Business Associate Agreement
This Business Associate Agreement (“Agreement”) is entered between [Customer Signer.Company] (“Covered Entity”) and Udo Care, LLC (“Business Associate”).
Pursuant to the parties’ separate Subscription Agreement (“Subscription Agreement”), Business Associate has agreed to perform certain services for or on behalf of Covered Entity that may involve the creation, maintenance, use, transmission or disclosure of protected health information within the meaning of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations, 45 CFR Parts 160 and 164, as they may be amended (collectively “HIPAA”).
If and only to the extent that Business Associate is a “business associate” as defined by HIPAA, this Agreement supplements the Subscription Agreement and is intended to and shall be interpreted to satisfy the requirements for business associate agreements as set forth in HIPAA. If Business Associate is not a business associate as defined in HIPAA, this Agreement shall be void notwithstanding any other terms to the contrary.
- General Definitions. The terms used in this Agreement shall have the same meaning as those terms in HIPAA, including but not limited to: Breach, Data Aggregation, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
- Specific Definitions.
  - Business Associate shall generally have the same meaning as the term “business associate” at 45 CFR § 160.103, and in reference to the party to this Agreement, shall mean Udo Care, LLC and its parent company and affiliates.
  - Covered Entity shall generally have the same meaning as the term “covered entity” at 45 CFR § 160.103, and in reference to the party to this Agreement, shall mean Covered Entity.
  - Protected Health Information shall generally have the same meaning as the term “protected health information” at 45 CFR § 160.103, and shall include any individually identifiable information that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity that relates to an individual’s past, present, or future physical or mental health, health care, or payment for health care, whether such information is in oral, hard copy, electronic, or any other form or medium.
  - HIPAA Rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
1. Business Associate Responsibilities. Business Associate agrees to:
   (a) Not use or disclose protected health information except as permitted by Section 2, below, or as otherwise required by law.
   (b) Use appropriate safeguards to prevent the use or disclosure of protected health information other than as permitted by this Agreement. To the extent applicable to business associates, Business Associate shall comply with the requirements in 45 CFR Part 164, Subpart C, including the use of administrative, physical, and technical safeguards to protect electronic protected health information.
   (c) Report to Covered Entity any use or disclosure of protected health information not permitted by this Agreement of which it becomes aware, including breaches of unsecured protected health information as required by 45 CFR § 164.410, and any security incident as required by 45 CFR § 164.314(a)(2), and no later than fifteen (15) days from notice of such a breach. The parties agree that Business Associate will have the right and duty to handle breach notifications that are the result of unauthorized access or disclosures within Business Associate’s control. The parties further acknowledge that Business Associate is periodically subject to attempted but unsuccessful attempts to access its information system (e.g., typical “pings” or port scans), but that such unsuccessful attempts are trivial, routine, and do not constitute a material threat to the security of protected health information. The parties agree that further notice of such trivial but unsuccessful attempts shall not be required unless expressly required by Covered Entity.
   (d) Ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of Business Associate agree to the same restrictions, conditions, and requirements that apply to Business Associate with respect to such information as required by 45 CFR §§ 164.308(b)(2)–(3) and 164.502(e)(1)–(2). Business Associate may fulfill this requirement by having the subcontractors execute an agreement that incorporates the terms of this Agreement.
   (e) Within fifteen (15) days after Covered Entity’s request, make available to Covered Entity any protected health information in Business Associate’s control as necessary to enable Covered Entity to satisfy its obligations to provide an individual with access to certain protected health information under 45 CFR § 164.524.
   (f) Within thirty (30) days after Covered Entity’s request, make available to Covered Entity any protected health information for amendment and incorporate any amendments to protected health information as necessary to enable Covered Entity to satisfy its obligations under 45 CFR § 164.526.
   (g) Within thirty (30) days after Covered Entity’s request, maintain and make available to Covered Entity the information required to provide an accounting of disclosures as necessary to enable Covered Entity to satisfy its obligations under 45 CFR § 164.528.
   (h) To the extent Business Associate is to carry out Covered Entity’s obligations under 45 CFR Part 164, Subpart E, comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligations.
