Business Associate Agreement
In accordance with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104‑191, as amended under the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, and their implementing regulations at 45 C.F.R. Parts 160 and 164, Subparts A, C, and E (collectively, “HIPAA”), Frontive, Inc. (“Business Associate”) shall, to the extent it acts in the capacity of a Business Associate to the Client (“Covered Entity”) identified on the Frontive, Inc. Order Form and Services Agreement to which this Business Associate Agreement (“BAA”) relates or is attached (“Services Agreement” or “Agreement”), adhere to the applicable requirements established under HIPAA for Business Associates as set forth below, effective as of the Effective Date of the Services Agreement.
- DEFINITIONS. Capitalized terms used, but not otherwise defined, in this BAA shall have the same meaning as those terms as used or defined under HIPAA, including but not limited to the following terms: Breach, Business Associate, Covered Entity, Data Aggregation, Designated Record Set, Individual, Minimum Necessary, Notice of Privacy Practices, Privacy Rule, Protected Health Information (“PHI”) and Electronic Protected Health Information (“EPHI”), Required By Law, Secretary, Security Incident, Security Rule, Subcontractor, and Unsecured Protected Health Information.
- OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE.
- Business Associate agrees not to use or disclose PHI other than as permitted or required by the Agreement or this BAA, or as permitted or Required By Law.
- Business Associate agrees to use appropriate safeguards to protect against any use or disclosure of PHI not provided for herein and to comply, where applicable, with Subpart C of 45 CFR Part 164 with respect to EPHI.
- Business Associate will mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement.
- In accordance with 45 CFR 164.502 (e)(1)(ii) and 164.308(b)(2), Business Associate agrees to require that any Subcontractor, to whom it delegates any function or activity it has undertaken to perform on behalf of Covered Entity, and to whom it provides PHI received from or created, received, maintained, or transmitted on behalf of Covered Entity, agrees to substantially the same restrictions and conditions on the use or disclosure of PHI as apply through this BAA to Business Associate through a business associate agreement between such Subcontractor and Business Associate.
- Upon the Covered Entity’s written request, and in a reasonable time and manner, Business Associate agrees to provide to Covered Entity PHI maintained by Business Associate in a Designated Record Set as required for Covered Entity to respond to a request for access under 45 CFR 164.524.
- Upon the Covered Entity’s written request, and in a reasonable time and manner, Business Associate agrees to make available PHI maintained by it in a Designated Record Set, and to make amendments to PHI, in order for Covered Entity to respond to a request for amendment under 45 CFR 164.526.
- Business Associate agrees to make its internal practices, policies, procedures, books, and records relating to the use and disclosure of PHI received from or created or received by Business Associate on behalf of Covered Entity, available for inspection and copying by the Secretary upon the Secretary’s written request for same for purposes of the Secretary determining the Covered Entity's compliance with the HIPAA Rules.
- Business Associate agrees to document such disclosures of PHI made by it, and information related to such disclosures, as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI under 45 CFR 164.528.
- Upon written request by Covered Entity, and in a reasonable time and manner, Business Associate agrees to provide to Covered Entity information collected in accordance with Paragraph G of this Section for Covered Entity to provide an accounting under 45 CFR 164.528.
- To the extent Covered Entity specifically delegates to Business Associate one or more of Covered Entity's obligation(s) under Subpart E of 45 CFR Part 164, Business Associate agrees to comply with the requirements of Subpart E that apply to Covered Entity in the performance of such obligation(s).
- As soon as practicable, but in no event later than ten (10) business days after discovery, Business Associate agrees to report to Covered Entity any use or disclosure of PHI not provided for in this BAA or the Agreement of which it becomes aware, including breaches of Unsecured PHI as required under, and in the manner set forth at, 45 CFR 164.410, and any Security Incident of which it becomes aware. The Parties acknowledge and agree that this section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which no additional notice to Covered Entity shall be required. “Unsuccessful Security Incidents” shall include, but are not limited to, pings and other broadcast attacks on Business Associate’s firewall, port scans, unsuccessful log-on attempts, denials of service, and any combination of the above, so long as no such incident results in unauthorized acquisition, access, use, or disclosure of PHI.
- PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE.
