BAA

BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement (the “BAA”) is agreed to and accepted by Secure Exchange Solutions, Inc., a Delaware corporation (“BA”), to govern the use by BA of certain data and related information provided by You under the End User License Agreement accepted by You for access to and use of certain programs and services of BA (the “EULA”), and is effective and binding upon BA at all times for the duration of the EULA.

BACKGROUND

A.  You possess IIHI that is protected under HIPAA and the HIPAA Regulations and are permitted to use or disclose such information only in accordance with such laws and regulations.

B.  BA may receive PHI from You, or create and receive such information on behalf of You, in order to perform certain services or in the course of Your use of certain intellectual property of BA in accordance with the EULA;

C.  BA is directly responsible for complying with certain provisions of HIPAA, including certain requirements of the HIPAA Regulations related to privacy and security made applicable to Business Associates pursuant to HITECH.

D.  You and BA wish to ensure that BA will comply with HIPAA and other federal and state laws with respect to any PHI it uses, discloses, or maintains on behalf of You.

 

AGREEMENT

1.  Definitions.  Capitalized terms in this BAA shall have the meanings ascribed to them in the definitions attached at Schedule 1, or as otherwise set forth in this BAA or the EULA.

2.  Status of Parties; BA Subject to HIPAA.

(a) BA hereby acknowledges and agrees that You are a Covered Entity or a Business Associate of a Covered Entity and that BA is a Business Associate of You.

(b) BA hereby acknowledges and agrees that, in performing services under the EULA, in the course of Your use of certain intellectual property of BA under the EULA, or both, BA is subject to the privacy, security, and breach notification provisions of HIPAA and the HIPAA Regulations made directly applicable to Business Associates by HITECH, including, but not limited to, 45 C.F.R. Part 164, subparts A, C, D and E.

(c) BA warrants that it has a working knowledge of HIPAA and the HIPAA Regulations, including, but not limited to, its own direct obligations as a Business Associate under such law and regulations.  BA warrants that its employees, agents, representatives, and members of its workforce whose services may be used to fulfill BA’s obligations under this BAA and/or the EULA are or shall be appropriately informed of the terms of this BAA and able to comply with HIPAA and the HIPAA Regulations, including, but not limited to, BA’s obligations under this BAA.  BA warrants that it is capable of complying, and is in compliance, with the provisions of HIPAA and the HIPAA Regulations made applicable to Business Associates by HITECH.

3.  Permitted Uses and Disclosures.

(a) BA may use and disclose PHI in connection with the performance of the services for You under the EULA only if, and in such manner that, such use or disclosure of PHI would not violate HIPAA or the HIPAA Regulations if done by a Business Associate or a Covered Entity, is expressly permitted under Section 3(b) of this BAA, and would not violate the Notice of Privacy Practices for PHI which You provide to individuals in order to comply with the HIPAA Regulations, 45 C.F.R. § 164.520, or which is similarly used by any Covered Entity for which You are a Business Associate.

(b) BA may use PHI for the proper management and administration of BA in connection with the performance of services under the EULA only if, and in such manner that, such use would not violate HIPAA or the HIPAA Regulations if done by a Business Associate or a Covered Entity, and would not violate any applicable Notice of Privacy Practices for PHI.  BA may disclose PHI for such proper management and administration of BA only (i) if, and in such manner that, such disclosure would not violate HIPAA or the HIPAA Regulations if done by a Business Associate or a Covered Entity, and would not violate any applicable Notice of Privacy Practices for PHI, and (ii) with Your prior consent.  Any such disclosure of PHI shall only be made if BA obtains reasonable assurances from persons using, accessing, or receiving PHI in accordance with Section 5(c) hereof.  Nothing in this Section 3(b) shall limit the requirements of Section 3(a) or Section 5(c) hereof.

4.  Nondisclosure.

(a) BA shall not use or further disclose PHI except as permitted or required by this BAA.

(b) BA shall not, without Your prior written consent, disclose any PHI on the basis that such disclosure is Required by Law without notifying You so that You shall have an opportunity to object to the disclosure and to seek appropriate relief.  If You object to such disclosure, BA shall refrain from disclosing the PHI until You exhaust all alternatives for relief.  BA shall require reasonable assurances from persons receiving PHI in accordance with Section 5(c) hereof that such persons will provide You with similar notice and opportunity to object before disclosing PHI on the basis that such disclosure is Required by Law.  Nothing in this Section 4(b) shall limit the requirements of Section 3(a) or Section 5(c) hereof.

