BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement (“Agreement”) between Client Name (“Covered Entity”) and Cerbo, LLC (“Business Associate”) is made pursuant to and governed by the Master Subscription Agreement by and between the Parties (the “MSA”). All terms not defined herein have the meaning set forth in the MSA.
The Parties desire to comply with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended and supplemented, and the regulations promulgated thereunder (the “HIPAA Rules”) to the extent applicable.
Business Associate may perform or assist Covered Entity with a function or activity which may involve the use or disclosure of protected health information (“PHI”).
If and to the extent that Business Associate accesses, uses, or discloses PHI in the course of performing functions or services on behalf of Covered Entity, the Parties agree that this Agreement applies to safeguard PHI created, received, maintained or transmitted by Business Associate from or on behalf of Covered Entity as required by the HIPAA Rules.
The Parties therefore agree as follows:
1. Definitions. Capitalized terms used, but not otherwise defined, in this Agreement have the same meaning as those terms in the HIPAA Rules.
a. “Secretary” means the Secretary of the Department of Health and Human Services or his/her duly appointed designee.
b. “Security Incident” has the same meaning as the term “Security Incident” as defined at 45 C.F.R. § 1604.304, but does not include trivial incidents that occur on a daily basis such as scans, “pings,” or routine attempts to penetrate computer networks or servers maintained or utilized by Business Associate; provided that none of the foregoing compromise the privacy, integrity and security of PHI.
c. “Service Agreement” means the MSA and any present or future agreement(s), either written or oral, between Covered Entity and Business Associate under which Business Associate provides services to Covered Entity that involve the use or disclosure of PHI.
2. Obligations and Activities of Business Associate.
a. Security and Confidentiality. If and to the extent that Business Associate receives PHI from Covered Entity in the course of performing services or functions on its behalf, Business Associate will comply with the HIPAA Rules which are applicable to a “Business Associate,” as such term is defined in the HIPAA Rules. Business Associate shall not use or disclose PHI in a manner that would violate the HIPAA Rules. Business Associate shall maintain the security and confidentiality of the PHI in accordance with all applicable laws and regulations.
b. Use and Disclosure of PHI.
- i. Business Associate shall not use or disclose PHI other than as permitted or required by this Agreement, the MSA(s) or as otherwise Required by Law.
- ii. Business Associate may use and disclose PHI to the minimum extent necessary to provide the Services or to evaluate or set up provision of the Services.
- iii. If Business Associate must provide PHI received from Covered Entity to any of Business Associate’s agents or subcontractors, Business Associate shall ensure that such agents or subcontractors to whom it provides PHI on behalf of Covered Entity agree in writing to the same or similar restrictions and conditions that apply through this Agreement and the HIPAA Rules to Business Associate with respect to such information.
- iv. Business Associate may use PHI to provide data aggregation services to Covered Entity as permitted by the HIPAA Rules. Business Associate may subsequently use and disclose de-identified data unless prohibited by applicable law.
- v. Business Associate shall not receive any remuneration in exchange for PHI, except as permitted under applicable law. However, nothing in this provision should be construed to prohibit payment to Business Associate by Covered Entity for the Services.
- vi. Business Associate may use and disclose PHI as necessary for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, except as otherwise limited in this Agreement or as Required by Law.
- vii. Except as expressly provided in this Agreement, Business Associate does not assume any obligations of Covered Entity under the HIPAA Rules. To the extent Business Associate is to carry out any of Covered Entity’s obligation(s) under the HIPAA Rules as expressly provided in this Agreement, Business Associate shall comply with the requirements of the HIPAA Rules that apply to Covered Entity in the performance of such obligation(s).
c. Safeguards. Business Associate agrees to use appropriate administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI (whether electronic or otherwise) in accordance with the HIPAA Rules to prevent the use or disclosure of PHI other than as provided in this Agreement.
d. Reporting. If Business Associate becomes aware of any use or disclosure of PHI that is impermissible under this Agreement, Business Associate shall notify Covered Entity of such impermissible use or disclosure of PHI without unreasonable delay. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
e. Access and Amendments to PHI. The Parties acknowledge and agree that Business Associate does not normally receive or maintain information that is part of a designated record set on behalf of Covered Entity in providing the Services on behalf of Covered Entity. Accordingly, Business Associate typically has no obligation to provide an individual with access to, or make amendments to, the information Business Associate receives from Covered Entity. However, should Business Associate receive such requests, Business Associate agrees to promptly forward them to Covered Entity to process in accordance with the HIPAA Rules.
f. Documenting and Accounting of Disclosures. Business Associate shall maintain the information necessary to provide an accounting of the disclosures made by Business Associate of PHI for the term of this Agreement as required by the HIPAA Rules.
g. Access to Business Associate’s Policies and Records. Business Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS, in a time and manner designated by the Secretary, for purposes of the Secretary determining Covered Entity’s or Business Associate’s compliance with the HIPAA Rules or as Required by Law.
h. Return or Destruction of PHI. No sooner than 90 days and no later than one year after termination of this Agreement, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity, to the extent possible. In the event that Business Associate determines in its reasonable judgment that returning or destroying the PHI is not feasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Business Associate shall retain such information and, for so long as Business Associate maintains such PHI, Business Associate shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that are both consistent with the terms of this Agreement and that make the return or destruction not feasible.