- Business Associate may use or disclose PHI to perform functions, activities, and services for or on behalf of, Covered Entity as provided in this BAA and the Agreement. Such uses and disclosures shall be limited to those that would not violate the Privacy Rule if done by Covered Entity except that Business Associate may use and disclose PHI:
- to provide Data Aggregation services to Covered Entity as permitted by 45 CFR 164.504(e)(2)(i)(B);
- for the proper management and administration of Business Associate or to carry out its legal responsibilities; provided that, in the case of any disclosures for this purpose, the disclosure is Required by Law or Business Associate obtains reasonable assurances in writing from the person to whom the information is disclosed, that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and that the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and
- Business Associate may also use and disclose PHI: (i) to respond on behalf of Covered Entity to requests for PHI accompanied by an authorization that meets the requirements of 45 CFR 164.508; (ii) to de-identify the information or create a limited data set in accordance with 45 CFR §164.514, which de-identified information or limited data set may be used and disclosed by Business Associate as permitted by law, including HIPAA; (iii) to report violations of law to appropriate federal and state authorities, consistent with 45 CFR §164.502(j)(1); and (iv) as authorized in writing by Covered Entity.
- Business Associate agrees to request, use, and disclose PHI in compliance with the Minimum Necessary standard of the HIPAA Rules.
- OBLIGATIONS OF COVERED ENTITY.
- Covered Entity shall provide PHI to Business Associate in compliance with the Minimum Necessary standard of the Privacy Rule. Covered Entity shall not ask or require Business Associate to use or disclose Protected Health Information in a manner in which Covered Entity could not do as a Covered Entity except as permitted by 45 CFR 164.504(e) to perform Data Aggregation services.
- Covered Entity represents and warrants that its Notice of Privacy Practices complies with 45 C.F.R. 164.520 and permits Covered Entity to use and disclose Protected Health Information in the manner that Business Associate is authorized to use and disclose Protected Health Information under this BAA.
- To the extent that the Covered Entity honors a request to restrict the use or disclosure of PHI pursuant to 45 C.F.R. 164.522(a), Covered Entity agrees not to provide such PHI to Business Associate unless Covered Entity notifies Business Associate of the restriction and Business Associate advises Covered Entity that it is able to accommodate the restriction. Covered Entity agrees to reimburse Business Associate for any increase in costs required to accommodate such restriction.
- Covered Entity shall be responsible for using administrative, physical and technical safeguards at all times to maintain and ensure the confidentiality, privacy and security of PHI transmitted to Business Associate in accordance with the standards and requirements of the HIPAA Rules, until such PHI is received by Business Associate.
- Covered Entity shall obtain any consent or authorization that may be required by applicable federal or state laws in order for Business Associate to provide its services under the Agreement.
- TERM AND TERMINATION.
- This BAA shall become effective on the Effective Date in the Agreement and shall terminate on the same date that the Agreement terminates or as described in Section 5.2.
- If either party knows of a pattern of activity or practice of the other party that constitutes a material breach or violation of this BAA then the non-breaching party shall provide written notice of the breach or violation to the other party that specifies the nature of the breach or violation. The breaching party must cure the breach or end the violation on or before thirty (30) days after receipt of the written notice. In the absence of a cure reasonably satisfactory to the non-breaching party within the specified timeframe, or in the event the breach is reasonably incapable of cure, then the non-breaching Party may terminate this BAA.
- Upon termination of this BAA for any reason, Business Associate, with respect to PHI from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall
- Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities and any PHI for which return or destruction is infeasible;
- Return to Covered Entity, or if agreed to by Covered Entity, destroy, the remaining PHI that Business Associate still maintains in any form;
- Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to EPHI to prevent use or disclosure of the protected health information other than as provided for in this Section, for as long as Business Associate retains the PHI;
- Not use or disclose the PHI retained by Business Associate other than for purposes for which such PHI was retained and subject to the same conditions as set out in Section 3 which applied prior to termination; and
- Return to Covered Entity, or if agreed to by Covered Entity, destroy, the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities, or when return or destruction is no longer infeasible. The obligations of Business Associate under Section 5.3 of this BAA shall survive the termination of this BAA.
- LIMITATION OF LIABILITY. In no event will either party be liable for other than actual damages as a result of the performance or default of this Agreement. NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, PUNITIVE, SPECIAL OR CONSEQUENTIAL DAMAGES, REGARDLESS OF THE FORM OF ACTION (WHETHER IN CONTRACT, TORT, NEGLIGENCE OR OTHERWISE), EVEN IF IT IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
- MISCELLANEOUS.
- Regulatory References. A reference in this BAA to a section in the HIPAA regulations means the section as in effect or as amended, and as of its applicable compliance date.
- Changes to this BAA. The parties agree to negotiate in good faith to amend this BAA or the Agreement as necessary to comply with any changes to HIPAA.
- Interpretation. Any ambiguity in this BAA shall be resolved to permit the parties to comply with HIPAA.
- No Third-Party Beneficiaries. Nothing express or implied in this BAA is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
- Independent Contractors. Business Associate and Covered Entity are and shall remain independent contractors throughout the term. Nothing in this BAA shall be construed to constitute Business Associate and Covered Entity as partners, joint venturers, agents or anything other than independent contractors.