(c) If You notify BA that You agree, or are Required by Law, to be bound by additional restrictions on the uses or disclosures of PHI pursuant to HIPAA or the HIPAA Regulations, BA shall be bound by such additional restrictions and shall not disclose PHI in violation of such additional restrictions.

(d) Notwithstanding the generality of this Section 4, BA shall have no obligation to notify You of any disclosure Required by Law, or to obtain reasonable assurances concerning the handling of such disclosed PHI, if such disclosure is compelled by a law enforcement agency or other governmental regulatory entity of competent jurisdiction concerning an investigation of You.

5.  Safeguards, Reporting, Mitigation and Enforcement.

(a) BA shall use any and all appropriate safeguards to prevent use or disclosure of PHI other than as provided by this BAA.  BA further agrees to use appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of any Electronic PHI in such manner as if BA were a Covered Entity in accordance with HIPAA and the HIPAA Regulations.  BA warrants that it maintains and uses administrative, physical and technical safeguards in compliance with HIPAA, including HITECH.

(b) BA agrees that any Transaction conducted by BA with, or on behalf of, You shall be in full compliance with HIPAA and the HIPAA Regulations.  BA represents and warrants that it is capable of conducting Transactions with, or on behalf of, You, as applicable to the services performed or goods provided, or both, under the EULA, in compliance with the applicable standards prescribed by HIPAA and the HIPAA Regulations.

(c) BA shall not disclose or provide access to PHI to any agent or subcontractor of BA, or any other third party, except with Your prior written consent.  Before disclosing PHI, BA shall ensure that any agent, subcontractor, or third party to whom it provides PHI provides in writing reasonable assurances that (i) it shall be bound by the same restrictions and conditions that apply to BA with respect to such PHI; (ii) it shall not disclose or provide access to PHI to any subcontractor or agent without Your prior consent, and PHI shall only be disclosed as Required by Law or for the purposes for which it was disclosed to such third party; and (iii) any unauthorized use or disclosure, including, but not limited to, a Breach of Unsecured PHI, and any Security Incident, which becomes known to such third party will be immediately reported to BA.  Such reasonable assurances shall include that each such agent, subcontractor or other third party (i) shall enter into a business associate agreement with BA pursuant to HIPAA and the HIPAA Regulations; and (ii) shall acknowledge that BA is a Business Associate subject to certain provisions of HIPAA and the HIPAA Regulations.

(d) BA shall notify You, within twenty-four (24) hours, of any use or disclosure of PHI in violation of this BAA or applicable law of which BA becomes aware.  BA further agrees to notify You, within twenty-four (24) hours, of any Security Incident of which it becomes aware.  BA shall make a detailed report to You within three (3) business days after BA learns of such unauthorized use or disclosure, or Security Incident.  BA’s report shall, at a minimum, (i) identify the nature of the unauthorized use or disclosure; (ii) identify the PHI to which the unauthorized use or disclosure relates; (iii) identify who made the unauthorized use or received the unauthorized disclosure; (iv) identify what BA has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; (v) identify what corrective action BA has taken or shall take to prevent future similar unauthorized use or disclosure; and (vi) provide such other information, including a written report, as requested by You.  Nothing in this Section 5(d) shall limit BA’s obligations under Section 6 hereof.

(e) BA shall have procedures in place to mitigate, to the maximum extent practicable, any deleterious effect from any use or disclosure of PHI, by BA or its agent, subcontractor, or any other third party, in violation of this BAA or applicable law.  BA shall mitigate, to the maximum extent practicable, any deleterious effect from such a use or disclosure.  Nothing in this Section 5(e) shall limit BA’s obligations under Section 6 hereof.

(f) BA shall have and apply appropriate sanctions against any employee, subcontractor or agent who uses or discloses PHI in violation of this BAA or applicable law.