3. Responsibilities of Covered Entity.
a. Minimum Disclosure. Covered Entity shall provide to Business Associate the minimum PHI necessary for Business Associate to provide the Services or to evaluate or set up provision of the Services.
b. Special Restrictions on Use and Disclosure. Unless Covered Entity notifies Business Associate of any restrictions or limitations that limit Business Associate’s ability to use or disclose the PHI as permitted or required under this Agreement and Business Associate agrees to honor such restrictions or limitations, Covered Entity shall not provide Business Associate the PHI subject to additional restrictions or limitations.
c. Safeguards. Covered Entity shall maintain administrative, physical, and technical safeguards to ensure the confidentiality, privacy, and security of the PHI in accordance with the standards and requirements of HIPAA and its implementing regulations.
d. Consent. Covered Entity shall obtain any consent or authorization that may be required by applicable federal or state laws and regulations prior to transmitting the PHI to Business Associate.
e. Permissible Requests. Covered Entity shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Rules. Covered Entity shall limit disclosure of PHI to Business Associate to only that PHI which is reasonably required for Business Associate to perform the services under the Service Agreement or otherwise required by law.
This Agreement is effective as of the date that it is signed by both Parties, and terminates at the earlier of (a) the termination of all engagements between the Parties or (b) when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is returned to Covered Entity or is destroyed. If either party knows of a pattern of activity or practice of the other party that constitutes a material breach of this Agreement, the non-breaching party shall provide written notice specifying the nature of the breach to the breaching party. The breaching Party must cure the breach on or before thirty days after receipt of the written notice. In the absence of a cure reasonably satisfactory to the non-breaching Party within the specified timeframe, or in the event the breach is reasonably incapable of cure, then the non-breaching Party may (i) terminate this Agreement, if feasible; or (ii) if termination of this Agreement is infeasible, report the issue to HHS.
a. Regulatory References. A reference in this Agreement to a section in HIPAA or other applicable law or regulation means the section in effect on the effective date of this Agreement, together with any subsequent amendments.
b. Change in Applicable Law or Regulation. Upon the enactment of any law or regulation affecting the use or disclosure of the PHI, or the publication of any decision of a court of the United States or the state where either Party is organized or located relating to any such law, or the publication of any interpretative policy or opinion of any governmental agency charged with the enforcement of any such law or regulation, the Parties agree to amend this Agreement as necessary to comply with such law or regulation. Failure to amend this Agreement does not relieve either Party of its obligations to comply with all applicable laws and regulations.
c. Interpretation. Any ambiguity in this Agreement should be resolved in favor of a meaning that permits Covered Entity and Business Associate to comply with HIPAA and other applicable law.
d. No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.
e. Relationship of the Parties. The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties.
f. Waiver and Cumulative Remedies. No failure or delay by either Party in exercising any right under this Agreement is a waiver of that right. Other than as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a Party at law or in equity.
g. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the Parties agree that such provision should be modified by the court and interpreted to accomplish the objectives of the original provision to the fullest extent permitted by law. Any provision that is modified or invalidated by a court of competent jurisdiction should be considered severable from the remaining provisions, which will remain in effect.
h. Execution. This Agreement may be executed in counterparts, each of which will constitute an original and all of which will be one and the same document. Facsimiles of this Agreement are deemed to be originals and facsimile signatures are deemed to be valid signatures for all purposes of this Agreement.
i. Cooperation. Each Party shall cooperate in good faith with the other Party in connection with any requests by a federal or state governmental authority for additional information and documents or any governmental investigation, complaint, action or other inquiry.
j. Entire Agreement. This Agreement, together with the MSA(s) between the Parties, contains the entire agreement between the Parties with respect to management of the PHI. No provision of this Agreement may be modified, amended or waived other than by a supplemental writing signed by the Parties or their respective successors in interest.
k. JURY TRIAL WAIVER. EACH PARTY HEREBY IRREVOCABLY WAIVES ANY AND ALL RIGHT TO A JURY TRIAL FOR ANY AND ALL CLAIMS ARISING OUT OF OR RELATING TO THIS AGREEMENT.
l. Choice of Law. The law of the State of Delaware shall govern this Agreement. Each Party to this Agreement hereby agrees and consents that any legal action or proceeding with respect to this Agreement shall only be brought in the courts of the state and county where Business Associate is located.