BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”), entered into by _____________ with offices located at _____________ and its subsidiaries (“Covered Entity”) and CommuniCare Technology, Inc. d/b/a Pulsara (“Business Associate”), a Delaware corporation, with an address of 1627 West Main Street, Suite #229, Bozeman, MT 59715, is effective as of _____________.
RECITALS
A. Covered Entity possesses Protected Health Information (“PHI”) that is protected under HIPAA Rules (as defined below), and wishes to ensure that Business Associate will appropriately safeguard such information; and
B. Business Associate is licensing certain software and related technology to Covered Entity.
Based upon the above recitals and the mutual covenants in this Agreement, Covered Entity and Business Associate agree as follows:
1. Definitions
The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Disclosure, Health Care Operations, Individual, Notice of Privacy Practices, Protected Health Information (PHI), Required by Law, Secretary, Security Incident, Subcontractor, Unsecured and Use.
a. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this Agreement, shall mean Pulsara.
b. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean the Covered Entity first written above.
c. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
d. “Part 2” shall mean the Confidentiality of Alcohol and Drug Abuse Patient Records under 42 CFR Part 2.
2. Permitted Uses and Disclosures
a. Performance of Services. Business Associate may use and disclose PHI in connection with the performance of the services as described in the Terms of Use (“Services”) if such use or disclosure of PHI would not violate HIPAA Rules, or such use or disclosure is expressly permitted hereunder.
b. Proper Management and Administration. Business Associate may use PHI for the proper management and administration of Business Associate in connection with the performance of Services described in the Terms of Use. Business Associate may disclose PHI for such proper management and administration of Business Associate. Any such disclosure of PHI shall only be made if the disclosure is required by law or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that: (1) the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and (2) Business Associate will be notified by such person of any instances of which it becomes aware in which the confidentiality of the PHI has been breached.
c. Other Permitted Uses. Unless otherwise limited herein, the Business Associate may also: (1) perform Data Aggregation for the health care operations of Covered Entity; (2) may use, analyze, and disclose the PHI in its possession for the public health activities and purposes set forth at C.F.R. § 164.512(b); (3) de-identify any and all PHI provided that Business Associate implements de-identification criteria in accord with 45 C.F.R. § 164.514(b); and (4) may otherwise use and disclose the PHI as authorized by Covered Entity pursuant to the Terms of Use.
d. Minimum Necessary. Covered Entity shall provide, and Business Associate shall request, Use and Disclose, only the minimum amount of PHI necessary to accomplish the purpose of the request, Use or Disclosure. The Parties acknowledge that the Secretary may issue guidance with respect to the definition of “minimum necessary” from time to time, and agree to stay informed of any relevant changes to the definition.
3. Nondisclosure
As Provided In Agreement. Business Associate shall not use or further disclose PHI except as permitted or required by this Agreement or as required by law.
4. Responsibilities of Business Associate
a. Safeguards. Business Associate shall use appropriate safeguards to protect PHI, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of PHI not provided for by this Agreement.
b. Business Associate’s Agents. Business Associate shall ensure that any agents, including subcontractors, to whom it provides PHI agree in writing to be bound by the same restrictions and conditions that apply to Business Associate with respect to such PHI.
c. Reporting. Business Associate shall promptly report to Covered Entity any use or disclosure of PHI in violation of this Agreement or applicable law of which it becomes actually aware. Business Associate further agrees to promptly report to Covered Entity any Security Incident of which it becomes actually aware. In addition, Business Associate shall promptly report to Covered Entity any Breach of Unsecured PHI.
d. Mitigation. Business Associate shall have procedures in place to mitigate any deleterious effect from any use or disclosure of PHI in violation of this Agreement or applicable law.
e. Cost Reimbursement. In the event of a Breach involving PHI maintained, used, or disclosed by Business Associate that is the fault of Business Associate, Business Associate shall reimburse Covered Entity for the reasonable cost of providing any legally required notice to affected individuals and the cost of credit monitoring for such individuals to the extent deemed necessary by Covered Entity in its reasonable discretion.
f. Sanctions. Business Associate shall have and apply appropriate sanctions against any employee, subcontractor or agent who uses or discloses PHI in violation of this Agreement or applicable law.
g. United States Department of Health and Human Services. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary for purposes of determining Covered Entity’s compliance with the HIPAA Rules; provided, however, that Business Associate shall promptly notify Covered Entity upon receipt by Business Associate of any such request for access by the Secretary, and shall provide Covered Entity with a copy thereof as well as a copy of all materials disclosed pursuant thereto. The parties’ respective rights and obligations under this Section shall survive termination of this Agreement.
