Customer Business Associate Agreement
Relaymed Customer Business Associate Agreement
Please read this Business Associate Agreement (“BAA”) carefully. If you are a Covered Entity as that term is defined below, then, by using Relaymed or signing up for an account, you as a customer (referred to as “Covered Entity” herein) are agreeing to this BAA. This is a legal agreement.
Covered Entity and Business Associate have entered into an arrangement and may in the future enter into additional arrangements (collectively, the “Underlying Contracts”) pursuant to which Business Associate provides various services to Covered Entity and may create, receive, maintain, or transmit Protected Health Information on behalf of Covered Entity.
Covered Entity and Business Associate are committed to complying with the federal standards and requirements of HIPAA, the Privacy and Security Rules, the HITECH Act and the Final Omnibus Rule (as defined below) and any other applicable federal or state privacy and confidentiality laws (collectively referred to herein as “Rules”), as applicable to each entity in their respective roles.
Definitions. All capitalized terms used but not otherwise defined in this BAA shall have the same meaning as set forth in HIPAA, the Privacy Rule, the Security Rule, the HITECH Act, and the Final Omnibus Rule (as defined herein).
- “Covered Entity” means a health plan, a healthcare clearinghouse, or health care provider as those terms are defined at 45 C.F.R. 160.103.
- “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (1996).
- “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.
- “Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C.
- “HITECH Act” means Subtitle D of the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009, Public Law 111-5 (2009) (codified at 42 U.S.C. § 300jj et seq., § 17921 et seq.).
- “Final Omnibus Rule” means those modifications to the HIPAA Rules which were mandated by the HITECH Act and enacted by the final rule at 78 Fed. Reg. 5566 (Jan. 25, 2013).
- “Protected Health Information” shall mean Protected Health Information, as defined in 45 C.F.R. § 160.103, and is limited to the Protected Health Information received from Covered Entity, or created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity.
- “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).
- “Data Aggregation” means, with respect to Protected Health Information created or received by Business Associate in its capacity as the “business associate” under HIPAA of Covered Entity, the combining of such Protected Health Information by Business Associate with the Protected Health Information received by Business Associate in its capacity as a business associate of one or more other “covered entities” under HIPAA, to permit data analyses that relate to the Health Care Operations of the respective covered entities. The meaning of “data aggregation” in this BAA shall be consistent with the meaning given to that term in the Privacy Rule.
- A reference in this BAA to a section in the Rules, or implementing regulations means the section as in effect or as amended, and for which compliance is required.
Permitted Uses and Disclosures by Business Associate. Except as otherwise limited in this BAA or any provision of the Underlying Contracts, Business Associate may:
- Use or disclose Protected Health Information in its possession to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Underlying Contracts, provided that such use or disclosure would not violate HIPAA if done by Covered Entity.
- Use Protected Health Information for the proper management and administration of Business Associate and to carry out the legal responsibilities of Business Associate.
- Disclose the Protected Health Information in its possession for its proper management and administration and to fulfill any legal responsibilities of Business Associate, provided that:
(i) The Disclosure is Required by Law; or
(ii) Business Associate has received from the third party reasonable written assurances that: (1) the information will remain confidential and will be used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the party; and (2) the third party will notify Business Associate of any instances of which it becomes aware in which the confidentiality of the information has been breached.
- Business Associate may de-identify Protected Health Information, and aggregate, manipulate, use, disclose, publish and distribute such de-identified health information and data in accordance with 45 C.F.R. § 164.514 (a) and (b). De-identified data does not constitute Protected Health Information as that term is defined under HIPAA.
- Business Associate may use Protected Health Information for Data Aggregation services as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).
- Business Associate may use and disclose Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with 45 C.F.R. § 164.502(j)(1).
Obligations and Activities of Business Associate.
- Business Associate shall not use or disclose Protected Health Information other than as permitted or required by this BAA or as Required by Law.
- Business Associate agrees to use appropriate administrative, physical, and technical safeguards and comply, where applicable, with the Security Rule with respect to Electronic Protected Health Information, to prevent use or disclosure of the Protected Health Information other than as provided for by this BAA.
- Business Associate agrees to otherwise comply with the applicable requirements of the Security Rule. The additional requirements of the HITECH Act that relate to security and that are applicable to Business Associate are hereby incorporated by reference into this BAA.