   (i) Make Business Associate’s internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by, Business Associate on behalf of Covered Entity available to the Secretary for purposes of determining Covered Entity’s compliance with HIPAA.
2. Uses and Disclosures by Business Associate.
   2.1 Permissible Uses and Disclosures. Business Associate may use or disclose protected health information only as follows:
   (a) As necessary to perform the services set forth in the Subscription Agreement.
   (b) To de-identify protected health information in accordance with 45 CFR § 164.514(a)–(c). Any information that has been de-identified as provided in this subsection shall not be subject to this Agreement and Business Associate shall be entitled to use it for its own purposes.
   (c) As required by law.
   (d) For the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that: (i) any disclosures for these purposes are required by law, or (ii)(a) Business Associate obtains reasonable assurances from the entity to whom the information is disclosed that the information will remain confidential and be used or further disclosed only as required by law or for the purposes for which it was disclosed to the entity, and (b) the entity notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
   (e) To provide data aggregation services relating to the health care operations of Covered Entity as defined in 45 CFR § 164.501.
   2.2 Impermissible Uses or Disclosures. Business Associate may not use or disclose protected health information in a manner that would violate 45 CFR Part 164, Subpart E if done by Covered Entity, except for the specific uses and disclosures set forth in Sections 2.1(d)–(e), above.
   2.3 Minimum Necessary. Business Associate agrees to make uses and disclosures of, and requests for, protected health information consistent with the requirements of the HIPAA Rules.
3. Covered Entity Responsibilities.
   3.1 Representations and Warranties. Covered Entity represents and warrants that, prior to execution of this Agreement and at all times during this Agreement, (i) Covered Entity has obtained or will obtain any consent or authorization required by HIPAA or other law necessary for Business Associate to perform its duties pursuant to this Agreement; and (ii) Covered Entity has notified Business Associate of:
   (a) Any limitation(s) in Covered Entity’s notice of privacy practices, policies, or agreements, or any order or other limitation imposed on Covered Entity, to the extent that such limitation may affect Business Associate’s use or disclosure of protected health information.
   (b) Any agreement by Covered Entity with an individual concerning the use or disclosure of the individual’s protected health information, to the extent that such agreements may affect Business Associate’s use or disclosure of protected health information.
   (c) Any restriction on the use or disclosure of protected health information to which Covered Entity has agreed or with which Covered Entity is required to abide under 45 CFR § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of protected health information.
   3.2 Notice of Change by Covered Entity. Covered Entity agrees to immediately notify Business Associate of any non-compliance with the representations and warranties identified in Section 3.1, including any change in the limitations, agreements, or restrictions identified in Section 3.1. Covered Entity understands and agrees that Business Associate entered this Agreement in reliance on Covered Entity’s representations and warranties in Section 3.1, and that any non-compliance or change in limitations, agreements or restrictions may affect Business Associate’s performance under this Agreement and shall entitle Business Associate to immediately terminate this Agreement and/or the Subscription Agreement at Business Associate’s election. Covered Entity shall pay or reimburse to Business Associate any costs or expenses incurred by Business Associate as a result of any change or limitation affecting Business Associate’s performance under this Agreement.
4. Requests by Covered Entity. Covered Entity shall not request Business Associate to use or disclose protected health information in any manner that would not be permitted under the HIPAA Privacy Rule if done by Covered Entity, except that Business Associate may use or disclose protected health information for Business Associate’s data aggregation, management, administration, and legal responsibilities as set forth in Section 2.1(d)–(e).
5. Term and Termination. Unless otherwise agreed in writing by the parties, this Agreement shall be effective as of the date executed by the parties and shall continue until terminated as provided below.
   5.1 Termination. This Agreement may be terminated as follows:
   (a) Either party may terminate this Agreement upon thirty (30) days prior written notice to the other party due to a material breach of this Agreement by the other party. The breaching party shall have the opportunity to cure the breach during the 30-day notice period. If the breaching party fails to cure the breach within the 30-day notice period, the non-breaching party may declare this Agreement terminated by providing written notice at the end of the 30-day period.
   (b) Either party may terminate this Agreement if either party determines that the other party has violated any law or regulation and/or that continued performance under this Agreement may subject the party to adverse action by any governmental agency.
