentials, in accordance with 45 CFR § 164.524 and 45 CFR § 164.526 of the Privacy Rule or make available PHI in a Designated Record Set to Business Associate as necessary to satisfy Business Associate’s obligations under 45 C.F.R. 164.524.
Section 2.07 Subcontractor agrees to maintain and, if requested, make available the information required to provide an accounting of disclosures to Business Associate as necessary to satisfy Business Associate’s obligations under 45 CFR 164.528.
Section 2.08 Subcontractor agrees to make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary, for purposes of determining Business Associate’s compliance with the HIPAA Rules. Nothing in this Section shall be deemed to be a waiver of any applicable privilege or protection, including with respect to trade secrets or confidential commercial information.
Section 2.09 To the extent that Subcontractor is to carry out one or more of Business Associate's obligations under Subpart E of 45 C.F.R. Part 164, Subcontractor agrees to comply with the requirements of Subpart E that apply to the Business Associate in the performance of such obligation(s).
Section 2.10 Subcontractor agrees to account for the following disclosures:
- Subcontractor agrees to maintain and document Breaches of Unsecured PHI and any information relating to the disclosure of PHI and Breach of Unsecured PHI in a manner as would be required for Business Associate to respond to a request by an Individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
- Subcontractor agrees to provide to Business Associate, or to an individual at Business Associate's written request, information collected in accordance with this Section 2.10 to permit Business Associate to respond to a request by an Individual or the Secretary for an accounting of PHI disclosures and Breaches of Unsecured PHI.
ARTICLE III
PERMITTED USES AND DISCLOSURES BY SUBCONTRACTOR.
Section 3.01 Subcontractor agrees to receive, create, use or disclose PHI only in a manner that is consistent with this Agreement, the Privacy Rule or Security Rule and only in connection with providing the Services to Business Associate or as otherwise authorized pursuant to the Services Agreement; provided, that the use or disclosure would not violate the Privacy Rule, including 45 C.F.R. 164.504(e), if the use or disclosure would be done by Business Associate.
Section 3.02 Subcontractor may use or disclose PHI as Required By Law and for the proper management and administration of its business and to carry out the Services; provided, that, the use or disclosure is Required by Law or Subcontractor obtains reasonable assurances from the recipient of the information that any PHI will remain confidential, be used or further disclosed only as Required by Law or for the purposes for which it was disclosed to them, and the recipient shall be required to notify Subcontractor of any instances of which it is aware in which the confidentiality of the PHI has been breached.
Section 3.03 Subcontractor may not use or disclose PHI in a manner that would violate Subpart E of 45 C.F.R. Part 164 if done by the Business Associate.
ARTICLE IV
OBLIGATIONS OF BUSINESS ASSOCIATE.
Section 4.01 Business Associate shall:
- notify Subcontractor of any restriction on the use or disclosure of PHI that Business Associate has agreed to or is required to abide by under 45 C.F.R. 164.522, to the extent that such restriction may affect Subcontractor's use or disclosure of PHI under this Agreement.
- notify Subcontractor of any changes in or revocation of permission by an Individual to use or disclose PHI, if such change or revocation may affect Subcontractor's permitted or required uses and disclosures of PHI under this Agreement.
- implement and maintain appropriate administrative, technical and physical safeguards to protect from unauthorized access and use (i) its PHI in compliance with HIPAA and (ii) all access credentials created, assigned and managed by Business Associate and used by Authorized Users (as defined in the Services Agreement) to access the Subcontractor's software platform pursuant to the Services Agreement.
- report to the Subcontractor any Security Incident of which it becomes aware without unreasonable delay and in any event within five (5) business days of discovery.
- Business Associate acknowledges and agrees that it shall be granting its Authorized Users the right to access the Subcontractor's software platform and Customer Data (as defined in the Services Agreement), and shall have the sole responsibility of controlling and managing all access credentials it creates for its Authorized Users. Business Associate shall be responsible for any unauthorized use of, or access to, the software platform or any Subscriber Data, by Business Associate, Authorized Users or its agents. If Business Associate discovers any unauthorized access to, or use of, Subcontractor's software platform or Customer Data through any access credentials created by Business Associate, Business Associate shall immediately notify Subcontractor at security@intelagree.com.
- it is Business Associate’s responsibility to ensure Business Associate has the appropriate business associate agreements in place.
Section 4.02 Business Associate shall not request Subcontractor to use or disclose PHI in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Business Associate.
ARTICLE V
COMPLIANCE WITH SECURITY RULE.