- Business Associate agrees to promptly report to Covered Entity:
(i) Any use or disclosure of Protected Health Information not provided for by this BAA, including Breaches of Unsecured Protected Health Information; and/or
(ii) Any Security Incident, provided that this section shall hereby serve as notice, and no additional reporting shall be required, of any unsuccessful attempts at unauthorized access, use, disclosure, modification, or destruction of information or unsuccessful interference with system operations in an information system (“Unsuccessful Security Incidents”). Unsuccessful Security Incidents shall include, but not be limited to, pings and other broadcast attacks on firewalls, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI.
- For any possible Breach of Unsecured Protected Health Information, Business Associate agrees to supplement the above report with the information required by 45 C.F.R. § 164.410 without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the possible Breach.
- Business Associate agrees to ensure that any Subcontractors that create, receive, maintain, or transmit Protected Health Information on Business Associate’s behalf agree in writing to the same restrictions and conditions that apply through this BAA to Business Associate with respect to such Protected Health Information, including complying with the applicable requirements of the Security Rule and HITECH Act.
- Business Associate agrees to make its internal practices, books, and records relating to the Use and Disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity, available to the Secretary of the Department of Health and Human Services (“Secretary”) for the purposes of the Secretary determining compliance with HIPAA. Nothing in this section shall be construed as a waiver of any legal privilege or of any protections for trade secrets or confidential commercial information. It is not necessary nor anticipated that Business Associate will maintain a Designated Record Set for Covered Entity.
- If Business Associate maintains a Designated Record Set, upon request by Covered Entity, Business Associate will make Protected Health Information in a Designated Record Set available to Covered Entity as necessary to allow Covered Entity to comply with its obligations to provide access to Individuals of their health information as required by 45 C.F.R. § 164.524.
- If Business Associate maintains a Designated Record Set, upon request by Covered Entity, Business Associate will make Protected Health Information in a Designated Record Set available to Covered Entity and will incorporate any amendments to such information as instructed by Covered Entity as necessary to allow Covered Entity to comply with its amendment obligations as required by 45 C.F.R. § 164.526.
- Business Associate will maintain and, upon request by Covered Entity, provide Covered Entity with the information necessary for Covered Entity to provide an Individual with an accounting of disclosures as required by 45 C.F.R. § 164.528, if and to the extent that such accounting is required under the HITECH Act or Health and Human Services regulations adopted in connection with the HITECH Act. Such accounting is limited to disclosures that were made in the six (6) years prior to the request. Business Associate shall provide the information necessary to provide an accounting within forty (40) calendar days of Covered Entity’s request. Such accounting must be provided without cost to the Individual or to Covered Entity if it is the first accounting requested by an Individual within any twelve (12) month period; however, a reasonable, cost-based fee may be charged for subsequent accountings if Business Associate informs Covered Entity and Covered Entity informs the Individual in advance of the fee, and the Individual is afforded an opportunity to withdraw or modify the request.
- To the extent that Business Associate is to carry out one or more of Covered Entity’s obligations under the Privacy Rule, Business Associate shall comply with the requirements that apply to Covered Entity in the performance of such obligations.
- Business Associate shall not directly or indirectly receive remuneration in exchange for Protected Health Information unless such remuneration is permissible under HIPAA and the HITECH Act.
- Business Associate (or its agents or subcontractors) will use reasonable efforts to request, use and disclose only the minimum amount of Protected Health Information necessary in accordance with 45 C.F.R. §§ 164.502(b) and 164.514(d) and Section 13405(b) of the HITECH Act. The entity disclosing the Protected Health Information (as opposed to the requestor) shall make the minimum necessary determination.
Obligations of Covered Entity.
- Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate’s use or disclosure of Protected Health Information. Covered Entity will not include any limitations in its notice of privacy practices that limit Business Associate’s use or disclosure of Protected Health Information under this BAA unless such limitation is Required by Law.
- Covered Entity shall notify Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect Business Associate’s use or disclosure of Protected Health Information.
- Covered Entity shall notify Business Associate of any restriction on the use or disclosure of Protected Health Information that Covered Entity has agreed to or is required to abide by under 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of Protected Health Information. Covered Entity will not agree to any restriction on the use or disclosure of Protected Health Information that limits Business Associate’s use or disclosure of Protected Health Information under this BAA unless Covered Entity is legally required to agree to such restriction.
- Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity, except for uses or disclosures for the proper management and administration of Business Associate, the legal responsibilities of Business Associate, and Data Aggregation by Business Associate as referenced above.