   (c) Business Associate may terminate this Agreement pursuant to Section 3.2.
   (d) Any termination of the Subscription Agreement shall automatically terminate this Agreement.
   (e) Any termination of this Agreement shall automatically terminate the Subscription Agreement.
   5.2 Obligations of Business Associate Upon Termination. Upon termination of this Agreement for any reason, Business Associate, with respect to protected health information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
   (a) Retain only that protected health information which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities as described in Section 2.1(d).
   (b) If feasible, return or destroy all other protected health information in Business Associate’s control.
   (c) For any protected health information that is retained, continue to extend the protections of this Agreement to such information and limit further uses and disclosures to those purposes permitted by this Agreement.
   (d) Not use or disclose the protected health information retained by Business Associate other than for the purposes for which such protected health information was retained and subject to the same conditions set out at Section 2.1, which applied prior to termination; and
   (e) Return to Covered Entity or destroy the protected health information retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.
   5.3 Survival. Business Associate’s obligations under this Section shall survive the termination of this Agreement.
6. Regulatory References. A reference in this Agreement to a section in HIPAA means the section as in effect or as amended.
7. Amendment. The parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary to comply with the requirements of HIPAA and any other applicable law or, if the parties cannot agree on such amendment, to terminate this Agreement upon notice to the other party.
8. Governing Law. This Agreement shall be construed to comply with the requirements of HIPAA, and any ambiguity in this Agreement shall be interpreted to permit compliance with HIPAA. All other aspects of this Agreement shall be governed under the laws of the State of Utah.
9. Assignment/Subcontracting. This Agreement shall inure to the benefit of and be binding upon the parties and their respective legal representatives, successors, and assigns. Business Associate may assign or subcontract rights or obligations under this Agreement to subcontractors or third parties without the express written consent of Covered Entity. Covered Entity may assign its rights and obligations under this Agreement to any successor or affiliated entity.
10. Cooperation. The parties agree to cooperate with each other’s efforts to comply with the requirements of HIPAA and other applicable laws; to assist each other in responding to and mitigating the effects of any breach of protected health information in violation of HIPAA or this Agreement; and to assist the other party in responding to any investigation, complaint, or action by any government agency or third party relating to the performance of this Agreement.
11. Relation to Subscription Agreement. This Agreement supplements the Subscription Agreement. The terms and conditions of the Subscription Agreement shall continue to apply to the extent not inconsistent with this Agreement. If there is a conflict between this Agreement and the Subscription Agreement, this Agreement shall control.
12. No Third-Party Beneficiaries. Nothing in this Agreement is intended to nor shall it confer any rights on any other persons except Covered Entity and Business Associate and their respective successors and assigns.
13. Entire Agreement. This Agreement contains the entire agreement between the parties as it relates to the use or disclosure of protected health information, and supersedes all prior discussions, negotiations and services relating to the same to the extent such other prior communications are inconsistent with this Agreement.
14. Indemnification. If a party to this Agreement breaches any provision of this Agreement or violates any requirement of HIPAA applicable to that party, that party shall indemnify, hold harmless and defend the other party from and against any and all claims, losses, liabilities, costs, and other expenses incurred by the other party as a result of such breach or violation.
15. Limitation on Liability. In no event shall Business Associate or any of its directors, officers, agents, parents, affiliates, or subsidiaries (collectively “Business Associate”) be liable to Covered Entity or any third party for any special, consequential, incidental, or indirect loss or damages arising out of Business Associate’s acts or omissions relating to this Agreement or HIPAA, whether or not Business Associate has been advised of the possibility of such loss or damages. In all cases, Business Associate’s aggregate liability under any legal theory, including contract, tort, or other bases, shall not exceed the fees paid by Covered Entity to Business Associate pursuant to the Subscription Agreement during the six (6) month period prior to the first occurrence upon which liability is based, or the limits of Business Associate’s applicable insurance, whichever is less.
Print Name: [Customer Signer.FirstName] [Customer Signer.LastName]
Print Title: [Customer Signer.Title]
Udo Care, LLC
Print Name: [Udo Signer.FirstName] [Udo Signer.LastName]
Print Title: [Udo Signer.Title]