Section 5.01 Subcontractor shall comply with the HIPAA Security Rule, including the Standards for Security of Electronic Protected Health Information at 45 C.F.R. Part 160 and Subparts A and C of Part 164, as amended by ARRA and the HITECH Act.
Section 5.02 In accordance with the Security Rule, Subcontractor agrees to:
- implement the administrative safeguards set forth at 45 C.F.R. 164.308, the physical safeguards set forth at 45 C.F.R. 164.310, the technical safeguards set forth at 45 C.F.R. 164.312, and the policies and procedures set forth at 45 C.F.R. 164.316 to reasonably and appropriately protect the confidentiality, integrity and availability of the ePHI that it creates, receives, maintains or transmits on behalf of Business Associate as required by the Security Rule. Subcontractor acknowledges that, effective on the Effective Date of this Agreement, the foregoing safeguards, policies and procedures requirements shall apply to Subcontractor in the same manner that such requirements apply to Business Associate;
- require that any agent, including a business associate to whom it provides such PHI, agrees to implement reasonable and appropriate safeguards to protect the PHI; and
- report to the Business Associate any Security Incident of which it becomes aware in accordance with the terms hereof.
ARTICLE VI
TERM AND TERMINATION.
Section 6.01 This Agreement shall be in effect as of the Effective Date and shall terminate on the earlier of the date that:
- either party terminates for cause as authorized under Section 6.02.
- all of the PHI received from Business Associate, or created or received by Subcontractor on behalf of Business Associate, is destroyed or returned to Business Associate. If it is not feasible to return or destroy PHI, protections shall be extended in accordance with Section 6.03.
- if the Secretary provides guidance, clarification or interpretation of HIPAA or the HITECH Act or there is a change in HIPAA or the HITECH Act such that the service relationship between Subcontractor and Business Associate is not considered a business associate relationship as defined in HIPAA, this Agreement shall terminate and be null and void.
Section 6.02 Upon either party's knowledge of material breach by the other party, the non-breaching party shall provide an opportunity for the breaching party to cure the breach or end the violation. If the breaching party does not cure the breach or end the violation within a reasonable timeframe not to exceed thirty (30) days from the notification of the breach, the non-breaching party may terminate this Agreement and the Services Agreement upon written notice to the other party.
Section 6.03 Upon termination of this Agreement for any reason, the parties agree that Subcontractor, with respect to PHI received from Business Associate, or created, maintained, or received by Subcontractor on behalf of Business Associate, shall:
- retain only that PHI that is necessary for Subcontractor to continue its proper management and administration or to carry out its legal responsibilities;
- return to Business Associate or, if agreed to by Business Associate, destroy the remaining PHI that the Subcontractor still maintains in any form;
- continue to use appropriate safeguards and comply with Subpart C of 45 C.F.R. Part 164 with respect to ePHI to prevent use or disclosure of the PHI, other than as provided for in this Section 6, for as long as Subcontractor retains the PHI; and
- not use or disclose the PHI retained by Subcontractor other than for the purposes for which such PHI was retained and subject to the same conditions set forth in this Agreement that applied prior to termination.
ARTICLE VII
MISCELLANEOUS.
Section 7.01 The parties agree to take such action as is necessary to amend this Agreement to comply with the requirements of the Privacy Rule, the Security Rule, HIPAA, ARRA, the HITECH Act, the HIPAA Rules and any other applicable law.
Section 7.02 The obligations of Subcontractor under Article VI of this Agreement shall survive the termination of this Agreement.
Section 7.03 This Agreement shall be interpreted in the following manner:
- Any ambiguity shall be resolved in favor of a meaning that permits the parties to comply with the HIPAA Rules.
- Any inconsistency between the Agreement's provisions and the HIPAA Rules, including all amendments, as interpreted by the HHS, court or another regulatory agency with authority over the Parties, shall be interpreted according to the interpretation of the HHS, a court or the applicable regulatory agency.