HITECH Act Requirements.
a) The HITECH Act imposes on entities covered by HIPAA and their business associates federal breach notification requirements when “unsecured” PHI is acquired by an unauthorized party. The breach notification requirements will apply to PHI in any form. PHI may be secured through encryption, destruction or redaction.
b) The following requirement shall apply to the extent that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses “unsecured PHI,” which is defined in the HITECH Act as not secured through the use of a technology or methodology that renders the information “unusable, unreadable, or indecipherable” to unauthorized individuals. In addition to the notification requirements with respect to electronic PHI set forth herein above, Business Associate shall notify Covered Entity as soon as possible but not later than 10 days following the discovery of any unauthorized acquisition, access, use or disclosure of such unsecured PHI. Such notice shall include identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been accessed, acquired, or disclosed during such unauthorized activity. Covered Entity, at its sole discretion, shall make the determination of whether or not the definition of “Breach” as that term is set forth in the HITECH Act and 45 C.F.R. §164.402, or any more stringent applicable state law has been met. If the unauthorized activity arises solely out of the fault, gross negligence or willful misconduct of Business Associate, and Covered Entity determines the unauthorized activity qualifies as a breach that triggers the breach notification requirements, all of the direct costs reasonably associated with sending out notifications of the breach to affected patients, clients, media, and regulatory authorities shall be the responsibility of the Business Associate.
Term and Termination.
- Term. The term of this BAA shall commence as of the Effective Date and shall terminate ninety (90) days after the date when all Underlying Contracts have terminated.
- Termination by Covered Entity. Upon Covered Entity’s knowledge of a breach of a material term of this BAA by Business Associate or its agents or subcontractors, Covered Entity may terminate the Underlying Contracts: (i) immediately if Covered Entity determines that there is a continuing risk to the confidentiality, integrity, or availability of Protected Health Information that cannot be immediately cured; or (ii) after Covered Entity has notified Business Associate of the breach and provided at least 30 calendar days for Business Associate to cure the breach if Business Associate has not cured the breach in such period of time.
- Termination by Business Associate. If Business Associate determines that Covered Entity has breached a material term of this BAA, then Business Associate will provide Covered Entity with written notice of the existence of the breach and shall provide Covered Entity with 30 days to cure the breach. Covered Entity’s failure to cure the breach within the 30-day period will be grounds for immediate termination of this BAA by Business Associate.
- Effect of Termination.
(i) Except as provided in paragraph (ii) of this section, upon termination of this BAA or the Underlying Contracts for any reason, Business Associate shall return or destroy all Protected Health Information, and Business Associate shall retain no copies of the Protected Health Information.
(ii) In the event that Business Associate determines that returning or destroying the Protected Health Information obtained by Business Associate is infeasible, then Business Associate shall extend the protections of this BAA to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for as long as Business Associate maintains such Protected Health Information. Business Associate may retain a copy of that Protected Health Information which (a) is embedded with information that has operational, legal, fiscal, or historical value, (b) is necessary for Business Associate’s proper management or administration or to carry out its legal responsibilities, or (c) Business Associate may be required to retain pursuant to its internal policies or procedures, or for compliance with applicable federal or state law. This Section shall survive the termination of this BAA for any reason.
- No Third Party Beneficiaries. Nothing in this BAA shall confer upon any person other than the parties and their respective successors or assigns, any rights, remedies, obligations, or liabilities whatsoever.
- Amendment; Waiver. This BAA may be modified only in writing, executed by both parties. The parties agree to take such action as is reasonably necessary to amend this BAA in order to comply with the requirements of HIPAA and the HITECH Act, as they may be amended from time to time, and as new regulations may be issued by Health and Human Services under HIPAA and the HITECH Act. The waiver by either party of a breach or violation of any provision of this BAA shall not be construed to be a continuing waiver or a waiver of any subsequent breach of either the same or any other provision of this BAA.
- Effect on BAA. Except as specifically required to implement the purposes of this BAA, or to the extent inconsistent with this BAA, all other terms of the Underlying Contracts shall remain in force and effect. Business Associate and Covered Entity shall comply with any provision or requirement concerning privacy or security of information under any state law applicable to Business Associate’s use and disclosure of Protected Health Information that is more stringent than a similar provision or requirement under HIPAA, as provided in 45 C.F.R. § 160.203.