(g) Upon request, BA shall make its internal practices, books and records relating to the use and disclosure of PHI, and the security of Electronic PHI, available to the Secretary of the United States Department of Health and Human Services (“HHS”) for purposes of determining BA’s and Your compliance with HIPAA and the HIPAA Regulations; provided, however, that BA shall immediately notify You upon receipt by BA of any such request for access by the Secretary of HHS, and shall provide You with a copy thereof as well as a copy of all materials disclosed pursuant thereto.  The parties’ respective rights and obligations under this Section 5(g) shall survive termination of the EULA and/or this BAA.

6.  Breach of Unsecured PHI.

(a) BA shall notify You within twenty-four (24) hours following BA’s discovery of a Breach of Unsecured PHI.  At the same time as BA notifies You of a Breach of Unsecured PHI, or promptly thereafter, BA shall collect and provide to You such information as may be required for You to comply with HIPAA and the HIPAA Regulations, including, but not limited to, such information as would be required by a Covered Entity to comply with HIPAA and the HIPAA Regulations; provided, however, that in no case shall BA delay notifying You of a Breach of Unsecured PHI where such information is not immediately available, and further provided that BA shall provide such information without unreasonable delay, and in no case later than sixty (60) days after discovery of a Breach of Unsecured PHI, in compliance with HIPAA and the HIPAA Regulations.

(b) Unless otherwise directed by You, BA shall provide the notifications required by HIPAA and the HIPAA Regulations, as if BA were the Covered Entity to which such Breach of Unsecured PHI related, and in such time and manner as is necessary for such a Covered Entity to comply with HIPAA and the HIPAA Regulations, provided that BA shall, prior to making any such notification, obtain Your written consent to the form and content of such notification prior to distribution to any individual, the media, or the Secretary of HHS.  Without limiting the foregoing, where You direct BA not to provide such notification, You may, at Your sole discretion, provide such notification, in which case BA shall reimburse You, within thirty (30) days of receipt of a written invoice, for any and all reasonable costs incurred by You in complying with the notification requirements under HIPAA and the HIPAA Regulations.  In the case of any Breach of Unsecured PHI where the HIPAA Regulations do not require immediate notification to the Secretary of HHS, BA shall maintain a log of such breaches and such information as would be required for a Covered Entity to comply with the annual notification to the Secretary of HHS under HIPAA and the HIPAA Regulations, and BA shall provide such information to You no later than thirty (30) days after the last day of the calendar year for any year to which such breach relates.

(c) BA shall be solely responsible for all costs in connection with any unauthorized use or disclosure of PHI, Security Incident, and/or Breach of Unsecured PHI, by BA or BA’s agents, contractors, or other third parties, including, but not limited to, the costs of providing notification of a Breach of Unsecured PHI to individuals, the media, and/or the Secretary of HHS, in compliance with HIPAA and the HIPAA Regulations.

7.  Obligation to Provide Access, Amendment and Accounting of PHI.

(a) BA shall make available to You such information as You may require to fulfill Your obligations to provide access to, and copies of, PHI in accordance with HIPAA and the HIPAA Regulations.

(b) BA shall make available to You such information as You may require to fulfill Your obligations to amend PHI in accordance with HIPAA and the HIPAA Regulations.  In addition, BA shall, as directed by You, incorporate any amendments to Your PHI into copies of such information maintained by BA.

(c) BA shall make available to You such information as You may require to fulfill Your obligations to provide an accounting of disclosures with respect to PHI in accordance with HIPAA and the HIPAA Regulations.  In addition, BA shall maintain a record of all disclosures of PHI, including the date of the disclosure, the name and, if known, the address of the recipient of the PHI, a brief description of the PHI disclosed, and the purpose of the disclosure, which includes an explanation of the basis for such disclosure.  BA shall make this record available to You upon Your request.

(d) In the event that any individual requests access to, amendment of, or an accounting of PHI directly from BA, BA shall within two (2) days forward such request to You.  You shall have the responsibility of responding to forwarded requests.  However, if forwarding the individual’s request to You would cause You or BA to violate HIPAA or the HIPAA Regulations, BA shall instead respond to the individual’s request directly as required by such law and regulations, and notify You of such response as soon as practicable.

8.  Material Breach, Enforcement and Termination.

(a) This BAA shall be effective as of the effective date of the EULA and shall continue until the EULA and/or this BAA is terminated in accordance with the terms of each applicable agreement.

