BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) is entered into on [INSERT DATE] (the “Effective Date”) by and between _____________, a ____________, with its principal place of business at ______________ (“Covered Entity”) and Ennovationz Inc, dba WattzOn and Glynt, a Delaware corporation, with a principal place of business at 705 N. Shoreline Blvd. Mountain View, CA 94043 (“Business Associate”).
WHEREAS, pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), (HIPAA and HITECH are collectively referred to herein as “HIPAA”), the U.S. Department of Health and Human Services (“HHS”) has promulgated regulations concerning the privacy and security of Protected Health Information (“PHI”);
WHEREAS, Covered Entity is subject to the HIPAA Privacy and Security Rules and desires Business Associate to provide certain services to and on behalf of Covered Entity pursuant to the following agreement: Glynt Terms of Service, as posted on Glynt.ai (“Underlying Agreement”);
WHEREAS, in the course of providing such services, Covered Entity may disclose to Business Associate certain PHI in the custody and control of Covered Entity, and Business Associate may receive, maintain, or transmit such PHI, or create additional PHI, in the performance of its services on behalf of Covered Entity;
WHEREAS, Business Associate and Covered Entity desire to set forth their respective rights and obligations with respect to the use and disclosure of PHI in order to comply with the requirements of HIPAA and its regulations (collectively, the “Regulations”) regarding contracts between Covered Entities and Business Associates and any subcontracts Business Associate enters into with other entities to facilitate the performance of services related to this Agreement (“Subcontractor Agreements”).
NOW, THEREFORE, Business Associate and Covered Entity agree as follows:
1. Applicability. This Agreement relates to the use or disclosure of PHI in connection with the Underlying Agreement between Covered Entity and Business Associate. This Agreement shall apply only in the event that Business Associate meets the definition of “Business Associate” under 45 CFR §160.103 (or successor provisions).
2. Definitions. Capitalized terms used, but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Regulations.
3. Permitted Uses and Disclosures by Business Associate. Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities or services for, or on behalf of, Covered Entity as specified in the Underlying Agreement, provided that such use or disclosure would not violate the HIPAA Privacy or Security Rules if done by Covered Entity. In addition:
A. Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of Business Associate, and to carry out any present or future legal responsibilities of Business Associate.
B. Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of Business Associate, and to fulfill the legal responsibilities of Business Associate, provided that disclosures are Required by Law as provided for in 45 CFR §164.501 or permissible pursuant to a Subcontractor Agreement, and Business Associate obtains satisfactory assurances from the person to whom the information is disclosed that (i) the information will remain confidential and be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and (ii) the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached, as required under 45 CFR §164.504(e)(4).
C. Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation services to Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B).
D. Subject to the confidentiality provisions of this Agreement and the Underlying Agreement, Business Associate may de-identify PHI received or created pursuant to the Underlying Agreement consistent with 45 CFR §164.514(a)-(c).
E. Business Associate agrees to make uses and disclosures and requests for PHI consistent with the Covered Entity’s minimum necessary policies and procedures as provided to Business Associate.
4. Obligations and Activities of Business Associate.
A. Business Associate agrees not to use or disclose PHI other than as permitted or required by the Underlying Agreement, Subcontractor Agreement, or as otherwise Required by Law.
B. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement or a related Subcontractor Agreement.
C. Business Associate agrees to use commercially reasonable efforts to maintain the security of PHI and to prevent unauthorized use and/or disclosure of such PHI. As part of such security measures, Business Associate shall, at a minimum:
(i) Implement HIPAA-compliant administrative, physical and technical safeguards, as defined by 45 CFR §§164.302 through 164.318, that reasonably and appropriately protect the confidentiality, integrity and availability of Covered Entity’s electronic PHI that it creates, receives, maintains or transmits on behalf of the Covered Entity, including written policies and procedures consistent with the documentation requirements of the HIPAA Security Rule; and
(ii) Enter into business associate agreements with subcontractors who meet the definition of “Business Associate” under 45 CFR §160.103 with respect to the Business Associate, and to whom Business Associate provides such PHI or access thereto under a Subcontractor Agreement, that require the subcontractors to agree, in writing, to the same restrictions, conditions, and requirements that apply to the Business Associate in this Agreement. Business Associate will ensure that any Subcontractor to whom the Business Associate provides PHI, will not export such PHI beyond the borders of the United States of America without express written agreement of the Covered Entity.
D. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
E. Business Associate agrees to report to Covered Entity within seventy two (72) hours of Discovery, any use or disclosure of PHI not permitted or required in connection with the Underlying Agreement or otherwise permitted by law as well as any Security Incident or Breach of Unsecured PHI (hereinafter referred to as a “Breach”). Business Associate may supplement its initial report as facts become available and will promptly provide all available information necessary for Covered Entity to fulfill its Breach notification obligations under HITECH, including the identification of each individual whose unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired or disclosed during such Breach. Breach notification will be made to the following individual or such other individual as Covered Entity may designate in writing from time to time:
BREACH NOTIFICATION CONTACT INFORMATION:
F. Business Associate agrees to use commercially reasonable efforts to ensure that the agents and subcontractors to whom it provides PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, agree in writing to the same restrictions, conditions, and requirements regarding the implementation of reasonable and appropriate security safeguards, that apply through this Agreement to Business Associate with respect to such information.
G. Business Associate agrees to provide access, at the commercially reasonable request of Covered Entity, to PHI in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524.
H. Business Associate agrees to make any feasible amendment(s) to PHI in a Designated Record Set that Covered Entity directs or agrees to pursuant to 45 CFR 164.526, at the commercially reasonable request of the Covered Entity or an Individual. Covered Entity understands that due to the nature of the medical image data that Business Associate may maintain, it is not feasible for Business Associate to amend certain PHI, and such PHI must be amended by Covered Entity.
I. Business Associate agrees to make internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI, available to HHS, in a commercially reasonable time and manner, or as designated by HHS, for purposes of HHS determining Covered Entity’s or Business Associate’s compliance with their respective obligations under HIPAA.
J. Business Associate agrees to document such disclosures of PHI and information related to such disclosures as required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528 as amended from time to time, including amendments under HITECH.
K. Business Associate agrees to provide to Covered Entity or an Individual, in a commercially reasonable time and manner designated by Covered Entity, information collected in accordance with the provision of the services through the Underlying Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528.
L. To the extent Covered Entity delegates any of its obligations under the Privacy Rule to Business Associate, Business Associate agrees to comply with the requirements of the Privacy Rule that would apply to Covered Entity in the performance of such obligation in accordance with 45 CFR 164.504(e)(2)(ii)(H).
M. Business Associate understands and agrees that it will not access or use any PHI of an Individual except for those Individuals whose PHI has been disclosed to Business Associate, and it will further limit access to that PHI that is necessary to the activities undertaken by Business Associate on behalf of Covered Entity.
N. Business Associate will comply with all additional applicable requirements of HIPAA, including those contained in 45 C.F.R. §§ 164.502(e) and 164.504(e)(1)(ii), at such time as those requirements are applicable to Business Associate. Business Associate will not directly or indirectly receive remuneration in exchange for any PHI, subject to the exceptions in HITECH, without a valid authorization from the affected Individual. Business Associate will not engage in any communication which might be deemed “Marketing” under HITECH. In addition, Business Associate will comply with all applicable requirements of the Security Rule contained in 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316, at such time as the requirements become applicable to Business Associate.
5. Obligations of Covered Entity.
A. Covered Entity shall notify Business Associate of any limitations in the Notice of Privacy Practices of Covered Entity, in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of PHI.
B. Covered Entity shall notify Business Associate of any changes in, or revocation of permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s use or disclosure of PHI.
C. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI.
D. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity (except data aggregation or management and administrative activities of Business Associate).
E. Covered Entity shall obtain all necessary consents and Authorizations required under HIPAA or any other applicable law to provide the PHI to Business Associate in order for Business Associate to provide the services in the Underlying Agreement.
6. Term and Termination.
A. Term. The Term of this Agreement shall be effective as of the commencement of the Underlying Agreement, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or if it is infeasible to return or destroy PHI, protections are extended to such information in accordance with the termination provisions of Section 7(B) below.
