Last Updated: May 2, 2023
This Business Associate Agreement (“BAA”) and the terms and conditions contained herein apply to Company’s use of those Services specified within a Subscription Order Form entered into by and between HCP and Company, as expressly incorporated into and made a part of the Subscription Order Form by reference therein. By way of execution of the Subscription Order Form, both HCP, as a Business Associate of Company, and Company, as a Covered Entity, have agreed to be bound by this BAA, which shall be effective as of the date of Company’s signature on the Subscription Order Form (“Effective Date”). All capitalized terms used herein but not defined shall have the meanings ascribed to them in the Agreement to which this BAA applies.
HCP provides Services to Company pursuant to one or more underlying Subscription Order Forms that incorporate by reference HCP’s Terms of Services (each Subscription Order Form that incorporates by reference the Terms of Service is an “Agreement”), pursuant to which HCP may create, receive, maintain, or transmit Protected Health Information (“PHI”) of Company in order to enable HCP to perform one or more Services for Company related to Company’s Treatment, Payment or Health Care Operations.
HCP and Company desire to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Final Rule for Standards for Privacy of Individually Identifiable Health Information adopted by the United States Department of Health and Human Services and codified at 45 C.F.R. Part 160 and Part 164, Subparts A, C (“Security Rule”), and E (“Privacy Rule”) as well as Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
Capitalized terms within this BAA shall have the same meaning as those terms are defined at 45 C.F.R. §§ 160.103, 164.103, 164.304, 164.402, and 164.501. This BAA applies to uses and disclosures of all PHI that HCP creates for or on behalf of, or receives from or on behalf of, Company.
HCP and Company hereby agree as follows:
1. Permitted Uses and Disclosures. HCP may use and disclose PHI:
- in the course of performing Services for or on behalf of Company;
- as required or permitted by law, regulation, regulatory agency, or by any accrediting body to whom Company or HCP may be required to disclose such PHI;
- as set forth in an authorization that complies with HIPAA and HITECH; or
- to provide Data Aggregation services, as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
Except as otherwise limited in this BAA, HCP may use PHI for the proper management and administration of HCP or to carry out the legal responsibilities of HCP.
2. HCP’s Obligations
- Ensure, through a written contractual agreement that complies with 45 C.F.R. § 164.314, that its agents and Subcontractors to whom it may provide PHI agree to the same terms and conditions as are applicable to HCP.
- Implement appropriate and reasonable safeguards to prevent use or disclosure of PHI other than as permitted herein, including those safeguards required pursuant to 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.314, and 164.316, and comply, as applicable, with the requirements of 45 C.F.R. Part 164, Subpart C.
- Make available to the Secretary of Health and Human Services, HCP’s internal practices, books and records relating to the use or disclosure of PHI for purposes of determining Company’s compliance with HIPAA.
- Report to Company and mitigate, to the extent practicable, any harmful effect that is known to HCP of uses or disclosures of PHI of which HCP becomes aware that do not comply with the terms herein, including Breaches of Unsecured PHI as required by 45 C.F.R. § 164.410, and any Security Incident of which it becomes aware.
- Make uses and disclosures and requests for PHI consistent with HCP’s minimum necessary policies and procedures.
3. Company’s Obligations
- Notify HCP of any limitation(s) in its notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect HCP’s use or disclosure of PHI.
- Notify HCP of any changes in, or revocation of, permission by an individual to use or disclose PHI to the extent that such changes may affect HCP’s use or disclosure of PHI.
- Notify HCP of any restriction to the use or disclosure of PHI that Company has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect HCP’s use or disclosure of PHI.
- Request HCP to use or disclose PHI only in a manner permissible under HIPAA and HITECH if done by the Company.
4. Term and Termination
The term of this BAA shall commence as of the Effective Date and shall terminate when all of the PHI provided by Company to HCP, or created or received by HCP on behalf of Company, is destroyed or, if it is infeasible to destroy the PHI, when protections are extended to such information, as provided herein. Company may terminate this BAA if HCP fails to cure or take substantial steps to cure a material breach of this BAA within thirty (30) days after receiving written notice of such material breach from Company. If the underlying agreement terminates or expires, HCP will maintain Company’s PHI for sixty (60) days in order for Company to resubmit claims as necessary. Company’s PHI will then be destroyed by HCP. If such destruction of PHI is not feasible, HCP will continue to abide by the terms set forth herein with respect to such PHI, and further uses and disclosures of such PHI will be limited to those purposes that make destruction infeasible. This Section 4 shall survive the termination of this BAA.
This BAA, as part of the applicable Agreement, constitutes the entire agreement between the Parties concerning its subject matter. This BAA may be amended only in writing signed by Company and HCP. The Parties agree to take such action to amend this BAA as is necessary to comply with the requirements of HIPAA and HITECH. This BAA and the rights and obligations of the Parties hereunder shall in all respects be governed by, and construed in accordance with, the laws of the State of Idaho, including all matters of construction, validity, and performance. Any ambiguity in this BAA shall be resolved in favor of a meaning that permits the Parties to comply with HIPAA and HITECH, as applicable.
All liability of HCP under this BAA is subject to the limitation of liability provisions set forth in the Agreement. In any event, HCP’s aggregate liability arising from or relating to this BAA, HIPAA or the transactions contemplated under this BAA shall not, in the aggregate, exceed the amounts paid by Company to HCP under the Agreement during the 12-month period immediately preceding the event that caused the damage relating to the first claim made under the Agreement.