(b) You may terminate the EULA and/or this BAA: (i) immediately if BA is named as a defendant in a criminal proceeding for a violation of any state or federal privacy or security law, including, but not limited to, HIPAA or the HIPAA Regulations; (ii) immediately if a finding or stipulation that BA has violated any standard or requirement of HIPAA or other security or privacy laws is made in any administrative or civil proceeding in which BA has been joined; or (iii) pursuant to Section 8(c) or Section 9(b) of this BAA.

(c) If You determine that BA has breached or violated a material term of this BAA, You may, at Your option, pursue any and all of the following remedies: (i) exercise any of Your rights of access and inspection under this BAA, including, but not limited to, the rights enumerated in Section 5(g) and Section 7(a) hereof; (ii) take any other reasonable steps that You, in Your sole discretion, shall deem necessary to cure such breach or end such violation; and/or (iii) terminate the EULA and/or this BAA immediately.

(d) Any non-compliance by BA with this BAA or with HIPAA or the HIPAA Regulations automatically will be considered a breach or violation of a material term of this BAA subject to Section 8(c) hereof if BA knew or reasonably should have known of such non-compliance and failed to immediately take reasonable steps to cure the non-compliance.

(e) If Your efforts to cure any breach or end any violation are unsuccessful, and if termination of this BAA is not feasible, You shall report BA’s breach or violation to the Secretary of HHS, and BA agrees that it shall not have or make any claim(s), whether at law, in equity, or under this BAA, against You with respect to such report(s).

(f) Upon termination of the EULA and/or this BAA for any reason, BA shall return or destroy, as specified by You, all PHI that BA still maintains in any form, and shall retain no copies of such PHI.  If You, in Your sole discretion, require that BA destroy any or all PHI, BA shall certify to You that the PHI has been destroyed.  If return or destruction is not feasible, BA shall inform You of the reason it is not feasible and shall continue to extend the protections of this BAA to such information and limit further use and disclosure of such PHI to those purposes that make the return or destruction of such PHI infeasible.

(g) You and BA agree that any violation of the provisions of this BAA may cause irreparable harm to You.  Accordingly, in addition to any other remedies available to You at law, in equity, or under this BAA, in the event of any violation by BA of any of the provisions of this BAA, or any explicit threat thereof, You shall be entitled to an injunction or other decree of specific performance with respect to such violation or explicit threat thereof, without any bond or other security being required and without the necessity of demonstrating actual damages.  The parties’ respective rights and obligations under this Section 8(g) shall survive termination of the EULA and/or this BAA.

(h) BA shall indemnify, hold harmless and defend You from and against any and all claims, losses, liabilities, costs and other expenses resulting from, or relating to, the acts or omissions of BA in connection with the representations, duties and obligations of BA under this BAA, and in connection with BA’s duties and obligations under HIPAA, including, but not limited to, HITECH, as provided under the EULA.

9.  Miscellaneous Terms.

(a) Nothing in this BAA shall be construed to require BA to use or disclose PHI without a written authorization from an individual who is a subject of the PHI, or written authorization from any other person, where such authorization would be required under state law for such use or disclosure.

(b) Amendment of this BAA may be required to ensure compliance with changes in state and federal laws and regulations relating to the privacy, security, and confidentiality of PHI, including, but not limited to, HIPAA and the HIPAA Regulations.  You may terminate the EULA and/or this BAA upon fifteen (15) days’ written notice in the event that BA does not promptly effect such amendment as You, in Your sole discretion, deem sufficient to ensure that You will be able to comply with such laws and regulations.

(c) Nothing express or implied in this BAA is intended or shall be deemed to confer upon any person other than You and BA, and their respective successors and assigns, any rights, obligations, remedies or liabilities.

(d) The parties agree that any ambiguity in this BAA shall be resolved in favor of a meaning that complies and is consistent with applicable law protecting the privacy, security and confidentiality of PHI, including, but not limited to, HIPAA and the HIPAA Regulations.

(e) A reference in this BAA to a section in the HIPAA Regulations means the section as in effect or as amended, as applicable.