B. Opportunity to Cure Breach. Upon Covered Entity’s knowledge of a material breach by Business Associate of this Agreement, Covered Entity shall either:
(i) Provide a reasonable opportunity for Business Associate to cure the breach or end the violation, and terminate this Agreement and the Underlying Agreement if Business Associate does not cure the breach or end the violation within the reasonable time period specified by Covered Entity; or
(ii) Immediately terminate this Agreement and the Underlying Agreement if Business Associate has breached a material term of this Agreement and cure is not possible. If neither termination nor cure is feasible, Covered Entity may report the violation to the HHS to the extent required by law.
7. Effect of Termination.
A. Except as provided in Section 7(B) below, upon termination of this Agreement for any reason, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. Business Associate shall retain no copies of the PHI except as may be permitted by law.
B. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity written notification of the conditions that make return or destruction infeasible. In such event, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.
8. Indemnification. Each party (“Indemnifying Party”) agrees to indemnify, defend and hold harmless the other Party and the other Party’s employees, directors, officers, subcontractors, or agents (collectively “Indemnified Parties”) from any costs, damages, expenses, judgments, losses and attorneys’ fees arising from any breach of this Agreement by the Indemnifying Party, including failure to perform its obligations under HIPAA or the Regulations. This indemnification obligation shall survive the termination of this Agreement for any reason.
A. Integration with the Underlying Agreement. The terms, agreements and obligations of the parties set forth herein shall be in addition to and shall supplement the terms, agreements and obligations of the parties in the Underlying Agreement. In the event of any inconsistencies, the terms and conditions of this Agreement shall prevail with respect to matters regarding the privacy and security of PHI, unless the Underlying Agreement imposes more stringent protections of PHI.
B. Amendment. The parties acknowledge that state and federal laws relating to electronic data security and privacy are rapidly evolving and that amendment of this Agreement may be required to ensure compliance with such developments. Specifically, HITECH, as implemented by the HIPAA Omnibus Rule (78 Fed. Reg. 5566 (January 25, 2013)), imposes new requirements on business associates and covered entities with respect to privacy, security and breach notification. Applicable HIPAA and HITECH provisions, together with any guidance issued by HHS, and any applicable amendments to federal and state privacy law, are hereby incorporated by reference and will become part of this Agreement as if set forth in their entirety, effective as of the applicable effective dates.
C. Waiver. No provision of this Agreement that is required by law may be waived. No waiver of any other provision of this Agreement shall be effective unless given in writing signed by the party against whom the waiver is sought to be enforced. No failure to exercise, and no delay in exercising, any right, power, or privilege under this Agreement will operate as a waiver hereof, nor will any single or partial exercise of any right, power, or privilege under this Agreement preclude any further exercise of the same or any other right, power, or privilege hereunder.
D. No Third Party Beneficiary. Nothing express or implied in this Agreement is intended to confer, and nothing herein shall confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever.
E. Survival. The respective rights and obligations of the parties under this Agreement, including without limitation the obligations of the Business Associate under Section 7, shall survive termination of the Agreement to the extent necessary to fulfill their purposes.
F. Successors and Assigns. Neither party shall assign, subcontract, delegate, or otherwise transfer this Agreement, or its rights and obligations herein, without obtaining the prior written consent of the other party, and any attempted assignment, subcontract, delegation, or transfer in violation of the foregoing will be null and void; provided, however, that either party may assign this Agreement in connection with a merger, acquisition, reorganization or sale of all or substantially all of its assets, or other operation of law, without any consent of the other party. The terms of this Agreement shall be binding upon the parties and their respective successors and permitted assigns.
G. Regulatory References. A reference in this Agreement to a section in the Privacy or Security Rule means the section as in effect or as amended, and for which compliance is required.
H. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with HIPAA and the Regulations. If any part of this Agreement shall be adjudged by a court of competent jurisdiction to be invalid in any circumstance, such invalidity shall not affect any other provisions or circumstances.
IN WITNESS WHEREOF, the parties hereto have duly executed this Agreement as of the Effective Date.
Covered Entity Signature Business Associate Signature
Company Name: Business Associate Name:
Name / Title (Print): Name / Title (Print):