Business Associate Agreement Page 2 of 7

identifiable information that is created, received, maintained, or transmitted by Business Associate on behalf of Covered Entity that relates to an Individual’s past, present, or future physical or mental health, health care, or payment for health care, whether such information is in oral, hard copy, electronic, or any other form or medium.

AGREEMENT

I. Recitals Incorporated. The recitals above are expressly incorporated into the terms of this Agreement.

II. Relationship of the Parties. Business Associate is, and at all times during this Agreement shall, be acting as an independent contractor to the Covered Entity, and not as the Covered Entity’s agent. Covered Entity shall not have authority to control the method or manner in which Business Associate performs its services on behalf of Covered Entity, provided that Business Associate complies with the terms of this Agreement and the HIPAA Rules. Business Associate shall not have authority to bind Covered Entity to any liability unless expressly authorized by Covered Entity in writing, and Covered Entity shall not be liable for the acts or omissions of Business Associate. Business Associate shall not represent itself as the agent of Covered Entity. Nothing in this Agreement shall be deemed to establish an agency, partnership, joint venture or other relationship except that of independently contracting entities.

III. Business Associate Responsibilities. Business Associate agrees to:

(A) Fully comply with the HIPAA Rules as they apply to business associates.

(B) Not use or disclose PHI except as permitted by this Agreement or as otherwise required by law.

(C) Use appropriate safeguards to prevent the use or disclosure of PHI other than as permitted by this Agreement. Business Associate shall comply with the requirements in 45 CFR Part 164, Subpart C applicable to business associates, including the use of administrative, physical and technical safeguards to protect electronic PHI. Such safeguards will include, but not be limited to, Business Associate conducting periodic risk assessments with respect to Covered Entity’s PHI. Business Associate shall, to the extent reasonably possible, implement and follow recognized security practices consistent with H.R. 7898, enacted into law on January 5, 2021. Business Associate shall provide Covered Entity with all information reasonably requested about such safeguards, including whether Business Associate follows such recognized security practices and, if so, which practice or practices.

(D) Within thirty (30) days after discovery, report to Covered Entity any use or disclosure of PHI not permitted by this Agreement, applicable state privacy laws, or the HIPAA Rules of which Business Associate becomes aware, including but not limited to reporting breaches of unsecured PHI as required by 45 CFR § 164.410, reporting security incidents as required by 45 CFR § 164.314(a)(2)(i)(C), and reporting breaches and security incidents of Business Associate’s contractors and subcontractors.

(E) Fully cooperate with Covered Entity’s efforts to promptly investigate, mitigate, and notify third parties of breaches of unsecured PHI or security incidents as required by the HIPAA Rules.

(F) Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of Business Associate agree to the same or equivalent restrictions, conditions, and requirements set forth in this Agreement, applicable state privacy laws, HITECH, and the HIPAA Rules applicable to such subcontractors. Without limitation, Business Associate shall ensure that any subcontractors comply with the applicable requirements of 45 C.F.R. Parts 160, 162, and 164. Business Associate shall fulfill this requirement by executing a written agreement with any subcontractors in compliance with the requirements of the HIPAA Rules. To the extent required by applicable law or other binding regulatory guidance, Business Associate shall not disclose PHI to a "tracking technology vendor" (as

Docusign Envelope ID: 59F6B981-5F1A-449B-900F-594D12FCBB6B