5. Obligation to Provide Access, Amendment and Accounting of PHI
a. Access to PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to provide access to, and copies of, PHI in accordance with HIPAA Rules.
b. Amendment of PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to amend PHI in accordance with HIPAA Rules.
c. Accounting of Disclosures of PHI. Business Associate shall make available to Covered Entity such information as Covered Entity may require to fulfill Covered Entity’s obligations to provide an accounting of disclosures with respect to PHI in accordance with HIPAA Rules. Business Associate shall make this information available to Covered Entity upon Covered Entity’s request.
d. Forwarding Requests From Individual. In the event that any individual requests access to, amendment of, or accounting of PHI directly from Business Associate, Business Associate shall forward such request to Covered Entity. Covered Entity shall have the responsibility of responding to forwarded requests. However, if forwarding the individual’s request to Covered Entity would cause Covered Entity or Business Associate to violate HIPAA Rules, Business Associate shall instead respond to the individual’s request as required by such law and notify Covered Entity of such response as soon as practicable.
6. Responsibilities of Covered Entity
Covered Entity will:
a. provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R. § 164.520 as well as any changes to such notice;
b. provide Business Associate with any changes in, or revocation of, permission by Individual to the use and/or disclosure of PHI, if such changes affect Business Associate’s permitted or required uses and/or disclosures;
c. notify Business Associate of any restriction to the use and/or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R. § 164.522.
7. Indemnification
Business Associate agrees to indemnify, defend, and hold harmless Covered Entity, its directors, officers, employees, contractors and agents, against, and in respect of, any and all claims, losses, expenses, costs, damages, obligations, penalties, and liabilities which Covered Entity may incur by reason of Business Associate’s breach of or failure to perform any of its obligations pursuant to this Agreement.
8. Term and Termination
a. Term. This Agreement shall be effective as of the Effective Date, and shall continue until the earlier of when this Agreement is terminated in accordance with the provisions of this Section or the underlying agreement terminates.
b. Termination.
1) If Covered Entity determines that Business Associate has breached or violated a material term of this Agreement, Covered Entity may, at its option, pursue any and all of the following remedies:
a) Take any reasonable steps that Covered Entity, in its sole discretion, shall deem necessary to cure such breach or end such violation; and/or
b) Covered Entity may terminate this Agreement in the event of Business Associate’s uncured material breach of this Agreement following 30 days’ notice and opportunity to cure, if curable.
2) If Business Associate determines that Covered Entity has breached or violated a material term of this Agreement, Business Associate may, at its option, pursue any and all of the following remedies:
a) take any reasonable steps that Business Associate, in its sole discretion, shall deem necessary to cure such breach or end such violation; and/or
b) terminate this Agreement in the event of Covered Entity’s uncured material breach of this Agreement following 30 days’ notice and opportunity to cure, if curable.
c. Return or Destruction of Records. Upon termination of this Agreement for any reason, Business Associate shall return or destroy, as specified by Covered Entity, all PHI that Business Associate still maintains in any media, and shall retain no copies of such PHI. If Covered Entity, in its sole discretion, requires that Business Associate destroy any or all PHI in its possession, Business Associate shall certify to Covered Entity that the PHI has been destroyed. If return or destruction is not feasible, Business Associate shall inform Covered Entity of the reason it is not feasible and shall continue to extend the protections of this Agreement to such information and limit further use and disclosure of such PHI to those purposes that make the return or destruction of such PHI infeasible. The foregoing will not apply, however, to any PHI for which Business Associate has received from the applicable individual (with respect to whom the PHI pertains) authorization in accordance with HIPAA that Business Associate may retain such PHI for the purposes authorized by the individual. Business Associate’s obligations with respect to such PHI will become outside the scope of this Agreement and will be governed by HIPAA and the agreement between Business Associate and the individual.