- This Agreement, together with the Services Agreement, constitutes the entire agreement between the parties related to the subject matter of this Agreement. This Agreement supersedes all prior negotiations, discussions, representations or proposals, whether oral or written. This Agreement may not be modified unless done so in writing and signed by a duly authorized representative of both parties. If any provision of this Agreement, or part thereof, is found to be invalid, the remaining provisions shall remain in effect. FURTHER, NOTWITHSTANDING ANYTHING CONTAINED HEREIN OR IN THE SERVICES AGREEMENT TO THE CONTRARY, BUSINESS ASSOCIATE'S REMEDIES, AND SUBCONTRACTOR'S OBLIGATIONS, WITH RESPECT TO SUBCONTRACTOR'S BREACH OF THIS SUBCONTRACTOR AGREEMENT OR FAILURE TO COMPLY WITH HIPAA, AND THE OVERALL AGGREGATE LIABILITY OF SUBCONTRACTOR ARISING OUT OF, OR IN CONNECTION WITH, SUCH BREACH OR FAILURE WILL BE SUBJECT TO THE AGGREGATE LIMITATIONS OF LIABILITY THAT HAVE BEEN AGREED TO BETWEEN THE PARTIES UNDER SECTION 12 OF THE SERVICES AGREEMENT (THE "LIABILITY CAP"). FOR THE AVOIDANCE OF DOUBT, THE PARTIES INTEND AND AGREE THAT THE OVERALL AGGREGATE LIABILITY OF SUBCONTRACTOR ARISING OUT OF, OR IN CONNECTION WITH, SUBCONTRACTOR'S BREACH OF THIS HIPAA SUBCONTRACTOR AGREEMENT OR FAILURE TO COMPLY WITH HIPAA SHALL IN NO EVENT EXCEED THE LIABILITY CAP.
NOTWITHSTANDING THE FOREGOING LIMITATION OF LIABILITY, IN THE EVENT THAT ANY UNAUTHORIZED ACCESS TO, OR ACQUISITION OF, PROTECTED HEALTH INFORMATION IS DIRECTLY CAUSED BY SUBCONTRACTOR'S BREACH OF THIS SUBCONTRACTOR AGREEMENT OR FAILURE TO COMPLY WITH HIPAA (A "DATA BREACH"), SUBCONTRACTOR SHALL PAY THE REASONABLE AND DOCUMENTED COSTS INCURRED BY BUSINESS ASSOCIATE COMPRISED OF: (A) COSTS OF ANY REQUIRED FORENSIC INVESTIGATION TO DETERMINE THE CAUSE OF THE DATA BREACH, (B) PROVIDING NOTIFICATION OF THE DATA BREACH TO APPLICABLE GOVERNMENT AGENCIES, AND TO INDIVIDUALS WHOSE PROTECTED HEALTH INFORMATION MAY HAVE BEEN SO ACCESSED OR ACQUIRED, (C) IF APPLICABLE, PROVIDING CREDIT MONITORING SERVICE TO INDIVIDUALS WHOSE PROTECTED HEALTH INFORMATION MAY HAVE BEEN SO ACCESSED OR ACQUIRED FOR A PERIOD OF ONE (1) YEAR AFTER THE DATE ON WHICH SUCH INDIVIDUALS WERE NOTIFIED OF THE DATA BREACH FOR SUCH INDIVIDUALS WHO ELECTED SUCH CREDIT MONITORING SERVICE, AND (D) OPERATING A CALL CENTER TO RESPOND TO QUESTIONS FROM INDIVIDUALS WHOSE PROTECTED HEALTH INFORMATION MAY HAVE BEEN SO ACCESSED OR ACQUIRED FOR A PERIOD OF ONE (1) YEAR AFTER THE DATE ON WHICH SUCH INDIVIDUALS WERE NOTIFIED OF THE DATA BREACH. NOTWITHSTANDING THE FOREGOING, OR ANYTHING IN THE SERVICES AGREEMENT TO THE CONTRARY, SUBCONTRACTOR SHALL HAVE NO RESPONSIBILITY TO PAY SUCH COSTS THAT ARE DUE TO THE GROSS NEGLIGENCE, WILLFUL OR RECKLESS MISCONDUCT, OR FRAUD OF BUSINESS ASSOCIATE OR ITS EMPLOYEES, AGENTS AND CONTRACTORS.
Section 7.04 This Agreement will be binding on the respective successors and assigns of each of the Business Associate and the Subcontractor. However, this Agreement may not be assigned, in whole or in part, without the written consent of the other party, such consent not to be unreasonably withheld; provided that Subcontractor may assign this Agreement to a successor entity whether by merger, consolidation, sale of substantially all of its assets, license, operation of law or otherwise without Business Associate’s consent. Any attempted assignment in violation of this provision shall be null and void.
Section 7.05 This Agreement may be executed in two or more counterparts, each of which shall be deemed an original.
Section 7.06 Except to the extent preempted by federal law, this Agreement shall be governed by and construed in accordance with the law of the State of Florida.
IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the date first above written.