(f) To the extent that any provisions of this BAA conflict with the provisions of the EULA or any other agreement or understanding between the parties, this BAA shall control with respect to the subject matter of this BAA.

(g) This BAA will be governed by, construed and enforced in accordance with the laws of the State of Maryland, without reference to choice of law principles.

(h) No waiver of a breach of any provision of this BAA shall be construed to be a waiver of any breach of any other provision of this BAA, or of any succeeding breach of the same provision, or of a breach of any provision of the EULA.  No delay in action with regard to any breach of any provision of this BAA shall be construed to be a waiver of such breach.

Schedule 1

Certain Definitions

The parties agree that the following terms, when used in this BAA, shall have the following meanings, provided that the terms set forth below shall be deemed to be modified to reflect any changes made to such terms from time to time as defined by HIPAA and the HIPAA Regulations.

“Breach of Unsecured PHI” shall have the meaning given to the terms “breach” and “unsecured protected health information” under HIPAA and the HIPAA Regulations, including, but not limited to, 45 C.F.R. § 164.402 and HITECH § 13402.

“Business Associate” shall mean, with respect to a Covered Entity, a person who:

(1) on behalf of such Covered Entity or of an organized health care arrangement in which the Covered Entity participates, but other than in the capacity of a member of the workforce of such Covered Entity or arrangement, performs, or assists in the performance of:

a) a function or activity involving the use or disclosure of IIHI, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

b) any other function or activity regulated by the HIPAA Regulations; or

(2) provides, other than in the capacity of a member of the workforce of such Covered Entity, legal, actuarial, accounting, consulting, Data Aggregation, management, administrative, accreditation, or financial services to or for such Covered Entity, or to or for an organized health care arrangement in which the Covered Entity participates, where the provision of the service involves the disclosure of IIHI from such Covered Entity or arrangement, or from another Business Associate of such Covered Entity or arrangement, to the person.

“BAA” or “Business Associate Agreement” shall have the meaning given to the terms “business associate contracts or other arrangements” under HIPAA and the HIPAA Regulations, including, but not limited to, 45 C.F.R. § 160.103.

“Covered Entity” shall mean a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA and the HIPAA Regulations, including, but not limited to, 45 C.F.R. § 160.103.

“Data Aggregation” shall mean, with respect to PHI created or received by a Business Associate in its capacity as the Business Associate of a Covered Entity, the combining of such PHI by the Business Associate with the PHI received by the Business Associate in its capacity as a Business Associate of another Covered Entity, to permit data analyses that relate to the health care operations of the respective Covered Entities.

“Electronic Protected Health Information” or “Electronic PHI” shall mean Protected Health Information that is transmitted by or maintained in electronic media as defined under HIPAA and the HIPAA Regulations, including, but not limited to, 45 C.F.R. § 160.103.

“HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191, as amended, including HITECH, and related regulations, including, but not limited to, 45 C.F.R. Parts 160 and 164, as such law and regulations may be amended from time to time.

“HIPAA Regulations” shall mean the regulations promulgated under HIPAA by the United States Department of Health and Human Services to protect the privacy and security of PHI, including, but not limited to, 45 C.F.R. Parts 160 and 164, and pursuant to any other applicable provision of HIPAA, or any amendment thereto, including HITECH.

“HITECH” shall mean the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009, Public Law No. 111-5, and related regulations, including 45 C.F.R. Parts 160 and 164, as such law and regulations may be amended from time to time.

“IIHI” shall mean individually identifiable health information that is a subset of health information, including demographic information collected from an individual, and that:

(1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

a) identifies the individual; or

b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

“PHI” shall mean IIHI transmitted or maintained in any form or medium that (i) is received by a Business Associate from a Covered Entity, (ii) a Business Associate creates for its own purposes from IIHI that the Business Associate received from a Covered Entity, or (iii) is created, received, transmitted or maintained by a Business Associate on behalf of a Covered Entity.  Protected Health Information excludes IIHI in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, records described at 20 U.S.C. § 1232g(a)(4)(B)(iv), and employment records held by a Covered Entity in its role as employer.

“Required by Law” shall mean a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.

“Security Incident” shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

“Transaction” shall mean the transmission of information between two parties to carry out clinical exchange, financial or administrative activities related to health care using the programs or services provided under the EULA.

 