9. Part 2 Responsibilities
a. To the extent that in performing its services for Covered Entity, Business Associate uses, discloses, maintains, or transmits protected health information that is protected by Part 2, Business Associate: (1) will rely on Covered Entity to obtain necessary patient consent before Covered Entity transmits patient information subject to Part 2 through Business Associate’s Services; (2) acknowledges and agrees that in receiving, storing, processing or otherwise dealing with any such patient records, it must comply with the Part 2 regulations in connection with any requests for access by parties other than those with which Covered Entity communicates through Business Associate’s Service; and (3) if necessary, will resist in judicial proceedings any efforts to obtain access to patient information except as permitted by the Part 2 regulations.
b. Notwithstanding any other language in this Agreement, Business Associate acknowledges and agrees that any patient information it receives from Covered Entity that is protected by Part 2 is subject to protections that prohibit Business Associate from disclosing such information to agents or subcontractors without the specific written consent of the subject individual.
c. Business Associate acknowledges that any unauthorized disclosure of information under this section is a federal criminal offense.
10. General Provisions
a. State Law. Nothing in this Agreement shall be construed to require Business Associate to use or disclose PHI without a written authorization from an individual who is a subject of the PHI, or written authorization from any other person, where such authorization would be required under state law for such use or disclosure.
b. Amendment. Covered Entity and Business Associate agree that amendment of this Agreement may be required to ensure that Covered Entity and Business Associate comply with changes in state and federal laws and regulations relating to the privacy, security, and confidentiality of PHI, including, but not limited to, changes under the HIPAA Rules. This Agreement may not otherwise be amended except by written agreement between both parties.
c. Governing Law and Venue. This Agreement will be construed in accordance with and governed by the internal law of Covered Entity’s state, without regard to the choice or conflicts of law provisions of any jurisdiction. In the event that either party institutes any action or proceeding arising out of or relating to this Agreement, exclusive jurisdiction will be in the state or federal court in the county where Covered Entity is located.
d. Attorney’s Fees. The prevailing party in any action or proceeding to enforce any of the provisions of this Agreement shall be entitled to recover reasonable attorneys’ fees, costs and expenses incurred in connection with actions or proceedings.
e. Waiver. The failure of either party to enforce any right or provision in this Agreement shall not constitute a waiver of such right or provision unless acknowledged and agreed to by that party in writing.
f. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision(s) shall be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision(s), with all other provisions remaining in full force and effect.
g. Assignment. The rights and/or obligations contained in this Agreement may not be assigned, delegated or otherwise transferred by either party (except to a direct or indirect parent or subsidiary) without the prior written approval of the other party, not to be unreasonably withheld, provided, however, that either party may assign this Agreement in connection with a merger, consolidation or acquisition of a party resulting in a change of control or a transfer or sale of all or substantially all of the assets of either party. No assignment or delegation shall relieve either party of liability for its obligations hereunder.
h. Counterparts. This Agreement may be executed in one or more counterparts, each of which may be deemed an original, but all of which constitute one and the same instrument. Delivery of an executed counterpart of a signature page of this Agreement by facsimile or other electronic transmission shall be effective as delivery of a manually executed counterpart of this Agreement.
i. Notices. All notices, requests, or consents required or permitted under this Agreement will be in writing (including electronic form) to each party or to such other party and/or address as any of such parties may designate in a written notice served upon the other party in the manner provided for below. Each notice, request, consent, or other communication will be given and will be effective: (1) if delivered by hand, when so delivered; (2) if delivered by nationally recognized overnight courier service or sent by United States Express Mail, upon confirmation of delivery; (3) if delivered by certified or registered mail, on the third following day after deposit with the United States Postal Service.
Version: 11/29/2022 - V3